Group Policy

Policies and properties can be edited via the Microsoft Management Console (MMC).
Some overlap exists between the settings of the MMC and the settings of the registry.
The MMC is extensible.
general security controls
audit
user rights
password policies
account lockout
digital certificate management
Kerberos
public-key policies
IPSec policies
both local and Active-X user policies
device management
etc.
The MMC is a framework.
Using the MMC requires snap-ins.
File > Add/Remove Snap-ins
ActiveX Control
 manage domain users
Certificates
 manage digital certificates for users, computers, and/or services
Computer Management
 manage local/remote computers
 includes elements of other snap-ins (event logs, shared folders, local users & groups, performance logs)
Local Users & Groups
 create/modify local accounts
 disable local accounts
 set password expiration parameters
 create/modify/delete local groups
 assign local user(s) to groups
Device Manager
 troubleshoot local hardware
 install/update device drivers
 view/configure various hardware parameters
Disk Defragmenter
 analyze/defragment secondary storage volumes (a utility)
Disk Management
 view/configure partitions
 format drives and assign drive letters
Event Viewer
 view application, security and/or system logs
Group Policy
 apply policy settings to computers, users and/or groups
IP Security Policy Management
 manage various policies associated with IP (e.g. authenticated protocols)
Local Users and Groups
 create/modify/delete local users and/or groups
 create/modify user/group profiles
Performance Monitor
 view/manage performance logs
Resultant Set of Policy
 view policies set by selected other snap-ins
Security Templates
 create/modify security templates that can be applied to users
Services
 edit services (terminal services, telnet, smart card, RPC, net login, ICF)
A policy is a centralized collection of operational/security controls.

Policy application is accomplished via group policy objects (GPOs).

GPOs can be applied at the local, site, domain, and organizational unit levels.
The last applicable GPO that is applied takes precedence.

GPOs are inherited by default.

GPO settings include no override, enable, disable, allow/deny.
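
The precedence rules above (local, site, domain, organizational unit; last applied wins; disabled GPOs are skipped; "no override" locks a setting against later GPOs) can be modelled in a few lines. This is an added example, not part of the original notes: it is a simplified model rather than Windows' own implementation, and the GPO names, setting names and values are constructed for illustration.

```python
# Simplified model of GPO processing order (illustration only, not Windows code).
# GPOs are applied local -> site -> domain -> OU; a later GPO overwrites an
# earlier one unless the earlier GPO set the value with "no override".
ORDER = ["local", "site", "domain", "ou"]

# Constructed sample data: hypothetical GPO names and setting names.
SAMPLE_GPOS = [
    {"name": "Workstations-OU", "level": "ou",
     "settings": {"AuditLogonEvents": "none", "AuditPolicyChange": "success"}},
    {"name": "Domain-Baseline", "level": "domain", "no_override": True,
     "settings": {"AuditLogonEvents": "success+failure"}},
    {"name": "Legacy-Site", "level": "site", "enabled": False,
     "settings": {"AuditLogonEvents": "success"}},
    {"name": "Local-Policy", "level": "local",
     "settings": {"AuditLogonEvents": "none", "AuditPolicyChange": "none"}},
]


def resultant_policy(gpos):
    """Return {setting: (value, name of the GPO that supplied it)}."""
    result = {}
    locked = set()  # settings already fixed by a "no override" GPO
    # sorted() is stable, so GPOs at the same level keep their list order.
    for gpo in sorted(gpos, key=lambda g: ORDER.index(g["level"])):
        if not gpo.get("enabled", True):
            continue  # a disabled GPO contributes nothing
        for setting, value in gpo["settings"].items():
            if setting in locked:
                continue  # a higher-level "no override" GPO wins
            result[setting] = (value, gpo["name"])
            if gpo.get("no_override", False):
                locked.add(setting)
    return result


if __name__ == "__main__":
    for setting, (value, source) in sorted(resultant_policy(SAMPLE_GPOS).items()):
        print(f"{setting:20} = {value:16} (from {source})")
```

Without the `no_override` flag on the domain GPO, the OU-level GPO would be applied last and turn logon auditing off, which is the kind of conflict the Resultant Set of Policy snap-in is used to find.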

Limitation: user that is a member of more than 70 to 80 groups.

EXAMPLE POLICIES
 password age, complexity, size
 account lockout duration
 auditing of logon, directory access, processes, policy changes
 user/group privileges
 IPSec