Download presentation
Presentation is loading. Please wait.
1
Security through Group Policy
2
Use Organizational Units (OUs)
Separate Workstations from Users from Servers Separate workstations by function (HR, Payroll, Admins, etc) Separate users based on roles (HR, Payroll, Admins, etc) Organizational Units should be used to group objects by function. This will help user group policies apply to the right users, and computer policies will be applied to the appropriate machines.
3
Stay Current With Patches - SUS
Software Update Service, and in the future, Windows Update Service, is designed to simplify the process of keeping your Windows-based computer up to date with the latest critical updates. SUS and WUS enables you to quickly and reliably deploy critical updates to your servers and workstations running Windows 2000, XP, or 2003. On this easy-to-use interface, you simply check the update you want to push out, and click the Approve button. No additional scripts, and no running around to each workstation every time a new patch comes out.
4
Force Updates with GP Options can be enabled here for pushing patches to machines. For instance, workstations can be forced to patch and reboot, servers can be forced to patch and be manually rebooted, and a testing OU can be exempt from patching. Patches are pulled from one centralized server for an entire network, but multiple servers can be used for load balancing if needed.
5
Use the XP SP2 Firewall The configuration here shows how workstations can be locked down. For each of the “allow program” or “allow port” exceptions, a program or port is specified along with the scope or IP range that is allowed to access that resource. Our group policy only allows ICMP incoming echo requests to get through the firewall, with the only exception being a handful of administrative workstations and servers.
6
Restrict Applications by name
The easiest way to stop unapproved applications such as peer-to-peer or other file-sharing applications is to prevent their execution. If a user tries to run a restricted application, the error shown above pops up and the program does not run. In order to prevent other applications from running, you can also restrict them by a hash instead of the name.
7
Restrict Applications by hash
A hash is like a fingerprint for the file. The hash prevents only the positively identified program from running. This can also be useful if, for example, an older version of wmplayer.exe has a security flaw. The hash can prevent the old version of wmplayer.exe from running, while the current version will still function normally. This method is slightly harder to implement because each version of a program will have a different hash, and must be added to the restricted list seperately.
8
Prevent Workstation Lockouts
Some of you may have experienced workstation lockouts in the past due to a worm or virus that tries to guess the administrator password. If the XP SP2 firewall is used, worms cannot see the machines and will not try to authenticate to them. If the firewall cannot be used however, your security log can be set to overwrite as needed. This slightly diminished security on the workstation, but allows users to continue work uninterrupted.
9
Run a Managed Antivirus Client
Ex: Symantec Antivirus Corporate Ed. Clients pull defs from the server every 15 minutes, or on restart Only one machine (server) needs to be updated with new defs Automatically updated daily, or manually if desired For less than $10 per machine, your entire network can run the newest symantec antivirus client and have access to automatic updates.
10
Conclusion Use OUs to separate users and computers by function
Stay current with patches Use the XP SP2 firewall Restrict applications that violate policy Prevent workstation lockouts Run a managed antivirus program -Organization Units were created to help you organize your domain. Make use of them and it will lighten your workload later. -push patches to workstations & servers so that all machines are protected against possible security holes -use the XP SP2 firewall to prevent unauthorized access -restrict applications that can cause security holes, copyright infringement, or anything that may cause you more work (weatherbug or bonzi buddy for example) -keep machines functional for users by preventing lockouts. For most users, if they can’t log in, they can’t work. -keep workstations virus free without even thinking about it. A 60 minute setup can keep your network virus free. -questions?
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.