Group Policy


70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced
Chapter 11: Group Policy for Corporate Policy
Objectives
• Understand and describe the purpose of Group
Policy
• Describe how Group Policy is applied
• Manage desktop computers using Group Policy
• Analyze and configure security settings using
Group Policy
Guide to MCSE 70-294, Enhanced
2
Objectives (continued)
• Install and use the Group Policy Management
Console
• Troubleshoot Group Policy
Group Policy
• Introduced in Windows 2000
• Enhanced in:
• Windows XP
• Windows Server 2003
• Largely collection of registry entries
• Enhancements in Windows Server 2003:
• Transient policy settings
• Expanded capabilities
Administrative Templates
• Files with .adm extension
• Describe registry settings
• Can be configured in policy or Group Policy
• Included with Windows Server 2003:
• System.adm
• Inetres.adm
• Wmplayer.adm
• Conf.adm
• Wuau.adm
Client-side Extensions
• Allow for more advanced control and
configuration
• Included with Windows Server 2003 and Windows
XP:
• EFS (encrypting file system) recovery
• Folder redirection
• Internet Explorer maintenance
• IP security
Client-side Extensions
(continued)
• Included with Windows Server 2003 and Windows
XP:
• Microsoft Disk Quota
• QoS Packet Scheduler
• Scripts
• Security
• Software installation
• Wireless
Group Policy Storage
• Stored on
• Domain controllers
• Local computers
• Local policy object
• Stored in hidden folder
• Referred to as local computer policy
• Applies only to local computer
• Great for workgroup environment
Group Policy Storage
(continued)
• GPOs
• Stored on domain controllers
• Centrally managed
• Single GPO typically affects many users and computers
• One part stored in Active Directory database
• Called group policy container (GPC)
• Other stored in SYSVOL share
• Referred to as group policy template (GPT)
Group Policy Storage
(continued)
• GPT subfolders:
• Adm
• USER
• USER\applications
• MACHINE
• MACHINE\applications
Creating a Group Policy Object
• Tools for creating GPOs:
• Group Policy standalone Microsoft Management
Console (MMC) snap-in
• Group Policy extension in Active Directory Users and
Computers
Activity 11-1: Creating a Group
Policy Object Using the MMC
• Objective: Use the Group Policy Object Editor
MMC snap-in to create GPOs
• Follow directions to create GPOs
Group Policy Processing
• GPOs linked to sites, domains, and organizational
units using GPO links
• Applies to user and computer objects that exist in
container to which they are linked
• Can be linked with multiple organizational units, sites,
or even domains
• Only stored on domain controllers in domain where
created
Group Policy Priority
• Processing order:
• First policy to be applied is the local computer policy
• Any GPOs linked to site are applied
• GPOs linked to domain are applied
• GPOs linked to organizational units are applied
Group Policy Priority
(continued)
• Process is followed twice
• Once for Computer Configuration
• When computer starts up
• Once for User Configuration
• When user logs on
Default GPO Processing Order
Dealing with Conflict
• Options for policy settings
• Enabled
• Disabled
• Not Configured
• Policy settings from multiple GPOs can be
combined
• As long as they do not conflict
• In case of conflict:
• GPO to be applied last wins
Modifying Group Policy
Priority
• Modify priority by configuring settings:
• No Override
• Block Policy Inheritance
• Loopback Processing Mode
Controlling Group Policy
Application with Permissions
• GPOs cannot be linked to groups
• Application of Group Policy can be controlled
through permissions
Controlling Group Policy
Application with Permissions
(continued)
• Standard permissions available to GPO:
• Full Control
• Read
• Write
• Create All Child Objects
• Delete All Child Objects
• Apply Group Policy
Activity 11-5: Filtering Group
Policy Objects Using Security
Permissions
• Objective: Use security permissions to filter and
control the application of policy settings
• Follow instructions to stop settings in Marketing
Policy GPO from applying to Administrators
group
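The precedence rules from the Group Policy Priority, Dealing with Conflict, Modifying Group Policy Priority and permission-filtering slides, worked as an added model (example code written for this transcript, not part of the course or of Windows). The GPO names, settings and group names are constructed; the model assumes the local computer policy is always applied first and cannot be blocked, and it omits Loopback Processing Mode.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict                   # setting -> "Enabled"/"Disabled"; Not Configured = absent
    no_override: bool = False        # link marked No Override
    apply_allow: set = field(default_factory=lambda: {"Authenticated Users"})  # Read + Apply Group Policy
    apply_deny: set = field(default_factory=set)   # groups explicitly denied Apply Group Policy

    def applies_to(self, groups):
        # Deny beats Allow: this is how Activity 11-5 keeps a GPO off the Administrators group
        return bool(self.apply_allow & groups) and not (self.apply_deny & groups)

@dataclass
class Container:                     # site, domain or organizational unit, in processing order
    name: str
    gpos: list = field(default_factory=list)   # linked GPOs, in the order they are applied
    block_inheritance: bool = False

def processing_order(local_gpo, chain, groups):
    """GPOs in the order the client applies them; a GPO applied later wins a conflict."""
    order, enforced = [local_gpo], []
    for container in chain:
        if container.block_inheritance:
            order = [local_gpo]      # drop inherited links (assumed: local policy is kept)
        for gpo in container.gpos:
            if gpo.applies_to(groups):
                (enforced if gpo.no_override else order).append(gpo)
    # No Override links survive blocking and are applied after everything else, highest level last
    return order + list(reversed(enforced))

def effective_settings(local_gpo, chain, groups):
    resolved = {}
    for gpo in processing_order(local_gpo, chain, groups):
        resolved.update(gpo.settings)   # last applied wins; Not Configured leaves earlier values alone
    return resolved

# Constructed scenario: enforced domain policy, a site policy, and a Marketing OU that
# blocks inheritance and whose GPO is filtered away from Administrators.
LOCAL = GPO("Local Computer Policy", {"RemoveRun": "Disabled"})
SITE = GPO("HQ Site Policy", {"ProxySettings": "Enabled"})
DOMAIN = GPO("Default Domain Policy", {"ScreenSaverLock": "Enabled", "RemoveRun": "Enabled"}, no_override=True)
MARKETING = GPO("Marketing Policy", {"ProxySettings": "Disabled", "ScreenSaverLock": "Disabled"},
                apply_deny={"Administrators"})
CHAIN = [Container("HQ", [SITE]), Container("example.local", [DOMAIN]),
         Container("Marketing", [MARKETING], block_inheritance=True)]
```

Calling `effective_settings(LOCAL, CHAIN, {"Authenticated Users", "Marketing"})` shows the enforced domain lock winning over the Marketing GPO while the blocked site proxy setting never arrives; an Administrators member gets only the local and domain settings.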
Windows Management Instrumentation
Filters
• Used to restrict application of GPOs
• Control GPO application based on computer
configuration, such as:
• Hardware configuration
• File existence or attributes
• Applications being installed
• Amount of free hard drive space
• Written in WMI Query Language (WQL)
• Does not apply to Windows 2000
Slow Link Detection
• When working over slow link
• May be undesirable to apply parts of Group Policy
• Client pings domain controller several times
• To determine link speed
• 500 Kbps or less is considered slow
Default Slow Link Behavior
Desktop Management with
Group Policy
• Desktop management
• One of primary goals that can be accomplished with
Group Policy
Restricting Windows
• Can protect users from their own mistakes
• Remove access to features such as:
• Configuring proxy settings
• Setting desktop wallpaper
Folder Redirection
• Allows the administrator to change the location of default Windows folders
• Locate on server:
• Allows users to access information from any computer
on network
Folder Redirection (continued)
• Folders that can be redirected are:
• Application data
• Desktop
• My Documents
• Start menu
Scripts
• GPOs can contain scripts for:
• Logon
• Logoff
• Startup
• Shutdown
• Can be written in languages such as
• VBScript (.vbs)
• JScript (.js)
• Must store scripts in location accessible to users
running them
Security Management with
Group Policy
• Security policy
• Collection of security-related settings
• Located in all GPOs
• Majority of security policy settings apply to computers
• Found in Computer Configuration section
Account Policies
• Includes configuration settings that may be the
initial step to securing computer network
• Must be configured in GPO linked to domain
• Subcategories:
• Password Policy
• Account Lockout Policy
• Kerberos Policy
Local Policies
• Wide variety of settings
• Very flexible
• Categories:
• Audit policy
• User rights assignment
• Security options
Restricted Groups
• Define users that are allowed membership in specific groups
• When Group Policy is applied:
• Any member of the restricted group not listed in the restricted group’s member list is removed
• Prevents administrators from accidentally adding users to sensitive groups
System Services
• Define which services are started, stopped, or
disabled on computers
• Can also configure security for services
• Effective way to disable unnecessary services on:
• Client computers
• Servers
Registry Settings
• Define security permissions for registry entries
• Applied to all computers affected by GPO
File System
• Defines NTFS permissions applied to local hard
drives of computers affected by GPO
• Enhance security by removing permissions to files
and folders
Wireless Network Policies
• Define settings for wireless network connectivity
• Configure which wireless networks workstations can connect to, and automatically configure Wireless Encryption Protocol (WEP)
Public Key Policies
• Define configuration settings relating to use of
different public key-based applications such as:
• Encrypting file system (EFS)
• Automatic certificate enrollment settings
• Certificate Authority (CA) trusts
• Autoenrollment
• New feature
• Allows computers and users to request version 2
certificate templates automatically
Software Restriction Policies
• Define security settings related to what programs
are allowed to run on system
• Individual rules can be based on:
• File’s hash
• Digital certificate used to sign executable
• File’s path
• Internet zone
IP Security Policies
• Define IPSec settings
• Can enable IPSec for entire network with little
effort
Security Templates
• Used to:
• Define, edit, and save baseline security settings
• Applied to computers with common security
requirements
• Meet organizational security standards
• Help ensure
• Consistent setting can be applied to multiple machines
• Easily maintained
• Stored in .inf files
Security Templates (continued)
• Setup Security.inf
• Default template
• Provides single file in which all original computer
security settings are stored
• Incremental templates
• Only apply to machines already running default
security settings
• Use Security Templates snap-in to create custom
templates
Analyzing Security
• Security Configuration and Analysis utility
• Compare current system settings to previously
configured security template
• Identifies
• Changes to original security configurations
• Possible security weaknesses
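What the Security Templates and Analyzing Security slides describe, as an added example (written for this transcript, not Microsoft's Security Configuration and Analysis code): parse a template in the .inf layout and report where a machine's current settings are missing, weaker or different. The template fragment and the current values are constructed samples; it covers only [System Access] and [Event Audit] values, not the registry, service or ACL sections a full template also carries.

```python
import configparser

# Constructed template fragment in the [Section] / key = value layout of security
# template .inf files; the key names are the ones Windows templates use.
TEMPLATE_INF = """
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
MaximumPasswordAge = 42
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
"""

# Settings captured from the machine being analyzed (constructed sample)
CURRENT = {
    "System Access": {"MinimumPasswordLength": 6, "PasswordComplexity": 1,
                      "LockoutBadCount": 0, "MaximumPasswordAge": 42},
    "Event Audit": {"AuditLogonEvents": 3},
}

# Ordered keys: a shorter minimum, fewer lockout attempts or a longer maximum age is weaker
COMPARE = {"MinimumPasswordLength": ">=", "LockoutBadCount": ">=", "MaximumPasswordAge": "<="}

def parse_template(text):
    """Parse the template into {section: {key: int}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep key case exactly as written in the .inf
    cp.read_string(text)
    return {s: {k: int(v) for k, v in cp[s].items()} for s in cp.sections()}

def analyze(template, current):
    """Return (section, key, expected, actual, status) for every setting not meeting the template."""
    findings = []
    for section, keys in template.items():
        for key, expected in keys.items():
            actual = current.get(section, {}).get(key)
            if actual is None:      # the machine has no value at all for this setting
                findings.append((section, key, expected, None, "Not Defined"))
                continue
            op = COMPARE.get(key, "==")
            ok = (actual >= expected if op == ">=" else
                  actual <= expected if op == "<=" else actual == expected)
            if not ok:
                findings.append((section, key, expected, actual,
                                 "Weaker than template" if op != "==" else "Differs"))
    return findings
```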
Using the Group Policy
Management Console
• Available as free download for Windows Server
2003 customers
• Brings together tools and options accessible from
number of different tools
• Adds new functionality
• Highly recommended
• Especially in large deployments
Troubleshooting Group Policy
• Most important thing is interaction of:
• Links to containers
• Priority ordering by administrators
• No Override
• Block Inheritance
• ACL permissions
• Loopback Processing Mode
• WMI filters
Troubleshooting Tools
• Resultant Set of Policy (RSoP)
• Gpresult
• Gpupdate
• Dcgpofix
Summary
• Group Policy applies settings to users and
computers in:
• Site
• Domain
• Organizational unit
• Order of application for GPOs is:
• Local
• Site
• Domain
• Organizational unit
Summary (continued)
• User or computer must have Read and Apply
Group Policy permissions on a GPO in order for
the policy to apply
• To affect domain accounts, account policies must
be set at the domain level
• Security management using Group Policy is
accomplished with security templates