Group Policy


Presentation Transcript


  1. Group Policy: An overview of Microsoft Windows Group Policy

  2. My Credentials
     • B.S. Computer Science
     • M.S. Information Technology (2012)
     • Certified Information Systems Security Professional (CISSP)
     • Network Admin at BCG
     • Early NT 3.51 and 4.0 days
     • Network Admin and Instructor at Hilbert College
     • Transition from NT4 to 2000
     • Accounts and Profiles for all students (GPO based)
     • Taught Networking, Databases, Programming in the Computer Security program there
     • An admin's perspective, from someone who learned it on the job

  3. What is Group Policy
     • Microsoft NT technology
     • Other NOSs have their own versions
     • Centralized management of clients
     • Security management
     • Application management
     • Profile management
     • Can be pushed from the domain
     • Can be modified locally for individual clients
       • Local policy objects are not as in-depth
     • Can be pushed as part of disc imaging

  4. What can it do for me
     • Manage security
       • Firewall and networking
       • OS configuration restrictions
     • Reduce workstation downtime
       • Can restrict users from modifying potentially damaging settings
     • Manage applications
       • Whitelist available applications
       • Control which applications are visible
     • Roaming profiles
       • Centralized data storage
       • Full or partial

  5. Not a Silver Bullet
     • Only as effective as the Information Security Policies it is enforcing
     • Needs to be part of defense in depth
     • Can be complex to implement and manage
     • Improper management can interfere with business goals
     • Easy to lock down a machine tighter than it needs to be
     • Applications typically use voluntary enforcement
       • It is possible to modify a policy, or interfere with an application reading its policy

  6. What do I need to use it
     Domain Based Policy
     • Active Directory Domain
     • Install Group Policy Management Objects
     • Server roles vary by OS version
     • Can be managed using remote administration tools from Vista (2003 domains) or Windows 7 (2008 domains)
     Local Policy
     • Windows NT based OSs
     • No domain needed
     • Easily configured on XP and above
     • Can be used in conjunction with domain policies
     • Configured locally on the target client

  7. Management Tools
     • Group Policy Management Console (GPMC)
       • Suite of tools in 2003
       • Unified tool in 2008
     • Cmdlets
       • PowerShell extensions that allow scripting
     • Local Policy Editor
       • Pre-Windows 7: one user policy for all users
     • Gpupdate
       • Forces an update of policy on machines (XP and later)

  8. What is a GPO?
     • Collection of settings that can be used in a Group Policy
     • Most modify registry settings
     • Can also be processed by extending applications
     • Can be applied to users or computers
     • Can be inherited
     • Can be linked to multiple policies

  9. Policy Object Types
     Computer Policy
     • Applies based on the Computer Account
     • Useful to configure settings on a specific workstation
     • Same for all users on that machine
     • Example: remove the Start menu on a public machine
     User Policy
     • Applies based on the logged-in User Account
     • Settings travel with the user
     • Roaming Profiles go here
     • Example: Password policy

  10. How it works
     • Machine boots up
       • Machine policy downloaded and applied
     • User logs in
       • User policy downloaded and applied
     • Settings may be cached
     • Refreshed every 90 +/- 30 min for clients
     • gpupdate to refresh immediately

  11. Applying Multiple Policies
     • Local Group Policy objects - the computer's local policy (accessed by running gpedit.msc)
     • Site - Group Policies that are applied to the AD Site
       • Lowest link order is processed last and overrides higher links
     • Domain - Group Policies specified for the AD Domain
       • Lowest link order is processed last and overrides higher links
     • Organizational Unit - Policies for User or Computer OUs
       • Lowest link order is processed last and overrides higher links
     • Inheritance - Inheritance can be blocked or enforced to control what policies
     • Use GPMC to see what will actually be applied
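The precedence rules on slide 11 (site, then domain, then OU; lowest link order processed last; blocking and enforcement on top) are what GPMC shows in a container's Group Policy Inheritance tab. The same check from the GroupPolicy PowerShell module (the cmdlets slide 7 mentions), as an added example that is not part of the presentation; the OU, computer and user names are placeholders to replace with values from your own domain:

```powershell
# Added example (not from the presentation). Requires the GroupPolicy module
# that ships with GPMC / RSAT, run from a domain-joined admin workstation.
Import-Module GroupPolicy

# Hypothetical OU; substitute a distinguished name from your own directory.
$ou = 'OU=Workstations,DC=example,DC=com'

$inh = Get-GPInheritance -Target $ou

"Inheritance blocked on {0}: {1}" -f $ou, $inh.GpoInheritanceBlocked

# GpoLinks are the GPOs linked directly to this container. Order 1 has the
# highest precedence: it is processed last, so it wins on conflicting settings.
# Listing them highest Order first shows the sequence in which they are applied.
"`nGPOs linked directly to the OU (applied in this sequence):"
$inh.GpoLinks |
    Sort-Object Order -Descending |
    ForEach-Object {
        "  Order={0,-2} {1,-40} Enforced={2,-5} Enabled={3}" -f `
            $_.Order, $_.DisplayName, $_.Enforced, $_.Enabled
    }

# InheritedGpoLinks is the resultant list after the site, domain and parent-OU
# links, blocked inheritance and enforced links are all taken into account.
# This is the "what will actually be applied" view from the slide.
"`nResultant GPO list for the OU:"
$inh.InheritedGpoLinks |
    Select-Object Order, DisplayName, Target, Enforced, Enabled |
    Format-Table -AutoSize

# For one specific computer and user, an RSoP report shows what was really
# applied, including security filtering and WMI filters the OU view cannot show.
$report = Join-Path $env:TEMP 'rsop.html'
Get-GPResultantSetOfPolicy -Computer 'WS01' -User 'EXAMPLE\jdoe' `
    -ReportType Html -Path $report
"RSoP report written to $report"
```

Two things worth reading from the output before trusting a lockdown: an enforced link on a parent container appears in the resultant list even when the OU blocks inheritance, and a link with Enabled=False is listed under GpoLinks but contributes nothing, so a GPO that looks "linked" in the console may not be applying at all.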

  12. Typical Policy Components
     • Administrative Templates
     • Security Settings
     • IP Security Policy
     • Software Restriction Policies
     • Wireless Network Policies
     • Public Key Policies
     • Software Installation
     • Remote Installation Services
     • Scripts
     • Internet Explorer Maintenance
     • Folder Redirection
     • Disk Quotas
     • QoS Packet Scheduler
     • Custom Registry Modifications

  13. Creating a Policy
     • Demonstration

  14. Roaming Profiles
     • Can redirect some or all user data
     • Can redirect different sections to different locations
     • Administrators do not have access to redirected profiles (by default)
     • Allows for centralized backup
     • User is no longer dependent on a specific machine for user data
     • Typically redirected profile folders: My Documents, Application Data, Desktop, Start Menu
     • Folder redirection is under User Settings, Windows Settings
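Before redirecting the folders slide 14 lists, slide 15 advises calculating the space the file server will need. An added example (not the presenter's code) that sums those four folders for every local profile on a workstation; it assumes the Vista-and-later profile layout under C:\Users, so adjust the folder list for XP-style "Documents and Settings" paths, and run it as an administrator so other users' folders are readable:

```powershell
# Added example (not from the presentation): size the folders that folder
# redirection would move, per local profile, so server quotas can be planned.
# Assumes Vista-or-later profile paths; these are the folders from slide 14.
$folders = @(
    'Documents',                                   # My Documents
    'AppData\Roaming',                             # Application Data
    'Desktop',
    'AppData\Roaming\Microsoft\Windows\Start Menu'
)

function Get-FolderSizeMB {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 0 }
    # -Force includes hidden/system files; access errors are skipped, not fatal.
    $bytes = (Get-ChildItem -LiteralPath $Path -Recurse -File -Force `
                  -ErrorAction SilentlyContinue |
              Measure-Object -Property Length -Sum).Sum
    return [math]::Round(($bytes / 1MB), 1)
}

# Skip the template and shared profiles; they are never redirected.
$profiles = Get-ChildItem -Path 'C:\Users\*' -Directory -Exclude 'Public', 'Default*'

$report = foreach ($profile in $profiles) {
    $row   = [ordered]@{ User = $profile.Name }
    $total = 0
    foreach ($f in $folders) {
        $mb = Get-FolderSizeMB -Path (Join-Path $profile.FullName $f)
        $row[$f] = $mb
        $total  += $mb
    }
    $row['TotalMB'] = $total
    [pscustomobject]$row
}

$report | Sort-Object TotalMB -Descending | Format-Table -AutoSize
"Grand total: {0} MB across {1} profiles" -f `
    ($report | Measure-Object -Property TotalMB -Sum).Sum, @($report).Count
```

Run it on a representative sample of machines and multiply out by headcount; the Application Data column is usually the surprise, since browser caches and mail stores live there, which is one reason the deck suggests partial rather than full roaming for some scenarios.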

  15. Tips and Tricks
     • Lock down Regedit
     • Be extremely careful when applying policy to admins and domain controllers
     • Calculate space requirements before trying to redirect folders
     • Consider implementing quotas
     • Gpanswers.com
     • Learn to use MSDN and TechNet
     • Set up a lab environment and play
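Slide 8 says most GPO settings are just registry values, and slide 15 recommends locking down Regedit, keeping admins out of the blast radius, and trying things in a lab first. An added example (not the presenter's code) that puts those together with the GroupPolicy cmdlets from slide 7: the GPO name and the lab OU are hypothetical; the registry value is the one the Administrative Template "Prevent access to registry editing tools" writes under the user's Policies key.

```powershell
# Added example (not from the presentation). Requires the GroupPolicy module
# (GPMC / RSAT) and rights to create and link GPOs in the target domain.
Import-Module GroupPolicy

# Hypothetical GPO name; create it on first run, reuse it afterwards.
$gpoName = 'Lockdown - Disable Registry Tools'
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Prevents interactive use of regedit'
}

# Under the hood the Administrative Template setting is one DWORD in the
# user's Policies hive. 1 blocks regedit; Windows rejects edits to this key
# by standard users, which is what makes the GPO-delivered value stick.
$key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
Set-GPRegistryValue -Name $gpoName -Key $key `
    -ValueName 'DisableRegistryTools' -Type DWord -Value 1 | Out-Null

# Read the setting back from the GPO to confirm what clients will receive.
Get-GPRegistryValue -Name $gpoName -Key $key -ValueName 'DisableRegistryTools' |
    Select-Object ValueName, Type, Value

# Who the GPO applies to (security filtering). Check this before linking it
# anywhere wider than the lab, so admin accounts do not lock themselves out.
"`nSecurity filtering for '$gpoName':"
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object Trustee, Permission

# Link to a lab OU only (hypothetical DN); Order 1 gives it top precedence there.
$labOu = 'OU=Lab,DC=example,DC=com'
New-GPLink -Name $gpoName -Target $labOu -LinkEnabled Yes -Order 1 | Out-Null
"Linked '$gpoName' to $labOu; run 'gpupdate /force' on a lab client to test."
```

The same pattern (New-GPO, Set-GPRegistryValue, Get-GPPermission, New-GPLink) works for any setting that is registry-backed, and keeping the registry path in version control alongside the GPO name makes a policy change reviewable in a way that clicking through the editor is not.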

  16. Getting started with Common Deployment Scenarios
     • Lightly Managed
     • Mobile
     • Multi-User
     • App Station
     • Task Station
     • Kiosk
     • GPOs can be obtained for these from:
       • Implementing Common Desktop Management Scenarios with the Group Policy Management Console
       • http://technet.microsoft.com/en-us/library/cc758350(WS.10).aspx

  17. Lightly Managed
     • Power users and developers
     • The least managed of all of the scenarios
     • Allows users to customize most settings that affect them but prevents them from making harmful system changes
     • Includes settings that reduce help desk costs and user downtime
     • Full roaming profiles with local caching
       • Speeds up login/logout
     • Core set of applications which are always available
     • Users can also install applications

  18. Mobile
     • Laptop and mobile user support
     • Disconnected users who frequently need to work offline
     • Does not require a high-speed link
     • Offline files
     • Partial roaming to support offline files
     • Allows users to disconnect from the network without logging off or shutting down

  19. Multi-User
     • Computer laboratory or library
     • Allows basic customization of the desktop environment
       • Allows screen saver, background, etc., but no hardware or OS configuration
     • Full roaming profiles with no caching, to protect privacy
     • Restricted write access to the local computer
       • Users can only write data to their own profile
     • Highly secure

  20. App and Task Station
     • Highly restricted configurations with only a few applications
     • Vertical applications such as marketing, claims, and customer-service scenarios
     • Allows minimal customization by the user
     • Allows users to access a small number of applications appropriate to their job role
     • Does not allow users to add or remove applications
     • Full roaming profiles with caching
     • Provides a simplified desktop and Start menu
     • Restricted write access to the local computer
       • Users can only write data to their user profile and to redirected folders
     • Highly secure
     • Task Station
       • Only one app available and no Start menu

  21. Kiosk
     • Unattended machine in a public area, highly secure
     • Is a public workstation
     • Runs only one application
     • Uses only one user account and automatically logs on
     • The system automatically resets to a default state at the start of each session
     • Runs unattended
     • Is highly secure
     • Does not allow users to make changes to the default user or system settings
     • Does not save data to the disk
     • Is always on (no log off or shutdown)

  22. Q & A
     • Questions, comments?
     • My contact info again:
       • Patrick Lupiani
       • plupiani@gmail.com or plupiani@BuffaloComputerGraphics.com
       • 716-822-8668