SESSION 6: CREATING A GROUP POLICY TEMPLATE

COMP3123 SESSION 5: CONTROLLING LOCAL AND
DOMAIN SECURITY WITH GROUP POLICY TEMPLATES
As with previous exercises, we will initially use Windows 2000 as the exemplar,
and then move on with Windows 2003. Group Policies evolved from System
Policies in the previous version of NT, used in the simulations. The reference to
NetBIOS names during active directory installation referred to pre-2000 versions
which used a more primitive system of device naming than DNS. From Windows
2000 each machine, and each group of users has its own set of policies
encapsulated into a policy object, and stored within active directory.
Other equivalent “group policy” systems exist with other network operating
systems.
The order of application of Windows 2000 policies is…
1. the local policy.
2. site level policies (if they exist…) in the administratively specified order.
3. domain level group policies, again in the specified order.
4. group policies associated with the organizational units. If a single
organizational unit contains multiple group policies, the policies are applied in an
administratively specified order.
It is difficult to look directly at group policies in this exercise, but we can easily
manipulate local policies on a single server using Microsoft Management
Console (MMC). MMC is also available on XP Professional, if you’d like to
practice on your own machine with an XP partition.
MMC does not itself perform Windows 2000 administrative functions, but it does
host tools that do. Administrative tools that can be added to a console are called
“snap-ins”.
MMC can be used:
EITHER in user mode, working with existing MMC consoles to administer a
system
OR in author mode, creating new consoles or modifying existing MMC consoles.
On this occasion, as administrator, you will be able to “author” consoles on the
local machine.
RCH11
1
Exercise 5(a): Starting up MMC & Installing the “Security
Configuration and Analysis” and “Security Templates” Snap-ins
MMC provides a wizard for controlling Windows registry settings, including the
security features. It also provides access to templates for configuring/controlling
all aspects of machine security policy and group security policy
1. MMC can also be accessed from the desktop but in this case, we will use
the command line. Type MMC and press ENTER. The MMC window will
appear.
2. The main MMC window will have a default name console1. On the
console File (or Console) menu, click Add/Remove Snap-in. A new
dialogue box should open.
3. Click on Add. A new dialogue box Add Standalone Snap-in should open.
4. Scroll down and then click on Security Configuration and Analysis, and
click on Add.
5. Also click on Add for Security Templates, and Group Policy Editor. The
“snap ins” should have been transferred on the screen to the add/remove
snap in window. If you are not using a domain controller, only a local
policy editor will be transferred.
6. Click OK, to include the snap-ins and remove the dialogue boxes.
7. On the main console menu, click Save As
8. Use the Browse feature to save the console database to the default
folder (but note the folder path…) as a file named SecurityTools (The msc
suffix is added automatically).
9. Now right click on the security configuration and analysis snap in, click on
open database and type an appropriate name for your policy settings
information stores. Choose randomly a template file for the policy settings.
The database will be saved.
10. Now, click on analyse computer now, to get a full run down of the
current settings – which will make up the combined “local policy” (i.e.
settings for the local machine) if implemented.
11. Open the “security configuration…” section and look inside each of the
policy settings groups. Plenty of settings options are available… are they all
appropriately set?
12. Under the security configuration… section, you should see a security
templates section. Open this. You should now be presented with the same
series of template files from which you chose an option just a few minutes
ago. Look more closely at the names this time. Each file has a carefully
chosen name to reflect the type of computer use and security level
required.
13. Now look inside one of the template files – preferably the one you chose
previously. They all contain a particularly large number of settings that
together control security aspects of local policy. Note that each setting can
be set to: enabled, disabled, or not configured.
14. Finally, locate the analyse computer now log file you created earlier,
and have a quick look inside. If you were trying to create appropriate
settings for a policy, this would be really useful information.
As we’ve discussed in the lecture, the “local machine” settings (copied into
registry and held there from boot up onwards) interact with group policy
security settings after domain logon to provide a security profile that is
appropriate for that group of users.
Exercise 5 (b): Creating a Policy from a Template
A group policy is particularly useful when it is applied at domain level, to provide
local control of settings whenever a user logs on based on the group(s) they
belong to. Group policies don’t just stop at the domain level, but can apply right
across a domain tree.
1. The Group Policy Editor is divided into two basic sections, Computer
Configuration and User Configuration.
Computer Configuration settings (such as audit policy, (all) user rights
assignments, and security options) are associated with the local policy
object, whilst User Configuration covers the settings that relate
directly to the user's desktop.
2. Do a bit of exploring to find out where the security settings you looked at
through the analysis tool are actually stored.
As a first stage, you are recommended only to apply security settings via
template to “local policy”. We will get on to group policies later…
3. Open security templates… again, and look again at the list of seven
pre-prepared templates. Within a particular template, look at the three
categories in “account policies” and “local policies”. Also, note that
“system services” contains settings for all of the Windows programs
offered as “services”, which may currently be “undefined”.
4. Close the template, and choose another. Make a note of its name, and
look more closely at the settings groups and sub-groups (e.g. account
policy, local policies, event log, restricted groups…). Together, all these
settings provide the basis of a security policy for users and groups of
users.
5. Now repeat 4 with a different template file. Hopefully by now you’ve
figured out what the template names mean. Can you see how the
template file relates to its function?
6. Working with a partner, spend some time discussing the appropriateness
of each of these settings for users on a typical medium-security network
connected to the Internet. A print out of some settings is available, and
might be helpful to you, but if a setting is not currently defined, it will not
be displayed at all.
7. Make a note of the agreed settings you would wish to impose on users as
a local policy. Be prepared to defend such changes in a discussion… Now
change the settings on one of the templates, and resave it with a different
name. You can save your template file to a USB stick if you wish.
8. Finally… (if someone lets you…) you may be able to use the modified
template file to try out security settings applied locally to another computer.
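The analysis in 5(a) and the “change the settings and resave under a different name” step above can also be driven from the command line. This added example (not code from the handout) uses secedit.exe and the .inf template format that the Security Templates snap-in edits: it exports the effective local policy, checks a few [System Access] values against a baseline, and writes a modified copy of a template under a new name while leaving every other line untouched. The file paths, the baseline numbers and the `<template>` name are assumptions for illustration.

```powershell
# Added example, not from the handout. Works with security template (.inf) files, the
# format the Security Templates snap-in edits and secedit.exe reads. File paths, the
# baseline numbers and the template name are assumptions for illustration.

# Export the effective local security policy to an .inf (needs an elevated prompt).
# `secedit /analyze` is the command-line counterpart of "Analyse Computer Now";
# `/export` writes the settings currently in force.
function Export-LocalSecurityPolicy {
    param([string]$Path = (Join-Path $env:TEMP 'local-policy.inf'))
    & secedit.exe /export /cfg $Path /areas SECURITYPOLICY /quiet | Out-Null
    return $Path
}

# Parse an .inf into section -> ordered key/value pairs. Keys keep their raw text, so
# [Registry Values] entries such as MACHINE\...=4,1 are read without special cases.
function Read-SecurityTemplate {
    param([string]$Path)
    $sections = [ordered]@{}
    $current = $null
    foreach ($raw in Get-Content -Path $Path) {      # secedit writes Unicode; Get-Content honours the BOM
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1]
            if (-not $sections.Contains($current)) { $sections[$current] = [ordered]@{} }
        }
        elseif ($current -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $sections[$current][$Matches[1]] = $Matches[2]
        }
    }
    return $sections
}

# Compare [System Access] (the "account policies" group in the snap-in) against a
# baseline of minimum/maximum values. Emits one record per check.
function Test-AccountPolicyBaseline {
    param([System.Collections.IDictionary]$Template, [hashtable[]]$Baseline)
    $access = $Template['System Access']
    foreach ($check in $Baseline) {
        $name  = $check.Setting
        $value = if ($access -and $access.Contains($name)) { [int]$access[$name] } else { $null }
        $ok = (($null -ne $value) -and
               (-not $check.ContainsKey('AtLeast') -or $value -ge $check.AtLeast) -and
               (-not $check.ContainsKey('AtMost')  -or $value -le $check.AtMost))
        [pscustomobject]@{ Setting = $name; Value = $value; Compliant = $ok }
    }
}

# Change one value in a template and save the result under a new name. Every other
# line is copied verbatim; if the key is missing from the section it is appended.
function Set-TemplateSetting {
    param([string]$Path, [string]$Section, [string]$Key, [string]$Value, [string]$OutPath)
    $out = New-Object System.Collections.Generic.List[string]
    $inSection = $false; $done = $false
    foreach ($line in Get-Content -Path $Path) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            if ($inSection -and -not $done) { $out.Add("$Key = $Value"); $done = $true }
            $inSection = ($Matches[1] -eq $Section)
        }
        elseif ($inSection -and $t -match "^$([regex]::Escape($Key))\s*=") {
            $line = "$Key = $Value"; $done = $true
        }
        $out.Add($line)
    }
    if ($inSection -and -not $done) { $out.Add("$Key = $Value") }   # section was last in the file
    Set-Content -Path $OutPath -Value $out.ToArray() -Encoding Unicode   # secedit expects a Unicode .inf
}

# Usage (assumed paths and values):
$tpl = Read-SecurityTemplate -Path (Export-LocalSecurityPolicy)
$baseline = @(
    @{ Setting = 'MinimumPasswordLength'; AtLeast = 8 }
    @{ Setting = 'LockoutBadCount';       AtLeast = 1; AtMost = 10 }   # 0 means lockout is disabled
    @{ Setting = 'MaximumPasswordAge';    AtLeast = 1; AtMost = 90 }   # -1 means passwords never expire
)
Test-AccountPolicyBaseline -Template $tpl -Baseline $baseline | Format-Table -AutoSize

# Derive a stricter template from one of the pre-prepared files (name is a placeholder).
Set-TemplateSetting -Path "$env:windir\security\templates\<template>.inf" -Section 'System Access' `
    -Key 'MinimumPasswordLength' -Value 10 -OutPath "$env:TEMP\mytemplate.inf"
# Analyse the copy against this machine before applying it anywhere:
#   secedit /analyze /db "$env:TEMP\mytemplate.sdb" /cfg "$env:TEMP\mytemplate.inf" /log "$env:TEMP\analysis.log"
```

The parser treats values as opaque strings, so sections other than [System Access] are preserved but not interpreted; the baseline check casts only the numeric account-policy values it is asked about, which is why settings such as MaximumPasswordAge use -1 rather than a word for “never”.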
Applying security policies to actual domains
For controlling security on a real network, this is the really important part.
Fortunately… the principles are the same as for local policies. Windows 2003
makes the process even easier using the Group Policy Management Console, as
you’ll see a little later.
Amongst other things, Group Policy settings define the various components of
the user's desktop environment that needs to be managed by a system
administrator:
• the programs that are available to users
• the programs that appear on the user's desktop
• Start menu options
To create a specific desktop configuration for a particular group of users, a
further addition to MMC is required. Group Policy is tied to the Active Directory
service, and the Group Policy snap-in extends the Active Directory
management tools using the MMC snap-in.
Testing out the implementation of group policies may be outside the time
constraints of this session (you can always come back another time to finish
off…) To make it work, you will need to work in partnership with another student
and make sure you have a ready-configured domain controller connected to a
machine that can log on to the domain.
Once you have all this set up and working, you can continue…
Exercise 5(c) To configure a custom console
1. Log on to the computer that will be domain controller as an administrator.
2. Click Start, click Run, type mmc, and then click OK.
3. On the Console menu, click Add/Remove Snap-in.
4. In the Add/Remove Snap-in dialog box, click Add.
5. In the Available standalone snap-ins list box, click Active directory
users and computers, and then click Add.
6. Double-click Active directory sites and services snap-in from the
Available standalone snap-ins list box.
7. Finally, double-click Group Policy.
8. In the Select Group Policy object dialog box, Local computer is selected by
default under Group Policy object. This is the one you want! Click Finish to
edit the local Group Policy object. Click Close in the Add standalone snapin dialog box.
9. Back at the Add/Remove Snap-in dialog box, note, and then click the
Extensions tab. Ensure that the Add all extensions check box is checked for
each primary extension added to the MMC console (these are checked by default).
Click OK.
10. To save console changes:
• In the MMC console, on the Console menu, click Save.
• In the Save As dialog box, in the File name text box, type GroupPolicyDemo,
and then click Save. The suffix will be added automatically.
Exercise 5(d) Scoping group policy
Appropriate Active Directory tools can be used to access Group Policy while
focused on any site, domain, or OU, from the options in Administrative Tools.
1. For example, with the GroupPolicyDemo MMC console tree still open,
click the + next to Active Directory Sites and Services, and in the
console tree, right-click the site for which to access Group Policy. Click
Properties, and click Group Policy…
2. A similar sequence can also be used for Active Directory Users and
Computers. Click + next to Active Directory Users and Computers and
click + next to the DNS name to expand the tree.
4. Right-click the domain, and click Properties.
5. Click the Group Policy tab (this displays a potentially very powerful
property page where the GPOs associated with the selected Active
Directory container can be managed. It is used to add, edit, delete (or
remove), and disable GPOs; to specify No Override options; and to
change the order of the associated GPOs).
6. Select Edit to start the Group Policy snap-in… don’t make any changes
yet, though.
Note: The Computers and Users containers are not organizational units in
their own right; and it is not possible to apply Group Policy directly to them.
Users or computers in these containers receive policies from GPOs scoped
to the domain and site objects only.
Exercise 5(e) Creating a Group Policy Object
The Group Policy settings that are created are contained in a Group Policy
Object (GPO), which is in turn associated with selected Active Directory objects,
such as sites, domains, or organizational units (OUs). To create the GPO:
1. Make sure the GroupPolicyDemo MMC console is open.
2. Again click the + next to Active Directory Users and Computers, and
click the DNS name & click the + to expand the tree.
3. Right-click on the domain name (Headquarters in the example over the
page), and select Properties from the context menu.
4. In the Headquarters Properties page, click the Group Policy tab.
5. Click New, and type HQ Policy. The Headquarters Properties page
should appear as (PTO):
6. You could at this point create a new policy. If you have time, follow the
screen instructions to do so. Otherwise, Close the properties page. You
already have a group policy anyway! Remember that all Group Policy
functionality is derived from the snap-in extensions.
7. Now, again if you have time, log on to the domain from the second
computer. Can you see the new group policy in action?
There is much, much more to Group Policy, but that’s enough for starters…
Administering Group Policy with Group Policy
Management Console (GPMC)
GPMC helps administrators manage an enterprise more cost-effectively by
improving manageability and increasing productivity. However, it can only be
used on Windows 2003 and later versions…
It consists of (yet another) Microsoft Management Console (MMC) snap-in and a
set of scriptable interfaces for managing Group Policy. It simplifies the
management of Group Policy by providing a single place for managing core
aspects:
• A more intuitive interface
• Backup/restore of Group Policy objects (GPOs).
• Import/export and copy/paste of GPOs and Windows Management
Instrumentation (WMI) filters.
• Simplified management of Group Policy-related security.
• HTML reporting of GPO settings and Resultant Set of Policy (RSoP) data.
• Scripting of policy-related tasks that are not covered by the wizards.
Those of you studying COMP3122 next semester will get more experience with
GPMC… the following exercises are just a taster…
Exercise 5(f) Installing GPMC
A simple process that involves running a Windows Installer (.MSI) package from
the CD. All necessary files are installed to the \Program Files\GPMC folder.
1. Reboot into your Windows 2003 Server partition. Double-click the gpmc.msi
package, and click Next.
2. Accept the End User License Agreement (EULA), and click Next.
3. Click Close to complete the installation.
Exercise 5(g) Using GPMC
Upon completion of the installation, the Group Policy tab that appeared on the
Property pages of sites, domains, and organizational units (OUs) in the Active
Directory snap-ins is updated to provide a direct link to GPMC.
To open the GPMC snap-in directly:
1. Click Start, click Run, type GPMC.msc, and then click OK
2. Click the Group Policy Management shortcut in the Administrative
Tools folder on the Start Menu or in the Control Panel.
3. Create a custom MMC console - Click Start, click Run, type MMC, and
then click OK. Point to File, click Add/Remove Snap-in, click Add,
highlight Group Policy Management, click Add, click Close, and then
click OK.
That’s probably enough for now. GPMC uses the system you investigated earlier
to make the creation and management of group policy objects much easier, and
especially eases the process of managing GPOs across a whole forest of
domains.
However, Group Policy is really useful (essential…) for imposing a security policy
through Windows domains, and for imposing an information security policy to a
“real world” setting. If you are aspiring to such a career, the more experience you
get of setting up policies the better.
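The domain-level steps of 5(d) and 5(e) (scoping a GPO to a container, creating and linking one) and the GPMC backup and HTML-reporting features listed earlier can all be scripted. This added example is not from the handout or from Microsoft’s GPMC sample scripts; it uses the GroupPolicy PowerShell module that ships with GPMC on current Windows Server versions (the original GPMC exposed COM objects instead). The domain DN, GPO name and backup folder are placeholders.

```powershell
# Added example, not from the handout. Requires the GroupPolicy module (installed with
# GPMC on a domain-joined Windows Server) and an account allowed to create and link GPOs.
Import-Module GroupPolicy

$domainDn  = 'DC=headquarters,DC=example'   # placeholder for the Headquarters domain in the handout
$gpoName   = 'HQ Policy'
$backupDir = 'C:\GPO-Backups'               # placeholder

# Exercise 5(e) by script: create the GPO only if it does not already exist, then link it
# at domain level. "Enforced" is GPMC's name for the Group Policy tab's "No Override"
# option; it is left off here so that OU-level GPOs can still refine the domain settings.
$gpo = Get-GPO -All | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Lab baseline for Headquarters users' }

$linked = (Get-GPInheritance -Target $domainDn).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $domainDn -LinkEnabled Yes -Enforced No | Out-Null }

# Exercise 5(d) by script: list every GPO that reaches this container, in precedence
# order. Order 1 is the highest-precedence link; an Enforced link cannot be overridden
# by links on child containers, which is the behaviour "No Override" gives in the MMC view.
(Get-GPInheritance -Target $domainDn).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced, Target | Format-Table -AutoSize

# GPMC features from the list above: an HTML report of the GPO's settings, then a backup
# so the GPO can be restored if a later edit breaks logons.
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
Get-GPOReport -Name $gpoName -ReportType Html -Path (Join-Path $backupDir "$gpoName.html")
Backup-GPO -Name $gpoName -Path $backupDir -Comment "Backup before editing $gpoName"
```

The script is deliberately idempotent: running it twice neither creates a second “HQ Policy” nor adds a duplicate link, which matters when the same baseline is applied across a forest of domains as the text describes.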