GROUP POLICY
An overview of Microsoft Windows Group Policy

MY CREDENTIALS
- B.S. Computer Science
- M.S. Information Technology (2012)
- Certified Information Systems Security Professional (CISSP)
- Network Admin at BCG
  - Early NT 3.51 and 4.0 days
- Network Admin and Instructor at Hilbert College
  - Transition from NT4 to 2000
  - Accounts and Profiles for all students (GPO based)
  - Taught Networking, Databases, Programming in the Computer Security program there
- An admin's perspective: learned it on the job

WHAT IS GROUP POLICY
- Microsoft NT technology
  - Other NOS have their own versions
- Centralized management of clients
  - Security management
  - Application management
  - Profile management
- Can be pushed from the domain
- Can be modified locally for individual clients
  - Local policy objects are not as in-depth
- Can be pushed as part of disk imaging

WHAT CAN IT DO FOR ME
- Manage security
  - Firewall and networking
  - OS configuration restrictions
- Reduce workstation downtime
  - Can restrict users from modifying potentially damaging settings
- Manage applications
  - Whitelist available applications
  - Control which applications are visible
- Roaming profiles
  - Centralized data storage
  - Full or partial

NOT A SILVER BULLET
- Only as effective as the Information Security Policies it is enforcing
- Needs to be a part of security in depth
- Can be complex to implement and manage
  - Improper management can interfere with business goals
  - Easy to lock down a machine tighter than it needs to be
- Applications typically use voluntary enforcement
  - Possible to modify or interfere with an application reading its policy

WHAT DO I NEED TO USE IT
- Domain Based Policy
  - Active Directory Domain
  - Install Group Policy Management Objects
  - Server Roles vary by OS version
  - Can be managed using remote administration tools from Vista (2003 Domains) or Windows 7 (2008 Domains)
- Local Policy
  - Windows NT-based OSes
  - No domain needed
  - Easily configured on XP and above
  - Can be used in conjunction with domain policies
  - Configured locally on the target client

MANAGEMENT TOOLS
- Group Policy Management Console (GPMC)
  - Suite of tools in 2003
  - Unified tool in 2008
- Cmdlets
  - PowerShell extensions that allow scripting
- Local Policy Editor
  - Pre-Win 7: one user policy for all users
- Gpupdate
  - Forces update of policy on machines (XP and later)

WHAT IS A GPO?
- Collection of settings that can be used in a Group Policy
- Most modify registry settings
- Can also be processed by extending applications
- Can be applied to users or computers
- Can be inherited
- Can be linked to multiple policies

POLICY OBJECT TYPES
- Computer Policy
  - Applies based on the Computer Account
  - Useful to configure settings on a specific workstation
  - Same for all users on that machine
  - Example: Password policy
- User Policy
  - Applies based on the logged-in User Account
  - Settings travel with the user
  - Roaming Profiles go here
  - Example: remove Start menu on a public machine

HOW IT WORKS
- Machine boots up
  - Machine policy downloaded and applied
- User logs in
  - User policy downloaded and applied
- Settings may be cached
  - Refreshed every 90 +/- 30 min for clients
  - gpupdate to refresh immediately

APPLYING MULTIPLE POLICIES
- Local Group Policy objects - Computer's local policy (accessed by running gpedit.msc).
- Site - Group policies that are applied to the AD Site
  - Lowest link order processed last, overrides higher links
- Domain - Group policies specified for the AD Domain
  - Lowest link order processed last, overrides higher links
- Organizational Unit - Policies for User or Computer OUs
  - Lowest link order processed last, overrides higher links
- Inheritance - Inheritance can be blocked or enforced to control which policies apply
- Use GPMC to see what will actually be applied

TYPICAL POLICY COMPONENTS
- Administrative Templates
- Security Settings
- IP Security Policy
- Software Restriction Policies
- Wireless Network Policies
- Public Key Policies
- Software Installation
- Remote Installation Services
- Scripts
- Internet Explorer Maintenance
- Folder Redirection
- Disk Quotas
- QoS Packet Scheduler
- Custom Registry Modifications

CREATING A POLICY
Demonstration

ROAMING PROFILES
- Can redirect some or all user data
- Can redirect different sections to different locations
- Administrators do not have access to redirected profiles (by default)
- Allows for centralized backup
- User is no longer dependent on a specific machine for user data
- Typically redirected profile folders: My Documents, Application Data, Desktop, Start Menu
- Folder redirection is under User Settings, Windows Settings

TIPS AND TRICKS
- Lock down Regedit
- Be extremely careful when applying policy to admins and domain controllers
- Calculate space requirements before trying to redirect folders
- Consider implementing quotas
- Gpanswers.com
- Learn to use MSDN and Technet
- Set up a lab environment and play

GETTING STARTED WITH COMMON DEPLOYMENT SCENARIOS
- Lightly Managed
- Mobile
- Multi-User
- App Station
- Task Station
- Kiosk
- GPOs can be obtained for these from: Implementing Common Desktop Management Scenarios with the Group Policy Management Console, http://technet.microsoft.com/en-us/library/cc758350(WS.10).aspx

LIGHTLY MANAGED
- Power Users and Developers
- Is the least managed of all of the scenarios.
- Allows users to customize most settings that affect them but prevents them from making harmful system changes.
- Includes settings that reduce help desk costs and user downtime.
- Full Roaming Profiles with local caching speeds up login/logout
- Core set of applications which are always available.
- Users can also install applications

MOBILE
- Laptop and Mobile User
- Supports the disconnected user who frequently needs to work offline
- Does not require a high speed link
- Offline files
- Partial Roaming to support offline files
- Allows users to disconnect from the network without logging off or shutting down.

MULTI-USER
- Computer laboratory or library
- Allows basic customization of the desktop environment.
  - Allows screen saver, background, etc. but no hardware or OS configuration
- Full Roaming Profiles with no caching to protect privacy
- Restricted write access to the local computer
  - Can only write data to their own profile
- Highly secure.

APP AND TASK STATION
- Highly restricted configurations with only a few applications.
- Vertical applications such as marketing, claims, and customer-service scenarios.
- Allows minimal customization by the user.
- Allows users to access a small number of applications appropriate to their job role.
- Does not allow users to add or remove applications.
- Full Roaming Profiles with caching
- Provides a simplified desktop and Start menu.
- Restricted write access to the local computer
  - Can only write data to their user profile and to redirected folders.
- Is highly secure.
- Task Station: only one app available and no Start menu

KIOSK
- Unattended machine in a public area, highly secure
- Is a public workstation.
- Runs only one application.
- Uses only one user account and automatically logs on.
- The system automatically resets to a default state at the start of each session.
- Runs unattended.
- Is highly secure.
- Does not allow users to make changes to the default user or system settings.
- Does not save data to the disk.
- Is always on (no log off or shutdown).

Q & A
Questions, comments?
My contact info again: Patrick Lupiani, plupiani@gmail.com or plupiani@BuffaloComputerGraphics.com, 716-822-8668
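The end-to-end workflow the deck walks through (a GPO as a set of registry values, linked to an OU, precedence checked the way GPMC shows it, then a gpupdate refresh), as an added PowerShell example that is not from the original slides; it assumes the GroupPolicy module is installed, and the OU, GPO, user and host names are placeholders for a lab domain.

```powershell
# Added example (not from the original slides). Builds a user-side GPO that
# applies the "Lock down Regedit" tip, links it to an OU, shows the link order
# and inheritance the OU will actually receive, and refreshes one client with
# gpupdate instead of waiting for the 90 +/- 30 min cycle. Needs the GroupPolicy
# module (GPMC / RSAT on Win 7 or 2008 R2 and later) and domain admin rights.
Import-Module GroupPolicy

$GpoName  = 'Lab - Lock Down Regedit'                   # placeholder GPO name
$TargetOu = 'OU=Lab Workstations,DC=example,DC=local'   # placeholder OU
$Client   = 'LAB-PC01'                                   # placeholder client
$TestUser = 'EXAMPLE\labuser'                            # placeholder user

# 1. Create the GPO, or reuse it if a previous run already created it.
try   { $gpo = Get-GPO -Name $GpoName -ErrorAction Stop }
catch { $gpo = New-GPO -Name $GpoName -Comment 'Blocks interactive regedit.exe' }
'Using GPO {0} ({1})' -f $gpo.DisplayName, $gpo.Id

# 2. Most GPO settings are registry values. This is the user-side policy
#    "Prevent access to registry editing tools":
#    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
#    DisableRegistryTools (DWORD) = 1
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableRegistryTools' -Type DWord -Value 1 | Out-Null

# 3. Link the GPO to the OU. The lowest link order is processed last and so
#    wins, which is why Order 1 puts it ahead of other links on this OU.
$alreadyLinked = (Get-GPInheritance -Target $TargetOu).GpoLinks |
                 Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -Order 1 | Out-Null
}

# 4. Show what the OU will actually receive once Site, Domain and OU links
#    are combined, including enforced links and blocked inheritance.
$inh = Get-GPInheritance -Target $TargetOu
'Inheritance blocked on {0}: {1}' -f $inh.Name, $inh.GpoInheritanceBlocked
$inh.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced, Target |
    Format-Table -AutoSize

# 5. Resultant Set of Policy for a test user on one client (an HTML report
#    to open in a browser), then an immediate refresh on that client.
#    Invoke-Command assumes WinRM is enabled on the client.
Get-GPResultantSetOfPolicy -Computer $Client -User $TestUser `
    -ReportType Html -Path "$env:TEMP\rsop-$Client.html" | Out-Null
Invoke-Command -ComputerName $Client -ScriptBlock { gpupdate.exe /force }
```

Run it against a lab OU first, as the Tips slide advises, since a link with Order 1 on a production OU overrides every other GPO linked there.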