Configuring Group Policy
Exam Objectives
Configuring Software Deployment
Configuring Account Policies
Configuring Audit Policies
Configuring Additional Security-Related Policies

Copyright line.
Configuring Software Deployment




Three things must occur for any software deployment using group
policy: the software distribution point must be created, the GPO that
will be used must be created or selected, and the GPO must be
configured for the deployment.
You can use group policy to manage the entire software life cycle:
preparation, deployment, maintenance, and removal. The maintenance
cycle includes the ability to redeploy software with service packs and to
fix issues, as well as being able to upgrade to new versions.
Redeployment is mandatory but upgrades can be mandatory or
optional.
Software packages can be published or assigned to users, and assigned to
computers. Publishing lets users install the software through document
activation (opening a file type the application handles) or from the
Control Panel. Assignment includes these methods and also advertises the
not-yet-installed application through Start menu and Desktop icons.
Administrators can specify whether software removal will be forced or
optional. If forced, software is removed at the next computer startup or
user logon. If optional, users can remove the software at any time using
the Control Panel.
Configuring Account Policies




Windows Server 2008 creates a Default Domain Policy GPO for every
domain in the forest. This GPO is the primary method used to set some
security-related policies such as password expiration and account lockout.
You can use fine-grain password and account lockout policy to apply
custom password and account lockout policy settings to individual users
and global security groups within a domain.
The domain password policy allows you to specify a range of password
security options, including how frequently users change their passwords,
how long passwords must be, how many unique passwords must be used
before a user can reuse one, and how complex passwords must be.
You can use account lockout to prevent successful brute force password
guessing. If it is not enabled, someone can keep guessing
username/password combinations very rapidly using an automated tool.
The proper combination of settings can effectively block this type of
attack.
Configuring Audit Policies



Auditing is used to track authorized and unauthorized
resource access, usage, and change within Windows
Server 2008.
You can audit the success and/or failure for a variety
of tracked events. Examples of what can be tracked
include logons, changes to policy, use of privileges,
directory service or file access, and so forth.
Some objects such as directory services, the file
system, Registry keys, and printers require two steps
to enable auditing. You must enable auditing in group
policy and on the specific objects you want to track.
Configuring Additional Security-Related Policies





Administrators can grant a wide array of user rights, including the ability to log
on to a server locally or from a network connection, the ability to shut down a
server, the ability for certain accounts to be able to log on as a service, and
many others.
Microsoft provides administrators with a large list of security parameters that can
be defined using group policy, including preventing users from installing printer
drivers, blocking access to the CD-ROM drive, specifying various digital signing
and encryption settings, restricting access to the Registry, and many more.
The Restricted Groups object allows you to exert some control over group
membership using group policy. You can use it to strictly enforce the
membership of groups it is configured to manage, and to add the managed
groups to other groups.
The Administrative Templates group policy settings control a large number of
Registry-based settings on the workstations and servers to which they apply.
Pre-Windows Vista computers exclusively used ADM files, which were stored
within each GPO in an Active Directory environment. You can still use ADM files
with Windows Vista and Server 2008; however, Microsoft recommends using the
newer ADMX and ADML file formats. You can create a central store for ADMX
and ADML files under the %sysvol%\<your domain name>\policies\ folder.
You can convert ADM files to ADMX using the ADMX Migrator utility.
FAQ


Q: What methods of software deployment
are available at the user level?
A: Administrators can assign and publish
software to users, but only assign
software to computers.
FAQ


Q: What permissions should be set for the
software distribution point?
A: At a minimum, share-level permissions
should be set with those responsible for
administering the files having full control
of them, and users having read-only
access. NTFS permissions are preferred
over share-level permissions and should
be set similarly.
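As an added example (not from the book), this PowerShell script creates a distribution point with the share and NTFS split described in the answer: full control for the administrators who maintain the packages, read-only for everyone who installs. The folder path, share name and the CONTOSO domain are placeholders, and the grant to Domain Computers is an addition beyond the answer, because software assigned to computers is fetched by the computer account rather than by a user.

```powershell
# Added example, not part of the original slides.
# Assumes it runs as a local administrator on the file server and that the
# domain groups below exist. CONTOSO, the path and the share name are placeholders.
$path   = 'C:\SoftwareDist'
$share  = 'SoftwareDist$'      # trailing $ hides the share from browse lists
$domain = 'CONTOSO'

New-Item -Path $path -ItemType Directory -Force | Out-Null

# NTFS permissions (the effective control): remove inherited entries, then grant
# only what each role needs. (OI)(CI) makes the entry inherit to files and subfolders.
#   F  = Full control (package maintainers)
#   RX = Read and execute (installers: users and, for computer assignment, computers)
icacls $path /inheritance:r `
    /grant "$domain\Domain Admins:(OI)(CI)F" `
           "$domain\Domain Users:(OI)(CI)RX" `
           "$domain\Domain Computers:(OI)(CI)RX" `
           'SYSTEM:(OI)(CI)F'

# Share-level permissions: the same split, FULL for administrators and READ for
# everyone who only installs. NTFS still decides what they can actually do.
net share "$share=$path" `
    "/grant:$domain\Domain Admins,FULL" `
    "/grant:$domain\Domain Users,READ" `
    "/grant:$domain\Domain Computers,READ"

# Verify both layers.
icacls $path
net share $share
```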
FAQ


Q: What is the difference between
software redeployment and upgrades?
A: Redeployment is used when the current
application version needs to be reinstalled,
or when a service pack needs to be
applied. Upgrades are used to move from
one version of the software to another.
FAQ


Q: What options are available when
removing software using group policy?
A: Software can be removed if it was
installed using group policy.
Administrators can force removal at the
next computer start or user logon, or allow
users to determine when they uninstall the
software.
FAQ


Q: I created a GPO with specific password
and account lockout settings and applied
it to an OU in my Active Directory domain.
Why weren’t the settings applied?
A: A GPO with password and account
lockout settings is applied only when
linked at the domain level of Active
Directory.
FAQ


Q: My security administrator is concerned
about brute force password attacks. Are
there any Windows Server 2008 features
which can help to manage those risks?
A: Account lockout can be used to
minimize risks from brute force password
attacks by setting an appropriate
combination of values for the Account
lockout duration, Account lockout
threshold, and Reset account lockout
counter after options.
FAQ


Q: I’m concerned about users going for too long
without changing their passwords, or using
passwords that are really simple and easy to
guess. What can I do about this in Windows
Server 2008?
A: Windows Server 2008 group policy allows you
to specify a range of password security options,
including how frequently users change their
passwords, how long passwords must be, how
many unique passwords must be used before a
user can reuse one, and how complex passwords
must be when initially specified or changed.
FAQ


Q: How can I apply a different set of
password and account lockout policy to
administrators?
A: In Windows Server 2008, a new feature
called fine-grain password and account
lockout policy can be used to apply custom
password and account lockout policy settings
to individual users and global security groups
within a domain.
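As an added example (not from the book) covering both the Configuring Account Policies slide and this answer, the PowerShell below reads the single domain-wide password and lockout policy and then applies a stricter fine-grained policy to Domain Admins. It assumes the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 and RSAT; on Server 2008 RTM the same Password Settings Object is created through ADSI Edit), Domain Admins rights, and a placeholder account name for the final check.

```powershell
# Added example, not part of the original slides.
# Assumes the ActiveDirectory module is available and the caller is a Domain Admin.
Import-Module ActiveDirectory

# 1. The one set of account policies that applies to the whole domain. These come
#    from the Default Domain Policy GPO; the same settings in a GPO linked to an OU
#    are ignored, which is the situation the earlier FAQ describes.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                  ComplexityEnabled, LockoutThreshold, LockoutDuration,
                  LockoutObservationWindow

# 2. A Password Settings Object (PSO). When a user falls under several PSOs the
#    lowest Precedence wins. The observation window (the "Reset account lockout
#    counter after" value) may not exceed the lockout duration; both are 30 minutes.
$pso = New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
    -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '42.00:00:00' `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
    -PassThru

# 3. PSOs can be applied only to users and global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects 'Domain Admins'

# 4. Verify which policy a given administrator actually receives
#    ('admin-placeholder' is a placeholder sAMAccountName).
Get-ADUserResultantPasswordPolicy -Identity 'admin-placeholder' |
    Select-Object Name, Precedence, LockoutThreshold, MinPasswordLength
```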
FAQ


Q: What can I monitor using auditing in
Windows Server 2008?
A: Auditing can be used to track successful
and failed resource access, usage, and
change, including logon events, directory
service objects, file system objects, Registry
objects, printers, exercise of user privileges
and rights, system events, account
management changes, and much more.
FAQ


Q: It seems like auditing file system and
directory service objects would produce too
many log entries to sort through. Is there a
way to limit this?
A: In addition to enabling auditing of these
types of objects, you can also specify exactly
what you want to track on an object-by-object
basis. This includes both who changed an
object and what was specifically changed.
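As an added example (not from the book) serving both the Configuring Audit Policies slide and this answer, the PowerShell below performs the two steps needed before file access is audited: enable the policy, then put an audit entry (SACL) on the object that says what to track. The policy step is shown with auditpol.exe, which sets the same subcategory a GPO would; the folder D:\Finance and the CONTOSO\Finance Users group are placeholders, and the script needs the "Manage auditing and security log" right.

```powershell
# Added example, not part of the original slides.
# Assumes a local administrator session; the folder and group are placeholders.
$folder = 'D:\Finance'

# Step 1: the audit policy. In a GPO this is Computer Configuration > Windows
# Settings > Security Settings > Local Policies > Audit Policy > Audit object access;
# auditpol exposes the Server 2008 subcategory that setting turns on.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /get /subcategory:"File System"

# Step 2: the object. Nothing is logged until the folder's SACL names what to watch.
# Record successful changes (not every read, which would flood the log) for the
# group that works in the folder, and failed access of any kind by anyone.
$acl       = Get-Acl -Path $folder -Audit
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

$successfulChanges = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'CONTOSO\Finance Users',
    [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
    $inherit, $propagate,
    [System.Security.AccessControl.AuditFlags]::Success)

$failedAccess = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    $inherit, $propagate,
    [System.Security.AccessControl.AuditFlags]::Failure)

$acl.AddAuditRule($successfulChanges)
$acl.AddAuditRule($failedAccess)
Set-Acl -Path $folder -AclObject $acl

# Verify the SACL that is now in place.
(Get-Acl -Path $folder -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
```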
FAQ


Q: I see that two types of logon events can be
audited. What is the difference between them?
A: The Audit account logon events policy is used
for credential validation, and the events audited relate
to the computer which is authoritative for the
credentials. For most users in a domain, this will be
the DC which processes their logon regardless of the
location of the resources being accessed. The Audit
logon events policy relates directly to where the
resources being accessed are located.
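As an added example (not from the book), the PowerShell below makes the distinction concrete by reading the events each category writes: credential validation on the domain controller, logon sessions on the server that holds the resource. It assumes PowerShell 2.0 or later for Get-WinEvent, remote event-log access, that both audit policies are enabled, and placeholder host names; the event IDs are the Windows Server 2008 ones (4776 NTLM validation, 4771 Kerberos pre-authentication failure, 4624/4625 logon success/failure).

```powershell
# Added example, not part of the original slides. Host names are placeholders.
$dc         = 'DC01'     # authoritative for the credentials (account logon events)
$fileServer = 'FS01'     # where the accessed resource lives (logon events)
$since      = (Get-Date).AddHours(-24)

# Pull one named field out of an event's EventData block.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Audit account logon events: written where the credentials were validated, i.e. the DC,
# no matter which server the user was trying to reach.
$accountLogon = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4776, 4771; StartTime = $since }

# Audit logon events: written where the session was created or refused, i.e. the file server.
$logon = Get-WinEvent -ComputerName $fileServer -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4625; StartTime = $since }

Write-Host "Failed credential validations recorded on $dc, by account:"
$accountLogon |
    Where-Object { $_.Id -eq 4771 -or (Get-EventField $_ 'Status') -ne '0x0' } |
    Group-Object { Get-EventField $_ 'TargetUserName' } |
    Sort-Object Count -Descending | Select-Object Count, Name

Write-Host "Logon attempts recorded on $fileServer, by source address and outcome:"
$logon |
    Group-Object { '{0} {1}' -f (Get-EventField $_ 'IpAddress'), $_.Id } |
    Sort-Object Count -Descending | Select-Object Count, Name
```

The first listing is what the Audit account logon events policy gives you (one place to watch for guessing against any account); the second is what Audit logon events gives you (who actually reached this server, and from where).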
FAQ


Q: I’d like to restrict some users from being able to
change their workstation’s time, shut down servers,
and so forth. This doesn’t seem to be configurable
with permissions. How can I accomplish this?
A: The User Rights Assignment node in group policy
can be used to configure options such as this.
Administrators can grant a wide array of user rights,
including the ability to log on to a server locally or
from a network connection, the ability to shut down a
server, the ability for certain accounts to be able to
log on as a service, and many others.
FAQ


Q: How can I set the logon, signing, and encryption
options for all of my Windows Server 2008 servers
and Windows Vista Enterprise workstations at once,
rather than having to configure the Local Security
Policy on each computer?
A: Group policy can be used to enforce these types
of settings across a wide range of Windows 2000 and
later workstations and servers using the Security
Options node in a GPO. A significant range of
security settings can be defined, including preventing
users from installing printer drivers, blocking access
to the CD-ROM drive, specifying various digital
signing and encryption settings, restricting access to
the Registry, and many more.
FAQ


Q: It seems like my organization is constantly
having problems with inappropriate accounts
being added to sensitive groups within Active
Directory. What can be done to help prevent
this?
A: The group policy Restricted Groups node
can be used to strictly enforce the
membership of groups it is configured to
manage, and to add the managed groups to
other groups.
FAQ


Q: I looked for the ADMX central store on my
server under %sysvol%\<your domain
name>\policies\ but did not find the
PolicyDefinitions folder. Was my Active
Directory installation completed properly?
A: No ADMX central store is created by
default in Windows Server 2008. To manually
create one, copy a Windows Server 2008 or
Vista’s %systemroot%\PolicyDefinitions
folder to your %sysvol%\<your domain
name>\policies\ folder.
Exam Warning
One often overlooked detail about computer
software assignment is that you cannot
assign software to a domain controller (DC).
Be sure to carefully examine questions that
show an Active Directory hierarchy that
includes computer accounts for DCs in it, and
asks whether the computer software
assignment policy settings will apply to all
computers in the hierarchy.
Test Day Tip

One feature of Windows Installer (MSI) files is that
software installed with them can be self-healing. If an
error occurs, and the original installation software is
still available, these applications can often compare
their current state to the original and correct any
differences. Even if optional removal is used, this
self-healing capability is retained as long as the
application remains installed, it was installed from an
MSI file, and it still has access to the original
installation software. It is recommended that you not
remove these files from the software distribution
point, even after you have removed the software
deployment from group policy, until the application
has been uninstalled from all computers.
Test Day Tip

Account lockout policies apply to every
domain user except the Administrator
account. This is a practical concession. If an
attacker was brute-forcing all of your
accounts, no one would be able to unlock
them if the Administrator account was also
locked out.
Exam Warning

It’s important to remember that only one set
of GPO account and lockout policies applies
to a domain. This functionality is unchanged
from Windows 2000 Server and Server 2003.
Although fine-grain policies can override the
settings that are configured using a GPO at
the domain level, they are not GPO-based.
Exam Warning

Don’t be surprised to find an option on the exam that does not
allow you to select just Failure auditing for logon events.
Microsoft often recommends auditing both Success and Failure
events for these policy items. Many administrators choose not to
audit Success events because of the number of events
generated. Hardcore security administrators, however, prefer to
audit these events—and their feedback is often incorporated
into Microsoft exams. They make the argument that auditing
Failure does not enable you to spot potentially fraudulent
successful logons that are uncharacteristic of users—for
example, a successful logon from an overseas Internet Protocol
(IP) address for a small company with one location in the United
States.
Exam Warning

Not all user rights are tracked when Audit
privilege use is enabled. This is because
some events are so numerous that they can
quickly fill up the security log. By default, the
following rights are omitted: Bypass traverse
checking, Debug programs, Create a token
object, Replace process level token,
Generate security audits, Back up files and
directories, and Restore files and directories.
To audit these user rights, you must enable
the FullPrivilegeAuditing Registry key.
Test Day Tip

Group policy options such as User Rights
Assignment, Security Options, and
Administrative Templates have large numbers
of possible configuration options. There is no
way for a study guide to cover them all or to
know which ones Microsoft will consider
important to know for the exam. Be sure to
familiarize yourself with as many as possible.
Test Day Tip

Microsoft has received considerable feedback
on the confusing differences between the two
Restricted Groups options. Make sure you are clear
on what is and isn't enforced by each for the exam,
because Microsoft considers it important to
know. The Members of this group setting
strictly controls who can be a member of the
group. The This group is a member of
setting does not strictly enforce membership:
the group you are configuring is added to any
groups you list here, but other members of those
groups are left alone.
Exam Warning

It’s important to remember that group nesting
rules apply when configuring Restricted
Groups. For example, you cannot configure a
global group in one domain to be a member
of a global group in another domain.
Test Day Tip

Microsoft often uses default settings that are
different from their recommended settings. It’s
important for you to know not only what
Microsoft recommends, but also what the
default settings are when they differ.
Exam Warning

New features, such as the ADMX central
store, that Microsoft considers to be an
improvement are often heavily tested. Pay
special attention to information about them and
consider reading more about them on Microsoft's
Web site.