1 / 19

Understanding Group Policy

Understanding Group Policy. James Michael Stewart CISSP, TICSA, CIW SA, CCNA, MCSE NT & W2K, iNet+ michael@itinfopros.com. What is Group Policy?. A centralized collection of operational and security controls Available in Active Directory domains

nodin
Download Presentation

Understanding Group Policy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Understanding Group Policy James Michael Stewart CISSP, TICSA, CIW SA, CCNA, MCSE NT & W2K, iNet+ michael@itinfopros.com

  2. What is Group Policy? • A centralized collection of operational and security controls • Available in Active Directory domains • Contains items previously found in system policies and through editing the Registry (i.e. Windows NT) Submit a question anytime by clicking on the Ask a Question link in the bottom left corner of your presentation screen.

  3. Elements of Group Policy • general security controls • audit • user rights • passwords • accounts lockout • Kerberos • Public key policies • IPSec policies

  4. Divisions of Group Policy • Computer Configuration • User Configuration Submit a question anytime by clicking on the Ask a Question link in the bottom left corner of your presentation screen.

  5. Application of Group Policy • Group Policy Objects – GPOs • Can be applied to any AD container • Application order: LSDOU • Local, Site, Domain, Organizational Unit • Last GPO applied takes precedent Submit a question anytime by clicking on the Ask a Question link in the bottom left corner of your presentation screen.

  6. Group Policy Editors • MMC snap-in: Group Policy • Active Directory Domains and Trusts • Active Directory Sites and Services Submit a question anytime by clicking on the Ask a Question link in the bottom left corner of your presentation screen.

  7. GPO Application • Inheritance by default • No Override – prevents other GPOs from changing settings in this GPO • Disabled – this GPO is not applied to this container • Multiple GPOs on same container – application order • Disable Computer Configuration or User Configuration • Set Allow/Deny for Apply Group Policy to control user/group application

  8. GPO Limitations • If a single user is a member of 70 to 80 groups, the respective GPOs may not be applied • Problem caused by Kerberos token size – 70 to 80 groups fills the token and causes an error • Result is no GPOs are applied

  9. GPO Uses • Local GPO • Windows 2000, XP, .NET Submit a question anytime by clicking on the Ask a Question link in the bottom left corner of your presentation screen.

  10. Security Configuration and Analysis • MMC snap-ins: • Security Configuration and Analysis • Security Templates • Used to customize Group Policies a.k.a. security templates. • Several pre-defined security templates for client, server, and DC systems of basic, compatible, secure, and high security. • Analyze current security state

  11. GPO: Password Policy • Min & max password age (0-999) • Min password length (0-14) • History (1 - 24 entries) • Passwords must meet complexity requirements • Store passwords using reversible encryption for all users in the domain

  12. GPO: Accounts Policy • Lockout duration (0 – 99999 minutes) • Failed logon attempts • Counter reset after time limit Submit a question anytime by clicking on the Ask a Question link in the bottom left corner of your presentation screen.

  13. GPO: Audit Policy • Account logon events Account management • Directory service access • Logon events Object access • Policy change Privilege use • Process tracking System events • Object level controls accessed through Advanced Security Properties • Audit policy must be enabled in order for audited events to be recorded in the Security log

  14. GPO: User Rights • To increase security settings, make the following changes: • Log on locally: assigned only to Administrators on Servers • Shutdown the System: assigned only to Administrators, Power Users • Access computer from network: assigned to Users, revoke for Administrators and Everyone • Restore files/directories: revoke for Backup Operators • Bypass traverse checking: assigned to Authenticated Users, revoke for Everyone

  15. GPO: Security Options • Numerous security related controls • Previous found only as Registry edits Submit a question anytime by clicking on the Ask a Question link in the bottom left corner of your presentation screen.

  16. GPO: misc • Scripts • Public Key – EFS • IPSec • Software • Administrative Templates • Templates for Registry alteration

  17. Using GPOs • Group similar users • Place similar users/groups in separate containers (i.e. OUs) • Define universal GPOs at domain level • Define specific GPOs as far down the organizational tree as possible • Avoid changing default inheritance mechanism

  18. Questions? Click on the Ask a Question link in the lower left corner of your screen to ask James Michael Stewart a question.

  19. Thank you for your participation!Did you like this Webcast? Send us your feedback on this event and ideas for other event topics at editor@searchwin2000.com.

More Related