Module 7: Implementing Security Using Group Policies
Module Overview
• Configuring Security Policies
• Implementing Fine-Grained Password Policies
• Restricting Group Membership and Access to Software
• Managing Security Using Security Templates
Lesson 1: Configuring Security Policies
• What Are Security Policies?
• What Is the Default Domain Security Policy?
• What Are the Account Policies?
• What Are Local Policies?
• What Are Network Security Policies?
• What Is Windows Firewall With Advanced Security?
• Demonstration: Overview of Additional Security Settings
• Demonstration: What Is the Default Domain Controller Security Policy?
What Are Security Policies?
What Is the Default Domain Security Policy?
• Provides account policies for the domain; other settings are not configured by default
• Use to provide security settings that will affect the entire domain
• Use domain policy to provide security settings, as a best practice. Use separate GPOs to provide other types of settings
Diagram: the default domain policy delivers account and security settings to the domain
What Are the Account Policies?
Account policies mitigate the threat of brute-force guessing of account passwords
Account policies consist of:
Password
• Enforce password history: 24 passwords
• Max password age: 42 days
• Min password age: 1 day
• Min password length: 7 characters
• Complex password: enabled
• Store password using reversible encryption: disabled
Account lockout
• Lockout duration: not defined
• Lockout threshold: 0 invalid logon attempts
• Reset account lockout after: not defined
Kerberos
• Can only be applied at the domain level
What Are Local Policies?
Local Policies determine the security options for a user or service account
• Every computer running Windows 2000 and later has a local security policy that is part of local Group Policy
• In a workgroup, you must configure local security policies to provide security
• Domain policy will override local policies in cases of conflict
• You can assign local rights through local Group Policies
• Security options control many different aspects of a computer’s security
What Are Network Security Policies?
Define the available networks and authentication methods for wireless connections for Windows Vista and Windows XP clients, and LAN authentication for Windows Vista and Windows Server 2008 clients
• Separate wireless policies for Windows XP and Windows Vista
• Windows Vista policies contain more options for wireless
• Windows Vista wireless policies can deny access to wireless networks
• 802.1x authentication can be configured via Group Policy
• Only Vista and later can receive wired network policies
Diagram: a GPO delivers wired and wireless policies to Windows Vista clients, and wireless-only policies to Windows XP clients
What Is Windows Firewall With Advanced Security?
A stateful host-based firewall that allows or blocks network traffic according to its configuration
• Supports filtering for both incoming and outgoing traffic
• Used for advanced settings configuration
• Provides integrated firewall filtering and IPsec protection settings
• Allows rule configuration for various criteria, such as users, groups, and TCP and UDP ports
• Provides network location-aware profiles
• Can import or export policies
Diagram: firewall rules on a Windows Server 2008 host control inbound and outbound traffic between the LAN and the Internet
Demonstration: Overview of Additional Security Settings
In this demonstration, you will see how to configure additional security settings
Demonstration: What Is the Default Domain Controller Security Policy?
• Provides an extra layer of security for domain controllers
• Provides enabled auditing
• Allows many user rights to be configured
In this demonstration, you will see the default domain controller policy settings
Lesson 2: Implementing Fine-Grained Password Policies
• What Are Fine-Grained Password Policies?
• How Fine-Grained Password Policies Are Implemented
• Implementing Fine-Grained Password Policies
• Demonstration: Implementing Fine-Grained Password Policies
What Are Fine-Grained Password Policies?
Fine-grained password policies allow multiple password policies to exist in the same domain
Diagram: three password policies in one domain, with the Administrator group changing passwords every 7 days, the Manager group every 14 days, and the End user group every 30 days
How Fine-Grained Password Policies Are Implemented
Considerations when implementing PSOs:
• Password Settings Container and Password Settings Objects are new schema object classes
• PSOs can be created through ADSI Edit or LDIFDE
• PSOs can only be applied to users or global groups
A PSO has the following settings available:
• Password policies
• Account lockout policies
• PSO Link
• Precedence
Implementing Fine-Grained Password Policies
• Shadow groups can be used to apply a PSO to all users that do not already share a global group membership
• A user or group could have multiple PSOs linked to them
• The precedence attribute is used to resolve conflicts
• Lower precedence values have higher priority
• PSOs linked directly to user objects override PSOs linked to a user’s global groups
• If there are no PSOs, normal domain account policies apply
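The resolution rules on this slide, worked through in code. This is an added example and not part of the course material; the PSO names, DNs, GUIDs and precedence values are constructed, and the smallest-GUID tie-break for equal precedence is the documented Active Directory behaviour rather than something the slide states.

```python
# Resultant PSO resolution following the rules on the slide above. Added example,
# not part of the course; names, DNs, GUIDs and precedence values are constructed.
from dataclasses import dataclass, field

@dataclass
class PSO:
    name: str
    precedence: int          # msDS-PasswordSettingsPrecedence: lower value wins
    guid: str                # objectGUID; constructed value used as tie-breaker
    applies_to: set = field(default_factory=set)   # user and global-group DNs

DOMAIN_POLICY = "Default Domain Policy (42 days)"

def resultant_pso(user_dn, group_dns, psos):
    """Return the name of the policy that governs user_dn.

    Slide rules: PSOs linked directly to the user override PSOs linked to the
    user's global groups; among the candidates the lowest precedence value has
    the highest priority; with no linked PSO the domain account policy applies.
    Equal precedence is broken by the smallest GUID (documented AD behaviour;
    plain string comparison is a simplification for these constructed values).
    """
    direct = [p for p in psos if user_dn in p.applies_to]
    via_groups = [p for p in psos if p.applies_to & set(group_dns)]
    candidates = direct or via_groups
    if not candidates:
        return DOMAIN_POLICY
    return min(candidates, key=lambda p: (p.precedence, p.guid)).name

# Constructed directory: three PSOs matching the slide diagram, plus one linked
# directly to a service account.
ADMINS = "CN=Administrators,DC=example,DC=com"
MANAGERS = "CN=Managers,DC=example,DC=com"
USERS = "CN=End Users,DC=example,DC=com"
SVC = "CN=svc-backup,OU=Service,DC=example,DC=com"
PSOS = [
    PSO("PSO-Admins (7 days)", 10, "0001", {ADMINS}),
    PSO("PSO-Managers (14 days)", 20, "0002", {MANAGERS}),
    PSO("PSO-Users (30 days)", 30, "0003", {USERS}),
    PSO("PSO-svc-backup (90 days)", 100, "0004", {SVC}),
]

if __name__ == "__main__":
    # A manager who is also an administrator gets the admin PSO (precedence 10).
    print(resultant_pso("CN=Alice,DC=example,DC=com", [ADMINS, MANAGERS], PSOS))
    # The directly linked PSO wins even though its precedence value is higher.
    print(resultant_pso(SVC, [ADMINS], PSOS))
    # No PSO linked anywhere: the domain account policy applies.
    print(resultant_pso("CN=Guest,DC=example,DC=com", [], PSOS))
```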
Demonstration: Implementing Fine-Grained Password Policies
In this demonstration, you will see how to create and apply PSOs
Lesson 3: Restricting Group Membership and Access to Software
• What Is Restricted Group Membership?
• Demonstration: Configuring Restricted Group Membership
• What Is a Software Restriction Policy?
• Options for Configuring Software Restriction Policies
• Demonstration: Configuring Software Restriction Policies
What Is Restricted Group Membership?
Group Policy can control group membership:
• For any group on a local computer by applying a GPO to the OU that holds the computer account
• For any group in Active Directory by applying a GPO to the domain controller
Demonstration: Configuring Restricted Group Membership
In this demonstration, you will see how to configure restricted groups
What Is a Software Restriction Policy?
• A policy-driven mechanism that identifies and controls software on a client computer
• A mechanism for restricting software installation and the spread of viruses
• A component with two parts:
  • A default rule with three options: Unrestricted, Basic, and Disallowed
  • Exceptions to the default rule
Options for Configuring Software Restriction Policies
Hash Rule
• Use to employ an MD5 or SHA1 hash of a file to confirm its identity
• Use to allow or prohibit a certain version of a file from being run
Certificate Rule
• Checks for a digital signature on the application
• Use when you want to restrict Win32 applications and ActiveX content
Path Rule
• Use when restricting the path of a file
• Use when multiple files exist for the same application
• Essential when SRPs are strict
Internet Zone Rule
• Controls how Internet Zones can be accessed
• Use in high-security environments to control access to Web applications
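How a default rule of Disallowed combines with hash-rule and path-rule exceptions, as an added example that is not part of the course material. The rules, paths and file contents are constructed; the ordering (a hash rule beats a path rule, the most specific matching path rule wins, the default rule applies last) is the documented SRP rule precedence and is assumed here rather than stated on the slide.

```python
# Software restriction policy evaluation: a default rule plus hash-rule and
# path-rule exceptions. Added example, not from the course; the rules, paths
# and file contents are constructed. Ordering follows documented SRP rule
# precedence: hash rule, then path rule (most specific path wins), then default.
import hashlib
from pathlib import PureWindowsPath

UNRESTRICTED, BASIC, DISALLOWED = "Unrestricted", "Basic", "Disallowed"

def sha1_hex(content: bytes) -> str:
    """Hash rules identify a file by its SHA1 (or MD5) digest, not its name."""
    return hashlib.sha1(content).hexdigest()

def evaluate_srp(path: str, content: bytes, default_level: str,
                 hash_rules: dict, path_rules: dict) -> str:
    """Return the security level that applies to the file at `path`."""
    level = hash_rules.get(sha1_hex(content))       # hash rules win outright
    if level is not None:
        return level
    target = PureWindowsPath(path)                  # case-insensitive compare
    best = None
    for rule_path, rule_level in path_rules.items():
        rp = PureWindowsPath(rule_path)
        if target == rp or rp in target.parents:
            if best is None or len(rp.parts) > len(best[0].parts):
                best = (rp, rule_level)             # longer path = more specific
    return best[1] if best else default_level

# Constructed policy: lock the machine down, allow the OS and installed software,
# keep the writable Temp folder blocked, and block one known binary by hash.
BLOCKED_BINARY = b"constructed bytes standing in for a banned tool"
HASH_RULES = {sha1_hex(BLOCKED_BINARY): DISALLOWED}
PATH_RULES = {
    r"C:\Windows": UNRESTRICTED,
    r"C:\Windows\Temp": DISALLOWED,
    r"C:\Program Files": UNRESTRICTED,
}

def check(path: str, content: bytes = b"") -> str:
    """Evaluate `path` against the constructed policy with a Disallowed default."""
    return evaluate_srp(path, content, DISALLOWED, HASH_RULES, PATH_RULES)

if __name__ == "__main__":
    for p, c in [(r"C:\Windows\notepad.exe", b""),
                 (r"C:\Windows\Temp\update.exe", b""),
                 (r"C:\Users\bob\Downloads\setup.exe", b""),
                 (r"C:\Program Files\Tool\tool.exe", BLOCKED_BINARY)]:
        print(f"{p}: {check(p, c)}")
```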
Demonstration: Configuring Software Restriction Policies
In this demonstration, you will see how to configure a software restriction policy
Lesson 4: Managing Security Using Security Templates
• What Are Security Templates?
• Demonstration: Applying Security Templates
• What Is the Security Configuration Wizard?
• Demonstration: Configuring Server Security Using the Security Configuration Wizard
• Options for Integrating the Security Configuration Wizard and Security Templates
• Demonstration: Importing Security Configuration Policies into Security Templates
What Are Security Templates?
Security templates:
• Allow administrators to apply consistent security settings to multiple computers
• Can be designed based on server roles
• Can be applied via Group Policy
Demonstration: Applying Security Templates
In this demonstration, you will see how to create a security template and import it into a GPO
What Is the Security Configuration Wizard?
SCW provides guided attack surface reduction by:
• Disabling unnecessary services and IIS Web extensions
• Blocking unused ports and securing ports that are left open using IPsec
• Reducing protocol exposure
• Configuring audit settings
SCW supports:
• Rollback
• Analysis
• Command-line support
• Policy editing
• Remote configuration
• Active Directory integration
Demonstration: Configuring Server Security Using the Security Configuration Wizard
In this demonstration, you will see how to create a security policy using the SCW
Options for Integrating the Security Configuration Wizard and Security Templates
Options:
• Policies created with the SCW can be applied individually
• Other security templates can be incorporated into the SCW
The Scwcmd.exe command-line utility can be used to convert the XML policy into a GPO
Demonstration: Importing Security Configuration Policies into Security Templates
In this demonstration, you will see how to transform the XML policy file into a GPO
Lab: Implementing Security by Using Group Policies
• Exercise 1: Configuring Domain Security Settings
• Exercise 2: Implementing Fine-Grained Password Policies
• Exercise 3: Configuring Restricted Groups and Software Restriction Policies
• Exercise 4: Configuring Security Templates
• Exercise 5: Verifying the Security Configuration
Logon information
Virtual machine: 6425A-NYC-DC1, NYC-CL1, NYC-SVR1
User name: Administrator
Password: Pa$$w0rd
Estimated time: 75 minutes
Lab Review
• You want to control which wireless networks your Windows Vista clients will have access to. What is the best way to accomplish this?
• You need to harden security on all the database servers across your organization. What tool is best suited for this task?
• You used the Security Configuration Wizard to create a policy for your servers running IIS. You transformed the policy into a GPO. You applied the GPO to the proper OU, but the IIS settings are not being deployed. What is the problem?
Module Review and Takeaways
• Considerations
• Review questions
Beta Feedback Tool
Beta feedback tool helps:
• Collect student roster information, module feedback, and course evaluations.
• Identify and sort the changes that students request, thereby facilitating a quick team triage.
• Save data to a database in SQL Server that you can later query.
Walkthrough of the tool
Beta Feedback
Overall flow of module:
• Which topics did you think flowed smoothly, from topic to topic?
• Was something taught out of order?
Pacing:
• Were you able to keep up? Are there any places where the pace felt too slow?
• Were you able to process what the instructor said before moving on to the next topic?
• Did you have ample time to reflect on what you learned? Did you have time to formulate and ask questions?
Learner activities:
• Which demos helped you learn the most? Why do you think that is?
• Did the lab help you synthesize the content in the module? Did it help you to understand how you can use this knowledge in your work environment?
• Were there any discussion questions or reflection questions that really made you think? Were there questions you thought weren’t helpful?