Creating and managing Group Policy
Exam 70-410, Craig Zacker, Chapter 6

Group policies attach to container objects and affect the objects within the container. GPOs are used to deploy a multitude of operating system settings to computers within your network.

Creating Group Policy Objects (GPOs)
GPOs provide the following benefits:
- Centralized configuration of user, application, and desktop settings.
- A method of redirecting a user’s data to a network share for easier backups.
- The ability to automate the security configuration of all computers instead of configuring each one individually.

Understanding Group Policy Objects
Local GPOs – Local GPOs are supported by all Windows operating systems. Changes made to an LGPO affect only that one system. Local GPOs offer fewer settings than domain GPOs. LGPOs are normally used in workgroups and on kiosks.
Nonlocal GPOs – Nonlocal GPOs are created in Active Directory and linked to sites, domains, and OUs.
Starter GPOs – Starter GPOs are more or less templates used to create more specific GPOs.

Configuring a Central Store
Administrative templates are used to create GPOs and now have the file extension ADMX. Administrative templates define which registry settings are altered when the GPO is applied to a user object or computer object. Earlier Windows domains created a copy of the ADM files for each GPO and placed them in the SYSVOL folder, which caused a lot of redundant storage and replication traffic between peer domain controllers. When the ADMX file format came out, the GPO tools began reading the templates from a central store, which holds a single copy of the ADMX files on the DCs. By default the Group Policy Management Console reads the ADMX files from the C:\Windows\PolicyDefinitions folder. To create a central store, copy the entire PolicyDefinitions folder to the C:\Windows\SYSVOL\sysvol\<Domain_Name>\Policies folder.
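The central-store step above, scripted as an added example (not from the chapter): it copies the local PolicyDefinitions folder into SYSVOL under the page's path and checks that the ADMX count matches. It assumes it is run on a domain controller with the ActiveDirectory module and that SYSVOL lives under %SystemRoot% as the notes describe.

```powershell
# Added example (not from the chapter): build the ADMX central store for the
# current domain by copying %SystemRoot%\PolicyDefinitions into SYSVOL.
# Assumes: run on a DC, Domain Admin rights, SYSVOL under %SystemRoot%.
Import-Module ActiveDirectory

$domain  = (Get-ADDomain).DNSRoot
$source  = Join-Path $env:SystemRoot 'PolicyDefinitions'
$central = Join-Path $env:SystemRoot "SYSVOL\sysvol\$domain\Policies\PolicyDefinitions"

if (-not (Test-Path $source)) {
    throw "Local PolicyDefinitions folder not found at $source"
}

if (Test-Path $central) {
    Write-Host "Central store already exists at $central; refreshing its files."
} else {
    New-Item -ItemType Directory -Path $central | Out-Null
}

# Copy the ADMX files and every language subfolder (the ADML files), keeping
# the directory layout the Group Policy editor expects. SYSVOL replication
# then carries the single copy to the peer domain controllers.
Copy-Item -Path (Join-Path $source '*') -Destination $central -Recurse -Force

# Verification: the number of ADMX files on both sides should match.
$localCount   = (Get-ChildItem -Path $source  -Filter *.admx).Count
$centralCount = (Get-ChildItem -Path $central -Filter *.admx).Count
"{0} ADMX files locally, {1} in the central store" -f $localCount, $centralCount
if ($localCount -ne $centralCount) { Write-Warning 'Counts differ; check the copy.' }
```

Once the PolicyDefinitions folder exists under Policies, the Group Policy Management Editor shows "Administrative Templates: Policy definitions (ADMX files) retrieved from the central store", which is the quickest way to confirm it is being used.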
Using the Group Policy Management Console
The Group Policy Management Console is the tool used to manage all nonlocal GPOs. It is installed automatically when you promote a server to a domain controller.

Creating and linking nonlocal GPOs
The Group Policy Management Console is used to create and link a nonlocal GPO. You can link a nonlocal GPO to the domain root, sites, and OUs. You must give the GPO a descriptive name before you can create it.

Using security filtering
GPOs have permissions like any other object in a domain. These permissions determine whether a user will or will not be affected by the GPO’s settings. There are two ways to filter GPOs:
- Scope tab, with the GPO selected: add the users, groups, and computers you want the GPO to affect.
- Delegation tab > Advanced button: add the user, group, or computer and check “Deny” for Apply group policy.
By default, a regular user has the Read and Apply group policy permissions set to Allow.

Managing starter GPOs
Starter GPOs allow you to create one or more common baseline configurations and then create normal GPOs from the starter GPO. All GPOs created from a starter GPO have the same baseline settings enabled, but the administrator can make further changes to each normal GPO. Starter GPOs are useful when you want common settings to affect different users, groups, and computers while also enabling additional, differing settings. Starter GPOs do not contain the full range of settings of normal GPOs, only the user and computer Administrative Templates.
Steps shown in the screenshots: create the starter GPO, name it, configure it, then create normal GPOs from the starter.

Configuring Group Policy settings
There are thousands of GPO settings that can be used to affect your user and computer environment. GPOs consist of two sets of policy settings, User and Computer: the User configuration affects user accounts and the Computer configuration affects computer settings.
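The Scope-tab form of security filtering, done with the GroupPolicy module as an added example (not from the chapter). The GPO name "Laptop Lockdown" and the group "Laptop Users" are assumptions; the Deny-based variant from the Delegation tab has to be set in the console, since Set-GPPermission only writes Allow entries.

```powershell
# Added example (not from the chapter): security-filter a GPO so it applies
# only to one group. Assumes the GroupPolicy module (RSAT or a DC) and the
# hypothetical GPO "Laptop Lockdown" and group "Laptop Users".
Import-Module GroupPolicy

$gpoName = 'Laptop Lockdown'
$group   = 'Laptop Users'

# Grant the target group Read + Apply Group Policy (GpoApply covers both).
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Authenticated Users has Read + Apply by default, which is why every user is
# affected. Reduce it to Read only rather than removing it: since the 2016
# security update to Group Policy processing, the computer account must still
# be able to read the GPO or user settings will not apply at all.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Show the resulting permission list so the change can be recorded and audited.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize
```

The -Replace switch matters: without it Set-GPPermission never lowers an existing permission level, so Authenticated Users would silently keep GpoApply.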
Each of these two categories consists of three sections:
Software settings – Software settings are used to automate the deployment of software over the network to users and computers. Software settings were designed for small to medium-sized networks.
Windows Settings – Windows settings are commonly security- and script-related settings that affect users and computers.
Administrative Templates – Administrative templates are used to customize the user’s or computer’s working environment.

Each policy setting in a GPO can be set to one of three states:
Not Configured – Not Configured is the default for the majority of policy settings; it does not modify the setting.
Enabled – Enabled turns the policy on.
Disabled – Disabled explicitly turns the policy setting off.

Configure security policies
Security-related group policy settings are located in the Windows Settings portion of the GPO.

Defining local policies
Local policies affect the local machine. Certain computer information can only be viewed on each individual computer.

Planning and configuring an audit policy
Audit policies are settings that log system activity occurring on the local machine. There are several different audit policy settings, and each one logs something different. When an audit event occurs it is logged in the Event Viewer’s Security log. You don’t turn on auditing on every single computer in the domain; you must determine which computers (servers) you want to audit. The following guidelines should be noted:
- Audit only pertinent items – Determine which important events you want to audit.
- Archive security logs to provide a documented history – Audit logs should be saved and then cleared after some time. Saving audit logs keeps a history of events.
- Configure the size of your security logs carefully – You need to determine the maximum size your security logs can grow to. You can configure the log file size manually or through group policy.
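The three audit guidelines above applied to a single server with the built-in auditpol and wevtutil tools, as an added example (not from the chapter). This is the manual, per-machine form; the archive folder C:\AuditArchive and the 256 MB cap are assumptions, and a GPO maximum-log-size setting would override the size set here.

```powershell
# Added example (not from the chapter): enable only the audit categories that
# matter, cap the Security log, and archive it before clearing. Run elevated.
# Assumptions: archive folder C:\AuditArchive, 256 MB maximum log size.
$archiveDir = 'C:\AuditArchive'
$maxBytes   = 256MB

# 1. Audit only pertinent items: the two subcategories the notes call out,
#    success and failure for both (failures show attempts, successes show use).
auditpol /set /subcategory:"File System"              /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable | Out-Null

# 2. Size the Security log deliberately instead of accepting the default.
#    /retention:false = overwrite oldest events when the cap is reached.
wevtutil set-log Security /maxsize:$maxBytes /retention:false

# 3. Archive to a dated .evtx first, so clearing never destroys history.
New-Item -ItemType Directory -Path $archiveDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$file  = Join-Path $archiveDir "Security-$env:COMPUTERNAME-$stamp.evtx"
wevtutil export-log Security $file
if (Test-Path $file) {
    wevtutil clear-log Security
    "Archived and cleared the Security log -> $file"
} else {
    Write-Warning 'Export failed; the Security log was NOT cleared.'
}

# Report the effective audit settings for the change record.
auditpol /get /category:"Object Access"
auditpol /get /category:"DS Access"
```

Clearing the log itself writes event 1102 to the new, empty Security log, which is a useful thing to watch for from the detection side: a 1102 with no matching archive file in $archiveDir is not this script.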
Some common audit policies are:
- Audit Directory Service Access – Logs information about access to Active Directory objects.
- Audit Object Access – Logs access to folders, files, and printers.

Auditing user rights
Auditing user rights logs activity related to user rights on the system.

Configuring security options
Auditing security options logs local security-related events that occur on the system.

Using security templates
Security templates are files you can export from your system’s current security settings and import on other systems.

Importing security templates into GPOs
Once you create and customize a security template you can import it into your GPOs. Edit the specific GPO and expand “Computer Configuration > Policies > Windows Settings > Security Settings”, then right-click “Security Settings” and choose “Import”. To export your current local security settings into a template, open the “Local Security Policy” snap-in (or type secpol.msc at the Run command), right-click Security Settings, choose “Export”, give it a name, and save it.

Configuring local users and groups
Local users and groups only have authority on the computer they were created on. They are not used in domain environments. Local users and groups can be created through “Control Panel” or “Computer Management”.

Using the User Accounts control panel
This method is intended for users who don’t know much about computer systems.

Using the Local Users and Groups snap-in
Local Users and Groups is accessed through “Computer Management”. The following check boxes exist when creating a local or domain user account:
- User must change password at next logon – Forces the user to change the default password when the account is used for the first time.
- User cannot change password – Stops the user from changing the password.
- Password never expires – The user can keep using the same password without being forced to change it.
- Account is disabled – Stops the account from being used.
Understanding User Account Control (UAC)
Most users log onto a system with more administrative power than they actually need to get their job done. Even the administrator should have a standard account and use the administrator account only when needed. In most cases users log onto the system as the administrator because it is convenient. Microsoft uses a mechanism called User Account Control to combat this issue.

Performing administrative tasks
When a user logs onto a system they are issued a token that determines what they can or can’t do on the system. Previously, standard users received standard tokens and administrators received administrator tokens. Now the standard user still receives the standard token, but the administrator receives two tokens (one standard and one administrative). By default the administrator uses the standard token most of the time. When the administrator does something that requires elevated rights, a credential prompt appears requesting administrative credentials to complete the request. After the administrative credentials are supplied, the program switches into Admin Approval Mode and runs with the administrative token.

Using secure desktop
Server 2012 uses an alternative called the secure desktop instead of the interactive desktop. When Server 2012 issues an elevation prompt it switches to the secure desktop. The secure desktop locks all other desktop controls and focuses only on the prompt interaction. This stops malware from trying to elevate its level of permissions on the system.

Configuring UAC
The four settings that can be used are:
- Always Notify Me
- Notify Me Only When Apps Try to Make Changes To My Computer
- Notify Me Only When Apps Try to Make Changes To My Computer (Do Not Dim My Desktop)
- Never Notify Me

Configuring Application restriction policies
Application restriction is the ability to stop certain programs that the administrator deems dangerous from running on the system.
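A check script for the UAC and secure-desktop settings above, as an added example (not from the chapter). It reads the registry values that the four slider positions write and reports which level is in effect; the value-to-level mapping is the standard Windows one, and the script assumes read access to HKLM.

```powershell
# Added example (not from the chapter): report the effective UAC notification
# level from the registry values behind the slider, and warn when Admin
# Approval Mode or the secure desktop is switched off.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $key

$admin  = $uac.ConsentPromptBehaviorAdmin   # how admins in Admin Approval Mode are prompted
$secure = $uac.PromptOnSecureDesktop        # 1 = prompt on the secure desktop (dimmed)
$lua    = $uac.EnableLUA                    # 1 = Admin Approval Mode (split tokens) on

# The four slider positions map to these (ConsentPromptBehaviorAdmin/PromptOnSecureDesktop) pairs.
$level = switch ("$admin/$secure") {
    '2/1'   { 'Always Notify Me' }
    '5/1'   { 'Notify Me Only When Apps Try to Make Changes To My Computer (default)' }
    '5/0'   { 'Notify Me Only When Apps Try to Make Changes To My Computer (Do Not Dim My Desktop)' }
    '0/0'   { 'Never Notify Me' }
    default { "Custom policy (ConsentPromptBehaviorAdmin=$admin, PromptOnSecureDesktop=$secure)" }
}
"UAC level on $env:COMPUTERNAME`: $level"

if ($lua -ne 1) {
    Write-Warning 'Admin Approval Mode is off: administrators always run with the full administrative token.'
}
if ($secure -ne 1) {
    Write-Warning 'Secure desktop is off: elevation prompts share the interactive desktop with other processes.'
}
if ($admin -eq 0) {
    Write-Warning 'Administrators are elevated silently with no prompt at all.'
}
```

The same values are what the Group Policy settings under Security Options named "User Account Control: ..." write, so a GPO that sets them overrides whatever the local slider shows.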
Using software restriction policies
To enable software restriction policies via group policy you need to modify “Computer/User Configuration > Windows Settings > Security Settings”. There are three security levels you can choose from before making any “Additional Rules”:
- Disallowed – Prevents all apps from running except the ones under “Additional Rules” set to “Allow”.
- Basic User – Stops applications from running that require administrative rights.
- Unrestricted – Allows all apps to run except the ones under “Additional Rules” set to “Disallowed”.
Additional rules are the exceptions to the defaults listed above. They fall under four different ways you can allow or block apps from running:
- Hash Rule – A hash rule computes a hash (a mathematical fingerprint) of the application’s file and allows or blocks the app based on it. Hash rules no longer match if the application’s code changes because of an update.
- Certificate Rule – A certificate rule identifies the application by the digital certificate it is signed with and determines whether to allow or block it.
- Path Rule – Path rules are based on the location of the executable. Path rules become invalid if the application is moved to a different location.
- Network Zone Rule – Network Zone Rules are based on the web browser’s zone settings. You can allow or deny the running of any application from the Internet.
The order of rule precedence is:
1. Hash
2. Certificate
3. Network Zone
4. Path
If multiple rules apply, the Hash rule wins since it is at the top of the priority list. If two rules exist at the same level with conflicting configuration, the more restrictive one wins.

Configuring software restriction properties
Enforcement Properties – Enforcement determines whether the software restriction policy affects all files or excludes .DLLs.
Designated File Types Properties – Determines what file types are considered executables. You can add file extensions if you need to.
Trusted Publishers Properties – Allows the administrator to determine which certificates to trust and who manages trusts.
Using AppLocker
AppLocker is a much easier way of creating software restriction policies than the method above. AppLocker is supported on Windows 7/Server 2008 R2 and later. AppLocker is located under Computer Configuration\Windows Settings\Security Settings\Application Control Policies\AppLocker.

Configure rule enforcement

Understanding rule types
AppLocker supports four different rule types:
- Executable Rules – any file that ends with .exe or .com
- Windows Installer Rules – any file that ends with .msi or .msp
- Script Rules – any file that ends with .ps1, .bat, .cmd, .vbs, or .js
- Packaged App Rules – any application purchased from the Windows Store
The rules created can allow or block based on:
- Publisher – Applications that are code-signed by the creator with a digital signature.
- Path – The location of the application in the file system.
- File Hash – Similar to software restriction hash rules; associates a hash of the file with the program, which still works if the application is moved.

Creating default rules
When AppLocker is enabled it blocks all executables, scripts, installer packages, and packaged apps by default unless they are specifically set to “Allow”.

Creating rules automatically
You can automatically create rules using the “Automatically Generate Rules” wizard. The wizard lets you specify a folder to be analyzed and the users and groups to which the rules apply.

Creating rules manually
When you create AppLocker rules manually you will be asked to supply the following:
- Action – Allow or Block
- User or Group – Whom the rule affects
- Conditions – Publisher, Path, or Hash rule to create
- Exceptions – Exceptions to the rule
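The "Automatically Generate Rules" flow done with the AppLocker cmdlets, as an added example (not from the chapter): it builds Publisher rules (Hash as fallback) for an install folder, tests a file inside and one outside that folder against the draft, and only then applies it. The folder "C:\Program Files\Contoso App" and the binary contoso.exe are assumptions; notepad.exe is used as the outside file because it exists on every Windows machine.

```powershell
# Added example (not from the chapter): generate executable rules from a
# reference folder, test the draft policy, then merge it in.
# Assumptions: trusted install folder C:\Program Files\Contoso App containing
# contoso.exe; Windows 7 / Server 2008 R2 or later with the AppLocker module.
Import-Module AppLocker

$referenceDir = 'C:\Program Files\Contoso App'
$draftXml     = Join-Path $env:TEMP 'applocker-draft.xml'

# Gather signature and hash data for .exe/.com files, then build rules:
# Publisher where the file is signed, Hash otherwise. -Optimize merges
# rules that share a publisher; -Xml emits the policy as a string.
Get-AppLockerFileInformation -Directory $referenceDir -Recurse -FileType Exe |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
        -RuleNamePrefix 'Contoso' -Optimize -Xml |
    Out-File -FilePath $draftXml -Encoding utf8

# Test before enforcing. The draft has no default rules, so anything outside
# the reference folder (here notepad.exe) should come back DeniedByDefault,
# which is the "block everything not explicitly allowed" behaviour above.
$check = @(
    (Join-Path $referenceDir 'contoso.exe'),
    (Join-Path $env:SystemRoot 'System32\notepad.exe')
)
Test-AppLockerPolicy -XmlPolicy $draftXml -Path $check -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize

# Apply to the local policy, merging with existing rules rather than replacing.
# To target a GPO instead, add -Ldap with the GPO's LDAP path.
Set-AppLockerPolicy -XmlPolicy $draftXml -Merge
```

Rules only take effect once enforcement is switched on for the Executable rules collection and the Application Identity service is running; until then Test-AppLockerPolicy is the only thing that evaluates them.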