Module 7: Implementing Security Using Group Policy
TRANSCRIPT
Module Overview
• Configuring Security Policies
• Implementing Fine-Grained Password Policies
• Restricting Group Membership and Access to Software
• Managing Security Using Security Templates
Lesson 1: Configuring Security Policies
• What Are Security Policies?
• What Is the Default Domain Security Policy?
• What Are the Account Policies?
• What Are Local Policies?
• What Are Network Security Policies?
• Windows Firewall with Advanced Security
• Demonstration: Overview of Additional Security Settings
• Demonstration: What Is the Default Domain Controller Security Policy?
What Are Security Policies?
What Is the Default Domain Security Policy?
• Provides the account policies for the domain; other settings are not configured by default
• Use it for security settings that must affect the entire domain
• Best practice: keep the Default Domain Policy for account and security settings, and use separate GPOs for other types of settings
[Diagram: Default Domain Policy linked at the domain, carrying the account and security settings]
What Are the Account Policies?
Account policies consist of password, account lockout, and Kerberos policies. Default Domain Policy values:
Password (defaults): Enforce password history: 24 passwords; Maximum password age: 42 days; Minimum password age: 1 day; Minimum password length: 7 characters; Password must meet complexity requirements: enabled; Store passwords using reversible encryption: disabled
Account lockout (defaults): Account lockout duration: not defined; Account lockout threshold: 0 invalid logon attempts (lockout disabled); Reset account lockout counter after: not defined
Kerberos: ticket lifetime, renewal and clock-skew settings (values not listed on this slide)
• Account policies for domain accounts are effective only when set in a GPO linked at the domain level; the same settings in a GPO linked to an OU affect only the local accounts of the computers in that OU
• Account policies mitigate brute-force guessing of account passwords, but only once a lockout threshold is set: the default threshold of 0 means no lockout at all
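Added example (not part of the course material): a script that reads the account policy the domain controllers actually enforce and reports every setting that falls short of a baseline, including the lockout threshold of 0 that the defaults leave in place. It assumes the Active Directory module for Windows PowerShell (Windows Server 2008 R2 / RSAT or later) on a domain-joined machine; the baseline values are this example's own choices, not course values.

```powershell
# Added example (not part of the course material): read the domain's effective
# account policy and report every setting that falls short of a baseline.
# Assumptions: the Active Directory module for Windows PowerShell is available
# (Windows Server 2008 R2 / RSAT or later) and the session is domain-joined;
# the baseline values below are this example's choice, not course values.
Import-Module ActiveDirectory

# Baseline: the course defaults where they are adequate, tightened where they
# leave a gap. The defaults set no lockout threshold (0 = lockout disabled).
$Baseline = @{
    PasswordHistoryCount        = 24
    MaxPasswordAge              = New-TimeSpan -Days 42
    MinPasswordAge              = New-TimeSpan -Days 1
    MinPasswordLength           = 12
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 10
    LockoutDuration             = New-TimeSpan -Minutes 15
    LockoutObservationWindow    = New-TimeSpan -Minutes 15
}

function Test-DomainAccountPolicy {
    param([Parameter(Mandatory=$true)][hashtable]$Baseline)

    # Returns the values the DCs enforce for domain accounts, i.e. the account
    # policy coming from the GPO linked at the domain level.
    $p = Get-ADDefaultDomainPasswordPolicy

    $checks = @(
        @{ Setting = 'PasswordHistoryCount'; Observed = $p.PasswordHistoryCount
           Expected = ">= $($Baseline.PasswordHistoryCount)"
           Ok = $p.PasswordHistoryCount -ge $Baseline.PasswordHistoryCount },
        # A zero or maximum-value age means passwords never expire.
        @{ Setting = 'MaxPasswordAge'; Observed = $p.MaxPasswordAge
           Expected = "1 .. $($Baseline.MaxPasswordAge.Days) days"
           Ok = ($p.MaxPasswordAge -ge (New-TimeSpan -Days 1)) -and
                ($p.MaxPasswordAge -le $Baseline.MaxPasswordAge) },
        @{ Setting = 'MinPasswordAge'; Observed = $p.MinPasswordAge
           Expected = ">= $($Baseline.MinPasswordAge.Days) day(s)"
           Ok = $p.MinPasswordAge -ge $Baseline.MinPasswordAge },
        @{ Setting = 'MinPasswordLength'; Observed = $p.MinPasswordLength
           Expected = ">= $($Baseline.MinPasswordLength)"
           Ok = $p.MinPasswordLength -ge $Baseline.MinPasswordLength },
        @{ Setting = 'ComplexityEnabled'; Observed = $p.ComplexityEnabled
           Expected = $Baseline.ComplexityEnabled
           Ok = $p.ComplexityEnabled -eq $Baseline.ComplexityEnabled },
        @{ Setting = 'ReversibleEncryptionEnabled'; Observed = $p.ReversibleEncryptionEnabled
           Expected = $Baseline.ReversibleEncryptionEnabled
           Ok = $p.ReversibleEncryptionEnabled -eq $Baseline.ReversibleEncryptionEnabled },
        # Threshold 0 disables lockout entirely; a very high threshold is nearly as useless.
        @{ Setting = 'LockoutThreshold'; Observed = $p.LockoutThreshold
           Expected = "1 .. $($Baseline.LockoutThreshold)"
           Ok = ($p.LockoutThreshold -ge 1) -and ($p.LockoutThreshold -le $Baseline.LockoutThreshold) },
        @{ Setting = 'LockoutDuration'; Observed = $p.LockoutDuration
           Expected = ">= $($Baseline.LockoutDuration.TotalMinutes) min"
           Ok = $p.LockoutDuration -ge $Baseline.LockoutDuration },
        @{ Setting = 'LockoutObservationWindow'; Observed = $p.LockoutObservationWindow
           Expected = ">= $($Baseline.LockoutObservationWindow.TotalMinutes) min"
           Ok = $p.LockoutObservationWindow -ge $Baseline.LockoutObservationWindow }
    )

    # Emit only the failures, as objects, so the result can be piped or exported.
    foreach ($c in $checks) {
        if (-not $c.Ok) {
            New-Object PSObject -Property @{
                Setting = $c.Setting; Observed = $c.Observed; Expected = $c.Expected
            }
        }
    }
}

$findings = @(Test-DomainAccountPolicy -Baseline $Baseline)
if ($findings.Count -eq 0) { 'Domain account policy meets the baseline.' }
else { $findings | Format-Table Setting, Observed, Expected -AutoSize }
```

On a domain still at the course's defaults the output lists at least MinPasswordLength (7 observed) and LockoutThreshold (0 observed); the same values can be read without the AD module from `net accounts /domain`, but that output is text rather than objects.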
What Are Local Policies?
• Every computer running Windows 2000 and later has a local security policy that is part of local Group Policy
• Domain policy overrides local policy where the two conflict
• In a workgroup, the local security policy is the only place to configure these settings
• User rights (for example, log on locally, log on as a service) can be assigned through local Group Policy
• Security Options control many different aspects of a computer's security
• The Local Policies node contains Audit Policy, User Rights Assignment, and Security Options; together these determine what user and service accounts are allowed to do on the computer
What Are Network Security Policies?
• Define the available networks and authentication methods for wireless connections on Windows XP and Windows Vista clients, and LAN (wired 802.1X) authentication for Windows Vista and Windows Server 2008 clients
• Separate wireless policies exist for Windows XP and for Windows Vista; the Windows Vista policies contain more options and can deny access to specific wireless networks
• 802.1X authentication can be configured via Group Policy
• Only Windows Vista and later can receive wired network policies
[Diagram: one GPO delivering a wireless-only policy to Windows XP clients and both wireless and wired policies to Windows Vista clients]
Windows Firewall with Advanced Security
• A stateful host-based firewall that allows or blocks network traffic according to its configuration
• Supports filtering for both incoming and outgoing traffic; firewall rules control inbound and outbound traffic
• Used to configure the advanced settings that the basic Windows Firewall Control Panel item does not expose
• Provides integrated firewall filtering and IPsec connection security settings in one console
• Allows rules to be scoped by many criteria, such as users, groups, programs, remote addresses, and TCP and UDP ports
• Provides network location-aware profiles (domain, private, public)
• Can import or export policies
[Diagram: Windows Server 2008 host firewall sitting between the Internet and the LAN]
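Added example (not part of the course material): the rule semantics that the Windows Firewall with Advanced Security GPO node exposes, applied locally with `netsh advfirewall` (available on Windows Vista / Server 2008 and later) so the effect can be verified on one host before the same settings go into a GPO. It contrasts an unscoped RDP rule with one limited to a management subnet and to the domain profile, enables logging of dropped connections, and exports the policy. The management subnet, port and export path are assumptions.

```powershell
# Added example (not part of the course material): host firewall baseline with
# netsh advfirewall, using the features the slide lists (inbound/outbound
# filtering, rule scoping, location-aware profiles, export). Subnet, port and
# export path are assumptions.
$MgmtSubnet = '10.0.10.0/24'                     # assumption: admin workstations
$ExportPath = 'C:\Baselines\host-firewall.wfw'   # assumption

# 1. Default posture on all three location-aware profiles: drop unsolicited
#    inbound, allow outbound. The comma-separated token must be quoted, or
#    PowerShell splits it into two arguments before netsh sees it.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy 'blockinbound,allowoutbound'

# 2. Weak rule, shown for contrast and NOT applied: RDP from any address on
#    every profile, which exposes the service on public networks too.
#    netsh advfirewall firewall add rule 'name=RDP (any)' dir=in action=allow protocol=TCP localport=3389

#    Scoped rule: same port, only from the management subnet, only while the
#    host is connected to the domain profile.
netsh advfirewall firewall add rule 'name=RDP (mgmt only)' dir=in action=allow `
    protocol=TCP localport=3389 remoteip=$MgmtSubnet profile=domain

# 3. Log dropped inbound connections so blocked attempts reach the log pipeline.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"

# 4. Export the policy for review or import on another host, then verify what
#    is actually in force rather than what was typed.
New-Item -ItemType Directory -Path (Split-Path $ExportPath) -Force | Out-Null
netsh advfirewall export $ExportPath
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule 'name=RDP (mgmt only)' verbose
```

Once the rule set behaves as intended, the same rules belong under Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security in a GPO, where the imported .wfw file can seed the policy; a locally created rule can otherwise be overridden or merged by the GPO depending on the profile's rule-merging setting.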
Demonstration: Overview of Additional Security Settings
In this demonstration, you will see how to configure additional security settings
Demonstration: What Is the Default Domain Controller Security Policy?
In this demonstration, you will see the default domain controller policy settings
• Linked to the Domain Controllers OU and provides an extra layer of security for domain controllers
• Configures many user rights for the domain controllers
• Enables auditing on the domain controllers
Lesson 2: Implementing Fine-Grained Password Policies
• What Are Fine-Grained Password Policies?
• How Fine-Grained Password Policies Are Implemented
• Implementing Fine-Grained Password Policies
• Demonstration: Implementing Fine-Grained Password Policies
What Are Fine-Grained Password Policies?
• Fine-grained password policies allow multiple password policies to exist in the same domain
[Diagram: three groups with different maximum password ages: Administrator group changes passwords every 7 days, Manager group every 14 days, End user group every 30 days]
How Fine-Grained Password Policies Are Implemented
Considerations when implementing PSOs:
• The domain functional level must be Windows Server 2008
• Password Settings Container and Password Settings Object are new schema object classes (msDS-PasswordSettingsContainer and msDS-PasswordSettings)
• PSOs can only be applied to user objects or global security groups, never to OUs
• PSOs can be created through ADSI Edit or LDIFDE (or, on Windows Server 2008 R2 and later, with the Active Directory module for Windows PowerShell)
A PSO has the following settings available:
• Password policy settings
• Account lockout settings
• PSO link (the users and groups the PSO applies to)
• Precedence
Implementing Fine-Grained Password Policies
• Because a PSO cannot be linked to an OU, a shadow group (a global security group whose membership mirrors an OU) can be used to apply a PSO to all users that do not already share a global group membership
• A user or group can have multiple PSOs linked to it
• The precedence attribute is used to resolve conflicts: lower precedence values have higher priority, and if two applicable PSOs share the same precedence the one with the lowest objectGUID wins
• PSOs linked directly to user objects override PSOs linked to a user's global groups
• If no PSO applies, the normal domain account policies from the Default Domain Policy apply
• The PSO that actually applies to a user can be read from the user's constructed attribute msDS-ResultantPSO
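Added example (not part of the course material): the LDIFDE route described above, carried through for the slide's administrator policy (password change every 7 days). The script converts the time-valued settings into the negative 100-nanosecond intervals the PSO attributes require, writes the LDIF, imports it with ldifde, and then reads a user's msDS-ResultantPSO to confirm which policy won. The domain name, PSO name, target group and all policy values are assumptions; it needs the Windows Server 2008 domain functional level and Domain Admins rights.

```powershell
# Added example (not part of the course material): create a PSO with LDIFDE and
# read back which PSO a user actually gets.
# Assumptions: domain DC=contoso,DC=com, PSO name PSO-Administrators, target
# group Domain Admins; the policy values below are invented for this example.

# PSO time attributes use the LDAP I8 syntax: a NEGATIVE count of 100-nanosecond
# intervals. A .NET TimeSpan tick is also 100 ns, so the conversion is a negation.
function ConvertTo-PsoInterval {
    param([Parameter(Mandatory=$true)][TimeSpan]$Span)
    if ($Span -le [TimeSpan]::Zero) { throw "PSO intervals must be positive: $Span" }
    return (-1 * $Span.Ticks)          # e.g. 1 day -> -864000000000
}

$DomainDN = 'DC=contoso,DC=com'                                   # assumption
$PsoName  = 'PSO-Administrators'                                  # assumption
$PsoDN    = "CN=$PsoName,CN=Password Settings Container,CN=System,$DomainDN"
$Target   = "CN=Domain Admins,CN=Users,$DomainDN"                 # must be a user or global group

# Administrator policy from the slide's example: password change every 7 days,
# tighter than the 42-day domain default. Precedence 10: lower wins if several apply.
# All ten msDS-* settings below are mandatory on an msDS-PasswordSettings object.
$ldif = @"
dn: $PsoDN
changetype: add
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: 10
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: 15
msDS-MinimumPasswordAge: $(ConvertTo-PsoInterval (New-TimeSpan -Days 1))
msDS-MaximumPasswordAge: $(ConvertTo-PsoInterval (New-TimeSpan -Days 7))
msDS-LockoutThreshold: 5
msDS-LockoutObservationWindow: $(ConvertTo-PsoInterval (New-TimeSpan -Minutes 30))
msDS-LockoutDuration: $(ConvertTo-PsoInterval (New-TimeSpan -Minutes 30))
msDS-PSOAppliesTo: $Target
"@

# ldifde -i imports; -k continues past "object already exists" on a re-run.
$ldifPath = Join-Path $env:TEMP "$PsoName.ldf"
Set-Content -Path $ldifPath -Value $ldif -Encoding ASCII
& ldifde.exe -i -f $ldifPath -k
if ($LASTEXITCODE -ne 0) { throw "ldifde failed with exit code $LASTEXITCODE" }

# Verification: msDS-ResultantPSO is computed by the DC per user after applying
# precedence (direct user link beats group links; lower precedence wins; an
# equal-precedence tie goes to the PSO with the lowest objectGUID). An empty
# value means the Default Domain Policy account settings apply.
function Get-ResultantPso {
    param([Parameter(Mandatory=$true)][string]$UserDN)
    $user = [ADSI]"LDAP://$UserDN"
    $user.RefreshCache(@('msDS-ResultantPSO'))   # constructed attribute: must be requested explicitly
    return [string]$user.Properties['msDS-ResultantPSO'].Value
}

Get-ResultantPso -UserDN "CN=Administrator,CN=Users,$DomainDN"
```

The negation is the step most often done wrong by hand: a positive value or a value in seconds is rejected by the schema or silently produces an absurd interval, so compute it from a TimeSpan rather than typing it. Reading msDS-ResultantPSO after every change is the only reliable way to confirm that precedence resolved the way the design intended.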
Demonstration: Implementing Fine-Grained Password Policies
In this demonstration, you will see how to create and apply PSOs
Lesson 3: Restricting Group Membership and Access to Software
• What Is Restricted Group Membership?
• Demonstration: Configuring Restricted Group Membership
• What Is a Software Restriction Policy?
• Options for Configuring Software Restriction Policies
• Demonstration: Configuring Software Restriction Policies
What Is Restricted Group Membership?
Group Policy can control group membership:
• For any group on a local computer, by applying a GPO to the OU that holds the computer account
• For any group in AD DS, by applying a GPO to the Domain Controllers OU (domain group membership is evaluated on the domain controllers)
• The "Members of this group" list is authoritative: at each policy refresh, accounts not on the list are removed, so an empty list empties the group; the "This group is a member of" list is additive and only adds the group to the groups listed
Demonstration: Configuring Restricted Group Membership
In this demonstration, you will see how to configure restricted groups
What Is a Software Restriction Policy?
• A policy-driven mechanism that identifies and controls which software can run on a client computer
• Used to restrict software installation and to limit the execution of unwanted code, including malware
• A component with two parts:
  • A default security level with three options: Unrestricted, Basic User, and Disallowed
  • Rules that define exceptions to the default level
Options for Configuring Software Restriction Policies
Certificate rule
• Identifies software by the digital signature on the application
• Use when you want to restrict Win32 applications and ActiveX content by publisher
Internet zone rule
• Applies only to Windows Installer (.msi) packages, based on the Internet Explorer zone they are installed from
• Use in high-security environments to control which installers are allowed to run
Hash rule
• Uses an MD5 or SHA-1 hash of the file to identify it, independent of its name or location
• Use to allow or prohibit one specific file version; any update to the file changes the hash and requires a new rule
Path rule
• Identifies software by file path (including registry paths and wildcards)
• Use when multiple files exist for the same application, or when files change often
• Essential when SRPs are strict (default level Disallowed): the paths that programs legitimately run from must be allowed, and those paths must not be writable by ordinary users, or the rule becomes a bypass
Rule precedence when more than one rule matches a file: hash, then certificate, then path, then Internet zone; among path rules, the more specific path wins
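Added example (not part of the course material): two checks a practitioner wants before deploying a Disallowed default level. The first walks an Unrestricted path rule's directory tree and reports any directory that Everyone, Authenticated Users or BUILTIN\Users can write to, since a user-writable allowed path lets a user drop and run arbitrary code. The second computes the MD5 and SHA-1 that a hash rule pins a file version with. The directories and file checked at the bottom are assumptions.

```powershell
# Added example (not part of the course material): sanity-check candidate SRP
# rules before deploying a Disallowed default level.
#  - Path rule: flag allowed directories that ordinary users can write to.
#  - Hash rule: compute the MD5 and SHA-1 of the file being pinned.
# The directories and file checked at the bottom are assumptions.

# Well-known SIDs every interactive user holds; write access for these inside an
# Unrestricted path defeats the rule.
$UnprivilegedSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')   # Everyone, Authenticated Users, Users
$WriteRights  = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, ChangePermissions, TakeOwnership'
$GenericWrite = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL, seen on inherit-only ACEs

function Test-SrpPathRule {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [switch]$Recurse      # path rules cover subdirectories, so inspect them too
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{ Path = $Path; UserWritable = $null; Grantees = 'path not found' }
    }
    $dirs = @(Get-Item -LiteralPath $Path)
    if ($Recurse) {
        $dirs += Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue |
                 Where-Object { $_.PSIsContainer }
    }
    foreach ($dir in $dirs) {
        $hits = @()
        foreach ($ace in (Get-Acl -LiteralPath $dir.FullName).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights = [int]$ace.FileSystemRights
            if ((($rights -band [int]$WriteRights) -eq 0) -and (($rights -band $GenericWrite) -eq 0)) { continue }
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }          # unresolvable identity
            if ($UnprivilegedSids -contains $sid) {
                $hits += "$($ace.IdentityReference): $($ace.FileSystemRights)"
            }
        }
        New-Object PSObject -Property @{
            Path = $dir.FullName; UserWritable = ($hits.Count -gt 0); Grantees = ($hits -join '; ')
        }
    }
}

function Get-SrpFileHash {
    param([Parameter(Mandatory=$true)][string]$FilePath)
    $bytes  = [System.IO.File]::ReadAllBytes($FilePath)
    $result = New-Object PSObject -Property @{ File = $FilePath; Size = $bytes.Length }
    foreach ($alg in 'MD5', 'SHA1') {      # the algorithms SRP hash rules use
        $h   = [System.Security.Cryptography.HashAlgorithm]::Create($alg)
        $hex = [System.BitConverter]::ToString($h.ComputeHash($bytes)).Replace('-', '').ToLower()
        $result | Add-Member -MemberType NoteProperty -Name $alg -Value $hex
    }
    return $result
}

# Typical Unrestricted path rules under a Disallowed default (assumed). Expect
# hits such as C:\Windows\Temp and C:\Windows\Tasks, which are user-writable
# even though they sit inside %SystemRoot%.
'C:\Windows', 'C:\Program Files' | ForEach-Object { Test-SrpPathRule -Path $_ -Recurse } |
    Where-Object { $_.UserWritable } | Format-Table Path, Grantees -AutoSize

# Hashes for a file to be pinned by a hash rule (assumed path).
Get-SrpFileHash -FilePath 'C:\Windows\System32\calc.exe' | Format-List File, Size, MD5, SHA1
```

Every directory the first check reports needs either a Disallowed path rule of its own (more specific paths win) or an ACL change before the Unrestricted parent rule is safe. The hash check makes the maintenance cost of hash rules visible: each patch to the file produces a new hash and the old rule stops matching.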
Demonstration: Configuring Software Restriction Policies
In this demonstration, you will see how to configure a software restriction policy
Lesson 4: Managing Security Using Security Templates
• What Are Security Templates?
• Demonstration: Applying Security Templates
• What Is the Security Configuration Wizard?
• Demonstration: Configuring Server Security Using the Security Configuration Wizard
• Options for Integrating the Security Configuration Wizard and Security Templates
• Demonstration: Importing Security Configuration Policies into Security Templates
What Are Security Templates?
Security templates (.inf files, built with the Security Templates snap-in):
• Allow administrators to apply consistent security settings to multiple computers
• Can be applied via Group Policy (by importing the template into a GPO) or locally with secedit.exe
• Can be designed based on server roles
• Can also be used to analyze a computer against the template without applying it (Security Configuration and Analysis snap-in, or secedit /analyze)
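Added example (not part of the course material): checking a server against a role template without changing it, with secedit.exe, which is present on every Windows version the course covers. The template path is an assumption; the script runs an analysis into a fresh database and lists the settings whose current value differs from the template.

```powershell
# Added example (not part of the course material): compare a server with a
# security template without applying it. The template path is an assumption.
$Template = 'C:\Templates\MemberServer.inf'   # assumption: exported from the Security Templates snap-in
$WorkDir  = Join-Path $env:TEMP 'secedit-analysis'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$Db  = Join-Path $WorkDir 'analysis.sdb'
$Log = Join-Path $WorkDir 'analysis.log'

# /analyze loads the template into a fresh database and compares it with the
# computer's current settings; nothing is changed. Run from an elevated prompt.
if (Test-Path $Db) { Remove-Item $Db -Force }
& secedit.exe /analyze /db $Db /cfg $Template /log $Log /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /analyze failed with exit code $LASTEXITCODE" }

# secedit records each setting that differs from the template as a "Mismatch"
# line, and template settings the machine has no value for as "Not Configured".
$deviations = Select-String -Path $Log -Pattern 'Mismatch|Not Configured' |
              ForEach-Object { $_.Line.Trim() }
if ($deviations) { $deviations } else { 'No deviations from the template.' }

# Applying is the same command with /configure. On a domain member, prefer
# importing the template into a GPO so the settings are reapplied on refresh
# and cannot drift silently.
# & secedit.exe /configure /db $Db /cfg $Template /log $Log /quiet
```

Running the analysis again after the GPO that carries the template has refreshed is the verification step for this lesson: an empty deviation list means the policy is actually in force on that host.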
Demonstration: Applying Security Templates
In this demonstration, you will see how to create a security template and import it into a GPO
What Is the Security Configuration Wizard?
SCW provides guided attack surface reduction by:
• Disabling unnecessary services and Internet Information Services (IIS) Web service extensions
• Blocking unused ports and securing the ports that are left open with IPsec
• Reducing protocol exposure
• Configuring audit settings
SCW supports:
• Rollback
• Analysis
• Remote configuration
• Command-line support
• Active Directory integration
• Policy editing
Demonstration: Configuring Server Security Using the Security Configuration Wizard
In this demonstration, you will see how to create a security policy using the SCW
Options for Integrating the Security Configuration Wizard and Security Templates
Options:
• Policies created with the SCW (XML files) can be applied individually to a server, with the wizard or with scwcmd configure
• Existing security templates (.inf) can be incorporated into an SCW policy
• The Scwcmd.exe command-line utility (scwcmd transform) converts the XML policy into a GPO; the GPO is created but not linked, so link it to the target OU in the Group Policy Management Console afterwards
Demonstration: Importing Security Configuration Policies into Security Templates
In this demonstration, you will see how to transform the XML policy file into a GPO
Lab: Implementing Security Using Group Policies
• Exercise 1: Configuring Domain Security Settings
• Exercise 2: Implementing Fine-Grained Password Policies
• Exercise 3: Configuring Restricted Groups and Software Restriction Policies
• Exercise 4: Configuring Security Templates
• Exercise 5: Verifying the Security Configuration
Logon information
Virtual machines: 6425A-NYC-DC1, NYC-CL1, NYC-SVR1
User name: Administrator
Password: Pa$$w0rd
Estimated time: 75 minutes
Lab Review
• You want to control which wireless networks your Windows Vista clients will have access to. What is the best way to accomplish this?
• You need to harden security on all the database servers across your organization. What tool is best suited for this task?
• You used the Security Configuration Wizard to create a policy for your servers running IIS. You transformed the policy into a GPO. You applied the GPO to the proper OU, but the IIS settings are not being deployed. What is the problem?
Module Review and Takeaways
• Considerations
• Review questions