Module 8: Managing Enterprise Security and Configuration with Group Policy Settings
Contents:
Lesson 1: Manage Group Membership by Using Group Policy Settings
Lab A: Use Group Policy to Manage Group Membership
Lesson 2: Manage Security Settings
Lab B: Manage Security Settings
Lesson 3: Auditing
Lab C: Audit File System Access
Lesson 4: Software Restriction Policy and AppLocker
Lab D: Configure Application Control Policies
Module Overview
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=10&FontSize=3&FontType=segoe
1/105
07/06/13
Objectives
Many enterprises have one or more people dedicated to supporting end users. They are often referred to as the help desk, desktop support, or just support. Help desk personnel need to troubleshoot, configure, or perform other support tasks on client computers, and these tasks often require administrative privileges. Therefore, the credentials used by support personnel must be at the level of a member of the local Administrators group on client computers. However, desktop support personnel do not need the high level of privilege given to the Domain Admins group, so do not place them in that group. Instead, configure client systems so that a group representing support personnel is added to the local Administrators group. Restricted groups policies enable you to do just that, and in this lesson, you will learn how to use restricted groups policies to add the help desk personnel to the local Administrators group of clients and, thereby, delegate support of those computers to the help desk. The same approach can be used to delegate the administration of any scope of computers to the team responsible for those systems.
Objectives
After completing this lesson, you will be able to:
- Describe restricted groups.
- Use Restricted Groups policies to modify or enforce the membership of groups.
- Use Group Policy Preferences to modify the membership of groups.
Restricted Groups policy settings enable you to manage the membership of groups.
There are two types of settings: This group is a member of (the Member Of setting) and Members of this group (the Members setting).

It's very important to understand the difference between these two settings. A Member Of setting specifies that the group specified by the policy is a member of another group. On the left of the previous screenshot, you can see a typical example: The CONTOSO\Help Desk group is a member of the Administrators group. When a computer applies this policy setting, it ensures that the Help Desk group from the domain becomes a member of its local Administrators group. If there is more than one GPO with restricted groups policies, each Member Of policy is applied. For example, if a GPO linked to the Client Computers organizational unit (OU) specifies CONTOSO\Help Desk as a member of Administrators, and a second GPO linked to the SEA OU (a sub-OU of the Client Computers OU) specifies CONTOSO\NYC Support as a member of Administrators, a computer in the NYC OU will add both the Help Desk and NYC Support groups to its Administrators group in addition to any existing members of the group, such as Domain Admins. This example is illustrated in the following screenshot.
In your enterprise, be careful to design and test your restricted groups policies to ensure that they achieve the desired result.
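The combining rules described above can be checked before a single GPO is linked. The block below is an added example for this lesson (not course or Windows code) that models only the two rules the text states: every applicable Member Of setting adds its group to the target, a Members setting makes the listed accounts the sole members, and GPOs are processed from the top of the OU hierarchy down. It assumes the Lab A names (Corporate Help Desk linked at Client Computers, Seattle Support at Client Computers\SEA), a constructed starting membership, and a hypothetical Lock Down Administrators GPO; Enforced links, Block Inheritance and the built-in Administrator account are not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class RestrictedGroup:
    """One Restricted Groups entry from a GPO: the group the policy names, the
    groups it is made a member of ("This group is a member of") and, when set,
    the enforced member list ("Members of this group")."""
    group: str
    member_of: List[str] = field(default_factory=list)
    members: Optional[List[str]] = None


@dataclass
class GPO:
    name: str
    settings: List[RestrictedGroup]


def applicable_gpos(computer_ou: str, links: Dict[str, List[GPO]]) -> List[GPO]:
    """GPOs linked at the computer's OU and at every ancestor, ordered from the
    top of the hierarchy down, so the GPO nearest the computer is applied last."""
    parts = computer_ou.split("/")
    ordered: List[GPO] = []
    for depth in range(1, len(parts) + 1):
        ordered.extend(links.get("/".join(parts[:depth]), []))
    return ordered


def effective_membership(existing: Dict[str, Set[str]],
                         gpos: List[GPO]) -> Dict[str, Set[str]]:
    """Apply every Restricted Groups entry, in GPO order, to a copy of the local
    group membership. Members replaces the whole list; Member Of only adds."""
    groups = {name: set(members) for name, members in existing.items()}
    for gpo in gpos:
        for entry in gpo.settings:
            if entry.members is not None:
                groups[entry.group] = set(entry.members)
            for target in entry.member_of:
                groups.setdefault(target, set()).add(entry.group)
    return groups


# Constructed starting state: a client's local Administrators group before any
# policy applies, including an account a technician added by hand.
LOCAL_BEFORE: Dict[str, Set[str]] = {
    "Administrators": {"CONTOSO\\Domain Admins", "LocalTech"},
}

# Constructed GPO links mirroring Lab A: Corporate Help Desk linked to the
# Client Computers OU, Seattle Support linked to its SEA sub-OU.
LAB_LINKS: Dict[str, List[GPO]] = {
    "contoso.com/Client Computers": [
        GPO("Corporate Help Desk",
            [RestrictedGroup("CONTOSO\\Help Desk", member_of=["Administrators"])]),
    ],
    "contoso.com/Client Computers/SEA": [
        GPO("Seattle Support",
            [RestrictedGroup("CONTOSO\\SEA Support", member_of=["Administrators"])]),
    ],
}


def admins_for(computer_ou: str, links: Dict[str, List[GPO]]) -> Set[str]:
    """Resulting local Administrators membership for a computer in computer_ou."""
    gpos = applicable_gpos(computer_ou, links)
    return effective_membership(LOCAL_BEFORE, gpos)["Administrators"]


def with_enforced_members(links: Dict[str, List[GPO]]) -> Dict[str, List[GPO]]:
    """Return a copy of links with one more (hypothetical) GPO at Client Computers
    that uses the Members setting to make CONTOSO\\Help Desk the sole member of
    Administrators, as in the lesson's second demonstration."""
    extended = {ou: list(gpos) for ou, gpos in links.items()}
    extended["contoso.com/Client Computers"].append(GPO(
        "Lock Down Administrators",
        [RestrictedGroup("Administrators", members=["CONTOSO\\Help Desk"])]))
    return extended


if __name__ == "__main__":
    for ou in ("contoso.com/Client Computers/SEA", "contoso.com/Client Computers/NYC"):
        print(ou, "->", sorted(admins_for(ou, LAB_LINKS)))
    locked = with_enforced_members(LAB_LINKS)
    print("SEA with Members enforced ->",
          sorted(admins_for("contoso.com/Client Computers/SEA", locked)))
```

Running it shows a SEA computer gaining both support groups, and, once the Members-based GPO is linked at the parent OU, losing Domain Admins and the locally added account, which is the kind of surprise the warning above is about.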
You can use restricted groups policies with the Member Of setting to manage the delegation of administrative privileges for computers by following these steps:
Demonstration Steps
1. Start 6425C-NYC-DC1 and log on as Pat.Coleman with the password Pa$$w0rd.
2. On NYC-DC1, click Start, point to Administrative Tools, and run Group Policy Management with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
3. In the console tree, expand Forest: contoso.com, Domains, and contoso.com, and then click the Group Policy Objects container.
4. Right-click the Group Policy Objects container, and then click New.
5. In the Name box, type Corporate Help Desk, and then click OK.
6. In the details pane, right-click Corporate Help Desk, and then click Edit. The Group Policy Management Editor appears.
7. In Group Policy Management Editor, go to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups.
8. Right-click Restricted Groups and click Add Group.
9. Click Browse and, in the Select Groups dialog box, type the name of the group you want to add to the Administrators group (for example, CONTOSO\Help Desk) and click OK.
10. Click OK to close the Add Group dialog box.
Demonstration Steps
1. In Group Policy Management Editor, go to Computer Configuration\Windows Settings\Security Settings\Restricted Groups.
2. Right-click Restricted Groups, and click Add Group.
3. Type Administrators, and click OK. A Properties dialog box appears.
4. Click Add next to the Members of this group section.
5. Click Browse and enter the name of the group you want to make the sole member of the Administrators group (for example, CONTOSO\Help Desk) and click OK.
6. Click OK again to close the Add Member dialog box. The group policy setting Properties should look similar to the dialog box on the left of the side-by-side dialog boxes shown earlier.
7. Click OK again to close the Properties dialog box.
permanent and irremovable member of Administrators.
Discussion Questions
1. Why might you want to add the currently logged-on user?
Answer: While it is not the best practice for a user to be logged on as a member of the local Administrators group, there are still applications and functions that require administrative privileges to function properly. In these situations, you might want to allow a user to be a member of the local Administrators group on computers to which the user logs on. As a tip, you can implement the Delete All Member Users option and the At The Current User option. When the preference is processed, all existing user accounts are removed from the group first, and then the current user is added. The user must then log off and log on, at which point the user becomes a member of Administrators. During the next logon policy refresh, the Delete All Member Users setting removes the user's account, and then re-adds it. So, the user remains a member of Administrators as long as the user is within the management scope of the GPO.
2. In what scenario might you want to modify the membership of the local Administrators group of a computer by using a Local Group preference in the User Configuration node of a GPO that scopes the preference not to specific computers, but to specific users?
Answer: Answers will vary. This is a fairly advanced question, but here's the scenario: There is a support organization dedicated to helping specific users, such as an Executive Support team that is on call to support executives of an organization. In this administrative model, when an executive has a problem, the Executive Support team should be a member of the Administrators group on whichever machine the executive is logged on. So, the definition of who should be in the Administrators group (Executive Support) should "follow" the executive users rather than be locked (scoped) to a specific set of computers.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
Lab Scenario
You have been asked by the corporate security team to lock down the membership of the Administrators group on client computers. However, you need to provide the centralized help desk with the ability to perform support tasks for users throughout the organization. Additionally, you must empower the local site desktop support team to perform administrative tasks for client computers in that site.
1. On NYC-DC1, run Group Policy Management as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. Create a GPO named Corporate Help Desk, scoped to all computers in the Client Computers OU.
3.
1. Run Active Directory Users and Computers as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. In the Groups\Role OU, create a global security group called SEA Support.
3. Close Active Directory Users and Computers.
1. Run Group Policy Management and create a GPO named Seattle Support, scoped to all computers in the Client Computers\SEA OU.
2. Use Group Policy Modeling to confirm that a computer in the SEA OU will include both the Help Desk and SEA Support groups in its Administrators group.
Results: In this exercise, you created a Corporate Help Desk GPO that ensures
Security is a primary concern for all Windows administrators. Windows Server 2008 includes several settings that affect the services that are running, the open ports, the network packets that are allowed into or out of the system, the rights and permissions of users, and the audited activities. There is an enormous number of settings that can be managed. The appropriate security configuration for a server depends on the roles that the server plays, the mix of operating systems in the environment, and the security policies of the organization, which themselves depend on compliance regulations enforced from outside the organization.

Therefore, you must determine and configure the security settings that are required for servers in your organization, and you must be prepared to manage those settings in a way that centralizes and optimizes security configuration. Windows Server 2008 provides several mechanisms with which to configure security settings on one or more systems. In this lesson, you will discover these mechanisms and their interactions.
Objectives
After completing this lesson, you will be able to:
- Configure security settings on a computer by using the Local Security Policy.
- Create and apply security templates to manage security configuration.
- Analyze security configuration based on security templates.
- Create, edit, and apply security policies by using the Security Configuration Wizard.
- Deploy security configuration with Group Policy.
Security policy management involves designing, deploying, managing, analyzing, and revising security settings for one or more configurations of Windows systems. A typical enterprise is likely to have several configurations: desktops and laptops, servers, and domain controllers. Most enterprises end up defining even more configurations, such as by delineating various types or roles of servers.

Before you even touch the technology, you need to understand what your enterprise security policy requires, and if you do not yet have a written security policy, begin by creating one.

The security policy, and the requirements it contains, will likely require multiple customizations to the default, out-of-box security configuration of Windows client and
This lesson focuses on the mechanisms with which to configure and manage security settings rather than on the details of the settings themselves. Many of the settings, including account policies, audit policy, and user rights assignment, are discussed elsewhere in this course.

Because domain controllers do not have local user accounts and have only domain accounts, the policies in the Account Policies container of the local GPO on DCs cannot be configured. Instead, account policies for the domain should be configured as part of a domain-linked GPO such as the Default Domain Policy GPO. Account policies are discussed in further detail in Module 10.

The settings found in the local Security Settings policies are a subset of the policies that can be configured by using domain-based Group Policy, shown below:
The tools used to manage security templates present settings in an interface that enables you to save your security configurations as files and deploy them when and where they are needed. You can also use a security template to analyze the compliance of a computer's current configuration against the desired configuration.

There are several advantages to storing security configuration in security templates. First, because the templates are plain text files, you can work with them manually as with any text file, cutting and pasting sections as needed. Second, templates make it easy to store security configurations of various types so that you can easily apply different levels of security to computers performing different roles.

Security templates enable you to configure any of the following types of policies and settings:
- Account Policies: Enable you to specify password restrictions, account lockout policies, and Kerberos policies.
- Local Policies: Enable you to configure audit policies, user rights assignments, and security options policies.
- Event Log Policies: Enable you to configure maximum event log sizes and rollover policies.
- Restricted Groups: Enable you to specify the users who are permitted to be members of specific groups.
- System Services: Enable you to specify the startup types and permissions for system services.
- Registry Permissions: Enable you to set access control permissions for specific registry keys.
- File System Permissions: Enable you to specify access control permissions for NTFS files and folders.
Secedit.exe
Secedit.exe is a command-line utility that can be used to manage security templates. The advantage of Secedit.exe is that you can call it from scripts and batch files, enabling you to automate your security template deployments. Another big advantage of Secedit.exe is that you can use it to apply only part of a security template to a computer, and this is something you cannot do with GPOs. For example, if you want to apply the file system permissions from a template but leave all the other settings alone, Secedit.exe is the only way to do it.

To use Secedit.exe, you run the program from the command prompt with one of the following six main parameters and additional parameters for each function:
- Configure. Applies all or part of a security database to the local computer. You can also configure the program to import a security template into the specified database before applying the database settings to the computer.
- Analyze. Compares the computer's current security settings with those in a security database. You can configure the program to import a security template into the database before performing the analysis. The program stores the results of the analysis in the database itself, which you can view later by using the Security Configuration and Analysis snap-in.
- Import. Imports all or part of a security template into a specific security database.
- Export. Exports all or part of the settings from a security database to a new security template.
For example, to configure the machine by using a template called BaselineSecurity, use the following command.

secedit /configure /db BaselineSecurity.sdb /cfg BaselineSecurity.inf /log BaselineSecurity.log

To create a rollback template for the BaselineSecurity template, use the following command.

secedit /generaterollback /cfg BaselineSecurity.inf /rbk BaselineSecurityRollback.inf /log BaselineSecurityRollback.log
To work with security templates, you use the Security Templates snap-in. Windows Server 2008 does not include a console with the Security Templates snap-in, so you have to create one yourself by using the MMC Add/Remove Snap-in command. The snap-in creates a folder called Security and a subfolder called Templates in your Documents folder, and the Documents\Security\Templates folder becomes the template search path, where you can store one or more security templates.

To create a new security template:
Right-click the node that represents your template search path (C:\Users\Documents\Administrator\Security\Templates, for example) and click New Template.
You can also create a template that reflects the current configuration of a server; you'll learn how to do that later in this lesson.

Settings are configured in the template in the same way that settings are configured in a GPO. The Security Templates snap-in is used to configure settings in a security template. It is just an editor; it does not play any role in actually applying those settings to a system. Configure security settings in a template by using the Security Templates snap-in. Although the template itself is a text file, the syntax can be confusing. Using the snap-in ensures that settings are changed through the proper syntax.

The exception to this rule is adding Registry settings that are not already listed in the Local Policies\Security Options portion of the template. As new security settings become known, if they can be configured by using a Registry key, you can add them to a security template. To do so, you add them to the Registry Values section of the template.

Note: Be sure to save your changes to a security template by right-clicking the template and clicking Save.
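Because the template is plain text, it can be read and checked outside the console, for instance before it is imported into a GPO. The reader below is an added example for this lesson, not course or Windows code; it assumes the standard section names ([Version], [Privilege Rights], [Group Membership], [Registry Values]), the <principal>__Members and <principal>__Memberof key convention for Restricted Groups, *S-1-... for SIDs and type,value pairs in [Registry Values], and the SAMPLE_TEMPLATE it parses is constructed for the lab's DC Remote Desktop scenario rather than exported from a real system.

```python
import re
from typing import Dict, List, Tuple

# Constructed template in the snap-in's .inf layout, following the lab's
# DC Remote Desktop scenario; it was not exported from a real system.
SAMPLE_TEMPLATE = r"""[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,CONTOSO\SYS_DC Remote Desktop
[Group Membership]
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members = CONTOSO\SYS_DC Remote Desktop
CONTOSO\Help Desk__Memberof = *S-1-5-32-544
CONTOSO\Help Desk__Members =
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"4"
"""

# Partial well-known SID table: only the SIDs the sample uses.
WELL_KNOWN_SIDS = {"S-1-5-32-544": "BUILTIN\\Administrators",
                   "S-1-5-32-555": "BUILTIN\\Remote Desktop Users"}
# Registry value type codes written after '=' in [Registry Values].
REG_TYPES = {"1": "REG_SZ", "2": "REG_EXPAND_SZ", "3": "REG_BINARY",
             "4": "REG_DWORD", "7": "REG_MULTI_SZ"}
Sections = Dict[str, List[Tuple[str, str]]]


def decode_template(data: bytes) -> str:
    """Templates the snap-in saves are UTF-16 LE with a BOM (Unicode=yes);
    a hand-typed one may be ASCII. Choose the decoding from the BOM."""
    return data.decode("utf-16") if data.startswith(b"\xff\xfe") else data.decode("ascii")


def parse_template(text: str) -> Sections:
    """Split into sections of (key, value) pairs, keeping order and duplicate
    keys; reject a file that lacks the $CHICAGO$ signature."""
    sections: Sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # blank or comment line
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition("=")     # split on the first '=' only
        sections[current].append((key.strip(), value.strip()))
    if dict(sections.get("Version", [])).get("signature") != '"$CHICAGO$"':
        raise ValueError("not a security template: [Version] signature missing")
    return sections


def principal(token: str) -> str:
    """'*S-1-...' is a SID (resolved when well known); anything else is a name."""
    token = token.strip()
    return WELL_KNOWN_SIDS.get(token[1:], token[1:]) if token.startswith("*") else token


def principals(value: str) -> List[str]:
    return [principal(t) for t in value.split(",") if t.strip()]


def restricted_groups(sections: Sections) -> Dict[str, Dict[str, List[str]]]:
    """[Group Membership]: '<group>__Members' is the enforced member list and
    '<group>__Memberof' the groups <group> is added to. Empty values are
    returned as empty lists, exactly as the file states them."""
    result: Dict[str, Dict[str, List[str]]] = {}
    for key, value in sections.get("Group Membership", []):
        group, sep, kind = key.rpartition("__")
        if not sep or kind not in ("Members", "Memberof"):
            raise ValueError(f"unexpected Group Membership key: {key}")
        entry = result.setdefault(principal(group), {"members": [], "member_of": []})
        entry["members" if kind == "Members" else "member_of"] = principals(value)
    return result


def privilege_rights(sections: Sections) -> Dict[str, List[str]]:
    """[Privilege Rights]: user-right constant -> principals granted it."""
    return {right: principals(v) for right, v in sections.get("Privilege Rights", [])}


def registry_values(sections: Sections) -> Dict[str, Tuple[str, str]]:
    """[Registry Values]: path=type,value -> {path: (type name, value)}."""
    out: Dict[str, Tuple[str, str]] = {}
    for path, value in sections.get("Registry Values", []):
        code, _, data = value.partition(",")
        out[path] = (REG_TYPES.get(code, f"type {code}"), data.strip('"'))
    return out


if __name__ == "__main__":
    parsed = parse_template(decode_template(SAMPLE_TEMPLATE.encode("ascii")))
    print(restricted_groups(parsed))
    print(privilege_rights(parsed))
    print(registry_values(parsed))
```

Whether an empty __Members line is enforced as "no members" depends on the Windows version applying the template, so the reader reports it as written instead of interpreting it.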
When you install a server or promote it to a domain controller, a default security
In the Import Policy From dialog box, if you select the Clear This Database Before Importing check box, all security settings in the GPO will be erased prior to
Demonstration Steps
1. Start 6425C-NYC-DC1.
2. Log on to NYC-DC1 as Pat.Coleman with the password Pa$$w0rd.
3. Click Start and, in the search box, type mmc.exe and press Enter. When prompted, supply administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
4. Click File, and then click Add/Remove Snap-in.
5. In the Available snap-ins list, select Security Templates, then click Add.
6. Click OK.
7. Click File, and then click Save. The Save As dialog box appears.
8. Type C:\SecurityManagement, and then press Enter.
9. In the console tree, expand Security Templates.
10. Right-click C:\Users\Pat.Coleman_Admin\Documents\Security\Templates, and then click New Template.
11. Type DC Remote Desktop, and then click OK.
12. Click Start, point to Administrative Tools, and run Group Policy Management with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
13. In the console tree, expand Forest: contoso.com, Domains, and contoso.com, and then click the Group Policy Objects container.
14. In the details pane, right-click Corporate Help Desk, and then click Edit. The Group Policy Management Editor appears.
15. In the console tree, expand Computer Configuration, Policies, Windows Settings, and then click Security Settings.
16. Right-click Security Settings, and then click Import Policy.
17. Select the DC Remote Desktop template, and then click Open.
That security policy can then be modified, applied to another server, or transformed into a GPO for deployment to multiple systems.
2. 3.
4.
The Security Configuration Wizard begins the analysis of the selected server's roles. It uses a security configuration database that defines services and ports required for each server role supported by the Security Configuration Wizard. The security configuration database is a set of .xml files installed in %SystemRoot%\Security\Msscw\Kbs.

Note: In an enterprise environment, centralize the security configuration database so that administrators use the same database when running the Security Configuration Wizard. Copy the files in the %SystemRoot%\Security\Msscw\Kbs folder to a network folder. Then, launch the Security Configuration Wizard with the Scw.exe command by using the syntax scw.exe /kb DatabaseLocation. For example, the command scw.exe /kb \\NYC-SVR1\scwkb launches the Security Configuration Wizard by using the security configuration database in the shared folder scwkb on NYC-SVR1.
The initial settings in the configuration database are called the baseline settings. After the server has been scanned and the configuration database has been created, you can modify the database, which will then be used to generate the security policy to configure services, firewall rules, registry settings, and audit policies. The security policy can then be applied to the server or to other servers playing similar roles. The Security Configuration Wizard presents each of these four categories of the security policy in a section, a series of wizard pages:
- Role-based service configuration
- Network security
- Registry settings
- Audit policy
Security Policy
You can skip any of the last three sections you do not want to include in your security policy.
The settings are very well documented by the Security Configuration Wizard.
To import a security template into the security policy, click Include Security Templates.
scwcmd transform /p:"Contoso DC Security.xml" /g:"Contoso DC Security GPO"
As suggested in the introduction to the lesson, there are a number of mechanisms with which to manage security settings. You can use tools such as the Local Security Policy console to modify settings on an individual system. You can use security templates, which have existed since Windows 2000 Server, to manage settings on one or more systems and to compare the current state of a system's configuration against the desired configuration defined by the template. Security policies generated by the Security Configuration Wizard are the most recent addition to the security configuration management toolset. They are role-based .xml files that define service startup modes, firewall rules, audit policies, and some registry settings. Security policies can incorporate security templates. Both security templates and security policies can be deployed by using Group Policy.

The plethora of tools available can make it difficult to identify the best practice for managing security on one or more systems. Plan to use Group Policy whenever possible to deploy security configuration. You can generate a GPO from a role-based security policy produced by the Security Configuration Wizard, which itself incorporates additional settings from a security template. After the GPO has been generated, you can make additional changes to the GPO by using the Group Policy Management Editor snap-in. Settings not managed by Group Policy can be configured on a server-by-server basis by using the local GPO security settings.
Lab Setup
For this lab, you will use the same virtual machines that were used for Lab A. If required, complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
Lab Scenario
You are an administrator of the contoso.com domain. To secure the directory service, you want to establish a security configuration to apply to domain controllers that, among other things, specifies who can log on to domain controllers by using Remote Desktop to perform administrative tasks.
2.
3.
4.
5. Revert the local security policy to its default setting.
1. On NYC-DC1, run Server Manager as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2.
3. Close Server Manager.
1. Run Active Directory Users and Computers as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. In the Admins\Admin Groups\Server Delegation OU, create a global security group named SYS_DC Remote Desktop.
Task 3: Add SYS_DC Remote Desktop to the Remote Desktop Users group.
1.
AddtheSYS_DCRemoteDesktopgrouptotheRemoteDesktopUsers group,foundintheBuiltincontainer.
2. Close Active Directory Users and Computers.
Task 4: Configure the Local Security Policy to allow remote desktop connections by SYS_DC Remote Desktop.

On a domain member (workstation or server), the Remote Desktop Users group has permission to connect to the RDP-Tcp connection and holds the user right to log on through Remote Desktop Services. Therefore, on a domain member server or workstation, the easiest way to manage both the user right and the permission on the RDP-Tcp connection is to add a user or group directly to the Remote Desktop Users group. On a domain controller, however, the Default Domain Controllers Policy grants the Allow log on through Remote Desktop Services user right to Administrators only, so membership in Remote Desktop Users is not enough by itself: you must also grant the user right, which is what this task does.
1. Run Local Security Policy as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. Modify the configuration of the user rights policy setting, Allow log on through Remote Desktop Services, and add SYS_DC Remote Desktop.
You will now revert the policy to its default in preparation for the following exercises.
2. Close Local Security Policy.
Results: In this exercise, you configured each of the local settings necessary to allow SYS_DC Remote Desktop to log on to NYC-DC1 by using remote desktop.
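The exercise above configures the user right through the Local Security Policy console. The following is an added example, not part of the course text, that verifies the result from an elevated PowerShell session: it exports the effective local security policy with secedit.exe, parses the Allow log on through Remote Desktop Services right (SeRemoteInteractiveLogonRight), resolves the SIDs, and lists the members of the built-in Remote Desktop Users group. It assumes the domain NetBIOS name CONTOSO and the group SYS_DC Remote Desktop from the lab.

```powershell
# Added example (not from the course text). Run elevated on NYC-DC1.
# Assumes the domain is CONTOSO and the group SYS_DC Remote Desktop exists.

function Get-RemoteInteractiveLogonRight {
    param([string]$ExportPath = (Join-Path $env:TEMP 'secpol-export.inf'))

    # secedit writes the effective local policy (including settings delivered
    # by GPO) as a UTF-16 INI-style file; we only need the user rights area.
    & secedit.exe /export /cfg $ExportPath /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $ExportPath)) { throw 'secedit export failed' }

    $line = Get-Content -Path $ExportPath -Encoding Unicode |
        Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }
    Remove-Item -Path $ExportPath -Force

    if (-not $line) { return @() }    # right granted to nobody

    # Values are comma-separated; SIDs are written with a leading '*'.
    $entries = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($e in $entries) {
        $e = $e.Trim()
        if ($e.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }      # unresolvable SID: show it raw
        } else { $e }
    }
}

$holders = @(Get-RemoteInteractiveLogonRight)
'Allow log on through Remote Desktop Services is granted to:'
$holders | ForEach-Object { "  $_" }

# On a domain controller the default is Administrators only.
if ($holders -notcontains 'CONTOSO\SYS_DC Remote Desktop') {
    Write-Warning 'SYS_DC Remote Desktop does not hold the user right on this computer.'
}

# Membership of the built-in Remote Desktop Users group (a domain group on a DC).
Import-Module ActiveDirectory
Get-ADGroupMember -Identity 'Remote Desktop Users' | Select-Object Name, objectClass
```

Running this before and after Task 4 shows the right changing from Administrators alone to Administrators plus SYS_DC Remote Desktop, and running it again after the revert step confirms the default was restored.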
Task 1: Create a custom MMC console with the Security Templates snap-in.
1. Run mmc.exe as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. Add the Security Templates snap-in.
3. Save the console as C:\SecurityManagement.msc.
1. In the Security Templates snap-in, create a new security template named DC Remote Desktop.
3. Using a Restricted Groups setting, configure the template to add SYS_DC Remote Desktop to the Remote Desktop Users group.
4. Save the changes you made to the template.
1. Run the Security Configuration Wizard in the Administrative Tools folder, with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
4. On the Select Server page, accept the default server name, NYC-DC1, and click Next.
8. On the Select Server Roles page, you can optionally explore the settings that were discovered on NYC-DC1, but do not change any settings. Click Next.
9. On the Select Client Features page, you can optionally explore the settings that were discovered on NYC-DC1, but do not change any settings. Click Next.
10. On the Select Administration and Other Options page, you can optionally explore the settings that were discovered on NYC-DC1, but do not change any settings. Click Next.
11. On the Select Additional Services page, you can optionally explore the settings that were discovered on NYC-DC1, but do not change any settings. Click Next.
12. On the Handling Unspecified Services page, do not change the default setting, Do not change the startup mode of the service. Click Next.
13. On the Confirm Service Changes page, in the View list, select All Services.
14. Examine the settings in the Current Startup Mode column, which reflect service startup modes on NYC-DC1, and compare them with the settings in the Policy Startup Mode column.
15. In the View list, select Changed Services.
16. Click Next.
17. On the Network Security introduction page, click Next.
18. On the Network Security Rules page, you can optionally examine the firewall rules derived from the configuration of NYC-DC1. Do not change any settings. Click Next.
19. On the Registry Settings section introduction page, click Next.
20. On each page of the Registry Settings section, examine the settings, but do not change any of them, and then click Next. When the Registry Settings Summary page appears, examine the settings and click Next.
21. On the Audit Policy section introduction page, click Next.
22. On the System Audit Policy page, examine but do not change the settings. Click Next.
23. On the Audit Policy Summary page, examine the settings in the Current Setting and Policy Setting columns. Click Next.
24. On the Save Security Policy section introduction page, click Next.
25. In the Security policy file name text box, click at the end of the file path and type DC Security Policy.
26. Click Include Security Templates.
27. Click Add.
28. Browse to locate the DC Remote Desktop template created in Exercise 2, located in the My Documents\Security\Templates folder. When you have located and selected the template, click Open.
    Be careful that you add the Documents\Security\Templates\DC Remote Desktop.inf file and not the DC Security.inf default security template.
29. Click OK to close the Include Security Templates dialog box.
30. Click View Security Policy. You are prompted to confirm the use of the ActiveX control.
31. Click Yes.
32. Examine the security policy. Notice that the DC Remote Desktop template is listed in the Templates section.
33. Close the window after you have examined the policy.
34. In the Security Configuration Wizard, click Next.
35. On the Apply Security Policy page, accept the Apply Later default setting, and then click Next.
36. Click Finish.
1. Run the Command Prompt as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. Type cd c:\windows\security\msscw\policies, and then press Enter.
3. Type scwcmd transform /?, and then press Enter.
4. Use the scwcmd.exe command to transform the security policy named "DC Security Policy.xml" to a GPO named "DC Security Policy."
5. Run Group Policy Management as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
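Step 4 leaves the exact command line to the reader. As an added example, not from the course text, the following runs the transform and then confirms with the GroupPolicy module that the GPO was created and is still unlinked, which is what scwcmd transform always produces. It assumes the policy file was saved to the default SCW policies folder on NYC-DC1 and that GPMC (and therefore the GroupPolicy module) is installed.

```powershell
# Added example (not from the course). Run elevated on NYC-DC1.
# Assumes "DC Security Policy.xml" is in the default SCW policies folder.

Set-Location "$env:SystemRoot\security\msscw\policies"

# Convert the SCW XML policy (including the security template it embeds)
# into a new GPO in the current domain. /p: is the policy file, /g: the
# display name of the GPO to create.
& scwcmd.exe transform /p:"DC Security Policy.xml" /g:"DC Security Policy"

Import-Module GroupPolicy
$gpo = Get-GPO -Name 'DC Security Policy'
'Created GPO "{0}" (ID {1}) in {2}, modified {3}' -f $gpo.DisplayName, $gpo.Id, $gpo.DomainName, $gpo.ModificationTime

# scwcmd transform does not link the GPO anywhere, so at this point it applies
# to no computer. Review the settings report first, then link it, for example:
#   New-GPLink -Name 'DC Security Policy' -Target 'OU=Domain Controllers,DC=contoso,DC=com'
$report = Join-Path $env:TEMP 'DCSecurityPolicy.html'
Get-GPOReport -Name 'DC Security Policy' -ReportType Html -Path $report
"Settings report written to $report"
```

Reading the report before linking is the check worth keeping: an SCW policy generated from a domain controller carries service startup modes and firewall rules for that machine, and linking it to an OU with differently configured servers will change them.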
Lesson 3: Auditing
Objectives
After completing this lesson, you will be able to:
Configure audit policy.
Configure auditing settings on file system objects.
View the Security log using the Event Viewer snap-in.
Audit Policies
Audit Policy Setting / Explanation / Default Setting for

Audit Account Logon Events
    Default: Successful account logons are audited.

Audit Logon Events
    Explanation: Creates an event when a user logs on interactively (locally) to a computer or over the network (remotely). For example, if a workstation and a server are configured to audit logon events, the workstation audits a user logging on directly to that workstation. When the user connects to a shared folder on the server, the server logs that remote logon. When a user logs on, the domain controller records a logon event because logon scripts and policies are retrieved from the domain controller.
    Default: Successful logons are audited.

Audit Account Management

Audit Directory Service Access
    Explanation: … folders, but this policy applies to Active Directory objects.

Audit Policy Change
    Explanation: Audits changes to user rights assignment policies, audit policies, or trust policies.
    Default: Successful policy changes are audited.

Audit Privilege Use
    Explanation: Audits the use of a privilege or user right. See the explanatory text for this policy in the Group Policy Management Editor (GPME).
    Default: No events are audited.

Audit System Events
    Explanation: Audits system restart, shutdown, or changes that affect the system or security log.
    Default: Successful system events are audited.

Audit Process Tracking
    Explanation: Audits events such as program activation and process exit. See the explanatory text for this policy in the GPME.
    Default: No events are audited.

Audit Object Access
    Explanation: Audits access to objects such as files, folders, registry keys, and printers that have their own SACLs. In addition to enabling this audit policy, you must configure the auditing entries in the objects' SACLs.
    Default: No auditing is performed by default.
… attempts to access the domain by repeatedly trying to log on as a domain user account without yet knowing the account's password. Auditing failed account management events can reveal someone attempting to manipulate the membership of a security-sensitive group.

One of the most important tasks you must perform is to balance and align the audit policy with your corporate policies and reality. Your corporate policy might state that all failed logons and successful changes to Active Directory users and groups must be audited. That is easy to achieve in Active Directory. But how, exactly, are you going to use that information? Verbose audit logs are useless if you do not know how, or do not have the tools, to manage those logs effectively. To implement auditing, you must have the business requirement to audit, a well-configured audit policy, and the tools with which to manage audited events.
Typically, auditing entries reflect the permission entries for the object. In other words, you would configure the Confidential Data folder with permissions that prevent Consultants from accessing its contents. You would then use auditing to monitor Consultants who nonetheless attempt to access the folder. Keep in mind, of course, that a member of the Consultants group can also belong to another group that does have permission to access the folder. Because that access succeeds, a failure-only auditing entry never records it. Therefore, if you really are concerned about keeping users out of a folder and making sure they do not access it in any way, monitor failed access attempts. However, you should also audit successful access to identify situations in which a user is accessing the folder through another group membership that is potentially incorrect.

Important: Audit logs have the tendency to get quite large rapidly. Therefore, a golden rule for auditing is to configure the bare minimum required to achieve the business task. Specifying to audit the successes and failures on an active data folder for the Everyone group by using Full Control (all permissions) generates enormous audit logs that could affect the performance of the server and make locating a specific audited event almost impossible.
After auditing is enabled, the security subsystem begins to pay attention to the audit settings and log access as directed by those settings.

The policy setting must be applied to the server that contains the object being audited. You can configure the policy setting in the server's local GPO or use a GPO scoped to the server.

You can define the policy then to audit Success events, Failure events, or both. The policy setting (shown above) must specify auditing of Success or Failure attempts that match the type of auditing entry in the object's SACL (shown in the previous topic). For example, to log a failed attempt by Consultants to access the Confidential Data folder, you must configure the Audit object access policy to audit failures, and you must configure the SACL of the Confidential Data folder to audit failures. If the audit policy audits successes only, the failure entries in the folder's SACL will not
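The two preceding topics describe the two halves that have to agree: the auditing entry in the object's SACL and the Audit object access policy on the server that holds the object. The following added example, which is not part of the course text, configures the SACL half from PowerShell for the Consultants scenario and then reads the effective policy half with auditpol.exe so the mismatch described above is visible before anyone waits for events that never arrive. The folder path D:\Data\Confidential Data and the group CONTOSO\Consultants are lab assumptions.

```powershell
# Added example (not from the course). Run elevated on the file server
# (Get-Acl -Audit and Set-Acl on a SACL need the Manage auditing privilege).
# Assumed lab values:
$Folder = 'D:\Data\Confidential Data'
$Group  = 'CONTOSO\Consultants'

# 1. The object half: one SACL entry that records FAILED attempts by
#    Consultants, inherited by subfolders and files. Keep the entry as narrow
#    as the business task allows; Everyone + FullControl + Success and Failure
#    on a busy folder floods the Security log.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    $Group,                             # who is audited
    'FullControl',                      # which access types trigger an entry
    'ContainerInherit, ObjectInherit',  # apply to subfolders and files
    'None',                             # PropagationFlags
    'Failure')                          # AuditFlags: Failure only

$acl = Get-Acl -Path $Folder -Audit     # -Audit loads the SACL as well as the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

'SACL now on the folder:'
(Get-Acl -Path $Folder -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited |
    Format-Table -AutoSize

# 2. The policy half: the entry above produces nothing unless Audit object
#    access (on Windows Server 2008 R2 the File System subcategory) includes
#    Failure on THIS computer. Set it in the GPO scoped to the file servers;
#    auditpol shows what is in effect after gpupdate.
'Effective audit policy for the File System subcategory:'
& auditpol.exe /get /subcategory:"File System"
```

If auditpol reports "Success" or "No Auditing" for File System, the Failure entries in the SACL are inert; fix the policy, run gpupdate /force, and check again before testing access as a Consultant.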
… server. Open the Event Viewer console from Administrative Tools. Expand Windows Logs\Security.
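Event Viewer works for a handful of events, but the Security log on a busy file server is too large to page through. As an added example that is not part of the course, the function below pulls only the failed handle requests (event 4656 with the Audit Failure keyword) whose ObjectName lies under the monitored folder, which is exactly what the SACL configured in the lab produces when a Consultant is denied. The folder path is a lab assumption; adjust $Folder for your server. It runs on Windows PowerShell 2.0, which is what Windows Server 2008 R2 ships.

```powershell
# Added example (not from the course). Run elevated on the file server
# (for example NYC-SVR1) after auditing has been configured as in the lab.

function Get-FailedFolderAccess {
    param(
        [string]$Folder    = 'D:\Data\Confidential Data',   # assumed lab path
        [int]   $MaxEvents = 500
    )
    # 4656 = "A handle to an object was requested". With the Audit Failure
    # keyword (0x0010000000000000 = 4503599627370496) it is a denied open; the
    # band() test is the same one Event Viewer's "Audit Failure" filter uses.
    $xpath = '*[System[(EventID=4656) and band(Keywords,4503599627370496)]]'

    Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # XPath cannot do substring matches on EventData, so filter here.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

            if ($d['ObjectName'] -like "$Folder*") {
                New-Object PSObject -Property @{
                    Time       = $_.TimeCreated
                    User       = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                    Object     = $d['ObjectName']
                    AccessMask = $d['AccessMask']     # requested rights, hex
                    Process    = $d['ProcessName']
                } | Select-Object Time, User, Object, AccessMask, Process
            }
        }
}

Get-FailedFolderAccess | Format-Table -AutoSize
```

An empty result after a Consultant has been denied usually means the policy half is missing (Audit object access does not include Failure on this server), not that the SACL is wrong; the auditpol check in the previous topic tells the two cases apart.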
Lab Setup
For this lab, you will use the same virtual machine environment used in previous labs. If required, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   User name: Pat.Coleman
   Password: Pa$$w0rd
   Domain: Contoso
5. Repeat steps 2 and 3 for 6425C-NYC-SVR1. Do not log on to the machine until directed to do so.
Lab Scenario
In this lab, you will configure auditing settings, enable audit policies for object access, and filter for specific events in the Security log. The business objective is to monitor a folder containing confidential data that should not be accessed by users in the Consultants group.
3. In the Groups\Role OU, create a new global security group named Consultants.
Configure auditing settings on the Confidential Data folder to audit for any failed access by the Consultants group.
Results: In this exercise, you configured permissions and audit settings for a folder.
1. Run Group Policy Management as an administrator, with the user name
Results: In this exercise, you configured auditing of failed access to file system objects on servers in the Servers\File OU.
3. Refresh Group Policy to apply the new auditing settings by executing the command gpupdate.exe /force.
Results: In this exercise, you validated the auditing of failed access to the Confidential Data folder by members of the Consultants group.
Objectives
After completing this lesson, you will be able to:
Describe Software Restriction Policy.
Describe how to control access to applications by using Application Control Policies.
Compare AppLocker and Software Restriction Policies.
Configure AppLocker.
Rules
Rules govern how an SRP responds to an application being run or installed. Rules are the key constructs within an SRP, and a group of rules together determine how an SRP will respond to applications being run. Rules can be based on one of the following criteria that apply to the primary executable file for the application in question.

Hash. A cryptographic fingerprint of the file. A hash rule identifies exactly one build of a binary, so it stops matching as soon as the file is updated.
Certificate. A software publisher certificate used to digitally sign a file.
Path. The local or Universal Naming Convention (UNC) path of where the file is stored. A path rule is only as strong as the permissions on that path: if users can write to a location that a path rule allows, they can run anything they copy there.
Zone. The Internet zone.
Security Levels
Each applied SRP is assigned a security level that governs the way the operating … defined by an SRP rule.

Based on these three components, there are two primary ways to use SRPs:
If an administrator knows all the software that should be allowed to run on clients, the Default Security Level can be set to Disallowed. All applications that should be allowed to run can be identified in SRP rules that would apply either the Basic User or Unrestricted security level to each individual application, depending on the security requirements.
If an administrator does not have a comprehensive list of the software that should be allowed to run on clients, the Default Security Level can be set to Unrestricted or Basic User, depending on security requirements. Any applications that should not be allowed to run can then be identified by using SRP rules, which would use a security level setting of Disallowed.
Note: The content in this section only applies to Windows Server 2008 R2.
… variety of methods for quickly and concisely determining the identity of applications to which they may want to restrict or permit access.

AppLocker is applied through Group Policy to computer objects within an organizational unit. In addition, individual AppLocker rules can be applied to individual AD DS users or groups.

AppLocker also contains options for monitoring or auditing the application of rules, both as rules are being enforced and in an audit-only scenario.

AppLocker can help organizations prevent unlicensed or malicious software from running, and can selectively restrict ActiveX controls from being installed. It can also reduce the total cost of ownership by ensuring that workstations are standardized across the enterprise and that users are running only the software and applications that are approved by the enterprise.

Specifically, the following scenarios provide examples of where AppLocker can be used to provide some level of application management:
Your organization implements a policy to standardize the applications used within each business group, so you need to determine the expected usage compared with the actual usage.
The security policy for application usage has changed, and you need to evaluate where and when those deployed applications are being accessed.
Your organization's security policy dictates the use of only licensed software, so you need to determine which applications are not licensed or prevent unauthorized users from running licensed software.
An application is no longer supported by your organization, and you need to prevent it from being used by everyone.
A new application or a new version of an application is deployed, and you need to allow certain groups to use it.
Specific software tools are not allowed within the organization, or only specific users have access to those tools.
A single user or a small group of users needs to use a specific application that is denied for all others.
Some computers in your organization are shared by people who have different software usage needs.
Note: AppLocker is not enabled by default in Windows Server 2008 R2. Rules are enforced only on computers where the Application Identity service (AppIDSvc) is running, so set that service to start automatically, for example in the same GPO that delivers the rules.
When implementing SRPs in previous Windows versions, it was particularly difficult to create policies that were secure and remained functional after software updates were applied. This was due to the lack of granularity of certificate rules and the fragility of hash rules that became invalid when an application binary was updated. To resolve this issue, AppLocker enables you to create a rule that combines a certificate and a product name, file name, and file version. This simplifies your ability to specify that anything signed by a particular vendor for a specific product name can run.

Certificate rules in SRP allow you to trust all software signed by a specific publisher; however, AppLocker gives you greater flexibility. When creating publisher rules, you can trust the publisher, and also drill down to the product level, the executable level, and even the version.
For example, with SRP, you can create a rule that effectively reads "Trust all content signed by Microsoft." With AppLocker, you further refine the rule to specify: "Trust the Microsoft Office 2007 Suite if it is signed by Microsoft and the version is greater than 12.0.0.0."

The AppLocker enhancements over the SRP feature can be summarized as follows:
The ability to define rules based on attributes derived from a file's digital signature, including the publisher, product name, file name, and file version. SRP supports certificate rules, but they are less granular and more difficult to define.
A more intuitive enforcement model: once a rule collection contains any rules, only a file covered by an Allow rule in that collection is permitted to run.
A new, more accessible user interface that is accessed through a new Microsoft Management Console (MMC) snap-in extension to the Group Policy Management Console snap-in.
An audit-only enforcement mode that allows administrators to determine which files would be prevented from running if the policy were in effect.
The following table outlines other key differences between AppLocker and SRPs.

Feature                                      SRP                                           AppLocker
Rule scope                                   All users on a computer                       Specific users or groups (per rule)
Rule conditions provided                     File hash, certificate, path, Internet zone   File hash, path, publisher
Rule types provided                          Allow and Deny                                Allow and deny
Default rule action                          Unrestricted                                  Implicit deny
Audit-only mode                              No                                            Yes
Wizard to create multiple rules at one time  No                                            Yes
Policy import or export                      No                                            Yes
Rule collection                              No                                            Yes
Windows PowerShell support                   No                                            Yes
Custom error messages                        No                                            Yes
… group policies. However, if Windows Server 2008 R2 or Windows 7 computers have both AppLocker and SRP rules applied in a group policy, only the AppLocker rules are enforced and the SRP rules are ignored.

When you add a single AppLocker rule in Windows Server 2008 R2 or Windows 7, all processing of SRP rules stops. Therefore, if you are replacing SRP rules with AppLocker rules, you must implement all AppLocker rules that you require at one time. If you implement the AppLocker rules incrementally, you will lose the functionality provided by SRP rules that have not yet been replaced with corresponding AppLocker rules.

Note: SRP is still the standard method to restrict software usage in versions of Windows prior to Windows Server 2008 R2 and Windows 7. Those versions ignore AppLocker settings, so an environment with a mix of client versions needs both policies, with the AppLocker rules kept in a separate GPO.
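The enforcement model in the table above (implicit deny once a collection has rules) is the thing most likely to surprise you the first time you block one application, as the WordPad lab that follows does. As an added example that is not part of the course, the script below uses the AppLocker cmdlets in Windows Server 2008 R2 to build a publisher rule for WordPad, flips it to Deny, puts the collection in audit-only mode, and tests the policy against two files before it is ever imported into a GPO. It assumes the default WordPad install path and uses Everyone as the target group; both are lab assumptions.

```powershell
# Added example (not from the course). Windows Server 2008 R2 / Windows 7
# with the AppLocker module. Nothing is deployed; the policy is only tested.

Import-Module AppLocker
$wordpad    = Join-Path $env:ProgramFiles 'Windows NT\Accessories\wordpad.exe'   # assumed path
$notepad    = Join-Path $env:SystemRoot  'System32\notepad.exe'
$policyPath = Join-Path $env:TEMP 'WordPadRestriction.xml'

# Publisher rule built from the file's Authenticode signature (publisher,
# product, binary name, version). Unlike a hash rule it survives patching.
$fi  = Get-AppLockerFileInformation -Path $wordpad
$xml = New-AppLockerPolicy -FileInformation $fi -RuleType Publisher -User Everyone `
                           -RuleNamePrefix 'Block WordPad' -Xml

# New-AppLockerPolicy emits Allow rules only, so turn this one into a Deny,
# and start the Exe collection in AuditOnly: clients then log event 8003
# ("would have been blocked") instead of blocking anything.
$pol = [xml]$xml
$exe = $pol.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
$exe.EnforcementMode = 'AuditOnly'
$exe.FilePublisherRule.Action = 'Deny'
$pol.Save($policyPath)

# Evaluate the saved policy against real files without deploying it.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $wordpad, $notepad -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
# Expected: wordpad.exe -> Denied (matches the Block WordPad rule)
#           notepad.exe -> DeniedByDefault: the Exe collection now has a rule,
#           and nothing allows notepad. Before switching to Enforce, add the
#           default rules (GPMC: Executable Rules > Create Default Rules) or
#           merge an Allow policy, or every application on the client stops.

# To deploy, import the XML into the GPO's AppLocker node, for example:
#   Set-AppLockerPolicy -XmlPolicy $policyPath -Ldap 'LDAP://contoso.com/CN={GPO-GUID},CN=Policies,CN=System,DC=contoso,DC=com'
# and make sure the Application Identity service (AppIDSvc) runs on the clients.
```

Test-AppLockerPolicy evaluates the rule logic only; it does not tell you whether the Application Identity service is running on the target, which is the other reason a freshly linked AppLocker GPO appears to do nothing.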
Demonstration Steps
1. OpentheGroupPolicyManagementConsole.
Lab Setup
For this lab, you will use the same virtual machine environment used in previous labs. If required, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   User name: Pat.Coleman
   Password: Pa$$w0rd
   Domain: Contoso
5. Repeat steps 2 and 3 for 6425C-NYC-CL1. Do not log on to the machine until directed to do so.
Lab Scenario
You have been asked to ensure that a widely used application in the environment, which has recently been replaced by a new software suite, is no longer used at Contoso, Ltd.
2. Apply the WordPad Restriction Policy GPO to the Contoso.com domain container.
1. Restart and then log on to NYC-CL1 as Contoso\Alan.Brewer with the password Pa$$w0rd.
2. Refresh Group Policy by running gpupdate /force from the command prompt.
3. Try to run Start > All Programs > Accessories > WordPad.
Results: In this exercise, you restricted an application by using AppLocker.
When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6425C-NYC-SVR1 and 6425C-NYC-CL1.
Review Questions
1. Describe the procedure used to apply a security template to a computer.
2. Why must AppLocker rules be defined in a GPO separate from SRP rules?