Week 6 - Implement Group Policy

ulani

Presentation Transcript


  1. Week 6 - Implement Group Policy
     • Delegate the Support of Computers
     • Manage Security Settings
     • Manage Software with GPSI
     • Auditing
     • Troubleshooting

  2. Delegation of Control
     [Diagram labels: Domain; OU1, OU2, OU3; Admin1, Admin2, Admin3]
     Delegation of Administration Means:
     • Changing properties on a particular container
     • Creating and deleting objects of a specific type under an organizational unit
     • Updating specific properties on objects of a specific type under an organizational unit

  3. Using the Delegation of Control Wizard
     Tasks for Delegating Control to Users or Groups:
     • Start the Delegation of Control Wizard
     • Select Users or Groups to Which to Delegate Control
     • Assign Tasks to Delegate
     • Select Active Directory Object Type
     • Assign Permissions to Users or Groups

  4. DELEGATION OF CONTROL WIZARD

  5. Guidelines for Delegating Administrative Control
     • Assign Control at the OU Level
     • Use the Delegation of Control Wizard
     • Track the Delegation of Permission Assignments
     • Follow Organizational Guidelines for Delegating Control

  6. View the ACL of an Active Directory Object (Demo)
     • Ensure Advanced Features are enabled in the View menu
     • Properties → Security → Advanced → Edit
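
One way to track delegated permissions (slide 5) by reading the same ACLs that slide 6 shows in the GUI. This is an added example, not part of the original slides; it assumes the ActiveDirectory PowerShell module (RSAT), and the baseline pattern and output file name are assumptions to adjust for your domain.

```powershell
# Added example: report explicit (non-inherited) ACEs on every OU, which is
# where Delegation of Control Wizard assignments end up.
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl below

# Principals treated as part of the default OU ACL and skipped in the report.
# This pattern is an assumption; tune it to your own baseline.
$baseline = '^(NT AUTHORITY\\|BUILTIN\\|Everyone$|.*\\(Domain Admins|Enterprise Admins)$)'

$report = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        # Skip ACEs inherited from a parent and ACEs held by baseline principals.
        if ($ace.IsInherited -or $who -match $baseline) { continue }
        [pscustomobject]@{
            OU          = $ou.DistinguishedName
            Principal   = $who
            Type        = $ace.AccessControlType       # Allow or Deny
            Rights      = $ace.ActiveDirectoryRights   # e.g. CreateChild, WriteProperty
            ObjectType  = $ace.ObjectType              # GUID of the class/property the ACE targets
            AppliesTo   = $ace.InheritedObjectType     # GUID of the child class it applies to
            Inheritance = $ace.InheritanceType
        }
    }
}

# Keep a dated copy so that later runs can be compared against it.
$report | Sort-Object OU, Principal |
    Export-Csv -Path .\ou-delegations.csv -NoTypeInformation
$report | Format-Table OU, Principal, Type, Rights -AutoSize
```

An all-zero GUID in ObjectType means the ACE applies to the whole object rather than to one property or child class.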

  7. Understand Restricted Groups Policies (Demo)
     • Restricted Groups policies enable you to manage the membership of groups.
     • Members
       • Policy is for a local group
       • Specify its members (groups and users)
       • Authoritative
     • Member Of
       • Policy is for a domain group
       • Specify its membership in a local group
       • Cumulative

  8. Define Group Membership with Group Policy Preferences
     • Create, delete, or replace a local group
     • Rename a local group
     • Change the Description
     • Modify group membership
     • Local Group preferences are available in both Computer Configuration and User Configuration

  9. What Is Security Policy Management?
     • Enterprise IT Security Policy → security configuration → settings
     • Manage security configuration
       • Create the security policy
       • Apply the security policy to one or more systems
       • Analyze security settings against the policy
       • Update the policy, or correct the discrepancies on the system
     • Tools
       • Local Group Policy and Domain Group Policy
       • Security Templates snap-in
       • Security Configuration and Analysis snap-in
       • Security Configuration Wizard

  10. Configure the Local Security Policy
     [Screenshot labels: Local Security Policy; Domain Group Policy]

  11. Manage Security Configuration with Security Templates (Demo)
     • Settings are a subset of domain GPO settings but different than local GPO
     • Security Templates
       • Plain text files
       • Can be applied directly to a computer
         • Security Configuration & Analysis
         • Secedit.exe
       • Can be deployed with Group Policy
       • Can be used to analyze a computer's current security settings against the security template's

  12. Use Security Configuration and Analysis
     • Build-your-own MMC
     • Create a database
       • Import template(s)
     • Use the database
       • Analyze computer
       • Correct discrepancies
       • Configure computer
       • Export as template
     • Secedit.exe
     [Diagram labels: ModifyDatabase; ImportTemplate; ExportTemplate; AnalyzeComputer; Configure; ImportPolicy; GroupPolicy]
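
The database workflow from slides 11 and 12 driven from the command line with Secedit.exe. This is an added example, not part of the original slides; the template path and working folder are hypothetical, and the "Mismatch" line format matched in the log is an assumption about how secedit writes its analysis log.

```powershell
# Added example: validate a security template, analyze this computer against
# it, list the discrepancies, and export the database back to a template.
# Run from an elevated prompt.
$template = 'C:\SecTemplates\baseline.inf'   # hypothetical template path
$work     = 'C:\SecAnalysis'                 # hypothetical working folder
$db       = Join-Path $work 'baseline.sdb'
$log      = Join-Path $work 'analyze.log'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Check the template syntax before importing it anywhere.
secedit /validate $template

# 2. Create the database from the template and analyze the computer.
#    /overwrite replaces any template already stored in the database.
secedit /analyze /db $db /cfg $template /overwrite /log $log /quiet

# 3. Correct discrepancies: first see what differs from the template.
#    Get-Content detects the log's encoding from its byte order mark.
$mismatches = Get-Content -Path $log |
    Select-String -Pattern '^\s*Mismatch\s*-\s*(.+?)\.?\s*$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value }
"{0} setting(s) differ from the template" -f @($mismatches).Count
$mismatches | Sort-Object -Unique

# 4. Configure computer: applies the database settings to this machine.
#    Left commented out so the analysis can be reviewed first.
# secedit /configure /db $db /log (Join-Path $work 'configure.log') /quiet

# 5. Export as template: write the database contents to a new .inf file.
secedit /export /db $db /cfg (Join-Path $work 'exported.inf') /quiet
```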

  13. The Security Configuration Wizard (Demo)
     • Security policy: .xml file that configures
       • Role-based service configuration
       • Network security, including firewall rules
       • Registry values
       • Audit policy
     • Can incorporate a security template (.inf)
     • Create the policy
     • Edit the policy
     • Apply the policy
     • Roll back the policy
     • Transform the policy into a Group Policy object
       • scwcmd transform /p:"MySecurity.xml" /g:"My New GPO"

  14. Understand Group Policy Software Installation (GPSI)
     • Client-side extension (CSE)
     • Installs supported packages
       • Windows Installer packages (.msi)
         • Optionally modified by Transform (.mst) or patches (.msp)
         • GPSI automatically installs with elevated privileges
       • Downlevel application package (.zap)
         • Supported by “publish” option only
         • Requires user has admin privileges
       • SCCM and other deployment tools can support a wider variety of installation and configuration packages
     • No “feedback”
       • No centralized indication of success or failure
       • No built-in metering, auditing, license management

  15. Assigning Software
     • Assigning in User Configuration: The application is installed the next time the user activates the application
     • Assigning in Computer Configuration: The application is installed the next time the computer starts up
     [Diagram labels: Start; Software Distribution Point]

  16. Publishing Software
     • Add/Remove Programs: The application is installed when the user selects it from Add/Remove Programs in Control Panel
     • Document Activation: The application is installed when the user double-clicks an unknown file type
     [Diagram label: Software Distribution Point]

  17. Software Deployment Tasks
     • Acquire a Windows Installer package file (.msi file)
     • Place the package on a software distribution point
     • Create or modify a GPO
     • Configure the GPO

  18. Create and Scope a Software Deployment GPO
     • Computer [or User] Configuration \ Policies \ Software Settings \ Software Installation
       • Right-click → New → Package
       • Browse to .msi file through network path (\\server\share)
       • Choose deployment option (recommend: Advanced)
     • Managing the scope of a software deployment GPO
       • Typically easiest to manage with security group filtering
       • Create an app group, for example APP_XML Notepad
       • Put users into the group
       • Put computers into the group if assigning to computers

  19. Maintain Software Deployed with GPSI
     • Redeploy application
       • After successful install, client will not attempt to reinstall app
       • You might make a change to the package
       • Package → All Tasks → Redeploy Application
     • Upgrade application
       • Create new package in same or different GPO
       • Advanced → Upgrades → Select package to upgrade
       • Uninstall old version first; or install over old version
     • Remove application
       • Package → All Tasks → Remove
       • Uninstall immediately (forced removal) or Prevent new installations (optional removal)
       • Don’t delete or unlink GPO until all clients have applied setting

  20. An Overview of Audit Policies
     • Audit events in a category of activities
       • Access to NTFS files/folders
       • Account or object changes in Active Directory
       • Logon
       • Assignment or use of user rights
     • By default, DCs audit success events for most categories
     • Goal: Align audit policies with corporate security policies and reality
       • Over-auditing: logs are too big to find the events that matter
       • Under-auditing: important events are not logged
       • Tools that help you consolidate and crunch logs can be helpful

  21. Account Logon and Logon Events
     [Diagram labels: Account Logon Event; Logon Event; Logon Event]
     • Account logon events
       • Registered by the system that authenticates the account
         • domain controllers
         • local computer
     • Logon events
       • Registered by the machine at which (or to which) a user logged on
         • Interactive logon: user's system
         • Network logon: server
           • Access a network share

  22. Scoping Audit Policies
     [Diagram labels: Default Domain Controllers Policy; Account Logon Events; Custom GPO; Logon Events; Remote Desktop Servers; Domain Controllers; HR Clients]

  23. Recommended Audit Events

  24. Setting Up Auditing -- Two Steps
     • Step 1 - Set the audit policy: Enables auditing of objects but does not activate auditing of specific types
     • Step 2 - Enable auditing of specific resources: The specific events to track for files, folders, printers, and Active Directory objects must be identified

  25. Step 1 - Setting Up an Audit Policy
     • Categories of events
     • Configuration settings: Track successful or failed attempts
     • Audit policies are set in the Group Policy snap-in.

  26. 50 new Sub-Categories in 2008
     • E.g. Object Access has 11 sub-categories:
       • File System
       • Registry
       • Kernel Object
       • SAM
       • Certification Services
       • Application Generated
       • Handle Manipulation
       • File Share
       • Filtering Platform Packet Drop
       • Filtering Platform Connection
       • Other Object Access Events
     • Enabling auditing of a category with the Group Policy Management Console enables all of its sub-categories, which produces a lot of unwanted auditing
     • Use AuditPol.exe to manually enable an individual sub-category

  27. Step 2 – Enable Auditing Specific Resources (Demo)
     • Files and folders to be audited must be on Microsoft Windows NTFS volumes.
     • Auditing for specific files and folders is enabled from the Advanced Properties sheet of the object to be audited
     • Specify which types of access to audit, either by users or by groups.
     • Same method for auditing Printers or other Active Directory Objects

  28. Audit Policy Guidelines
     • Determine the computers on which to set up auditing.
     • Plan the events to audit on each computer.
     • Audit resource access by the Everyone group instead of the Users group.
     • Determine whether to audit the success of events, failure of events, or both.
     • Tracking successful events identifies which users gained access to specific files, printers, or objects, information that can be used for resource planning.
     • Tracking failed events may alert the administrator of possible security breaches.

  29. View Logon Events
     • Security log of the system that generated the event
       • The DC that authenticated the user: account logon
         • Note: Not replicated to other DCs
       • The system to which the user logged on or connected: logon
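
Because account logon events stay on the DC that authenticated the user, a review has to query every DC, while logon events are read from the machine that was logged on to (slides 21 and 29). This is an added example, not part of the original slides; the server name and time window are hypothetical, and the event IDs (4768, 4771, 4776 for account logon; 4624, 4625 for logon) are not on the slides.

```powershell
# Added example: collect account logon events from all DCs and logon events
# from one member server. Needs the ActiveDirectory module, rights to read
# the remote Security logs, and remote event log access through the firewall.
Import-Module ActiveDirectory
$since  = (Get-Date).AddHours(-24)   # assumed review window
$server = 'FILESRV01'                # hypothetical member server

function Get-SecEvent($Computer, [int[]]$Id) {
    try {
        Get-WinEvent -ComputerName $Computer -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = $Id; StartTime = $since }
    } catch {
        # Also raised when the log simply has no matching events.
        Write-Warning "${Computer}: $($_.Exception.Message)"
    }
}

# Account logon events: 4768 (Kerberos TGT requested), 4771 (Kerberos
# pre-authentication failed), 4776 (NTLM credential validation).
$accountLogon = foreach ($dc in Get-ADDomainController -Filter *) {
    Get-SecEvent $dc.HostName 4768, 4771, 4776
}
$accountLogon | Group-Object MachineName, Id |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# Logon events on the system that was logged on to: 4624 (success) and
# 4625 (failure). LogonType 2 = interactive, 3 = network (e.g. a share).
$logon = Get-SecEvent $server 4624, 4625 | ForEach-Object {
    $d = @{}
    ([xml]$_.ToXml()).Event.EventData.Data |
        ForEach-Object { $d[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Id        = $_.Id
        User      = $d.TargetUserName
        LogonType = $d.LogonType
        Source    = $d.IpAddress
    }
}
$logon | Where-Object Id -eq 4625 | Group-Object User, Source |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```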

  30. Evaluate Events in the Security Log
     • Security Log
     • The security log is limited in size.
     • The amount of disk space to devote to the security log must be considered.
     • Review the log frequently
     • The Manage Auditing And Security Log user right for the computer is necessary to configure an audit policy or review an audit log.

  31. Group Policy Tools

  32. Resultant Set of Policy
     • Inheritance, filters, loopback, and other policy scope and precedence factors are complex!
     • RSoP
       • The "end result" of policy application
       • Tools to help evaluate, model, and troubleshoot the application of Group Policy settings
     • RSoP analysis
       • The Group Policy Results Wizard
       • The Group Policy Modeling Wizard
       • GPResult.exe

  33. Generate RSoP Reports
     • Group Policy Results Wizard
       • Queries WMI to report actual Group Policy application
     • Requirements
       • Administrative credentials on the target computer
       • Access to WMI (firewall)
       • User must have logged on at least once
     • RSoP report
       • Can be saved
       • View in Advanced mode
         • Shows some settings that do not show in the HTML report
       • View Group Policy processing events
     • GPResult.exe /s ComputerName /h filename

  34. Perform What-If Analyses with the Group Policy Modeling Wizard
     • Group Policy Modeling Wizard
       • Emulates Group Policy application to report anticipated RSoP

  35. Examine Policy Event Logs (Demo)
     • System log
       • High-level information about Group Policy
       • Errors elsewhere in the system that could impact Group Policy
     • Application log
       • Events recorded by CSEs
     • Group Policy Operational log
       • Detailed trace of Group Policy application
