www.technocorp.co.in

Managing Enterprise Security and Configuration with Group Policy Settings

Module Overview

Delegate the Support of Computers
Manage Security Settings
Manage Software with GPSI
Auditing
Software Restriction Policy and AppLocker

Delegate the Support of Computers


What Are Restricted Groups?
Demonstration: Delegate Administration by Using Restricted Groups Policies
Define Group Membership with Group Policy Preferences

What Are Restricted Groups?


Restricted Groups policies enable you to manage the membership of groups

Member Of
  Policy is for a domain group
  Specify its membership in a local group
  Cumulative

Members
  Policy is for a local group
  Specify its members (groups and users)
  Authoritative
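
The two policy types are stored in a GPO's security template (GptTmpl.inf) as `__Memberof` and `__Members` keys under `[Group Membership]`. The following is an added example, not part of the original slides, that reads such a section and reports which entries are cumulative and which are authoritative; the SIDs are constructed placeholders and `Get-RestrictedGroupSetting` is a hypothetical helper name.

```powershell
# Constructed [Group Membership] section; the domain SID and RIDs are placeholders.
# S-1-5-32-544 is the well-known SID of the local Administrators group.
$template = @'
[Group Membership]
*S-1-5-21-1111-2222-3333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111-2222-3333-1105__Members =
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-512,*S-1-5-21-1111-2222-3333-1105
'@

# Hypothetical helper: returns one object per non-empty Restricted Groups entry.
function Get-RestrictedGroupSetting {
    param([Parameter(Mandatory)][string]$InfText)
    $inSection = $false
    foreach ($raw in ($InfText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Track whether we are inside the [Group Membership] section
            $inSection = ($Matches[1] -eq 'Group Membership')
        }
        elseif ($inSection -and $line -match '^(.+?)__(Memberof|Members)\s*=\s*(.*)$') {
            $group, $policy, $list = $Matches[1], $Matches[2], $Matches[3]
            $values = @($list -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            if ($values.Count -eq 0) { continue }   # key present but nothing configured
            if ($policy -eq 'Members') {
                $effect = 'Authoritative: membership of Group is replaced by Values'
            } else {
                $effect = 'Cumulative: Group is added to each group in Values'
            }
            [pscustomobject]@{
                Group  = $group
                Policy = $policy
                Effect = $effect
                Values = $values -join ', '
            }
        }
    }
}

Get-RestrictedGroupSetting -InfText $template | Format-List
```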

Demonstration: Delegate Administration by Using Restricted Groups Policies


In this demonstration, you will see how to:
  Add a domain support group to the local Administrators group of client computers
  Define the authoritative membership of the local Administrators group of client computers

Define Group Membership with Group Policy Preferences


Create, delete, or replace a local group
Rename a local group
Change the Description
Modify group membership
Local Group preferences are available in both Computer Configuration and User Configuration

Manage Security Settings


What Is Security Policy Management?
Configure the Local Security Policy
Manage Security Configuration with Security Templates
Demonstration: Create and Deploy Security Templates
Use Security Configuration and Analysis
Security Configuration Wizard
Settings, Templates, Policies, and GPOs

What Is Security Policy Management?


Enterprise IT Security Policy security configuration settings

Manage security configuration
  Create the security policy
  Apply the security policy to one or more systems
  Analyze security settings against the policy
  Update the policy, or correct the discrepancies in the system

Tools
  Local Group Policy and Domain Group Policy
  Security Templates snap-in
  Security Configuration and Analysis snap-in
  Security Configuration Wizard

Configure the Local Security Policy



Local Security Policy

Domain Group Policy

Manage Security Configuration with Security Templates


Settings are a subset of domain GPO settings but different than local GPO

Security Templates
  Plain text files
  Can be applied directly to a computer
    Security Configuration and Analysis
    Secedit.exe
  Can be deployed with Group Policy
  Can be used to analyze a computer's current security settings against the security template's

Demonstration: Create and Deploy Security Templates


In this demonstration, you will see how to:
  Build a custom MMC with the Security Templates snap-in
  Create a security template
  Import the template into the Security Settings node of a GPO

Use Security Configuration and Analysis


Modify Database

Build your own MMC
Create a database
  Import template(s)
Use the database
  Analyze computer
  Correct discrepancies
  Configure computer
  Export as template

Import Template
Export Template

Analyze Computer

Secedit.exe

Import Policy

Group Policy
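
A scriptable version of the "analyze computer against a template" step, added here as an example and not taken from the original slides: it exports the computer's current settings with `secedit /export` and compares them with a template's `[System Access]` values. This is a plain INF comparison rather than the snap-in's database analysis; the template values, file paths and the `ConvertFrom-SecurityInf` helper are constructed for illustration.

```powershell
# Requires an elevated prompt on Windows. Paths and baseline values are constructed.
$work     = Join-Path $env:TEMP 'sectemplate-check'
$baseline = Join-Path $work 'baseline.inf'
$current  = Join-Path $work 'current.inf'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Constructed security template (plain-text .inf)
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
LockoutBadCount = 5
'@ | Set-Content -Path $baseline -Encoding Unicode

# Hypothetical helper: flattens an .inf file into "Section\Key" = "Value" pairs.
function ConvertFrom-SecurityInf {
    param([Parameter(Mandatory)][string]$Path)
    $settings = @{}
    $section  = ''
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1] }
        elseif ($line -match '^\s*([^=;]+?)\s*=\s*(.*?)\s*$') {
            $settings["$section\$($Matches[1])"] = $Matches[2]
        }
    }
    $settings
}

# Export the computer's current security policy settings to an .inf file
secedit /export /cfg $current /areas SECURITYPOLICY /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }

$want = ConvertFrom-SecurityInf -Path $baseline
$have = ConvertFrom-SecurityInf -Path $current

# Report every template setting next to the computer's value
$want.Keys | Where-Object { $_ -like 'System Access\*' } | Sort-Object | ForEach-Object {
    [pscustomobject]@{
        Setting  = $_
        Template = $want[$_]
        Computer = $have[$_]
        Match    = ($want[$_] -eq $have[$_])
    }
} | Format-Table -AutoSize
```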

Security Configuration Wizard


Security policy: An .xml file that configures
  Role-based service configuration
  Network security, including firewall rules
  Registry values
  Audit policy
Can incorporate a security template (.inf)

Create the policy
Edit the policy
Apply the policy
Roll back the policy
Transform the policy into a GPO
  scwcmd transform /p:"MySecurity.xml" /g:"My New GPO"

Settings, Templates, Policies, and GPOs


Direct configuration of security-related settings
  Local Security Policy

Security templates
  .inf files that define a wide variety of security settings
  Security Templates, Security Configuration and Analysis
  Import into a GPO

Security policies
  Are .xml files that define role-based service startup, firewall rules, audit policies, and registry settings
  Can include security templates
  Security Configuration Wizard or scwcmd.exe
  Transform into a GPO by using scwcmd

Modify GPO

Manage Software with GPSI


Understand GPSI
Software Deployment Options
Demonstration: Create a Software Distribution Point
Create and Scope a Software Deployment GPO
Maintain Software Deployed with GPSI
GPSI and Slow Links

Understand GPSI

Client-side extension (CSE)

Installs supported packages
  Windows Installer packages (.msi)
    Optionally modified by Transform (.mst) or patches (.msp)
    GPSI automatically installs with elevated privileges
  Downlevel application package (.zap)
    Supported by publish option only
    Requires user to have admin privileges
  System Center Configuration Manager and other deployment tools can support a wider variety of installation and configuration packages

No feedback
  No centralized indication of success or failure
  No built-in metering, auditing, license management

Software Deployment Options


Software deployment options

Assign application to users
  Start menu shortcuts appear
  Install-on-demand
  File associations made (optional Auto Install)
  Install-on-document invocation
  Optionally, configure to install at logon

Publish application to users
  Advertised in Programs And Features (Control Panel)
  Install-on-request

Assign to computers
  Install at startup

Demonstration: Create a Software Distribution Point



In this demonstration, you will see how to: Create a software distribution point

Create and Scope a Software Deployment GPO


Computer [or User] Configuration \ Policies \ Software Settings \ Software Installation
  Right-click > New > Package
  Browse to .msi file through network path (\\server\share)
  Choose deployment option (Recommended: Advanced)

Managing the scope of a software deployment GPO
  Typically easiest to manage with security group filtering
  Create an app group such as APP_XML Notepad
  Put users into the group: allows users to access software share in the event that repairs or reinstalls are necessary
  Put computers into the group if assigning to computers

Maintain Software Deployed with GPSI


Redeploy application
  After successful install, client will not attempt to reinstall app
  You might make a change to the package
  Package > All Tasks > Redeploy Application

Upgrade application
  Create new package in same or different GPO
  Advanced > Upgrades > Select package to upgrade
  Uninstall old version first; or install over old version

Remove application
  Package > All Tasks > Remove
  Uninstall immediately (forced removal) or Prevent new installations (optional removal)
  Don't delete or unlink GPO until all clients have applied setting

GPSI and Slow Links



The Group Policy Client determines whether the domain controller providing GPOs is on the other side of a slow link
Less than 500 kbps by default

Each CSE uses the slow link determination to decide whether to process
By default, GPSI does not process over a slow link

You can change slow link processing behavior of each CSE


Computer Configuration\Policies\Administrative Templates\System\Group Policy

You can change the slow link threshold


Computer [or User] Configuration\Policies\Administrative Templates\System\Group Policy

Auditing

Overview of Audit Policies
Specify Auditing Settings on a File or a Folder
Enable Audit Policy
Evaluate Events in the Security Log

Overview of Audit Policies


Audit events in a category of activities
  Access to NTFS files/folders
  Account or object changes in Active Directory
  Logon
  Assignment or use of user rights

By default, domain controllers audit success events for most categories

Goal: Align audit policies with corporate security policies and reality
  Over-auditing: Logs are too big to find the events that matter
  Under-auditing: Important events are not logged
  Tools that help you consolidate and crunch logs can be helpful

Specify Auditing Settings on a File or a Folder


Modify the system access control list (SACL)
  Properties > Advanced > Auditing > Edit

Enable Audit Policy

Enable auditing for Object Access: Success and/or Failure
GPO must be scoped to the server
Success/Failure policy setting must match auditing settings (success/failure)

Evaluate Events in the Security Log



Security Log

Summary
Audit Object Access policy must be enabled to audit Success or Failure
GPO must be scoped to the server
SACL must be configured to audit successful or failed access
Security Log must be examined
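
The three pieces in the summary (SACL, Object Access audit policy, Security log) can be set and checked from one elevated PowerShell session. This is an added example, not part of the original slides; the folder path and principal are assumptions, and event IDs 4656 and 4663 are the Windows object-access events for handle requests and access attempts, which the slides do not name.

```powershell
# Run elevated on the file server. $folder and $principal are assumptions for this example.
$folder    = 'D:\Shares\Confidential'
$principal = 'Everyone'

# 1. SACL: audit failed write and delete attempts on the folder and its contents.
$rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]::Failure
$rule    = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
               -ArgumentList $principal, $rights, $inherit, $prop, $flags

$acl = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# 2. Audit policy: show what the GPO actually delivered for Object Access.
#    Failure auditing must be enabled here, or the Failure entry above logs nothing.
auditpol /get /category:"Object Access"

# 3. Security log: handle requests (4656) and access attempts (4663) under $folder.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } -MaxEvents 500 `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the event's named data fields into a hashtable
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ObjectName'] -like "$folder*") {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Result  = ($_.KeywordsDisplayNames -join ',')
                User    = $data['SubjectUserName']
                Object  = $data['ObjectName']
                Process = $data['ProcessName']
            }
        }
    } | Format-Table -AutoSize
```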

Software Restriction Policy and AppLocker


What Is a Software Restriction Policy?
Overview of Application Control Policies
Compare AppLocker and Software Restriction Policies
Demonstration: How to Configure Application Control Policies

What Is a Software Restriction Policy?


SRPs allow administrators to identify which applications are allowed to run on client computers

SRPs can be based on the following:
  Hash
  Certificate
  Path
  Zone

SRPs are applied through Group Policy

Overview of Application Control Policies


Application Control Policies are applied in Windows Server 2008 R2 and Windows 7 by using AppLocker

AppLocker contains new capabilities and extensions that reduce administrative overhead and help administrators control how users can access and use files, such as .exe files, scripts, Windows Installer files (.msi and .msp files), and DLLs

Benefits of AppLocker:
  Controls how users can access and run all types of applications
  Allows the definition of rules based on a wide variety of variables
  Provides for importing and exporting entire AppLocker policies

Compare AppLocker and Software Restriction Policies

| Feature | SRP | AppLocker |
| --- | --- | --- |
| Rule scope | Specific user or group (per GPO) | Specific users or groups (per rule) |
| Rule conditions provided | File hash, path, certificate, registry path, Internet zone | File hash, path, publisher |
| Rule types provided | Allow and Deny | Allow and Deny |
| Default Rule action | Allow and deny | Implicit Deny |
| Audit only mode | No | Yes |
| Wizard to create multiple rules at one time | No | Yes |
| Policy import or export | No | Yes |
| Rule collection | No | Yes |
| Windows PowerShell support | No | Yes |
| Custom error messages | No | Yes |

Demonstration: How to Configure Application Control Policies


In this demonstration, you will see how to:
  Create a GPO to enforce the default AppLocker Executable rules
  Apply the GPO to the domain
  Test the AppLocker rule
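
The "test the rule" step can be done without launching anything, using the AppLocker PowerShell cmdlets. This is an added example, not part of the original demonstration; the test file name is an assumption, and the script assumes it runs on a client in scope of the GPO after Group Policy has refreshed.

```powershell
# Run on a client in scope of the GPO after 'gpupdate /force'.
Import-Module AppLocker

# 1. Which rule collections reached this computer, and are they enforced or audit-only?
$xml = [xml](Get-AppLockerPolicy -Effective -Xml)
$xml.AppLockerPolicy.RuleCollection |
    Select-Object Type, EnforcementMode, @{ n = 'Rules'; e = { @($_.ChildNodes).Count } } |
    Format-Table -AutoSize

# 2. The Application Identity service must be running for rules to be evaluated.
Get-Service -Name AppIDSvc | Select-Object Name, Status

# 3. Dry-run the policy against one binary in a default-allowed path and one copy of it
#    in a user-writable path (assumes %TEMP% is under the user profile, not under %WINDIR%).
$allowed = Join-Path $env:WINDIR 'System32\notepad.exe'
$copy    = Join-Path $env:TEMP 'applocker-test-notepad.exe'   # assumed test file name
Copy-Item -Path $allowed -Destination $copy -Force

Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $allowed, $copy -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
# With only the default Executable rules in place, the System32 file is Allowed
# and the copy outside Windows and Program Files is DeniedByDefault.

Remove-Item -Path $copy
```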