
Understanding Group Policy

James Michael Stewart
CISSP, TICSA, CIW SA, CCNA, MCSE NT & W2K, iNet+
michael@itinfopros.com

What is Group Policy?
- A centralized collection of operational and security controls
- Available in Active Directory domains
- Contains items previously found in system policies and through editing the Registry (i.e. Windows NT)

Submit a question anytime by clicking on the Ask a Question link in the bottom left corner of your presentation screen.
Elements of Group Policy
- General security controls
- Audit
- User rights
- Passwords
- Account lockout
- Kerberos
- Public key policies
- IPSec policies

Divisions of Group Policy
- Computer Configuration
- User Configuration

Application of Group Policy
- Group Policy Objects – GPOs
- Can be applied to any AD container
- Application order: LSDOU
  - Local, Site, Domain, Organizational Unit
- Last GPO applied takes precedence

Group Policy Editors
- MMC snap-in: Group Policy
- Active Directory Domains and Trusts
- Active Directory Sites and Services

GPO Application
- Inheritance by default
- No Override – prevents other GPOs from changing settings in this GPO
- Disabled – this GPO is not applied to this container
- Multiple GPOs on same container – application order
- Disable Computer Configuration or User Configuration
- Set Allow/Deny for Apply Group Policy to control user/group application
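The following is an added example (not from the presentation and not Windows code) that models the rules in the two slides above: LSDOU order with the last-applied GPO winning, No Override, Disabled links, the per-container application order, disabling one configuration section, and Allow/Deny on the Apply Group Policy permission. GPO names, container names, group names and setting names are constructed for illustration.

```python
"""Model of how GPOs are resolved for one computer or user: LSDOU order, last-applied
wins, No Override, Disabled links, per-container link order, disabled sections and
Allow/Deny of the "Apply Group Policy" permission.

Added example; it is not Windows code. GPO names, containers, group names and the
setting names are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    computer: dict = field(default_factory=dict)   # Computer Configuration settings
    user: dict = field(default_factory=dict)       # User Configuration settings
    no_override: bool = False          # "No Override": lower GPOs cannot change its settings
    disabled: bool = False             # the GPO is not applied to this container at all
    computer_disabled: bool = False    # Computer Configuration part switched off
    user_disabled: bool = False        # User Configuration part switched off
    deny_apply: set = field(default_factory=set)   # groups with Deny on "Apply Group Policy"
    allow_apply: set = field(default_factory=set)  # groups with Allow; empty = everyone


def applies(gpo, section, groups):
    """Filters from the slides: disabled links, disabled sections, and Allow/Deny on
    "Apply Group Policy" (a Deny on any of the principal's groups wins over Allow)."""
    if gpo.disabled:
        return False
    if section == "computer" and gpo.computer_disabled:
        return False
    if section == "user" and gpo.user_disabled:
        return False
    if gpo.deny_apply & groups:
        return False
    return not gpo.allow_apply or bool(gpo.allow_apply & groups)


def resolve(links, section, groups):
    """links: [(container, [GPOs in the order they are applied])] listed Local, Site,
    Domain, OU... (LSDOU). Returns (effective settings, which GPO set each one).
    Later GPOs overwrite earlier ones; No Override GPOs are applied after all others,
    with the one highest in the hierarchy winning among them."""
    ordinary, enforced = [], []
    for _container, gpos in links:
        for gpo in gpos:
            if applies(gpo, section, groups):
                (enforced if gpo.no_override else ordinary).append(gpo)
    effective, source = {}, {}
    for gpo in ordinary + list(reversed(enforced)):
        for key, value in (gpo.computer if section == "computer" else gpo.user).items():
            effective[key] = value
            source[key] = gpo.name
    return effective, source


# Constructed sample hierarchy for a workstation in OU=Lab under corp.example
LOCAL = GPO("Local", computer={"MinPasswordLength": 0, "AuditLogon": "None"},
            user={"Wallpaper": "default.bmp"})
SITE = GPO("Site-HQ", computer={"AuditLogon": "Success"})
DOMAIN = GPO("Default Domain Policy", no_override=True,
             computer={"MinPasswordLength": 8, "AuditLogon": "Success,Failure"},
             user={"Wallpaper": "corp.bmp"})
OLD_LAB = GPO("Old Lab GPO", computer={"ScreenSaverTimeout": 60}, disabled=True)
LAB = GPO("Lab Workstations", user_disabled=True,
          computer={"MinPasswordLength": 6, "AuditLogon": "None", "ScreenSaverTimeout": 600},
          user={"Wallpaper": "lab.bmp"})
KIOSK = GPO("Kiosk Lockdown", computer={"ScreenSaverTimeout": 30},
            deny_apply={"Lab Admin PCs"})

LINKS = [("Local", [LOCAL]), ("Site HQ", [SITE]), ("corp.example", [DOMAIN]),
         ("OU=Lab", [OLD_LAB, LAB, KIOSK])]

if __name__ == "__main__":
    for groups in ({"Domain Computers"}, {"Domain Computers", "Lab Admin PCs"}):
        eff, src = resolve(LINKS, "computer", groups)
        print(sorted(groups))
        for key in sorted(eff):
            print(f"  {key} = {eff[key]}  (from {src[key]})")
```

Running the module shows the OU GPO's weaker password length losing to the domain GPO because of No Override, the Kiosk GPO being skipped for machines in the denied group, and the lab GPO's User Configuration having no effect because that section is disabled.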

GPO Limitations
- If a single user is a member of 70 to 80 groups, the respective GPOs may not be applied
- Problem caused by Kerberos token size – 70 to 80 groups fills the token and causes an error
- Result is no GPOs are applied

GPO Uses
- Local GPO
  - Windows 2000, XP, .NET

Security Configuration and Analysis
- MMC snap-ins:
  - Security Configuration and Analysis
  - Security Templates
- Used to customize Group Policies, a.k.a. security templates
- Several pre-defined security templates for client, server, and DC systems of basic, compatible, secure, and high security
- Analyze current security state

GPO: Password Policy
- Min & max password age (0-999)
- Min password length (0-14)
- History (1-24 entries)
- Passwords must meet complexity requirements
- Store passwords using reversible encryption for all users in the domain

GPO: Accounts Policy
- Lockout duration (0-99999 minutes)
- Failed logon attempts
- Counter reset after time limit
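As an added example (not from the presentation and not Windows code), the module below models how the settings on the Password Policy and Accounts Policy slides interact: minimum age blocks immediate re-changes so history cannot be cycled through, history and complexity reject weak or reused passwords, and the lockout threshold, counter-reset window and lockout duration decide when an account locks and unlocks. The password store is a SHA-256 stand-in for the real hash store, time is counted in whole days and minutes, and the account names and passwords are constructed.

```python
"""Model of the Account Policies from the two slides above: password age, length,
history and complexity, and account lockout threshold, counter reset and duration.

Added example, not Windows code: the checks mirror the documented rules, but the
password store is a SHA-256 stand-in, time is counted in days/minutes, and the
account names and passwords are constructed."""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PasswordPolicy:
    min_age_days: int = 1       # 0-999; stops users cycling through history at once
    max_age_days: int = 42      # 0-999; 0 = password never expires
    min_length: int = 8         # 0-14
    history: int = 24           # 1-24 remembered passwords
    complexity: bool = True     # "Passwords must meet complexity requirements"


@dataclass
class LockoutPolicy:
    threshold: int = 5          # failed logon attempts before lockout; 0 = never lock
    reset_minutes: int = 30     # minutes after the last failure before the counter resets
    duration_minutes: int = 30  # 0-99999; 0 = locked until an administrator unlocks


@dataclass
class Account:
    name: str
    history: List[str] = field(default_factory=list)  # digests of past passwords, newest last
    last_change_day: int = 0
    bad_count: int = 0
    last_bad_minute: Optional[int] = None
    locked_until_minute: Optional[float] = None


def digest(password):
    # Stand-in for the stored hash; the real store is not plain SHA-256
    return hashlib.sha256(password.encode()).hexdigest()


def meets_complexity(password, account_name):
    """Complexity rule: at least 6 characters, no account name inside the password,
    and characters from at least three of four classes."""
    if len(password) < 6 or account_name.lower() in password.lower():
        return False
    classes = (any(c.isupper() for c in password), any(c.islower() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    return sum(classes) >= 3


def change_password(acct, policy, new_password, today):
    """Return None when the change is accepted, else the reason it is rejected."""
    if acct.history and today - acct.last_change_day < policy.min_age_days:
        return "minimum password age not reached"
    if len(new_password) < policy.min_length:
        return "shorter than minimum length"
    if policy.complexity and not meets_complexity(new_password, acct.name):
        return "does not meet complexity requirements"
    if digest(new_password) in acct.history[-policy.history:]:
        return "password found in history"
    acct.history.append(digest(new_password))
    acct.last_change_day = today
    return None


def password_expired(acct, policy, today):
    return policy.max_age_days > 0 and today - acct.last_change_day > policy.max_age_days


def attempt_logon(acct, policy, password, now_minute):
    """Apply the lockout counters to one logon attempt.
    Returns 'success', 'failed', 'locked out' (this attempt tripped the threshold)
    or 'locked' (rejected without being checked, lockout duration not yet over)."""
    if acct.locked_until_minute is not None:
        if now_minute < acct.locked_until_minute:
            return "locked"
        acct.locked_until_minute, acct.bad_count = None, 0     # duration elapsed: auto-unlock
    if acct.history and digest(password) == acct.history[-1]:
        acct.bad_count = 0
        return "success"
    if acct.last_bad_minute is not None and now_minute - acct.last_bad_minute >= policy.reset_minutes:
        acct.bad_count = 0                                       # reset window has passed
    acct.bad_count += 1
    acct.last_bad_minute = now_minute
    if policy.threshold and acct.bad_count >= policy.threshold:
        acct.locked_until_minute = (now_minute + policy.duration_minutes
                                    if policy.duration_minutes else float("inf"))
        return "locked out"
    return "failed"


if __name__ == "__main__":
    jsmith, pw, lock = Account("jsmith"), PasswordPolicy(), LockoutPolicy()
    for day, candidate in ((0, "jsmith2024!"), (0, "Winter24"), (0, "Spring24!"), (5, "Spring24!")):
        print(day, candidate, "->", change_password(jsmith, pw, candidate, day) or "accepted")
    for minute in range(6):
        print("minute", minute, attempt_logon(jsmith, lock, "wrong", minute))
    print("minute 40", attempt_logon(jsmith, lock, "Spring24!", 40))
```

A lockout duration of 0 is modelled as an infinite lock, matching the slide's "until an administrator unlocks" behaviour, and a threshold of 0 never locks; both are the settings an administrator should test deliberately, since the first turns failed logons into a denial of service against the account and the second removes the brute-force brake entirely.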


GPO: Audit Policy
- Account logon events
- Account management
- Directory service access
- Logon events
- Object access
- Policy change
- Privilege use
- Process tracking
- System events
- Object level controls accessed through Advanced Security Properties
- Audit policy must be enabled in order for audited events to be recorded in the Security log

GPO: User Rights
- To increase security settings, make the following changes:
  - Log on locally: assigned only to Administrators on Servers
  - Shutdown the System: assigned only to Administrators, Power Users
  - Access computer from network: assigned to Users, revoke for Administrators and Everyone
  - Restore files/directories: revoke for Backup Operators
  - Bypass traverse checking: assigned to Authenticated Users, revoke for Everyone
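The checker below is an added example (not a Microsoft tool and not from the presentation) that turns the Audit Policy and User Rights slides into a compliance check: it compares a computer's current audit categories and user-rights assignments against a baseline and lists the gaps, then shows the rights table after the slide's recommendations are applied. The "current" settings are constructed sample data shaped like an exported security template; the audit baseline is a constructed choice (the slide only says auditing must be enabled for events to reach the Security log), and the rights baseline encodes the slide's five recommendations.

```python
"""Compliance check of a computer's audit policy and user-rights assignment against
the hardening recommendations of the "GPO: Audit Policy" and "GPO: User Rights" slides.

Added example, not a Microsoft tool: the 'current' settings are constructed sample
data shaped like an exported security template, the audit baseline is a constructed
choice, and the rights baseline encodes the slide's five recommendations."""

AUDIT_CATEGORIES = [
    "Account logon events", "Account management", "Directory service access",
    "Logon events", "Object access", "Policy change", "Privilege use",
    "Process tracking", "System events",
]

# Constructed baseline: outcomes each category must record
AUDIT_BASELINE = {cat: {"Success", "Failure"} for cat in AUDIT_CATEGORIES}
AUDIT_BASELINE["Object access"] = {"Failure"}   # success auditing here is very noisy
AUDIT_BASELINE["Process tracking"] = set()      # not required by this baseline

# Rights baseline from the slide: "allow" = the only principals that should hold the
# right (where the slide says "assigned only to"), "forbid" = principals to revoke.
RIGHTS_BASELINE = {
    "Log on locally": {"allow": {"Administrators"}},            # on servers
    "Shut down the system": {"allow": {"Administrators", "Power Users"}},
    "Access this computer from the network": {"allow": {"Users"},
                                              "forbid": {"Administrators", "Everyone"}},
    "Restore files and directories": {"forbid": {"Backup Operators"}},
    "Bypass traverse checking": {"allow": {"Authenticated Users"}, "forbid": {"Everyone"}},
}

# Constructed "current" state of a workstation that still has default assignments
CURRENT_AUDIT = {"Logon events": {"Success"}, "System events": {"Success", "Failure"}}
CURRENT_RIGHTS = {
    "Log on locally": {"Administrators", "Users", "Backup Operators"},
    "Shut down the system": {"Administrators", "Power Users", "Users"},
    "Access this computer from the network": {"Administrators", "Everyone", "Users"},
    "Restore files and directories": {"Administrators", "Backup Operators"},
    "Bypass traverse checking": {"Everyone"},
}


def check_audit(current):
    """Categories whose recorded outcomes fall short of the baseline. Events in a
    category that is not audited never reach the Security log, so these are blind spots."""
    findings = []
    for cat in AUDIT_CATEGORIES:
        missing = AUDIT_BASELINE[cat] - current.get(cat, set())
        if missing:
            findings.append(f"audit '{cat}': not recording {', '.join(sorted(missing))}")
    return findings


def check_rights(current):
    """Principals that must be revoked, extra holders beyond the allowed set, and
    allowed principals that are missing."""
    findings = []
    for right, rule in RIGHTS_BASELINE.items():
        holders = current.get(right, set())
        forbid = rule.get("forbid", set())
        for p in sorted(holders & forbid):
            findings.append(f"right '{right}': revoke from {p}")
        if "allow" in rule:
            for p in sorted(holders - rule["allow"] - forbid):
                findings.append(f"right '{right}': unexpected holder {p}")
            for p in sorted(rule["allow"] - holders):
                findings.append(f"right '{right}': not assigned to {p}")
    return findings


def harden_rights(current):
    """Return the rights table with the slide's recommendations applied."""
    fixed = {right: set(holders) for right, holders in current.items()}
    for right, rule in RIGHTS_BASELINE.items():
        holders = fixed.get(right, set()) - rule.get("forbid", set())
        fixed[right] = set(rule["allow"]) if "allow" in rule else holders
    return fixed


if __name__ == "__main__":
    for line in check_audit(CURRENT_AUDIT) + check_rights(CURRENT_RIGHTS):
        print(line)
    print("after hardening:", check_rights(harden_rights(CURRENT_RIGHTS)) or "no findings")
```

The same two-table shape (current versus baseline) is what the Security Configuration and Analysis snap-in produces when it analyzes a computer against a template; the value of scripting it is that the gap list can be re-run after every GPO change rather than inspected by hand.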

GPO: Security Options
- Numerous security-related controls
- Previously found only as Registry edits


GPO: misc
- Scripts
- Public Key – EFS
- IPSec
- Software
- Administrative Templates
  - Templates for Registry alteration

Using GPOs
- Group similar users
- Place similar users/groups in separate containers (i.e. OUs)
- Define universal GPOs at domain level
- Define specific GPOs as far down the organizational tree as possible
- Avoid changing default inheritance mechanism

Questions?

Click on the Ask a Question link in the lower left corner of your screen to ask James Michael Stewart a question.

Thank you for your participation!

Did you like this Webcast? Send us your feedback on this event and ideas for other event topics at editor@searchwin2000.com.
