Published by: api-27605687 on Oct 16, 2008
Copyright: Attribution Non-commercial

Chapter 23: Managing and Maintaining Group Policy

In this chapter, you will learn how to
• Configure User and Computer Security settings in Group Policy
• Configure an audit policy
• Deploy software through Group Policy
• Troubleshoot issues related to Group Policy application and deployment

Once you have the basics down about Group Policy behavior, Security settings and Software settings are just two more examples of the capabilities that a Group Policy can be set to manage. If it sounds simple, stay tuned. There's still quite a bit to learn about implementing both of these technologies. Each requires specialized knowledge that you're sure to encounter on the 70-294 exam.

This chapter will help you use Group Policy Objects to configure a system's Security settings, as well as to deploy and manage software. The software managed with Group Policy can be made available to both users and computers in the Active Directory enterprise.

Configuring User and Computer Security Settings Group Policy

In Chapter 22, we examined several ways that Group Policies could manage the computing environment. Yet another example of the settings a Group Policy can be used for is the Security settings. Several areas of the computing environment can be secured with Group Policy's many settings. You access the security areas from the Windows Settings folder in each of the User Configuration and Computer Configuration nodes, as shown in Figure 23-1.

MCSE Windows Server 2003 All-in-One Exam Guide
The settings include the following:
• Account Policies: These settings apply to user accounts, including password, account lockout, and Kerberos-related settings.

• Local Policies: These settings are based on the computer you are logged on to, and they affect the abilities a user has over that system. The Local Policies settings include Audit Policies, User Rights Assignments, and Security Options.

• Event Log: These settings define the properties of the Application, Security, and System logs in the Event Viewer, along with access rights to each log file and retention settings.

• Restricted Groups: These settings are used to govern group membership. One significant security issue Microsoft found was that users, especially in larger environments, would be added to groups and then never removed. This also applied to former administrators: the person would leave the company, but the account would remain, leaving a security hazard to the domain. With Restricted Groups, you can control the membership of groups like Administrators, Power Users, Print Operators, and Domain Admins through Group Policy settings. Configuring Restricted Groups ensures the group memberships are set as specified by the editor of the Group Policy and are not subject to change.

Figure 23-1: The multitude of security-related settings

• System Services: These settings are used to configure the startup behavior of services running on a computer. The configurable startup settings include Automatic, Manual, and Disabled. They also define which user accounts will have permission to read, write, delete, start, stop, or execute the service.

• Registry: These settings are used to configure security on specific registry keys.

• File System: These settings are employed to configure security on specific file paths. The Access Control List (ACL) to a file or folder is set through a Group Policy.

• Wireless Network Policies: These settings allow you to create and manage wireless network policies. A wizard interface will help you create each policy. They can be used to define which wireless networks a system can communicate with by using a wireless network number known as a service set identifier (SSID).

• Public Key Policies: These settings are used to define encrypted data recovery agents, domain roots, and trusted certificate authorities.

• Software Restriction Policies: These policies let you manage which software can run on a particular computer. This can be an important security level if you are worried about users downloading and running untrusted software in your network. For example, you can use these policies to block certain file type attachments from running in your e-mail program. Software Restriction Policies settings are set by first configuring a default security level of Unrestricted, which allows all programs to run within the context of the user currently logged on, or Disallowed, which does not allow programs to run. You then set up rules that provide exceptions to the default security level. These rules can be based on hash algorithms or certificates, both of which are used to uniquely identify software. Other rules include path rules, which potentially let users use software if it is located in a specific directory or registry path, or Internet Zone rules, which identify software from a certain zone specified through Internet Explorer.

• IP Security Policies: These settings are for configuring secure IP traffic. You can use this area to set encryption rules for inbound and outbound traffic, and also specify particular networks or individual computers with which your system can communicate. Much like the Software Restriction Policies settings, IP Security Policies settings are exception-based, configured by either accepting or rejecting traffic based on a set of conditions. The different permutations of IP Security Policies are virtually infinite. There are three editable, preconfigured policies to help you on your way: Server, Client, and Secure Server.
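
The default-level-plus-exceptions model described for Software Restriction Policies above, as an added Python sketch that is not from the book: it models only hash and path rules, uses SHA-256 as a stand-in for the file hash, and applies Microsoft's documented precedence (hash rules before path rules, the most specific path rule first). All paths, rule values, and names such as evaluate and decide are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath

UNRESTRICTED, DISALLOWED = "Unrestricted", "Disallowed"

@dataclass(frozen=True)
class Rule:
    kind: str   # "hash" or "path" (certificate and zone rules are not modelled)
    value: str  # hex digest of the file, or the folder a path rule covers
    level: str  # UNRESTRICTED or DISALLOWED

def _parts(path):
    # Windows paths are case-insensitive, so compare lowercased components.
    return tuple(p.lower() for p in PureWindowsPath(path).parts)

def evaluate(path, content, rules, default_level):
    """Return (level, reason) for one program launch in this model."""
    digest = hashlib.sha256(content).hexdigest()
    for r in rules:  # hash rules identify the file itself, wherever it sits
        if r.kind == "hash" and r.value == digest:
            return r.level, "hash rule"
    target, best, best_len = _parts(path), None, 0
    for r in rules:  # among path rules, the longest matching folder wins
        folder = _parts(r.value)
        if r.kind == "path" and target[:len(folder)] == folder and len(folder) > best_len:
            best, best_len = r, len(folder)
    if best is not None:
        return best.level, "path rule " + best.value
    return default_level, "default security level"

# Constructed policy: default Disallowed, with exceptions layered on top.
BLOCKED_TOOL = b"constructed bytes standing in for an unwanted program"
POLICY = [
    Rule("path", r"C:\Program Files", UNRESTRICTED),
    Rule("path", r"C:\Windows", UNRESTRICTED),
    Rule("path", r"C:\Program Files\Mail\Attachments", DISALLOWED),
    Rule("hash", hashlib.sha256(BLOCKED_TOOL).hexdigest(), DISALLOWED),
]

def decide(path, content=b""):
    return evaluate(path, content, POLICY, DISALLOWED)

if __name__ == "__main__":
    for p, c in [(r"C:\Program Files\Office\winword.exe", b""),
                 (r"c:\program files\mail\attachments\invoice.exe", b""),
                 (r"C:\Program Files Extra\setup.exe", b""),
                 (r"C:\Program Files\Tools\tool.exe", BLOCKED_TOOL)]:
        print(p, "->", decide(p, c))
```

The third sample path shows why the path comparison works on whole folder components: "Program Files Extra" does not inherit the exception granted to "Program Files" and falls through to the default level.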

As you can see, hundreds of settings can affect the security of a system or a network. Memorizing all of these settings is impossible and would not be helpful for purposes of the exam. However, you still need to be familiar with some of the configurable settings. Each of the Security settings could have several pages or even entire chapters of material explaining the various purposes of the settings here. Covering each of them in exhaustive detail is outside the scope of this book.

As mentioned at the beginning of Chapter 22, it would be in your best interest to experiment with some of the settings in a test environment. Of special import are the Software
