COMP3123 SESSION 5: CONTROLLING LOCAL AND DOMAIN SECURITY WITH GROUP POLICY TEMPLATES

As with previous exercises, we will initially use Windows 2000 as the exemplar, and then move on with Windows 2003. Group Policies evolved from System Policies in the previous version of NT, used in the simulations. The reference to NetBIOS names during Active Directory installation referred to pre-2000 versions, which used a more primitive system of device naming than DNS. From Windows 2000 each machine, and each group of users, has its own set of policies encapsulated into a policy object and stored within Active Directory. Other equivalent “group policy” systems exist with other network operating systems.

The order of application of Windows 2000 policies is:

1. the local policy;
2. site level policies (if they exist…) in the administratively specified order;
3. domain level group policies, again in the specified order;
4. group policies associated with the organizational units. If a single organizational unit contains multiple group policies, the policies are applied in an administratively specified order.

It is difficult to look directly at group policies in this exercise, but we can easily manipulate local policies on a single server using Microsoft Management Console (MMC). MMC is also available on XP Professional, if you’d like to practice on your own machine with an XP partition. MMC does not itself perform Windows 2000 administrative functions, but it does host tools that do. Administrative tools that can be added to a console are called “snap-ins”. MMC can be used:

EITHER in user mode, working with existing MMC consoles to administer a system,
OR in author mode, creating new consoles or modifying existing MMC consoles.

On this occasion, as administrator, you will be able to “author” consoles on the local machine.
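The order of application above, as an added Python example that is not part of the handout: it resolves each setting's effective value by applying local, site, domain and OU policy objects in that order, later ones overriding earlier ones. It also models the No Override option mentioned in Exercise 5(d); the semantics used for it (an enforced link beats every lower container, and among enforced links the highest container wins) and the GPO names and settings in demo() are assumptions, not taken from the handout.

```python
from dataclasses import dataclass

@dataclass
class GPO:
    """A policy object: its name, its settings, and whether its link is No Override."""
    name: str
    settings: dict
    no_override: bool = False

def resolve(local, sites, domains, ous):
    """Resolve effective settings in the Windows 2000 order: local, site, domain, OU.

    Each list holds that container's GPOs in the administratively specified apply
    order: the last one in a list is applied last, so it wins over earlier ones.
    Returns (effective settings, {setting: name of the GPO that supplied it}).
    """
    levels = [[local], sites, domains, ous]
    effective, winner = {}, {}
    # Pass 1: ordinary links; a later container overrides an earlier one.
    for level in levels:
        for gpo in level:
            if not gpo.no_override:
                for key, value in gpo.settings.items():
                    effective[key], winner[key] = value, gpo.name
    # Pass 2 (assumed No Override semantics): enforced links are re-applied from
    # the OU level upwards, so the highest container's enforced setting lands last.
    for level in reversed(levels[1:]):
        for gpo in level:
            if gpo.no_override:
                for key, value in gpo.settings.items():
                    effective[key], winner[key] = value, gpo.name
    return effective, winner

def demo():
    """Constructed scenario around the Headquarters domain and HQ Policy of Exercise 5(e)."""
    local = GPO("Local Policy", {"MinimumPasswordLength": 6, "AuditLogonEvents": "No auditing"})
    sites = [GPO("Campus Site", {"MinimumPasswordLength": 7})]
    domains = [GPO("Headquarters Default", {"MinimumPasswordLength": 8, "LockoutBadCount": 5}),
               GPO("HQ Policy", {"MinimumPasswordLength": 10}, no_override=True)]
    ous = [GPO("Finance OU", {"MinimumPasswordLength": 12, "AuditLogonEvents": "Success, Failure"})]
    return resolve(local, sites, domains, ous)

if __name__ == "__main__":
    effective, winner = demo()
    for key in sorted(effective):
        print(f"{key:22} = {str(effective[key]):18} (from {winner[key]})")
```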
RCH11 1

Exercise 5(a): Starting up MMC & Installing the “Security Configuration and Analysis” and “Security Templates” Snap-ins

MMC provides a wizard for controlling Windows registry settings, including the security features. It also provides access to templates for configuring/controlling all aspects of machine security policy and group security policy.

1. MMC can also be accessed from the desktop, but in this case we will use the command line. Type MMC and press ENTER. The MMC window will appear.
2. The main MMC window will have a default name console1. On the console File (or Console) menu, click Add/Remove Snap-in. A new dialogue box should open.
3. Click on Add. A new dialogue box Add Standalone Snap-in should open.
4. Scroll down and then click on Security Configuration and Analysis, and click on Add.
5. Also click on Add for Security Templates, and Group Policy Editor. The “snap-ins” should have been transferred on the screen to the Add/Remove Snap-in window. If you are not using a domain controller, only a local policy editor will be transferred.
6. Click OK to include the snap-ins and remove the dialogue boxes.
7. On the main console menu, click Save As.
8. Use the Browse feature to save the console database to the default folder (but note the folder path…) as a file named SecurityTools (the .msc suffix is added automatically).
9. Now right-click on the Security Configuration and Analysis snap-in, click on Open Database, and type an appropriate name for your policy settings information store. Choose a template file for the policy settings at random. The database will be saved.
10. Now click on “analyse computer now” to get a full run-down of the current settings, which will make up the combined “local policy” (i.e. settings for the local machine) if implemented.
11. Open the “security configuration…” section and look inside each of the policy settings groups. Plenty of settings options are available… are they all appropriately set?
12. Under the “security configuration…” section, you should see a security templates section. Open this. You should now be presented with the same series of template files from which you chose an option just a few minutes ago. Look more closely at the names this time. Each file has a carefully chosen name to reflect the type of computer use and security level required.
13. Now look inside one of the template files, preferably the one you chose previously. They all contain a particularly large number of settings that together control security aspects of local policy. Note that each setting can be set to: enabled, disabled, or not configured.
14. Finally, locate the “analyse computer now” log file you created earlier, and have a quick look inside. If you were trying to create appropriate settings for a policy, this would be really useful information.

As we’ve discussed in the lecture, the “local machine” settings (copied into the registry and held there from boot-up onwards) interact with group policy security settings after domain logon to provide a security profile that is appropriate for that group of users.

Exercise 5(b): Creating a Policy from a Template

A group policy is particularly useful when it is applied at domain level, to provide local control of settings whenever a user logs on, based on the group(s) they belong to. Group policies don’t just stop at the domain level, but can apply right across a domain tree.

1. The Group Policy Editor is divided into two basic sections, Computer Configuration and User Configuration. Computer Configuration settings (such as audit policy, (all) user rights assignments, and security options) are associated with the local policy object, whilst User Configuration relates to the settings that apply directly to the user’s desktop.
2. Do a bit of exploring to find out where the security settings you looked at through the analysis tool are actually stored.
As a first stage, you are recommended only to apply security settings via template to “local policy”. We will get on to group policies later…

3. Open security templates again, and look again at the list of seven pre-prepared templates. Within a particular template, look at the three categories in “account policies” and “local policies”. Also note that “system services” contains settings for all of the Windows programs offered as “services”, which may currently be “undefined”.
4. Close the template, and choose another. Make a note of its name, and look more closely at the settings groups and sub-groups (e.g. account policy, local policies, event log, restricted groups…). Together, all these settings provide the basis of a security policy for users and groups of users.
5. Now repeat 4 with a different template file. Hopefully by now you’ve figured out what the template names mean. Can you see how the template file relates to its function?
6. Working with a partner, spend some time discussing the appropriateness of each of these settings for users on a typical medium-security network connected to the Internet. A print-out of some settings is available and might be helpful to you, but if a setting is not currently defined, it will not be displayed at all.
7. Make a note of the agreed settings you would wish to impose on users as a local policy. Be prepared to defend such changes in a discussion… Now change the settings on one of the templates, and re-save it with a different name. You can save your template file to a USB stick if you wish.
8. Finally… (if someone lets you…) you may be able to use the modified template file to try out security settings applied locally to another computer.

Applying security policies to actual domains

For controlling security on a real network, this is the really important part. Fortunately… the principles are the same as for local policies.
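Before moving on to domains, an added Python example (not code from the handout) of what Exercises 5(a) and 5(b) do with templates: it parses the [System Access] and [Event Audit] sections of a security template in the .inf layout used by the Security Templates snap-in and compares them with the computer's current settings, classifying each as Match, Mismatch or Not Configured as the analysis does. The template text and the current-settings table are constructed sample data; the key names are the ones Windows security templates use.

```python
import configparser

# Constructed sample template in the .inf layout the Security Templates snap-in
# saves. Audit values: 0 = no auditing, 1 = success, 2 = failure, 3 = both.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
MaximumPasswordAge = 42
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed "current settings", standing in for what the machine actually has.
CURRENT_SETTINGS = {
    "System Access": {"MinimumPasswordLength": 0, "PasswordComplexity": 0,
                      "LockoutBadCount": 5, "MaximumPasswordAge": 42,
                      "MinimumPasswordAge": 0},
    "Event Audit": {"AuditLogonEvents": 0, "AuditAccountLogon": 3},
}

def parse_template(text):
    """Return {section: {key: int value}} for the two policy sections checked here."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case exactly as written in the template
    parser.read_string(text)
    wanted = ("System Access", "Event Audit")
    return {s: {k: int(v) for k, v in parser[s].items()} for s in wanted if parser.has_section(s)}

def analyze(template, current):
    """Compare template against current settings, one status per current setting."""
    report = {}
    for section, settings in current.items():
        for key, actual in settings.items():
            wanted = template.get(section, {}).get(key)
            if wanted is None:
                report[(section, key)] = "Not Configured"   # template does not define it
            elif wanted == actual:
                report[(section, key)] = "Match"
            else:
                report[(section, key)] = f"Mismatch (template {wanted}, computer {actual})"
    return report
```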
Windows 2003 makes the process even easier using the Group Policy Management Console, as you’ll see a little later. Amongst other things, Group Policy settings define the various components of the user's desktop environment that need to be managed by a system administrator:

- the programs that are available to users
- the programs that appear on the user's desktop
- Start menu options

To create a specific desktop configuration for a particular group of users, a further addition to MMC is required. Group Policy is tied to the Active Directory service, and the Group Policy snap-in extends the Active Directory management tools using the MMC snap-in.

Testing out the implementation of group policies may be outside the time constraints of this session (you can always come back another time to finish off…). To make it work, you will need to work in partnership with another student and make sure you have a ready-configured domain controller connected to a machine that can log on to the domain. Once you have all this set up and working, you can continue…

Exercise 5(c): To configure a custom console

1. Log on to the computer that will be the domain controller as an administrator.
2. Click Start, click Run, type mmc, and then click OK.
3. On the Console menu, click Add/Remove Snap-in.
4. In the Add/Remove Snap-in dialog box, click Add.
5. In the Available Standalone Snap-ins list box, click Active Directory Users and Computers, and then click Add.
6. Double-click the Active Directory Sites and Services snap-in in the Available Standalone Snap-ins list box.
7. Finally, double-click Group Policy.
8. In the Select Group Policy Object dialog box, Local Computer is selected by default under Group Policy Object. This is the one you want! Click Finish to edit the local Group Policy object. Click Close in the Add Standalone Snap-in dialog box.
9. Back at the Add/Remove Snap-in dialog box, click the Extensions tab. Ensure that the Add all extensions check box is checked for each primary extension added to the MMC console (these are checked by default). Click OK.
10. To save console changes: in the MMC console, on the Console menu, click Save. In the Save As dialog box, in the File name text box, type GroupPolicyDemo, and then click Save. The suffix will be added automatically.

Exercise 5(d): Scoping group policy

Appropriate Active Directory tools can be used to access Group Policy while focused on any site, domain, or OU, from the options in Administrative Tools.

1. For example, with the GroupPolicyDemo MMC console tree still open, click the + next to Active Directory Sites and Services, and in the console tree right-click the site for which to access Group Policy. Click Properties, and click Group Policy…
2. A similar sequence can also be used for Active Directory Users and Computers. Click + next to Active Directory Users and Computers and click + next to the DNS name to expand the tree.
3. Right-click the domain, and click Properties.
4. Click the Group Policy tab. This displays a potentially very powerful property page where the GPOs associated with the selected Active Directory container can be managed. It is used to add, edit, delete (or remove), and disable GPOs; to specify No Override options; and to change the order of the associated GPOs.
5. Select Edit to start the Group Policy snap-in… don’t make any changes yet, though.

Note: The Computers and Users containers are not organizational units in their own right, and it is not possible to apply Group Policy directly to them. Users or computers in these containers receive policies from GPOs scoped to the domain and site objects only.

Exercise 5(e): Creating a Group Policy Object

The Group Policy settings that are created are contained in a Group Policy Object (GPO), which is in turn associated with selected Active Directory objects, such as sites, domains, or organizational units (OUs). To create the GPO:

1. Make sure the GroupPolicyDemo MMC console is open.
2. Again click the + next to Active Directory Users and Computers, click the DNS name, and click the + to expand the tree.
3. Right-click on the domain name (Headquarters in the example over the page), and select Properties from the context menu.
4. In the Headquarters Properties page, click the Group Policy tab.
5. Click New, and type HQ Policy. The Headquarters Properties page should appear as (PTO):
6. You could at this point create a new policy. If you have time, follow the screen instructions to do so. Otherwise, close the Properties page. You already have a group policy anyway! Remember that all Group Policy functionality is derived from the snap-in extensions.
7. Now, again if you have time, log on to the domain from the second computer. Can you see the new group policy in action?

There is much, much more to Group Policy, but that’s enough for starters…

Administering Group Policy with Group Policy Management Console (GPMC)

GPMC helps administrators manage an enterprise more cost-effectively by improving manageability and increasing productivity. However, it can only be used on Windows 2003 and later versions… It consists of (yet another) Microsoft Management Console (MMC) snap-in and a set of scriptable interfaces for managing Group Policy. It simplifies the management of Group Policy by providing a single place for managing core aspects:

- A more intuitive interface
- Backup/restore of Group Policy Objects (GPOs)
- Import/export and copy/paste of GPOs and Windows Management Instrumentation (WMI) filters
- Simplified management of Group Policy-related security
- HTML reporting of GPO settings and Resultant Set of Policy (RSoP) data
- Any scripting required for policy-related tasks that are not covered by the wizards

Those of you studying COMP3122 next semester will get more experience with GPMC… the following exercises are just a taster…

Exercise 5(f): Installing GPMC

A simple process that involves running a Windows Installer (.MSI) package from the CD. All necessary files are installed to the \Program Files\GPMC folder.

1. Reboot into your Windows 2003 Server partition. Double-click the gpmc.msi package, and click Next.
2. Accept the End User License Agreement (EULA), and click Next.
3. Click Close to complete the installation.

Exercise 5(g): Using GPMC

Upon completion of the installation, the Group Policy tab that appeared on the Property pages of sites, domains, and organizational units (OUs) in the Active Directory snap-ins is updated to provide a direct link to GPMC. To open the GPMC snap-in directly, use any of the following:

1. Click Start, click Run, type GPMC.msc, and then click OK.
2. Click the Group Policy Management shortcut in the Administrative Tools folder on the Start Menu or in the Control Panel.
3. Create a custom MMC console: click Start, click Run, type MMC, and then click OK. Point to File, click Add/Remove Snap-in, click Add, highlight Group Policy Management, click Add, click Close, and then click OK.

That’s probably enough for now. GPMC uses the system you investigated earlier to make the creation and management of Group Policy Objects much easier, and especially eases the process of managing GPOs across a whole forest of domains. Group Policy is really useful (essential…) for imposing a security policy through Windows domains, and for applying an information security policy in a “real world” setting. If you are aspiring to such a career, the more experience you get of setting up policies the better.