Slide 1: Configuring Group Policy

Exam Objectives
  Configuring Software Deployment
  Configuring Account Policies
  Configuring Audit Policies
  Configuring Additional Security-Related Policies

Slide 2: Configuring Software Deployment

Three things must occur for any software deployment using group policy: the software distribution point must be created, the GPO that will be used must be created or chosen, and the GPO must be configured for the deployment.

You can use group policy to manage the entire software life cycle: preparation, deployment, maintenance, and removal. The maintenance cycle includes the ability to redeploy software with service packs and fixes, as well as to upgrade to new versions. Redeployment is mandatory, but upgrades can be mandatory or optional.

Software packages can be published or assigned to users, and assigned to computers. Publishing allows users to install the software through document activation and the Control Panel. Assignment includes these as well as the ability to advertise the not-yet-installed application through the Start menu and Desktop icons.

Administrators can specify whether software removal will be forced or optional. If forced, the software is removed at the next computer startup or user logon. If optional, users can remove the software at any time using the Control Panel.

Slide 3: Configuring Account Policies

Windows Server 2008 creates a Default Domain Policy GPO for every domain in the forest. This GPO is the primary method used to set security-related policies such as password expiration and account lockout. You can use fine-grain password and account lockout policy to apply custom password and account lockout settings to individual users and global security groups within a domain.
The domain password policy lets you specify a range of password security options, including how frequently users must change their passwords, how long passwords must be, how many unique passwords must be used before a user can reuse one, and how complex passwords must be.

You can use account lockout to prevent successful brute force password guessing. If it is not enabled, someone can keep attempting to guess username/password combinations very rapidly using a software-based attack. The proper combination of settings can effectively block these types of attacks.

Slide 4: Configuring Audit Policies

Auditing is used to track authorized and unauthorized resource access, usage, and change within Windows Server 2008. You can audit the success and/or failure of a variety of tracked events. Examples of what can be tracked include logons, changes to policy, use of privileges, directory service or file access, and so forth.

Some objects, such as directory services, the file system, Registry keys, and printers, require two steps to enable auditing: you must enable auditing in group policy and on the specific objects you want to track.

Slide 5: Configuring Additional Security-Related Policies

Administrators can grant a wide array of user rights, including the ability to log on to a server locally or from a network connection, the ability to shut down a server, the ability for certain accounts to log on as a service, and many others.

Microsoft provides administrators with a large list of security parameters that can be defined using group policy, including preventing users from installing printer drivers, blocking access to the CD-ROM drive, specifying various digital signing and encryption settings, restricting access to the Registry, and many more.

The Restricted Groups object allows you to exert some control over group membership using group policy.
You can use it to strictly enforce the membership of groups it is configured to manage, and to add the managed groups to other groups.

The Administrative Templates group policy settings control a large number of Registry-based settings on the workstations and servers to which they apply. Pre-Windows Vista computers exclusively used ADM files, which were stored within each GPO in an Active Directory environment. You can still use ADM files with Windows Vista and Windows Server 2008; however, Microsoft recommends using the newer ADMX and ADML file formats. You can create a central store for ADMX and ADML files under the %sysvol%\<your domain name>\policies\ folder. You can convert ADM files to ADMX using the ADMX Migrator utility.

Slide 6: FAQ

Q: What methods of software deployment are available at the user level?
A: Administrators can assign and publish software to users, but can only assign software to computers.

Slide 7: FAQ

Q: What permissions should be set for the software distribution point?
A: At a minimum, share-level permissions should be set so that those responsible for administering the files have Full Control and users have read-only access. NTFS permissions are preferred over share-level permissions and should be set similarly.

Slide 8: FAQ

Q: What is the difference between software redeployment and upgrades?
A: Redeployment is used when the current application version needs to be reinstalled, or when a service pack needs to be applied. Upgrades are used to move from one version of the software to another.

Slide 9: FAQ

Q: What options are available when removing software using group policy?
A: Software can be removed if it was installed using group policy. Administrators can force removal at the next computer startup or user logon, or allow users to decide when to uninstall the software.
Slide 10: FAQ

Q: I created a GPO with specific password and account lockout settings and applied it to an OU in my Active Directory domain. Why weren't the settings applied?
A: A GPO with password and account lockout settings is applied only when it is linked at the domain level of Active Directory.

Slide 11: FAQ

Q: My security administrator is concerned about brute force password attacks. Are there any Windows Server 2008 features that can help to manage those risks?
A: Account lockout can be used to minimize the risk from brute force password attacks by setting an appropriate combination of values for the Account lockout duration, Account lockout threshold, and Reset account lockout counter after options.

Slide 12: FAQ

Q: I'm concerned about users going too long without changing their passwords, or using passwords that are really simple and easy to guess. What can I do about this in Windows Server 2008?
A: Windows Server 2008 group policy allows you to specify a range of password security options, including how frequently users must change their passwords, how long passwords must be, how many unique passwords must be used before a user can reuse one, and how complex passwords must be when they are initially specified or changed.

Slide 13: FAQ

Q: How can I apply a different set of password and account lockout policies to administrators?
A: In Windows Server 2008, a new feature called fine-grain password and account lockout policy can be used to apply custom password and account lockout policy settings to individual users and global security groups within a domain.

Slide 14: FAQ

Q: What can I monitor using auditing in Windows Server 2008?
A: Auditing can be used to track successful and failed resource access, usage, and change, including logon events, directory service objects, file system objects, Registry objects, printers, exercise of user privileges and rights, system events, account management changes, and much more.
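To tie the lockout options on Slide 11 to the audit data described on Slides 14 and 16, here is an added PowerShell example (not from the original slides) that replays failed-logon events against the Account lockout threshold and Reset account lockout counter after values and reports which accounts the policy would actually lock, treating the built-in Administrator separately as Slide 23 explains. Event IDs 4771, 4776 and 4625 are the standard Windows Server 2008 security log IDs (the first two come from Audit account logon events on the DC, the last from Audit logon events on the accessed computer); the events themselves are constructed sample data, and PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the original slides: correlate failed-logon audit events with
# the domain's Account lockout threshold and Reset account lockout counter after values.
# 4771 = Kerberos pre-auth failed, 4776 = NTLM validation failed (DC, account logon events),
# 4625 = logon failure (accessed computer, logon events), 4624 = successful logon.
$sampleEvents = @(   # constructed sample data, not real log output
    [pscustomobject]@{ Time = [datetime]'2008-06-01 08:00:05'; Id = 4771; Account = 'jsmith';        Source = '10.0.0.15' },
    [pscustomobject]@{ Time = [datetime]'2008-06-01 08:00:09'; Id = 4771; Account = 'jsmith';        Source = '10.0.0.15' },
    [pscustomobject]@{ Time = [datetime]'2008-06-01 08:00:12'; Id = 4776; Account = 'jsmith';        Source = '10.0.0.15' },
    [pscustomobject]@{ Time = [datetime]'2008-06-01 08:00:14'; Id = 4625; Account = 'jsmith';        Source = '10.0.0.15' },
    [pscustomobject]@{ Time = [datetime]'2008-06-01 08:00:17'; Id = 4771; Account = 'jsmith';        Source = '10.0.0.15' },
    [pscustomobject]@{ Time = [datetime]'2008-06-01 09:10:00'; Id = 4625; Account = 'mlee';          Source = '10.0.0.22' },
    [pscustomobject]@{ Time = [datetime]'2008-06-01 09:10:40'; Id = 4624; Account = 'mlee';          Source = '10.0.0.22' },
    [pscustomobject]@{ Time = [datetime]'2008-06-01 02:00:01'; Id = 4776; Account = 'Administrator'; Source = '203.0.113.7' },
    [pscustomobject]@{ Time = [datetime]'2008-06-01 02:00:02'; Id = 4776; Account = 'Administrator'; Source = '203.0.113.7' },
    [pscustomobject]@{ Time = [datetime]'2008-06-01 02:00:03'; Id = 4776; Account = 'Administrator'; Source = '203.0.113.7' },
    [pscustomobject]@{ Time = [datetime]'2008-06-01 02:00:04'; Id = 4776; Account = 'Administrator'; Source = '203.0.113.7' },
    [pscustomobject]@{ Time = [datetime]'2008-06-01 02:00:05'; Id = 4776; Account = 'Administrator'; Source = '203.0.113.7' }
)

function Find-LockoutCandidates {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Events,
        [int] $LockoutThreshold  = 5,    # Account lockout threshold (Default Domain Policy)
        [int] $ResetWindowMinutes = 30   # Reset account lockout counter after, in minutes
    )
    $failureIds = 4625, 4771, 4776
    foreach ($group in ($Events | Where-Object { $failureIds -contains $_.Id } | Group-Object -Property Account)) {
        $sorted = @($group.Group | Sort-Object -Property Time)
        # Sliding window: the lockout counter only accumulates failures that fall within ResetWindowMinutes of each other
        $window = New-Object 'System.Collections.Generic.List[datetime]'
        $peak = 0
        foreach ($e in $sorted) {
            $window.Add($e.Time)
            $cutoff = $e.Time.AddMinutes(-$ResetWindowMinutes)
            while ($window.Count -gt 0 -and $window[0] -lt $cutoff) { $window.RemoveAt(0) }
            if ($window.Count -gt $peak) { $peak = $window.Count }
        }
        [pscustomobject]@{
            Account        = $group.Name
            Failures       = $sorted.Count
            PeakInWindow   = $peak
            # Lockout never applies to the built-in Administrator, so a burst there needs a human to look at it
            LockedByPolicy = ($peak -ge $LockoutThreshold) -and ($group.Name -ne 'Administrator')
            Sources        = (@($sorted | Select-Object -ExpandProperty Source | Sort-Object -Unique) -join ', ')
        }
    }
}

Find-LockoutCandidates -Events $sampleEvents -LockoutThreshold 5 -ResetWindowMinutes 30 | Format-Table -AutoSize
```

On a live DC the threshold and window would be read from the Default Domain Policy (for example with net accounts /domain) and the events from the Security log with Get-WinEvent, then passed to the same function.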
Slide 15: FAQ

Q: It seems like auditing file system and directory service objects would produce too many log entries to sort through. Is there a way to limit this?
A: In addition to enabling auditing of these types of objects, you can also specify exactly what you want to track on an object-by-object basis. This includes both who changed an object and what specifically was changed.

Slide 16: FAQ

Q: I see that two types of logon events can be audited. What is the difference between them?
A: The Audit account logon events policy covers credential validation, and the events audited relate to the computer that is authoritative for the credentials. For most users in a domain, this is the DC that processes their logon, regardless of the location of the resources being accessed. The Audit logon events policy relates directly to the computer where the resources being accessed are located.

Slide 17: FAQ

Q: I'd like to restrict some users from being able to change their workstation's time, shut down servers, and so forth. This doesn't seem to be configurable with permissions. How can I accomplish this?
A: The User Rights Assignment node in group policy can be used to configure options such as these. Administrators can grant a wide array of user rights, including the ability to log on to a server locally or from a network connection, the ability to shut down a server, the ability for certain accounts to log on as a service, and many others.

Slide 18: FAQ

Q: How can I set the logon, signing, and encryption options for all of my Windows Server 2008 servers and Windows Vista Enterprise workstations at once, rather than having to configure the Local Security Policy on each computer?
A: Group policy can be used to enforce these types of settings across a wide range of Windows 2000 and later workstations and servers using the Security Options node in a GPO.
A significant range of security settings can be defined, including preventing users from installing printer drivers, blocking access to the CD-ROM drive, specifying various digital signing and encryption settings, restricting access to the Registry, and many more.

Slide 19: FAQ

Q: It seems like my organization is constantly having problems with inappropriate accounts being added to sensitive groups within Active Directory. What can be done to help prevent this?
A: The group policy Restricted Groups node can be used to strictly enforce the membership of groups it is configured to manage, and to add the managed groups to other groups.

Slide 20: FAQ

Q: I looked for the ADMX central store on my server under %sysvol%\<your domain name>\policies\ but did not find the PolicyDefinitions folder. Was my Active Directory installation completed properly?
A: No ADMX central store is created by default in Windows Server 2008. To create one manually, copy the %systemroot%\PolicyDefinitions folder from a Windows Server 2008 or Windows Vista computer to your %sysvol%\<your domain name>\policies\ folder.

Slide 21: Exam Warning

One often overlooked detail about computer software assignment is that you cannot assign software to a domain controller (DC). Carefully examine questions that show an Active Directory hierarchy including computer accounts for DCs and ask whether the computer software assignment policy settings will apply to all computers in the hierarchy.

Slide 22: Test Day Tip

One feature of Windows Installer (MSI) files is that software installed with them can be self-healing. If an error occurs, as long as the original installation software is available, these applications can often compare their current state to the original and correct any differences.
Even if optional removal is used, this self-healing capability is retained as long as the application remains installed, it was installed from an MSI file, and it still has access to the original installation software. It is recommended that you not remove these files from the software distribution point, even after you have removed the software deployment from group policy, until the application has been uninstalled from all computers.

Slide 23: Test Day Tip

Account lockout policies apply to every domain user except the Administrator account. This is a practical concession: if an attacker were brute-forcing all of your accounts, no one would be able to unlock them if the Administrator account were also locked out.

Slide 24: Exam Warning

It is important to remember that only one set of GPO account and lockout policies applies to a domain. This behavior is unchanged from Windows 2000 Server and Windows Server 2003. Although fine-grain policies can override the settings configured using a GPO at the domain level, they are not GPO-based.

Slide 25: Exam Warning

Don't be surprised to find an option on the exam that does not allow you to select just Failure auditing for logon events. Microsoft often recommends auditing both Success and Failure events for these policy items. Many administrators choose not to audit Success events because of the number of events generated. Hardcore security administrators, however, prefer to audit these events, and their feedback is often incorporated into Microsoft exams. They argue that auditing only Failure does not enable you to spot potentially fraudulent successful logons that are uncharacteristic of a user, for example a successful logon from an overseas Internet Protocol (IP) address for a small company with a single location in the United States.

Slide 26: Exam Warning

Not all user rights are tracked when Audit privilege use is enabled.
This is because some events are so numerous that they can quickly fill up the security log. By default, the following rights are omitted: Bypass traverse checking, Debug programs, Create a token object, Replace process level token, Generate security audits, Back up files and directories, and Restore files and directories. To audit these user rights, you must enable the FullPrivilegeAuditing Registry key.

Slide 27: Test Day Tip

Group policy options such as User Rights Assignment, Security Options, and Administrative Templates have large numbers of possible configuration settings. There is no way for a study guide to cover them all or to know which ones Microsoft will consider important for the exam. Be sure to familiarize yourself with as many as possible.

Slide 28: Test Day Tip

Microsoft has received considerable feedback on the confusing differences between the two Restricted Groups options. Make sure you are clear on what is and isn't enforced by each, because Microsoft considers this important to know for the exam. The Members of this group setting strictly controls who can be a member of the group. The This group is a member of setting does not strictly enforce membership; the group you are configuring is simply added to any groups you list here.

Slide 29: Exam Warning

It is important to remember that group nesting rules apply when configuring Restricted Groups. For example, you cannot configure a global group in one domain to be a member of a global group in another domain.

Slide 30: Test Day Tip

Microsoft often uses default settings that differ from its recommended settings. It is important for you to know not only what Microsoft recommends, but also what the default settings are when they differ.

Slide 31: Exam Warning

New features, such as the ADMX central store, that Microsoft considers to be an improvement are often heavily tested.
Pay special attention to information about them and consider reading more on Microsoft's Web site.
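The manual central-store procedure from Slides 20 and 31, as an added PowerShell example (not from the original slides); it assumes a Domain Admin session on a Windows Server 2008 DC or a Vista machine with RSAT, reaches %sysvol%\<your domain name>\policies\ through the SYSVOL share, and uses corp.example.com as a placeholder domain name.

```powershell
# Added example, not from the original slides: create and verify the ADMX central store.
# The slides' %sysvol%\<domain>\policies\ folder is reached here through the SYSVOL share,
# i.e. \\<domain>\SYSVOL\<domain>\Policies. Run as a Domain Admin on a Windows Server 2008
# DC (or a Vista machine with RSAT) whose local %systemroot%\PolicyDefinitions is current.
function New-AdmxCentralStore {
    param([Parameter(Mandatory = $true)] [string] $DomainDnsName)
    $source = Join-Path $env:SystemRoot 'PolicyDefinitions'
    $store  = "\\$DomainDnsName\SYSVOL\$DomainDnsName\Policies\PolicyDefinitions"
    if (-not (Test-Path $source)) { throw "No local PolicyDefinitions folder at $source" }
    if (Test-Path $store) {
        Write-Host "Central store already exists: $store"
    } else {
        # -Recurse copies the *.admx files together with the language subfolders
        # (for example en-US) that hold the matching *.adml files.
        Copy-Item -Path $source -Destination $store -Recurse
        Write-Host "Created central store: $store"
    }
    # Report what the Group Policy Management Editor will now read from the central store
    [pscustomobject]@{
        Store     = $store
        AdmxFiles = @(Get-ChildItem -Path $store -Filter *.admx).Count
        AdmlFiles = @(Get-ChildItem -Path $store -Recurse -Filter *.adml).Count
    }
}

# 'corp.example.com' is a placeholder; substitute your own domain DNS name.
New-AdmxCentralStore -DomainDnsName 'corp.example.com'
```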