Group Policy Management Console White Paper

COMP3122 SESSION 5: CONTROLLING LOCAL AND DOMAIN SECURITY WITH GROUP POLICY TEMPLATES
Order of application of Windows 2003 policies is:
1. the local policy.
2. site level policies (if they exist…) in the administratively specified order.
3. domain level group policies, again in the specified order.
4. group policies associated with the organizational units. If a single organizational
unit contains multiple group policies, the policies are applied in an administratively
specified order.
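The application order above decides which value a setting ends up with: a policy applied later overrides an earlier one only for the settings it actually configures, and a setting left "not defined" (see the note in exercise 5(c)) keeps whatever an earlier policy set. The following Python is an added illustration, not part of the original handout; the GPO names and values are a constructed sample, and each list is assumed to be given in application order.

```python
"""Resolve each setting's effective value in the order the session lists: local,
then site, then domain, then OU, each level in its administratively specified
order.  A later policy overrides only what it configures; a setting left not
configured (None here) keeps the value inherited from earlier policies.
All policy data below is a constructed sample, not an export from any domain."""

NOT_CONFIGURED = None   # the editor's "Not Defined" / "Not Configured"

def resolve_effective_policy(levels):
    """levels: [(level_name, [(gpo_name, {setting: value}), ...]), ...] in
    application order; within a level the GPO list is in application order too,
    so the last GPO applied wins.  Returns {setting: (value, "level/gpo")}."""
    effective = {}
    for level_name, gpos in levels:
        for gpo_name, settings in gpos:
            for setting, value in settings.items():
                if value is NOT_CONFIGURED:
                    continue          # inherited: leave the earlier value alone
                effective[setting] = (value, f"{level_name}/{gpo_name}")
    return effective

# Constructed sample.  Password/lockout policy for domain accounts only takes
# effect from the domain level, so the sample sets it there rather than in an OU.
SAMPLE_LEVELS = [
    ("Local", [("Local Computer Policy", {
        "MinimumPasswordLength": 0,
        "LockoutBadCount": 0,
        "AuditLogonEvents": "Failure",
        "SeInteractiveLogonRight": "Administrators, Users",
    })]),
    ("Site", [("Site Policy", {"MinimumPasswordLength": NOT_CONFIGURED})]),
    ("Domain", [("Default Domain Policy", {
        "MinimumPasswordLength": 8,
        "LockoutBadCount": 5,
    })]),
    ("OU", [
        ("Finance Baseline", {
            "AuditLogonEvents": "Success, Failure",
            "SeInteractiveLogonRight": "Administrators, Domain Users",
        }),
        ("Finance Kiosks", {          # applied last, so it wins within the OU
            "SeInteractiveLogonRight": "Administrators, Kiosk Users",
            "AuditLogonEvents": NOT_CONFIGURED,   # inherits Finance Baseline's value
        }),
    ]),
]

if __name__ == "__main__":
    for k, (v, src) in sorted(resolve_effective_policy(SAMPLE_LEVELS).items()):
        print(f"{k} = {v}   (from {src})")
```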
First, local policies on a machine using Microsoft Management Console (MMC)
MMC does not itself perform Windows 2003 administrative functions, but it does host
many “snap-in” tools that do, by means of “console” files.
It can be used in:
user mode - working with existing MMC consoles to administer a system
author mode - creating new consoles or modifying existing MMC consoles.
In the exercise that follows, as local administrator, you will be able to “author” consoles on the local
machine.
Exercise 5(a): Starting up MMC & Installing the “Security Configuration and
Analysis” and “Security Templates” Snap-ins
MMC provides a wizard for accessing the various snap-ins which control Windows
registry settings, including Security features. It also provides access to templates for
configuring/controlling all aspects of machine security policy and group security policy.
1. MMC could be accessed from the desktop; in this case, we will use the
command line. Type MMC and press ENTER. The MMC window will appear.
2. The main MMC window will have a default name console1. On the console
menu, click File, then Add/Remove Snap-in. A new dialogue box should open.
3. Click on Add. A new dialogue box Add Standalone Snap-in should open.
4. Click on Security Configuration and Analysis, and click on Add.
5. Also click on Add for Security Templates, and Group Policy Object Editor.
Both “snap-ins” should have been transferred on the screen to the Add/Remove
Snap-in window. Note that “Group Policy” is referring to the Local Computer.
6. Click Finish, Close, and then OK, to remove the open dialogue boxes
7. On the main console menu, click Save As and save the console file with a
suitable name (suffix will be added).
8. Right-click on the Security Configuration and Analysis snap-in, and use the Open
Database feature to create a database (give it a name… e.g. SecurityTools). Then save the
console database with an associated policy template (you choose…) to a
suitable folder (the .sdb suffix is added automatically).
9. Now right-click on the Security Configuration and Analysis snap-in and click on
Analyze Computer Now, to get a full run-down of the current settings – which
make up the “local policy” (i.e. settings for the local machine).
10. Select Local Policies and look at the options in each of the three categories. Plenty
of options available… are they all appropriately set?
11. When you select security settings, linger a little longer. You should now be
presented with a particularly large number of settings that control security
aspects of local policy. Note that each setting can be set to enabled, disabled,
or not configured.
The “local machine” settings (copied into registry and held there from boot up
onwards) interact with group policy security settings after domain logon to provide
a security profile that is appropriate for that group of users.
Exercise 5(b): Creating a Policy from a Template
A group policy is particularly useful when it is applied at domain level, to provide local
control of settings whenever a user logs on based on the group(s) they belong to. Group
policies don’t just stop at the domain level, but can apply right across a domain tree.
The Group Policy Object Editor is divided into two basic sections, Computer
Configuration and User Configuration.
Computer Configuration settings (such as audit policy, all user rights assignments, and
security options) are associated with the local policy object.
User Configuration relates to the settings that apply directly to the user's desktop.
1. Do a bit of exploring to find out where the security settings you looked at
through the analysis tool are actually stored.
You can only apply security settings via template to “local policy”. Nevertheless,
what follows is a useful exercise…
2. Double-click on Security Templates… Now double-click again to provide a list of
seven pre-prepared templates. Look at the contents of each in turn. In
particular, look at the three categories in “account policies” and “local policies”.
Also, note that “system services” contains settings for all of the Windows programs
offered as “services”, which may currently be “undefined”.
3. Make a note of the name, and double-click on one of these files. As you can see, it
is just a configuration file containing lots of settings, rather like a registry file. The
settings are divided into a series of sub-groups (e.g. account policy, local policies,
event log, restricted groups…), and provide the basis of a security policy for users
and groups of users. Double-click as necessary to look closely at all the settings.
4. Now repeat 3 with a different template file. Can you see how the template file
relates to its function?
5. Working with a partner, spend some time discussing the appropriateness of each of
these settings for users on a typical medium-security network connected to the
Internet. A print out of some settings is available, and might be helpful to you, but
if a setting is not currently defined, it will not be displayed at all.
6. Make a note of the agreed settings you would wish to impose on users as a local
policy. Be prepared to defend such changes in a discussion… Now change the
settings on one of the templates, and resave it with a different name. You can save
your template file to a USB stick if you wish. Notice that local policy is saved with
settings in the same two sections: user configuration & computer configuration.
7. Finally… [if someone with a domain lets you…] you may be able to use the
modified template file to try out security settings applied locally to another computer.
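Step 3 of this exercise describes a template as a plain configuration file with sections such as account policy and local policies, and step 9 of exercise 5(a) compares a machine's current settings against such a template. The Python below is an added example, not part of the handout or of any Windows tool: it parses two constructed templates written in the .inf template format (the values are made up, not taken from any real system) and reports each baseline setting as OK, MISMATCH or NOT DEFINED, mirroring what Analyze Computer Now shows, including the point in step 5 that an undefined setting is simply not displayed.

```python
"""Parse a security template (.inf) like those in the Security Templates snap-in
and compare it with a baseline the way "Analyze Computer Now" does.  Both samples
below are constructed in the template format; they are not real Windows files."""

import configparser

BASELINE_INF = """\
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LimitBlankPasswordUse=4,1
"""

CURRENT_INF = """\
[System Access]
MinimumPasswordLength = 0
[Event Audit]
AuditLogonEvents = 1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LimitBlankPasswordUse=4,1
"""

def parse_template(text):
    """Return {section: {setting: value}}, keeping key case and the backslashes
    in registry paths; [Unicode] and [Version] are file headers, not policy."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections() if s not in ("Unicode", "Version")}

def analyze(current_text, baseline_text):
    """One (section, setting, status, current, expected) row per baseline setting."""
    current, baseline = parse_template(current_text), parse_template(baseline_text)
    rows = []
    for section, settings in baseline.items():
        for name, expected in settings.items():
            actual = current.get(section, {}).get(name)
            status = ("NOT DEFINED" if actual is None   # the snap-in hides these
                      else "OK" if actual == expected else "MISMATCH")
            rows.append((section, name, status, actual, expected))
    return rows

if __name__ == "__main__":
    print(*analyze(CURRENT_INF, BASELINE_INF), sep="\n")
```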
Exercise 5(c) Applying security policies to domains
(For controlling security on a real network, this is the really important part… )
Principles as for local policies, but more to manage.
Implementation of group policies may be outside the time constraints of this session (you
can always come back another time…)
One way to investigate group policies is from Active Directory…
1. Open the Active Directory Management Console (Active Directory Users and
Computers).
2. Locate the container in which your user objects reside (usually an Organizational
Unit).
3. Right-click the container in the left panel tree view and click Properties.
4. Click the Group Policy tab, and then click Edit to edit the Default Domain Policy.
Note the user/computer config divisions, as with local policy.
5. In the Group Policy window, expand Computer Configuration, navigate to Windows
Settings, to Security Settings, and then to Local Policies.
6. Select User Rights Assignment.
Note: All policies are either defined or not defined. That is, they are either configured
for use or not configured for use. A policy that is not defined in the current container
could be inherited from another container.
7. To configure user rights assignment, double-click a user right or right-click on it and
select Security. This opens a Security Policy Setting dialog box.
8. For a site, domain, or organizational unit, individual user rights can be configured by
completing the following steps:
9. Open the Security Policy Setting dialog box for the user right to be modified (i.e. Log on
locally).
10. Select Define these policy settings to define the policy.
11. To apply the right to a user or group, click Add.
12. In the Add user or group dialog box, click Browse. This opens the Select Users Or
Groups dialog box. The right can now be applied to “domain users”. It will also be
necessary to apply the right to Administrators, before the wizard can complete.
13. Click on Properties, and look at each tab in turn… “Links” is useful for applying a GPO to
other domains. “General” can disable either user config settings or computer config
settings from the policy.
14. Click on “new”, and create a new group. Again, there are the user and computer
options. Don’t select a domain… we’ll leave it there for now!
Administering Group Policy & Group Policy Management Console (GPMC)
(Another snap-in for MMC…) http://support.microsoft.com/kb/307882
GPMC helps administrators manage an enterprise more cost-effectively by improving
manageability and increasing productivity. It also contains a set of scriptable interfaces for
managing Group Policy.
It simplifies the management of Group Policy by providing a single place for managing its core aspects via:
o A user interface (UI) that makes Group Policy much easier to use.
o Backup/restore of Group Policy objects (GPOs).
o Import/export and copy/paste of GPOs and Windows Management Instrumentation (WMI) filters.
o Simplified management of Group Policy-related security.
o HTML reporting of GPO settings and Resultant Set of Policy (RSoP) data.
o Scripting of policy-related tasks that are exposed within this tool (not scripting of settings within a GPO).
Exercise 5(d) Installing GPMC
A simple process that involves running a Windows Installer (.MSI) package from the CD. All necessary
files are installed to the \Program Files\GPMC folder.
1. Double-click the gpmc.msi package, and click Next.
2. Accept the End User License Agreement (EULA), and click Next.
3. Click Close to complete the installation.
Exercise 5(e) Using GPMC
Upon completion of the installation, the Group Policy tab that appeared on the Property pages of sites,
domains, and organizational units (OUs) in the Active Directory snap-ins is updated to provide a direct
link to GPMC.
Once GPMC has executed…
o Either click the Group Policy Management shortcut in the Administrative Tools
folder on the Start Menu or in the Control Panel. View the default policy, and examine
the settings.
o Or create a custom MMC console: Click Start, click Run, type MMC, and then click
OK. Point to File, click Add/Remove Snap-in, click Add, highlight Group Policy
Management, click Add, click Close, and then click OK.
To repair or remove GPMC, use Add or Remove Programs in Control Panel. Alternatively, run the
gpmc.msi package, select the appropriate option, and click Finish.