Understanding Group Policy

James Michael Stewart
CISSP, TICSA, CIW SA, CCNA, MCSE NT & W2K, iNet+
[email protected]
What is Group Policy?
• A centralized collection of operational and security controls
• Available in Active Directory domains
• Contains items previously found in system policies and through editing the Registry (i.e. Windows NT)
Submit a question anytime by clicking on the Ask a Question
link in the bottom left corner of your presentation screen.
Elements of Group Policy
• General security controls:
  - Audit
  - User rights
  - Passwords
  - Account lockout
  - Kerberos
  - Public key policies
  - IPSec policies
Divisions of Group Policy
• Computer Configuration
• User Configuration
Application of Group Policy
Group Policy Objects – GPOs
• Can be applied to any AD container
• Application order: LSDOU – Local, Site, Domain, Organizational Unit
• Last GPO applied takes precedence
Group Policy Editors
• MMC snap-in: Group Policy
• Active Directory Domains and Trusts
• Active Directory Sites and Services
GPO Application
• Inheritance by default
• No Override – prevents other GPOs from changing settings in this GPO
• Disabled – this GPO is not applied to this container
• Multiple GPOs on same container – application order
• Disable Computer Configuration or User Configuration
• Set Allow/Deny for Apply Group Policy to control user/group application
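As an added illustration (not part of the original webcast), the following Python model walks through the LSDOU application order together with the Disabled and No Override link behaviour from the two slides above, so an administrator can see which GPO ends up winning a given setting. The container names, GPO names, setting names and values are all constructed for the example; the "first listed, first applied" link order within a container is an assumption of this model, not a statement about the product.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed model, not a Windows API: one linked GPO and its link flags.
@dataclass
class GpoLink:
    name: str
    settings: Dict[str, object]   # setting name -> configured value
    disabled: bool = False        # "Disabled": GPO is not applied to this container
    no_override: bool = False     # "No Override": lower GPOs cannot change these settings

# Containers in LSDOU order: Local, Site, Domain, then OUs from the top of the
# tree down. Within a container, links are listed in application order (assumed).
def resolve_gpos(containers: List[Tuple[str, List[GpoLink]]]) -> Dict[str, Tuple[object, str]]:
    """Return setting -> (effective value, winning GPO and the container it was linked to)."""
    effective: Dict[str, Tuple[object, str]] = {}
    locked = set()   # settings frozen by a No Override GPO applied earlier (higher up)
    for container, links in containers:
        for link in links:
            if link.disabled:
                continue                      # link exists but is not applied here
            for setting, value in link.settings.items():
                if setting in locked:
                    continue                  # the enforced parent setting wins
                effective[setting] = (value, f"{link.name} ({container})")
            if link.no_override:
                locked.update(link.settings)  # nothing applied later may change these
    return effective

# Constructed sample hierarchy; names and values are invented for illustration.
EXAMPLE = [
    ("Local", [GpoLink("Local GPO", {"MinPasswordLength": 6, "AuditLogonEvents": "None"})]),
    ("Site", [GpoLink("Site Baseline", {"AuditLogonEvents": "Success, Failure"})]),
    ("Domain", [GpoLink("Default Domain Policy",
                        {"MinPasswordLength": 12, "LockoutThreshold": 5},
                        no_override=True)]),
    ("OU: Servers", [
        # Applied first; its weaker password length loses to the enforced domain GPO.
        GpoLink("Server Hardening", {"MinPasswordLength": 8, "LogOnLocally": "Administrators"}),
        # Applied second but disabled on this container, so it changes nothing.
        GpoLink("Legacy Kiosk", {"LogOnLocally": "Everyone"}, disabled=True),
    ]),
]

def effective_policy() -> Dict[str, Tuple[object, str]]:
    return resolve_gpos(EXAMPLE)

if __name__ == "__main__":
    for setting, (value, source) in sorted(effective_policy().items()):
        print(f"{setting:18} = {value!r:20} from {source}")
```

Running the script shows MinPasswordLength staying at 12 from the No Override domain GPO even though the OU-level GPO is applied later, while the ordinary site setting is overridden as LSDOU would predict.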
GPO Limitations
• If a single user is a member of 70 to 80 groups, the respective GPOs may not be applied
• Problem caused by Kerberos token size – 70 to 80 groups fills the token and causes an error
• Result is no GPOs are applied
GPO Uses
• Local GPO
• Windows 2000, XP, .NET
Security Configuration and Analysis
• MMC snap-ins:
  - Security Configuration and Analysis
  - Security Templates
• Used to customize Group Policies (a.k.a. security templates)
• Several pre-defined security templates for client, server, and DC systems of basic, compatible, secure, and high security
• Analyze current security state
GPO: Password Policy
• Min & max password age (0-999)
• Min password length (0-14)
• History (1 - 24 entries)
• Passwords must meet complexity requirements
• Store passwords using reversible encryption for all users in the domain
GPO: Accounts Policy
• Lockout duration (0 – 99999 minutes)
• Failed logon attempts
• Counter reset after time limit
GPO: Audit Policy
• Account logon events
• Directory service access
• Logon events
• Policy change
• Process tracking
• Account management
• Object access
• Privilege use
• System events
• Object level controls accessed through Advanced Security Properties
• Audit policy must be enabled in order for audited events to be recorded in the Security log
GPO: User Rights
To increase security settings, make the following changes:
• Log on locally: assigned only to Administrators on Servers
• Shut down the system: assigned only to Administrators, Power Users
• Access computer from network: assigned to Users, revoke for Administrators and Everyone
• Restore files/directories: revoke for Backup Operators
• Bypass traverse checking: assigned to Authenticated Users, revoke for Everyone
GPO: Security Options
• Numerous security-related controls
• Previously found only as Registry edits
GPO: misc
• Scripts
• Public Key – EFS
• IPSec
• Software
• Administrative Templates – templates for Registry alteration
Using GPOs
• Group similar users
• Place similar users/groups in separate containers (i.e. OUs)
• Define universal GPOs at domain level
• Define specific GPOs as far down the organizational tree as possible
• Avoid changing default inheritance mechanism
Questions?
Click on the Ask a Question link in the lower left corner of your screen to ask James Michael Stewart a question.
Thank you for your participation!
Did you like this Webcast? Send us your feedback on this event and ideas for other event topics at [email protected]