Group Policy

MS Windows 2000 Group Policy
Presented by
Howard Hultgren, Chad Hinkle, and Howard Barnes
With Special Thanks to Julie Evans
MS Win 2K Group Policy
• Introduction to Group Policy
• Group Policy Overview
• Group Policy Processing
• Group Policy Delegation
• Group Policy Security Settings
• Design and Other Group Policy Issues
• References
Copyright, University of Tulsa, 2002
MS Win 2K Group Policy
Introduction to Group Policy
by Howard Hultgren
MS Win 2K Group Policy
Group Policy Overview
by Howard Hultgren
MS Win 2K Group Policy
• What is it – in general?
– A management technology provided for change and configuration
management in Microsoft Windows® 2000 operating system.
• Who uses it?
– Administrators - to specify options for managed configurations for
groups of computers and users.
– Users (sometimes) for local computer configuration
• Features – in general?
– options for registry-based policy settings, security settings,
software installation, scripts, folder redirection, Remote Installation
Services, and Internet Explorer maintenance.
Group Policy Uses
• Manage registry-based policy through
Administrative Templates.
– user-specific settings – written to the registry
under HKEY_CURRENT_USER (HKCU)
– computer-specific settings – written to the registry
under HKEY_LOCAL_MACHINE (HKLM)
– in both hives the settings go under the Policies keys
(Software\Policies and
Software\Microsoft\Windows\CurrentVersion\Policies), which
are ACL'd so that ordinary users cannot edit them
• Assign scripts
• Redirect folders
• Manage applications
• Specify security options.
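Added example, not code from the original slides: a PowerShell script (a modern Windows host is assumed; PowerShell did not exist for Windows 2000) that lists what Administrative Template settings have written under the four policy registry roots, and checks that non-administrators cannot write the computer-policy roots. The root paths are the standard policy locations; the host and the principals matched in the ACL check are assumptions.

```powershell
# Added example, not from the original slides. Lists registry-based policy
# written by Administrative Templates and checks the ACL on the HKLM roots.
# Assumes PowerShell 5.1+ on a domain-joined or stand-alone Windows host.

# The four registry roots Group Policy uses for registry-based settings:
# user-specific under HKCU, computer-specific under HKLM.
$policyRoots = @(
    'HKLM:\SOFTWARE\Policies',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies',
    'HKCU:\SOFTWARE\Policies',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
)

function Get-PolicyRegistryValues {
    param([string[]]$Roots = $policyRoots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        $scope = if ($root -like 'HKLM:*') { 'Computer' } else { 'User' }
        # Include the root key itself; Get-ChildItem only returns subkeys.
        $keys = @(Get-Item -Path $root) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Scope = $scope
                    Key   = $key.Name
                    Name  = $name
                    Value = $key.GetValue($name)
                }
            }
        }
    }
}

# Ordinary users must not be able to write the computer-policy roots; if they
# could, a local user could plant "policy" that applies to every logon.
function Test-PolicyRootWritableByUsers {
    param([string]$Root = 'HKLM:\SOFTWARE\Policies')
    $write = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey
    (Get-Acl -Path $Root).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        "$($_.IdentityReference)" -match '\\Users$|^Everyone$|Authenticated Users$' -and
        ($_.RegistryRights -band $write) -ne 0
    }
}

Get-PolicyRegistryValues | Format-Table -AutoSize
# Any output from the next call is a finding: a non-admin principal can
# write computer policy on this machine.
Test-PolicyRootWritableByUsers
```

Run it under an account that has applied user policy (HKCU entries appear only for the logged-on user). The ACL check lists Allow entries granting SetValue or CreateSubKey to the assumed low-privilege principals; an empty result is the expected state.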
Group Policy Management
• Group Policy Microsoft Management Console
(MMC) snap-in. Snap-ins are administrative
components integrated into the MMC
interface.
• Secedit.exe is a command-line tool for the
security-settings part of Group Policy: it analyzes
and configures a computer against a security
template, exports the current settings, and
refreshes policy (secedit /refreshpolicy).
Group Policy Management
• Or, go to the Start/Programs/Administrative
Tools menu and open a saved custom console
(here console1.msc):
Policy Specification Options
• Registry-based policies.
• Security options.
• Software installation and
maintenance options.
• Scripts options.
• Folder redirection options.
Windows 2000
Active Directory
• directory service designed for distributed
computing environments
– allows organizations to centrally manage and
share information on network resources and users
while acting as the central authority for network
security
– is designed to be a consolidation point for
isolating, migrating, centrally managing, and
reducing the number of directories that companies
require
Active Directory &
Group Policy
• Active Directory & Group Policy are very
interconnected. Group Policy is a feature of
Active Directory.
– Group Policy settings created are contained in a
Group Policy Object (GPO), which is in turn
associated with selected Active
Directory containers, such as sites, domains, or
organizational units (OUs).
– Don’t tackle Active Directory without mastering
Group Policy.
mmc.exe default GUI
mmc – Adding Snap-Ins
Ways to Open the Group
Policy Snap-In
• You can open Group Policy in several ways,
depending on what action you want to
perform with the snap-in.
• You can apply Group Policy to:
– the local computer
– another computer
– a site
– a domain
– an organizational unit
Group Policy - How to:
• Apply Group Policy to the local
computer
– Open Group Policy (one way is to click
Start, click Run, type gpedit.msc, and
then press ENTER).
– Make whatever policy setting you want in
the Group Policy console.
Group Policy - How to:
•
Apply Group Policy to another computer
1. Open Microsoft Management Console.
2. On the MMC console's menu bar, click Console,
and then click Add/Remove Snap-in.
3. On the Standalone tab, click Add.
4. In the Add Standalone Snap-in dialog box,
click Group Policy, and then click Add.
5. In the Select Group Policy object dialog box,
browse to find the Group Policy object you want.
6. Click Finish, and then click OK. The Group
Policy snap-in now opens the specified Group
Policy object for editing.
Group Policy - How to:
• Apply Group Policy to a site
– Active Directory must be set up (To open
Active Directory Sites and Services, click Start,
point to Programs, point to Administrative
Tools, and then click Active Directory Sites
and Services).
– then link a Group Policy object to the
intended site.
Group Policy - How to:
• To apply Group Policy to a domain
– Open Group Policy from Active Directory Users and
Computers (domain Properties, Group Policy tab), and
then link a Group Policy object to the intended domain.
• To apply Group Policy to an organizational
unit
– Open Group Policy from Active Directory Users and
Computers (OU Properties, Group Policy tab), and then
link a Group Policy object to the intended organizational
unit.
– You can also link a Group Policy object to an
organizational unit higher in the Active Directory
hierarchy, so that the organizational unit can
inherit Group Policy settings.
Group Policy - How to:
• To apply Group Policy to any existing
Group Policy object or set of Group
Policy objects
– Create and save your own custom MMC
console.
Group Policy Snap-In
User & Computer Policy
• Users and Computers are the only types
of Active Directory objects that receive
policy
– User Policy settings are located under User
Configuration and are obtained when a
user logs on
– Computer policy settings are located under
Computer Configuration, and are obtained
when a computer boots.
Group Policy Objects
• Policy settings are stored in Group
Policy objects
– Non-local Group Policy Objects
– Local Group Policy Objects
MS Win 2K Group Policy
Group Policy Processing
by Chad Hinkle
Order of Application
• Policies are applied in this order (a setting applied
later wins over an earlier conflicting one):
1. The local Group Policy object (one per computer).
2. Site Group Policy objects, in administratively
specified order.
3. Domain Group Policy objects, in administratively
specified order.
4. Organizational unit Group Policy objects, from
largest to smallest organizational unit (parent to
child organizational unit), and in administratively
specified order at the level of each organizational
unit.
Filtering Policy
• Policy can be filtered by security group
membership
– The Apply Group Policy access control entry (ACE)
for a security group on a Group Policy object can be
set to Not configured (no preference), Allowed, or
Denied. Denied takes precedence over Allowed. The
principal also needs Read on the GPO for it to apply.
Policy Inheritance
• In general, group policy is passed down from
parent to child containers.
– If a parent OU has policy settings that are not
configured, the child OU doesn’t inherit them.
– If a parent policy and a child policy are
compatible, the child inherits the parent policy,
and the child's setting is also applied.
– If a policy configured for a parent OU is
incompatible with the same policy configured for a
child OU, the child does not inherit the policy
setting from the parent. The setting in the child is
applied.
Blocking Inheritance
• Inheritance of policies can be blocked at
the site, domain or OU level using the
Block Inheritance check box.
• Group Policy must be opened from
Active Directory Sites and Services to
use this feature.
Enforcing Inheritance
• The No Override check box forces all
child policy containers to inherit the
parent's policy even if those policies
conflict with the child's policies, and
even if Block Inheritance has been
set for the child.
• Group Policy must be opened from
Active Directory Sites and Services to
use this feature.
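Added example, not code from the original slides, covering the Order of Application, Filtering Policy, Policy Inheritance, Blocking Inheritance and Enforcing Inheritance slides above: a PowerShell simulator of the processing rules, so the interaction of LSDOU order, Deny-over-Allow filtering, Block Inheritance and No Override can be checked before touching a real domain. The containers, GPO names, groups and settings are constructed for illustration.

```powershell
# Added example, not from the original slides: a simulator of the Windows 2000
# processing rules (LSDOU order, security-group filtering, Block Inheritance
# and No Override). Containers, GPO names and settings below are constructed.

function New-Gpo {
    param([string]$Name, [hashtable]$Settings, [hashtable]$ApplyAcl)
    # ApplyAcl maps a security group to its "Apply Group Policy" ACE:
    # 'Allowed', 'Denied', or absent (not configured).
    [pscustomobject]@{ Name = $Name; Settings = $Settings; ApplyAcl = $ApplyAcl }
}

function New-Link {
    param($Gpo, [switch]$NoOverride)
    [pscustomobject]@{ Gpo = $Gpo; NoOverride = [bool]$NoOverride }
}

function New-Level {
    # One container in the chain: Local, Site, Domain, then OUs parent to child.
    param([string]$Name, [object[]]$Links, [switch]$BlockInheritance)
    [pscustomobject]@{ Name = $Name; Links = $Links; BlockInheritance = [bool]$BlockInheritance }
}

function Test-GpoApplies {
    # Denied on any of the principal's groups wins; otherwise at least one
    # group must be Allowed.
    param($Gpo, [string[]]$Groups)
    $allowed = $false
    foreach ($g in $Groups) {
        $ace = $Gpo.ApplyAcl[$g]
        if ($ace -eq 'Denied')  { return $false }
        if ($ace -eq 'Allowed') { $allowed = $true }
    }
    return $allowed
}

function Resolve-EffectivePolicy {
    param([object[]]$Levels, [string[]]$Groups)
    # The deepest container with Block Inheritance drops every non-enforced
    # link above it. The local GPO is not an AD link and is never blocked.
    $blockIndex = -1
    for ($i = 0; $i -lt $Levels.Count; $i++) {
        if ($Levels[$i].BlockInheritance) { $blockIndex = $i }
    }
    $normal = @(); $enforced = @()
    for ($i = 0; $i -lt $Levels.Count; $i++) {
        foreach ($link in $Levels[$i].Links) {
            if (-not (Test-GpoApplies -Gpo $link.Gpo -Groups $Groups)) { continue }
            if ($link.NoOverride) { $enforced += $link.Gpo; continue }
            if ($i -lt $blockIndex -and $Levels[$i].Name -ne 'Local') { continue }
            $normal += $link.Gpo
        }
    }
    # Ordinary links apply in LSDOU order, so the last (closest) one wins a
    # conflict. No Override links apply after all of them, highest level last,
    # so a No Override GPO on the domain beats one on a child OU.
    [array]::Reverse($enforced)
    $effective = @{}; $order = @()
    foreach ($gpo in ($normal + $enforced)) {
        $order += $gpo.Name
        foreach ($setting in $gpo.Settings.Keys) { $effective[$setting] = $gpo.Settings[$setting] }
    }
    [pscustomobject]@{ Order = $order; Settings = $effective }
}

# Constructed sample: a Payroll user logging on to a machine in OU=Payroll,OU=HR.
$everyone = @{ 'Authenticated Users' = 'Allowed' }
$lgpo    = New-Gpo 'Local GPO'             @{ MinPasswordLength = 6; AuditLogon = 'Failure' } $everyone
$siteGpo = New-Gpo 'Site Proxy'            @{ ProxyServer = 'proxy.site.example' }           $everyone
$domGpo  = New-Gpo 'Default Domain Policy' @{ MinPasswordLength = 8; LockoutThreshold = 5 }  $everyone
$hrGpo   = New-Gpo 'HR Lockdown'           @{ RunOnlyAllowedApps = $true; LockoutThreshold = 3 } `
                   @{ 'Authenticated Users' = 'Allowed'; 'Domain Admins' = 'Denied' }
$payGpo  = New-Gpo 'Payroll Apps'          @{ RunOnlyAllowedApps = $false }                  @{ 'Payroll' = 'Allowed' }

$levels = @(
    (New-Level 'Local'            @(New-Link $lgpo)),
    (New-Level 'Site'             @(New-Link $siteGpo)),
    (New-Level 'Domain'           @(New-Link $domGpo -NoOverride)),
    (New-Level 'OU=HR'            @(New-Link $hrGpo)),
    (New-Level 'OU=Payroll,OU=HR' @(New-Link $payGpo) -BlockInheritance)
)

$result = Resolve-EffectivePolicy -Levels $levels -Groups @('Authenticated Users', 'Payroll')
'Applied in order: ' + ($result.Order -join ' -> ')
$result.Settings.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
```

The sample is built so that the Payroll OU's Block Inheritance discards the site and HR GPOs, while the No Override link on the domain still applies and, being enforced, overrides the child OU on the settings they share. Change the user's groups to include Domain Admins, or drop the Block Inheritance switch, to see the Denied ACE and the inheritance rules take effect.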
Group Policy:
Best Practices
• Disable unused parts of a Group Policy object
• Use the Block Policy Inheritance and No Override
features sparingly
• Minimize the number of Group Policy objects
associated with users in domains or organizational
units
• Filter policy based on security group membership
• Override user-based Group Policy with computer-based
Group Policy (loopback processing) only when necessary
• Limit the overall number of domain and enterprise
administrators
MS Win 2K Group Policy
Group Policy Delegation
by Howard Barnes
Group Policy Delegation
Ways that administrators can manage and
delegate control over Group Policy:
• Manage Group Policy links for a
container object
• Create GPOs
• Edit GPOs
• Restrict access to certain snap-ins
Managing GPO Links
• Container attributes: gPLink (the linked GPOs, in
order) and gPOptions (the Block Inheritance flag)
• By default: Domain and Enterprise
Administrators can manage
• Can delegate to other users or groups
• Need Read and Write permissions on those two attributes
• Recommended: groups, not individuals
• Caution on non-administrative groups: a link manager can
attach any GPO it can read to the container
Granting a Group Ability to
Manage Group Policy Links
• Start → Programs → Administrative Tools →
Active Directory Users and Computers
• Right click on the container to delegate
• Select Delegate Control from pull-down menu
• Click Next
• Click the Add button to add users and/or groups
• Select each group to have the ability to manage links
• Click Add for each one
• Click OK
• Click Next
Granting Ability to
Manage Links (continued)
• Select Delegate the following
common tasks
• Click the Manage Group
Policy Links check box
• Click Next
• Click Finish
Creating GPOs
• Who can create a new GPO?
– Domain Administrators group
– Enterprise Administrators group
– SYSTEM (the local system account)
– Group Policy Creator Owners group
(the member creating a new GPO becomes
its Creator Owner).
Editing GPOs
To grant edit access to a GPO:
• Open a GPO
– In the Group Policy snap-in or
– Through a container’s Properties → Group Policy tab
• Right click the GPO and select Properties
• Click the Security tab
• Click Add to add user and/or group to ACL
– Grant Read and Write permissions in Allow column for GPO
• Click OK
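Added example, not code from the original slides, for the Managing GPO Links, Granting, Creating GPOs and Editing GPOs slides: the same delegation done from PowerShell with the least permission each task needs, plus an audit of who holds more. It assumes the GroupPolicy and ActiveDirectory RSAT modules (Windows Server 2008 R2 or later, not Windows 2000) and dsacls.exe; the OU, domain, group and GPO names are placeholders.

```powershell
# Added example, not from the original slides. Delegates link management on
# an OU and edit rights on one GPO, then audits who holds elevated rights.
# Assumes the GroupPolicy and ActiveDirectory RSAT modules and dsacls.exe;
# the OU, domain, group and GPO names are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ou      = 'OU=HR,DC=corp,DC=example'
$linkGrp = 'CORP\GP-HR-LinkManagers'   # may link and unlink GPOs on the OU
$editGrp = 'GP-HR-Editors'             # may edit one GPO, nothing else
$gpoName = 'HR Lockdown'

# 1. "Manage Group Policy links" is only Read/Write Property on gPLink and
#    gPOptions of the container, which is what the Delegation of Control
#    wizard grants. RP = read property, WP = write property; ";attribute"
#    limits the ACE to that attribute instead of the whole object.
dsacls $ou /G "${linkGrp}:RPWP;gPLink"
dsacls $ou /G "${linkGrp}:RPWP;gPOptions"

# 2. Editing one GPO: GpoEdit is Read + Write on the GPO, not Full Control,
#    so the editors cannot change the GPO's own ACL or delete it.
Set-GPPermission -Name $gpoName -TargetName $editGrp -TargetType Group `
                 -PermissionLevel GpoEdit | Out-Null

# 3. Audit: trustees with more than Read/Apply on the GPO, and everyone who
#    can create new GPOs through Group Policy Creator Owners.
function Get-GpoPrivilegedTrustees {
    param([string]$Name)
    Get-GPPermission -Name $Name -All |
        Where-Object { $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' } |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited
}

Get-GpoPrivilegedTrustees -Name $gpoName | Format-Table -AutoSize
Get-ADGroupMember -Identity 'Group Policy Creator Owners' -Recursive |
    Select-Object SamAccountName, objectClass
```

Run the audit part alone on a schedule: any trustee with GpoEditDeleteModifySecurity that is not Domain Admins, Enterprise Admins or SYSTEM, and any unexpected member of Group Policy Creator Owners, is exactly the over-delegation the slides warn about.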
Restricting the Use of
Sensitive Snap-ins (1)
To restrict or permit access to snap-ins:
• Open a GPO
• If through Group Policy tab, highlight desired GPO
and click Edit button
• Navigate down to the User Configuration\Administrative
Templates\Windows Components\Microsoft Management Console node
• Double-click Restrict users to the explicitly permitted list of snap-ins in
right pane
• Click radio button
– Enabled: only snap-ins explicitly permitted (next slide) can be used
– Disabled (or Not configured): all snap-ins can be used except
those explicitly restricted (next slide)
Restricting the Use of
Sensitive Snap-ins (2)
To restrict or allow access to specific snap-in:
• Navigate down to the User Configuration\Administrative
Templates\Windows Components\Microsoft Management
Console\Restricted/Permitted snap-ins node
• Double-click the desired snap-in in the right pane
• Click radio button
– Enabled if explicitly allowing access to snap-in
– Disabled if explicitly denying access
• To restrict access to a Group Policy extension:
– Double-click Group Policy node
– Select snap-in from list
– Enable or disable it
Which snap-ins to allow
for given group of users?
• Often environment and network specific
• Normal users restricted from several snap-ins by
default
– May need greater restriction
• For non-administrative users:
– May want to define snap-ins they can access
– Implicitly deny access to all others
– No access to Security Templates and Security
Configuration and Analysis snap-ins
• Groups of administrative users
– If delegated Active Directory abilities, can be limited to
certain tasks
Recommendations
Summary
• Use caution when delegating Group Policy to groups
other than administrators.
• Assign Group Policy permissions to security groups
and not individual users.
• Full Control is not necessary to manage links or
modify GPOs; assign the fewest permissions needed.
• Limit the use of sensitive snap-ins, such as Group
Policy, Security Templates, and Security Configuration
and Analysis.
• In the case of non-administrative users, define GPOs
that deny access to all snap-ins except those deemed
necessary and explicitly listed as permitted.
MS Win 2K Group Policy
Group Policy Security Settings
by Howard Barnes
Security Settings
Overview
• Under
Computer Configuration\Windows Settings\Security Settings
within a GPO
• Can be accessed via Group Policy snap-in
• Computer, not user specific
• Security Settings node expands to
reveal nine security areas.
Security Settings Areas
(1)
• Account Policies *
• Local Policies *
• Event Log *
• Restricted Groups *
• System Services *
• Registry *
• File System *
• Public Key Policies
• IP Security Policies on Active Directory
* Can be initially configured via the Security Templates snap-in
Security Settings Areas
(2)
• Account Policies - computer security settings for:
– password policy
– lockout policy
– Kerberos policy
• Local Policies - security settings for:
– audit policy
– user rights assignment
– security options.
• Event Log - controls security settings for:
– Application event log
– Security event log
– System event logs
Security Settings Areas
(3)
• Restricted Groups – enforces group membership:
– Members: who should (and should not) belong
– Member Of: which groups this group belongs to
– Examples:
• Enterprise Administrators
• Payroll
• System Services - control:
– startup mode
– security options (security descriptors) for system
services.
Security Settings Areas
(4)
• Registry – used to configure security settings
for registry keys including:
– Access Control
– Audit
– Ownership
• File System - used to configure security
settings for file-system objects, including:
– access control
– Audit
– ownership.
Security Settings Areas
(5)
• Public Key Policies – includes:
– Encrypted Data Recovery Agents
– Automatic Certificate Request Settings
– Trusted Root Certification Authorities
– Enterprise Trust
• IP Security Policies on Active Directory
– includes settings for IPSec.
Importing a Security
Template into a GPO
In Group Policy snap-in:
• Navigate to the Computer Configuration\Windows
Settings\Security Settings node
• Right-click Security Settings
• Select Import Policy from the pull-down menu
• Select a template (.inf) from the folder, or browse
• Click Open
• Can then view the settings by navigating
down through the Security Settings tree
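Added example, not code from the original slides: before importing a template into a GPO it helps to know how far the computers already are from it. This PowerShell script exports the local security settings with secedit.exe, runs an analysis (not a configure) against a template, and parses the [System Access] section of both .inf files to list the account-policy drift. The template path is an assumption (hisecws.inf shipped with Windows 2000; substitute the template you actually import), and a modern Windows host is assumed.

```powershell
# Added example, not from the original slides. Exports the computer's current
# security settings, analyzes them against a template with secedit.exe, and
# lists drift in the [System Access] section (account-policy settings).
# The template path is an assumption: use the template you import into the GPO.
$template = "$env:SystemRoot\security\templates\hisecws.inf"
$work     = Join-Path $env:TEMP 'gp-audit'
$current  = Join-Path $work 'current.inf'
$db       = Join-Path $work 'analysis.sdb'
$log      = Join-Path $work 'analysis.log'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Current settings, in the same .inf format as a template.
secedit /export /cfg $current /quiet
# Analysis only: nothing is changed. "secedit /configure" with the same
# arguments would apply the template, which is what the GPO does at refresh.
secedit /analyze /db $db /cfg $template /log $log /quiet

function Get-InfSection {
    # Minimal parser for the "key = value" lines of one section of a template.
    param([string]$Path, [string]$Section)
    $values = @{}
    $inside = $false
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*\[(.+?)\]\s*$') { $inside = ($Matches[1] -eq $Section); continue }
        if ($inside -and $line -match '^\s*([^=;]+?)\s*=\s*(.*?)\s*$') {
            $values[$Matches[1]] = $Matches[2]
        }
    }
    $values
}

function Compare-SystemAccess {
    # One row per template setting whose current value differs (or is unset).
    param([string]$CurrentPath, [string]$TemplatePath)
    $have = Get-InfSection -Path $CurrentPath  -Section 'System Access'
    $want = Get-InfSection -Path $TemplatePath -Section 'System Access'
    foreach ($name in ($want.Keys | Sort-Object)) {
        if ("$($have[$name])" -ne "$($want[$name])") {
            [pscustomobject]@{ Setting = $name; Current = $have[$name]; Template = $want[$name] }
        }
    }
}

Compare-SystemAccess -CurrentPath $current -TemplatePath $template | Format-Table -AutoSize
```

The secedit analysis log covers every area of the template; the parser here deliberately reads only [System Access] because those are the settings (password length, lockout, and so on) that are effective only from a GPO linked to the domain, so drift there on a member computer usually means the domain GPO is not what was intended.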
Design Considerations for
Security Settings
• The NSA Security Configuration Tool Set guide (Haney,
2001; see References) provides templates for:
– Windows 2000 Servers
– Windows 2000 Workstations
• Recommendation:
– Group computers into separate OUs, based on role,
and link the matching template's GPO to each
Recommendations
Summary
• Import security templates into GPOs.
• If separate account policies required,
consider a multiple-domain architecture.
• Computers fulfilling different roles
should be grouped into separate OUs.
MS Win 2K Group Policy
Design and Other Group Policy Issues
by Howard, Chad, and Howard
Design Considerations
• User and computer objects should be in
separate OUs.
• Default Domain Policy GPO (linked to the domain by
default) contains:
– Very few security settings
– Some Public Key and IPSec policies
– Account Policies settings for the whole domain
• Should limit the number of GPOs applied to
users and computers
Domain Controller Group
Policy
• Domain Controllers container created by
default
– All domain controllers placed in it as added
– Default Domain Controllers Policy GPO linked
– A domain controller specific template should be
imported
• Domain controllers share domain account
database
– Some settings must be the same
– Some settings in domain Group Policy applied on
all domain controllers
Domain Group Policy applied to
domain controllers
• All settings in
Computer Configuration\Windows Settings\Security
Settings\Account Policies
• Settings in
Computer Configuration\Windows Settings\Security
Settings\Local Policies\Security Options
– Automatically log off users when logon time expires
– Rename administrator account
– Rename guest account
Group Policy
Management
• When a new GPO is created or edited
– The domain controller holding the PDC emulator role
performs the management operation by default
– Another domain controller can be selected in the
Group Policy snap-in (View, DC Options)
– Microsoft recommends keeping the PDC
emulator as the default
Local Group Policy Object
• Every computer has Local Group Policy
– First policy applied
– Subsequent policies may override
– Solid local policy is important
• Local Group Policy Object (LGPO)
– Saved in %SystemRoot%\System32\GroupPolicy
– Can be accessed and viewed by:
• Choosing Local Computer object in Group Policy snap-in
• Selecting Local Security Policy option under Administrative
Tools menu
– Does not have all settings available with Active Directory
Group Policy (no Software Installation or Folder Redirection,
for example)
Loopback GPO
Processing
• Allows user policy to be applied based on the
computer the user logs on to (kiosks, lab machines,
terminal servers)
• Applications normally assigned to the user are not
automatically available
• Two modes
– Replace mode – only the user settings of the GPOs that
apply to the computer are processed; the user's own GPOs
are ignored
– Merge mode – the user's GPOs are processed first, then
the user settings of the computer's GPOs, which win on
conflict
• Use only when absolutely necessary
Support for Windows NT
and 9x Clients
• Group Policy replaces System Policy from Windows
NT
– Not backward compatible
– Does not support legacy clients
• Upgrading Windows NT clients to Windows 2000
clients
– Manually duplicate system policies or approximate in Group
Policy
• Legacy clients not recommended in Win2K networks
– Cannot use Group Policy
– System policy can be pushed out to them
• Refer to Guide to Securing Microsoft Windows NT/9x
Clients in a Windows 2000 Network
Monitoring and Troubleshooting
Group Policy
• Group Policy event logging can be enabled
• Two types of event logging:
– Diagnostic – writes detailed Group Policy events to
the Application event log
– Verbose – tracks:
• Group Policy changes
• Settings applied to local computer
• Settings applied to users logging on
• Verbose log file:
– %SystemRoot%\Debug\UserMode\Userenv.log
Enabling Diagnostic
Logging
Add the following registry key and value:
Hive: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
Name: RunDiagnosticLoggingGlobal
Type: REG_DWORD
Value: 1
May need to increase the size of the Application log.
Enabling Verbose Logging
Add the following registry value:
Hive: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: UserEnvDebugLevel
Type: REG_DWORD
Value: 0x30000 (hex) – logs nothing
0x30001 (hex) – enables logging of errors
0x30002 (hex) – enables verbose logging
(the values are hexadecimal; 0x30002 is 196610 decimal)
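Added example, not code from the original slides, for the Enabling Diagnostic Logging and Enabling Verbose Logging slides: a PowerShell script that turns both modes on, forces a policy refresh, pulls the error lines out of Userenv.log, and turns logging off again, since the logs grow quickly and should only be on while troubleshooting. It assumes Windows XP or Server 2003 with PowerShell 2.0 or later (the functions also parse a Userenv.log copied from a Windows 2000 machine); the Userenv.log line format in the regular expression is an assumption. On Windows Vista and later, Group Policy processing no longer logs to Userenv.log.

```powershell
# Added example, not from the original slides. Turns the two logging modes on,
# refreshes policy, reports error lines from Userenv.log, then turns logging
# off again. Assumes Windows XP/2003 with PowerShell 2.0+; the Userenv.log
# line shape used below is an assumption.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$diag     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'

function Enable-GroupPolicyLogging {
    if (-not (Test-Path -Path $diag)) { New-Item -Path $diag -Force | Out-Null }
    # Diagnostic: detailed events to the Application event log.
    New-ItemProperty -Path $diag -Name RunDiagnosticLoggingGlobal -PropertyType DWord -Value 1 -Force | Out-Null
    # Verbose: 0x30002 = verbose messages to Userenv.log (0x30001 = errors only).
    New-ItemProperty -Path $winlogon -Name UserEnvDebugLevel -PropertyType DWord -Value 0x30002 -Force | Out-Null
}

function Disable-GroupPolicyLogging {
    Remove-ItemProperty -Path $diag -Name RunDiagnosticLoggingGlobal -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $winlogon -Name UserEnvDebugLevel -ErrorAction SilentlyContinue
}

function Get-UserenvErrors {
    # Assumed line shape: "USERENV(<pid>.<tid>) hh:mm:ss:ms Function: message"
    param([string]$Path = "$env:SystemRoot\Debug\UserMode\Userenv.log")
    Get-Content -Path $Path |
        Where-Object { $_ -match 'fail|error|denied|not found' } |
        ForEach-Object {
            if ($_ -match '^USERENV\((?<pid>[0-9a-f]+)\.(?<tid>[0-9a-f]+)\)\s+(?<time>[\d:]+)\s+(?<msg>.*)$') {
                New-Object PSObject -Property @{
                    Time    = $Matches['time']
                    Thread  = $Matches['tid']
                    Message = $Matches['msg']
                }
            }
        }
}

Enable-GroupPolicyLogging
gpupdate /force   # on Windows 2000 use: secedit /refreshpolicy machine_policy /enforce
Get-UserenvErrors | Format-Table Time, Thread, Message -AutoSize
Disable-GroupPolicyLogging
```

The thread id is kept in the output because computer policy and each user's policy are processed on different threads, so grouping the error lines by Thread separates a failing computer GPO from a failing user GPO in the same log.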
Group Policy –
Troubleshooting
• Group Policy tools that Microsoft provides:
– Resultant Set of Policy (mmc snap-in; Windows XP/Server 2003)
– GPResult
– GPOTool
– Active Directory Users and Computers
– Group Policy Editor
– Active Directory Sites and Services
– Secedit
– Local Security Policy
– DCDiag and Netdiag
– NSLookup and Netdiag
– Repadmin
Group Policy –
Troubleshooting
• Something is not working properly—how can
I troubleshoot Group Policy?
– Troubleshooting Group Policy in Windows 2000
(http://www.microsoft.com/Windows2000/techinfo/howitworks/management/gptshoot.asp)
is the single best resource for troubleshooting general
Group Policy problems. For more information
specifically related to the troubleshooting of Group
Policy–based software installation, see Group
Policy Troubleshooting (Q250842)
(http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q250842)
in the Microsoft Knowledge Base.
Group Policy –
Troubleshooting
• How do I export Group Policy settings to a text file?
– Windows 2K and the Windows 2K Resource Kits do not
include any tools for exporting Group Policy settings.
– Microsoft is developing the Group Policy Management
Console (GPMC), which will include this ability and many
other useful features.
• The GPMC is scheduled to be available as a free download shortly
after Windows .NET Server (released as Windows Server 2003) ships.
• Full Armor currently offers Fazam, a tool that can perform many
of the tasks that the GPMC will be able to do.
• For Windows 2000 only, the Windows 2000 Server Resource Kit
CD contains a version of Fazam that has limited functionality.
Group Policy –
Troubleshooting
• Troubleshooting in general:
– An important part of troubleshooting Group Policy
problems is to consider dependencies between
components.
• Software Installation relies on Group Policy
• Group Policy relies on Active Directory
• Active Directory relies on proper configuration of network
services.
• When trying to fix problems that appear in one
component, it is generally helpful to check whether
components, services, and resources on which it relies
are working correctly.
• Event logs are useful for tracking down problems caused
by this type of hierarchical dependency.
Recommendations
Summary
• Remove users and computers from the built-in Users and Computers
containers and place them in OUs
• Set Account Policies and other domain-wide settings in a GPO linked to
the domain (account policies for domain accounts take effect only at
domain level)
• Minimize the number of GPOs associated with users or computers
• Group related settings in a single GPO
• Maintain the PDC emulator domain controller as Group Policy manager
• Set strong Local Group Policy for computers not part of a domain
– A good LGPO can compensate for holes in subsequently applied Active
Directory GPOs
• Use loopback processing only when absolutely necessary
– Place all computers affected by loopback in the same OU
• Do not use legacy clients in a Windows 2000 network
– If necessary, investigate how to apply System Policy
• Enable Group Policy diagnostic logging temporarily for troubleshooting
MS Win 2K Group Policy
Group Policy References
References (1)
• Babcock, Paul, et al., “Guide to Securing Microsoft
Windows 2000 Networks”, Version 4.1, National
Security Agency, September 6, 2000
• “Designing a Secure Microsoft Windows 2000
Network”, Microsoft Official Curriculum course
2150ACP, 2000
• Haney, Julie, “Guide to Securing Microsoft Windows
2000 Group Policy: Security Configuration Tool Set”,
Version 1.0, National Security Agency, May 2001
• “Introduction to Windows 2000 Group Policy”,
http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolicyintro.asp,
Microsoft white paper, 1999
References (2)
• McLean, Ian, Windows 2000 Security Little Black
Book, Coriolis Group, Scottsdale, Arizona, 2000
• Microsoft Web Site, http://www.microsoft.com/
• “Step-by-Step Guide to Understanding the Group
Policy Feature Set”,
http://www.microsoft.com/windows2000/techinfo/planning/management/groupsteps.asp,
Microsoft, January 2000
• “Windows 2000 Group Policy”,
http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp,
Microsoft white paper, 2000
Group Policy – FAQ1
• Third-party tools available for Group Policy
– Full Armor’s Fazam: http://www.fullarmor.com/solutions/group
– Bindview’s BV-Admin for Windows 2000: http://www.bindview.com/products/Admin/win2000.cfm
– Fastlane ActiveRoles from Quest Software: http://www.quest.com/fastlane/activeroles/
Group Policy – FAQ2
• Is there a way to do <some setting> using
Group Policy?
– The setting that you need may already be present
and manageable through Group Policy. You should
check using the GP Editor to see if the setting
already exists.
• How do I configure Group Policy for multiple
users without using Active Directory?
– The Local Group Policy Object, which can be used
to configure policy settings on stand-alone
computers, was not designed to work with
multiple users.
Group Policy Summary
• Group Policy – What is it and why do I need it?
• Multiple ways of getting to the Group Policy Settings
• Summarized Windows 2000 Active Directory & its
relationship with Group Policy
• User Configuration vs. Computer Configuration
• Group Policy Objects
• Filtering
• Group Policy Inheritance (also blocking and forcing)
• Group Policy Best Practices
• Several Group Policy FAQs
• Group Policy Troubleshooting
Questions, comments, corrections,
rebuttals?