Published by Theresa McKinney. Modified over 9 years ago.
Slide 1
DPW © 2005-2010 Donna Warren, WINDOWSSERVER2008
Windows Server 2008 Security, UNIT 11
Slide 2: What is Group Policy?
A group of policies applied directly to Active Directory objects
Policies can be linked to:
– Sites
– Domains
– OUs
Policies are applied by linking them to the object they apply to, not to specific users or groups
Slide 3: Group Policy Functions
Control the user environment
– Manipulate Start menu options, wallpaper, colors, and so on
– Prevent users from using the Control Panel
Control the computer settings
– Configure DNS client settings
– Configure the time server client computers use
Distribute software
– Force software installation
– Allow for easy optional software installation through Add/Remove Programs
Slide 4: Group Policy Settings
Registry-based – control the user and computer environment through settings stored in HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE
Software installations and repairs – keep patches up to date and fix broken apps
Folder redirection and offline storage – force use of a network drive for backup
Disk quotas – can enforce quotas
Offline file storage works with folder redirection to provide the ability to cache files locally. This allows files to be available even when the network is inaccessible
Slide 5: Group Policy
Run scripts – including logon, logoff, startup, and shutdown scripts
Windows Deployment Services (WDS) – rebuilding or deploying workstations quickly and efficiently
Microsoft Internet Explorer settings
– Provide quick links and bookmarks for user accessibility
– Enforce browser options such as proxy use, acceptance of cookies, and caching options
Security settings – protect resources on computers in the enterprise
Slide 6: Group Policy Benefits
Company benefits
– Reduce Total Cost of Ownership (TCO)
– Improve Return on Investment (ROI)
User benefits
– Access to files either offline or online
– Consistent environment
– Files are centrally backed up
Administrator benefits
– Centralized management of computer and user settings
– Centralized application distribution
– Centralized backup
– Centralized security enforcement
Slide 7: Default Group Policies
Two default group policies are created when Active Directory is installed
Default Domain Policy – affects all users and computers in the domain
Default Domain Controllers Policy – affects all domain controllers within the Domain Controllers OU
As domain controllers are added to the domain, they are automatically placed in this OU and are affected by any of its settings
Slide 8: Group Policy Objects (GPOs)
Contain all of the Group Policy settings that you wish to apply to user and computer objects within a site, domain, or OU
Must be associated (linked) with the container to which they are applied
There are three types of GPOs:
– Local GPOs
– Domain GPOs
– Starter GPOs
Slide 9: Group Policy Objects (GPOs)
Local GPO
– Gpedit.msc (Local Computer Policy)
– Local Security Policy
Non-local Group Policy Objects
– Not inherited from the domain
– Stored in SYSVOL
– Linked to sites, domains, or OUs
– Applied to all users and computers in the container
– If a non-local (Active Directory-based) GPO conflicts with a local GPO, the non-local GPO takes precedence
Slide 10: Group Policies in Active Directory
Linked to site – affects all users and computers in the site to which the policy is linked, regardless of domain membership
Linked to domain – affects all users and computers in the domain to which the policy is linked
Linked to OU – affects all users and computers in the OU to which the policy is linked
Slide 11: Group Policy
Group Policies can be linked to sites, domains, or OUs (not groups) to apply those settings to all users and computers within these Active Directory containers
You can use security group filtering, which allows you to apply GPO settings to specific users or groups within a container by selectively granting the "Apply Group Policy" permission to one or more users or security groups
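The security group filtering described on this slide, done from PowerShell, as an added example that is not part of the original deck. It assumes the GroupPolicy module (installed with the GPMC) and uses an assumed GPO name and an assumed security group; the "Apply Group Policy" permission is the GpoApply permission level in the cmdlets.

```powershell
# Added example (not from the slides): restrict a GPO to one security group
# using security filtering. GPO and group names are assumptions.
# Requires the GroupPolicy module (RSAT / GPMC) and rights to edit the GPO.
Import-Module GroupPolicy

$gpoName   = 'Editors Desktop Lockdown'   # assumed GPO name
$groupName = 'Editors'                    # assumed domain security group

# A new GPO grants "Apply Group Policy" to Authenticated Users, so it applies
# to every user and computer in the container it is linked to.
# Step 1: drop Apply from Authenticated Users but keep Read. Without Read the
# client cannot even retrieve the GPO to decide that it does not apply.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace

# Step 2: grant Read + Apply to the intended group only.
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group `
    -PermissionLevel GpoApply

# Verify: who now holds the Apply permission on this GPO?
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission
```

Running the verification step after every change is the habit worth keeping: a GPO that still carries GpoApply for Authenticated Users is not filtered at all, however carefully the group was added.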
Slide 12: Local GPO
The local GPO settings are stored on the local computer in the %systemroot%\System32\GroupPolicy folder
Local GPOs contain fewer options
– They do not support folder redirection or Group Policy software installation
– Fewer security settings are available
When a local and a nonlocal (Active Directory-based) GPO have conflicting settings, the local GPO is overridden by the nonlocal GPO
Slide 13: Nonlocal GPOs
Nonlocal GPOs are created in Active Directory
They are linked to sites, domains, or OUs
– Once linked to a container, the GPO is applied to all users and computers within that container by default
GPOs are stored in two places:
– Group Policy container (GPC) – an Active Directory object that stores the properties of the GPO
– Group Policy template (GPT) – located in the Policies subfolder of the SYSVOL share, the GPT is a folder that stores policy settings, such as security settings and script files
Slide 14: Starter GPOs
A new feature in Windows Server 2008
Used as GPO templates within Active Directory
Allow you to configure a standard set of items that will be configured by default in any GPO that is derived from a starter GPO
Slide 15: Creating & Managing Group Policies
The Group Policy Management Console (GPMC) is the Microsoft Management Console (MMC) snap-in that is used to create and modify Group Policies and their settings
When you configure a GPO, you will use the Group Policy Management Editor, which can be accessed through the GPMC or through Active Directory Users and Computers
Slide 16: Group Policy Settings
Configuring Group Policy settings enables you to customize the configuration of a user's desktop, environment, and security settings
The actual settings are divided into two subcategories:
– Computer Configuration
– User Configuration
Slide 17: Group Policy Settings
The Computer Configuration and User Configuration nodes each contain three subnodes
– Software Settings – used to install software
– Windows Settings – used to define security settings and scripts
– Administrative Templates – include thousands of Administrative Template policies, which contain all registry-based policy settings; they are used to generate the user interface for each Group Policy setting
Slide 18: GPO Inheritance
You link a GPO to a domain, site, or OU, or create and link a GPO to one of these containers in a single step
The settings within that GPO apply to all child objects within that container
Slide 19: How Group Policies Are Used
1. During computer startup, a list of GPOs for the computer is obtained
2. Computer settings are applied during startup
3. Startup scripts are run
4. The Windows logon prompt appears when step 3 completes
5. Upon successful validation of the user, the user profile loads
6. A list of GPOs for the user is obtained
7. Logon scripts are run
8. The user interface appears
9. At log off and shutdown, any log off and shutdown scripts are run
Slide 20: Processing Group Policy
Processing order
1. Local policies
2. Site policies
3. Domain policies
4. OU policies
Multiple policies at the same level are applied bottom up
If there is a conflict on a particular setting:
– By default, the last policy applied wins
– Exceptions: No Override, Block Policy Inheritance, and User Group Policy loopback processing mode
Slide 21: No Override
Ensures a policy is applied, regardless of priority, hierarchy, inheritance blocking, or conflicting settings
Configured on a per-policy basis
Slide 22: Block Policy Inheritance
Prevents policies from being inherited from higher levels in the Active Directory hierarchy
Can be used at the domain or OU level only, not per policy
Cannot stop a policy marked as No Override
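The two inheritance exceptions from the last two slides (No Override, which the GPMC and the cmdlets call "Enforced", and Block Policy Inheritance), applied and then verified from PowerShell. This is an added example, not part of the original deck; the domain, OU and GPO names are assumptions, and it requires the GroupPolicy module.

```powershell
# Added example (not from the slides): Block Policy Inheritance on an OU plus
# an enforced (No Override) domain-level GPO, then a read-back of what the OU
# really inherits. Domain, OU and GPO names are assumptions.
Import-Module GroupPolicy

$domain   = 'park.local'                     # assumed domain
$domainDn = 'DC=park,DC=local'
$ouDn     = 'OU=Editors,DC=park,DC=local'    # assumed OU
$baseline = 'Corp Security Baseline'         # assumed GPO linked at the domain

# Block Policy Inheritance is set on the container (domain or OU), not per GPO.
Set-GPInheritance -Target $ouDn -IsBlocked Yes -Domain $domain

# No Override is set per link. An enforced link is applied even where
# inheritance is blocked and wins any conflict with lower-level GPOs.
Set-GPLink -Name $baseline -Target $domainDn -Enforced Yes -Domain $domain

# Verify: the OU should report blocking, yet still list the enforced baseline.
# Order 1 is applied last and therefore wins conflicts.
$inh = Get-GPInheritance -Target $ouDn -Domain $domain
"Inheritance blocked on ${ouDn}: $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enforced, Enabled, Target
```

If the baseline does not show up in InheritedGpoLinks after blocking, it was linked without Enforced and the block is hiding it; that is exactly the case the slide warns about, where a lower-level administrator can switch off a security baseline.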
Slide 23: Security Settings
Account – password, account lockout, and user authentication policies for the domain
Local – audit, user rights, and security options for the local machine
Event Log policy – size, history, and accessibility
Restricted Groups – control the "Members" and "Member Of" properties of security groups (used to populate local machine groups with the domain values)
System Services – control service startup mode and access permissions
Slide 24: Security Settings
Registry & File System – access permissions and audit settings per key or per file system object
Wireless Network – preferred networks, authentication types, etc.
Public Key – Encrypting File System, automatic certificate request, trusted root certificates, and an enterprise trust list
Software Restriction – allow or disallow application redirection for specific applications, folder redirection, offline files control, and disk quotas
IPsec for AD – assign policies based on IP address
Slide 25: Account Policies
Account policies influence how a user interacts with a computer or a domain
By default, they are linked to the Default Domain Policy
This account policy is applied to all accounts throughout the domain by default, unless you create one or more Fine-Grained Password Policies (FGPP) that override the domain-wide policy. These Fine-Grained Password Policies can be applied
Slide 26: Fine-Grained Password Policy
Prior to Windows Server 2008, an Active Directory domain could have only a single
– Password Policy
– Account Lockout Policy
The only choice was configuring a separate domain or forcing all users within the domain to conform to a single password policy
Beginning in Windows Server 2008, you can configure Fine-Grained Password Policies, which allow you to define multiple password policies within a single domain
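A fine-grained password policy for a privileged group, as an added example that is not part of the original deck. The ActiveDirectory module cmdlets used here shipped with Windows Server 2008 R2; on Windows Server 2008 RTM the same password settings objects are created with ADSI Edit or ldifde. The policy name and the values chosen are assumptions; the domain functional level must be Windows Server 2008 or higher.

```powershell
# Added example (not from the slides): a stricter password and lockout policy
# that applies only to Domain Admins, leaving the Default Domain Policy in
# place for everyone else. PSO name and thresholds are assumptions.
Import-Module ActiveDirectory

$psoName = 'PSO-Domain-Admins-Strict'   # assumed PSO name
$subject = 'Domain Admins'              # PSOs target users or global security groups, not OUs

# Precedence: when a user falls under several PSOs the lowest number wins.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# Attach the PSO to the group.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $subject

# Verify which policy actually wins for one account: the resultant PSO.
# If this returns nothing, the account is still under the domain-wide policy.
Get-ADUserResultantPasswordPolicy -Identity 'Administrator' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```

The resultant-policy check is the part to script into a periodic review: nested group changes can silently move an account out from under the PSO, and the domain-wide policy applies again without any error.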
Slide 27: Kerberos Policy
Kerberos is the default mechanism for authenticating domain users in Windows Server 2008, Windows Server 2003, and Microsoft Windows 2000
Kerberos is a ticket-based system that allows domain access by using a Key Distribution Center (KDC)
– These tickets have a finite lifetime and are based in part on system time clocks
– Note that Kerberos has a 5-minute clock skew tolerance between the client and the domain controller
– If the clocks are off by more than 5 minutes, the client will not be able to log on
Slide 28: Kerberos Policy
Enforce User Logon Restrictions tells Windows Server 2008 to validate each request for a session ticket against the rights associated with the user account
Although this process can slow the response time for user access to resources, it is an important security feature that should not be overlooked or disabled
Enforce User Logon Restrictions is enabled by default
Slide 29: Local Policies
Allow administrators to set user privileges on the local computer that govern what users can do on the computer and determine if these actions are tracked within an event log (auditing):
– User Rights Assignment
– Security Options
– Audit Policy
Slide 30: Audit Policy
System events – events that trigger a log entry include:
– system startups and shutdowns
– system time changes
– system event resource exhaustion, such as when an event log is filled and can no longer append entries
– security log clearing
– any event that affects system security or the security log
In the Default Domain Controllers GPO, this setting is set to log successes by default
Slide 31: Policy Change Events
By default, this policy is set to audit successes in the Default Domain Controllers GPO
Policy change audit log entries are triggered by:
– user rights assignment changes
– establishment or removal of trust relationships
– IPsec policy agent changes
– grants or removals of system access privileges
Slide 32: Account Management Events
This policy setting is set to audit successes in the Default Domain Controllers GPO
This setting triggers an event based on changes to account and group properties:
– user or group account creation
– deletion
– renaming
– enabling
– disabling
Slide 33: Logon Events
This setting logs events related to successful user logons on a computer
– The event is logged on the computer that processes the request
– The default setting is to log successes in the Default Domain Controllers GPO
Slide 34: Audit Policy
Audit Directory Service Access – logs user access to Active Directory objects, such as other user objects or OUs
Audit Object Access – logs user access to files, folders, registry keys, printers, etc.
– You MUST enable Audit Object Access, then specify which objects you want to audit
– Audit results are written to the Event Viewer Security log
Slide 35: Configuring Object Access Auditing
1. Right-click the file or folder you want to audit
2. Select Properties
3. On the Security tab, click Advanced
4. In the Advanced Security Settings dialog box, select the Auditing tab
5. Select the appropriate user or group
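The same object access audit that the five dialog steps above configure, done from PowerShell, followed by a read-back of the Security log entries it produces. This is an added example, not part of the original deck; the folder path and the group are assumptions, and the script must run elevated because writing a SACL requires the "Manage auditing and security log" user right.

```powershell
# Added example (not from the slides): enable Audit Object Access, put an audit
# entry (SACL) on a folder, then read the resulting 4663 events.
# Folder and group are assumptions. Run elevated.

$folder = 'D:\Editors\Sensitive'   # assumed folder to audit
$group  = 'PARK\Editors'           # assumed domain group

# 1. Audit Object Access must be on, or the SACL below never produces events.
#    On Server 2008 the per-subcategory setting only sticks if the security
#    option "Force audit policy subcategory settings" is enabled.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add the audit rule: log successful and failed write/delete attempts by
#    the group, inherited by subfolders and files (-Audit fetches the SACL).
$acl  = Get-Acl -Path $folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $group,
    [System.Security.AccessControl.FileSystemRights]'Write, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. Read back. Event 4663 ("An attempt was made to access an object") carries
#    the account (property 1) and the object name (property 6) in its schema.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 |
    Where-Object { $_.Message -like "*$folder*" } |
    Select-Object TimeCreated,
                  @{n='Account'; e={ $_.Properties[1].Value }},
                  @{n='Object';  e={ $_.Properties[6].Value }}
```

Auditing Read access on a busy share fills the Security log quickly and hides the events that matter; the example audits only Write and Delete on the sensitive folder, which is usually the question an investigator actually asks.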
Slide 36: Restricted Groups Policy
Allows an administrator to specify group membership lists
You can control membership in important groups, such as the local Administrators group
Slide 37: Folder Redirection Policy
Folder redirection redirects the contents of certain folders to a network location or to another location on the user's local computer
Contents of folders on a local computer located in the Documents and Settings folder can be redirected
– Basic – redirects everyone's folder to the same location; you must specify the target folder location in the Settings dialog box
– Advanced – specifies locations for various user groups; you must specify the target folder location for each group that you add in the Settings dialog box
Slide 38: Offline Files Policy
Can allow files to be available to users, even when the users are disconnected from the network
– The Offline Files feature works well with Folder Redirection
– When Offline Files is enabled, users can access necessary files as if they were connected to the network
– When the network connection is restored, changes made to any documents are automatically updated to the server
– Folders can be configured so that either all files or only selected files within the folder are available for offline use
– When it is combined with Folder Redirection, users have the benefits of being able to redirect files to a network location and still have access to the files when the network connection is not present
Slide 39: Disk Quotas
Limit the amount of space available on the server for user data
Can be enforced on all users domain wide
Slide 40: Group Policy Refresh
Computer configuration group policies are refreshed every 90 minutes (+/- 30 minutes) by default
Domain controller group policies are refreshed every 2 minutes
You can force a group policy refresh by using the gpupdate command: gpupdate /force
Slide 41: GPUpdate Command
If you make changes to a group policy, users may not see the changes take effect until:
– They log off and log back on
– They reboot the computer
– They wait 90 minutes (+/- 30 minutes) for stand-alone servers/workstations, or 2 minutes for domain controllers
To manually push group policies, use the gpupdate command: gpupdate /force
Slide 42: AD Rights Management
A new feature that allows users to provide better security for Microsoft applications
Basically a second level of protection beyond the normal access list permission restrictions
Its chief advantage is the ability to block document forwarding and printing
Slide 43: Feature comparison (table)
Columns: AD RMS, Secure/Multipurpose Internet Mail Extension (S/MIME) Signing, S/MIME Encryption, Access control lists (ACLs), Encrypting File System (EFS)
Rows (capability compared for each technology):
– Attests to the identity of the publisher
– Differentiates permissions by user
– Prevents unauthorized viewing
– Encrypts protected content
– Offers content expiration
– Controls content reading, modifying, or printing by user
– Extends protection beyond initial publication
Slide 44: Software Lifecycle
Slide 45: Group Policy Software Management
Group Policy can be used to:
– install
– upgrade
– patch
– remove software applications
under the following conditions:
– when a computer is started
– when a user logs on to the network
– when a user accesses a file associated with a program that is not currently on the user's computer
Group Policy can be used to fix problems associated with applications
Slide 46: Windows Installer Service / .MSI File
An .msi file is a relational database file that is copied to the target computer system with the program files it deploys
– Assists in the self-healing process for damaged applications and in clean application removal
– Consists of external source files that may be required for the installation or removal of software
– Includes summary information about the software and the package
– Includes a reference point to the path where the installation files are located
The Windows Installer service is responsible for automating the installation and configuration of the designated software
Slide 47: .MST File
You may need to modify Windows Installer files to better suit the needs of your corporate network
Modifications to .msi files require transform files, which have an .mst extension
Slide 48: Patch file (.msp)
Patch files are used to apply service packs and hot fixes to installed software
Rather than a complete installation database, a patch file contains, at minimum, a database transform procedure that adds patching information to the target installation package database
.msp files should be located in the same folder as the original .msi file when you want the patch to be applied as part of the Group Policy software installation
This allows the patch file to be applied to the original package or .msi file
Slide 49: Software Distribution Point
Before deploying software using Group Policy, you must create a distribution share (software distribution point)
Users who are affected by the Group Policy assignment should be assigned NTFS Read permission to the folder containing the application and package files
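Creating the distribution point this slide describes, with NTFS Read restricted to the group the GPO targets, as an added example that is not part of the original deck. The folder, share name and group are assumptions; the script uses icacls and net share, both present on Windows Server 2008, and must run elevated on the file server. It goes one step beyond the slide by also granting Read to Domain Computers, since software assigned to computers is installed in the computer's own security context.

```powershell
# Added example (not from the slides): software distribution point with
# least-privilege NTFS permissions. Paths, share name and group are assumptions.
$root  = 'D:\Software'
$share = 'Software$'                  # assumed hidden share name
$group = 'PARK\App-Office-Users'      # assumed group the GPO is filtered to

New-Item -Path $root -ItemType Directory -Force | Out-Null
# Copy the .msi / .mst / .msp files into $root before linking the GPO.

# NTFS: /inheritance:r drops inherited ACEs so "Users" from the drive root does
# not keep access; /grant:r then sets exactly the entries listed.
# RX = read and execute, (OI)(CI) = inherit to files and subfolders.
icacls $root /inheritance:r `
    /grant:r "${group}:(OI)(CI)RX" `
             "PARK\Domain Computers:(OI)(CI)RX" `
             "BUILTIN\Administrators:(OI)(CI)F" `
             "NT AUTHORITY\SYSTEM:(OI)(CI)F"

# Share permissions: READ for the same principals; NTFS does the real limiting.
net share "$share=$root" "/grant:${group},READ" `
    "/grant:PARK\Domain Computers,READ" "/grant:BUILTIN\Administrators,FULL"

# Verify the effective NTFS entries. No Write for end users is the point:
# a package that users can modify is a package anyone can replace.
icacls $root
```

Write access to the distribution point should stay with the administrators who build packages; clients only ever need to read the .msi and its transforms.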
Slide 50: Assigning and Publishing Software
Assigning software
– If you assign the program to a user, it is installed when the user logs on to the computer
– If you assign the program to a computer, it is installed when the computer starts, and it is available to all users who log on to the computer
– When a user first runs the program, the installation is finalized
Publishing software
– You can publish a program distribution to users
– When the user logs on to the computer, the published program is displayed in the Add or Remove Programs dialog box, and it can be installed from there
Slide 51: Software Restriction Policies
Provide methods to control the use of software applications through Group Policy
Strategy
– Unrestricted – allow all except explicitly denied (default)
– Disallowed – deny all except explicitly allowed
– Basic User – blocks applications that require administrative rights, but allows programs that are accessible by normal users
Default Software Restriction Policy: Unrestricted
Slide 52: Software Restriction Policies
Four types of software restriction rules exist
– Hash rule – attaches a hash that governs whether the file can run
– Certificate rule – allows execution of specific file types
– Path rule – can bypass the default security setting for specific files
– Network zone rule – determines whether the application is allowed to be installed (.msi only)
Slide 53: EFS
Encrypting File System (EFS) sets up a unique, private encryption key associated with the user account that encrypted the folder or file
When you move an encrypted file to another folder on the same computer, that file remains encrypted, even if you rename it
The cipher command line utility can encrypt or decrypt folders and files
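Using the cipher utility named on this slide to encrypt a folder, verify the result, and list which keys can open each file, as an added example that is not part of the original deck. The folder path is an assumption. It runs as the user whose certificate should own the files, since EFS keys are per user account.

```powershell
# Added example (not from the slides): encrypt a folder tree with EFS, confirm
# the Encrypted attribute, and list the certificates that can decrypt each file.
# Folder path is an assumption; run as the owning user.
$folder = 'D:\Editors\Sensitive'

# /e encrypt, /s: apply to the whole directory tree, /a include the files
# themselves (without /a only the directories are marked). Files created
# in a marked directory later are encrypted automatically.
cipher /e /s:$folder /a

# Verify: every file should now carry the Encrypted attribute.
Get-ChildItem -Path $folder -Recurse |
    Where-Object { -not $_.PSIsContainer } |
    Select-Object FullName,
        @{n='Encrypted'; e={ ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 }}

# Which user certificates and data recovery agents can open each file?
# A file that lists no recovery agent cannot be recovered if the user's key
# is lost, so check this before relying on EFS for anything important.
cipher /c /s:$folder

# As the slide says, moving within the same computer keeps the file encrypted.
# Copying to a FAT-formatted USB drive or a non-NTFS share produces a plaintext
# copy, which is why the recovery-agent and attribute checks above belong in a
# periodic review of redirected folders.
```

The recovery agent listing is the check most often skipped: EFS without a backed-up recovery agent certificate turns a lost profile or a reinstalled workstation into permanent data loss, which is the scenario the case study later in the deck is about.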
Slide 54: BitLocker
A Trusted Platform Module (TPM) must be available (a chip or controller on the motherboard); it is transparent to the user
Can also use a USB drive with the necessary identification info to access hard disks
You must create an operating system partition no less than 1.5 GB in size
A second primary partition is required for BitLocker
BitLocker has its own control panel
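Checking the prerequisites this slide lists (a usable TPM and a separate partition) and the current protection state, as an added example that is not part of the original deck. It uses the Win32_Tpm WMI class and the manage-bde tool; both are available on Windows Server 2008 once the BitLocker feature is installed (on 2008 RTM manage-bde is a script, run as cscript manage-bde.wsf). Run elevated.

```powershell
# Added example (not from the slides): BitLocker readiness and status check.
# Uses the TPM WMI provider and manage-bde; run elevated.
$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm

if ($tpm) {
    # Each method returns an object whose property of the same name holds the flag.
    "TPM enabled:   $($tpm.IsEnabled().IsEnabled)"
    "TPM activated: $($tpm.IsActivated().IsActivated)"
    "TPM owned:     $($tpm.IsOwned().IsOwned)"
} else {
    "No TPM found; BitLocker would need the USB startup key option instead."
}

# Partitions: the slide's second primary partition is the unencrypted system
# (boot) partition that must sit apart from the OS volume being encrypted.
Get-WmiObject -Class Win32_DiskPartition |
    Select-Object DeviceID, BootPartition, PrimaryPartition,
        @{n='SizeGB'; e={ [math]::Round($_.Size / 1GB, 1) }}

# Protection status per volume: Off/On, encryption progress, key protectors.
# On Server 2008 RTM use: cscript manage-bde.wsf -status
manage-bde -status
```

A TPM that is present but not enabled or not owned is the usual reason the BitLocker control panel refuses to start; the WMI flags above tell you which of the three states is the blocker before you reboot into the BIOS.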
Slide 55: Network Access Protection
IPsec – can prevent non-compliant computers from communicating with compliant computers, using a Network Policy Server
NAT – prevents outsiders from knowing a computer's IP address
VPN – secure encrypted network access through the Internet
DHCP – configured through the Network Policy Server
Terminal Services Gateway – uses a Network Policy Server
802.1x – verifies the client and provides a secure port
Slide 56: Case Study
You are a computer consultant
The Park Publishing network consists of a single Active Directory domain with four domain controllers running Windows Server 2008, three file servers, and 300 clients that are evenly divided between Windows XP Professional and Windows 7
Recently, data was lost when an employee's laptop was stolen, and other data was lost during a fire sprinkler system incident in which the employee's computer was destroyed
Slide 57: Case Study (cont.)
Employees typically store documents in their My Documents folder
All client computers have P drive mappings that are supposed to be used for storing files
Editors frequently work on sensitive documents that should not be accessible to anyone else
Given Park Publishing's concerns, answer the following questions:
Slide 58: Case Study (cont.)
1. How would you ensure that employees store their data on the server in the future?
2. How can you address the situation concerning the sensitive data editors use?
3. How would you address the users with mobile computers so that they could work on their files while traveling while keeping the files safe on the server?
4. What could you do about the existing data in employees' My Documents folders?
Slide 59: Summary
Microsoft provides several security options to both protect data and monitor who is accessing it
Group Policies can be assigned to sites, domains, and OUs
By default, there is one local policy per computer, plus a Default Domain Policy and a Default Domain Controllers Policy
Slide 60: Summary
Group Policy processing order
– Local
– Site
– Domain
– OU
Group Policies applied to parent containers are inherited by all child containers and objects
Inheritance exceptions: No Override, Block Policy Inheritance, or Loopback settings
Slide 61: Summary
Auditing object access and user rights
Account policies
Object auditing
BitLocker
AD Rights Management (AD RMS)
Offline file protection
Disk quotas
Network Access Protection
Slide 62: Lab 11
Do all the activities in chapter 13 of the text book
Take a screen shot of the results of each activity and paste it into a Word document titled Lab 11
Email your completed Lab 11 document to donna.warren@comcast.net