2008 R2 ADS Vocabulary - Session 3 Flashcards
Group Policy Processing
You can apply Group Policy settings at the local, site, domain, and OU levels.
All group policies that can apply to a user or computer do so, blending their settings. However, settings from different policies may directly conflict with each other.
Group Policy Processing
To prevent conflicts, policy settings in GPOs at different levels are processed in a specific order. That order is as follows (LSDOUC):
- Local GPOs
- GPOs linked to the Site
- Domain-level GPOs
- GPOs linked to OUs
- GPOs linked to Child OUs
You can choose to alter the default processing order using a variety of methods, including the following:
Block Inheritance
Enforced
Block Inheritance
The Block Inheritance option prevents an OU or domain from inheriting GPOs from any of its parent containers. However, GPOs that are marked as Enforced are always inherited.
Enforced
The Enforced option is a GPO link option that ensures the settings in the policy are applied regardless of blocked inheritance or the order of processing of linked GPOs.
GPO Status
The GPO Status option can be used to troubleshoot a set of applied policies when their end result is not what it should be, by choosing to disable the User portion, the Computer portion, or all of a GPO. Separately, a GPO link can also be disabled.
Link Order
The Link Order option controls the precedence order of multiple GPOs that are linked to the same particular container. The lower the link order, the higher its precedence. The GPO link with the link order of 1 has the highest precedence in that container.
GPO Filtering
Each GPO is set to apply to members of the Authenticated Users group, which contains all domain Users and Computers. If this group is replaced with a smaller group, then the Group Policy will be filtered to apply to only those members of the container who also are members of the security group referenced.
WMI Filtering
In the GPMC, a WMI script can be created to test for the absence or presence of system properties or values, such as Operating System, Service Pack, free disk space, RAM capacity, etc. This WMI script can then be bound to a GPO. If the receiving client does not meet the criteria of the WMI filter, it will not receive ANY of the GPO settings.
Loopback Processing (Merge or Replace)
There is a Computer GPO Administrative Template setting that will override the normal GPO loading behavior at user logon. In “Replace” mode, when a user logs on to a Loopback Mode computer, the GPOs loaded will be the policies in the LDAP path of the Computer, not the User. This can enforce a kiosk-like consistent configuration of settings. In “Merge” mode, the User’s settings are loaded, but the Computer’s path settings are also loaded, with the Computer’s path settings overriding the User’s.
Slow Link Detection
If the computer detects a slow connection (by default less than 500kbps, but the threshold can be changed or disabled), then certain portions of Group Policy, such as software deployment, will be skipped in Group Policy processing. Other portions of Group Policy, such as Security settings, cannot be skipped.
Credential Caching
Users’ credentials are automatically cached locally, based on previous logon attempts, to enable the user to log on if a DC fails and authentication on the domain is not possible. If a user logs on using locally cached credentials, Group Policy settings are not applied.
The configuration of Loopback Processing (including its mode), Slow Link Detection, and what will be loaded or skipped over a slow link are all configured in the following Administrative Template path:
“Computer Configuration\Administrative Templates\System\Group Policy”
Creating a GPO
The GPMC provides a user-friendly interface that an administrator can use to create, view, and manage GPOs in an organization.
Starter Group Policy objects derive from a Group Policy object (GPO),
allowing administrators to store a collection of configured Administrative Template settings.
A new GPO built from a Starter GPO will begin with all of the Administrative Template policy settings and values that were defined by the
Starter GPO.
Starter GPOs can be exported to
other environments as needed.
By default, only members of the Domain Admins, Enterprise Admins, or Group Policy Creator Owners (GPCO) groups can
create new GPOs and edit existing ones.
A member of the Domain Admins group can choose to delegate the authority for creating and managing a GPO to
other users or groups in that GPO’s domain.
THE GROUP POLICY MANAGEMENT CONSOLE
Installing and Customizing the GPMC
The GPMC is a Microsoft Management Console (MMC) snap-in that you use in Windows Server 2008 R2 to configure group policy settings throughout various forests in an organization.
GPMC
GROUP POLICY MANAGEMENT CONSOLE
You can use the GPMC to perform several operations on GPOs, including the following:
- Searching for GPOs in a forest
- Backing up and restoring a GPO
- Importing settings from a backed up GPO to an existing GPO in the same forest
The GPMC enables you to plan the deployment of
a Group Policy using the Resultant Set of Policies (RSoP) data simulation, which is used to view the combined effect of a set of GPOs on systems and users.
You can also use the GPMC to obtain
RSoP data and to troubleshoot Group Policy deployments.
(RSoP)
the Resultant Set of Policies
To launch the GPMC
use the Run dialog box, which you access by selecting Start - Run. Type gpmc.msc in the Open text box and click OK.
The Group Policy Editor Window allows
administrators to navigate the topology of Computer and User settings in order to modify values that will be set in the particular group policy being edited.
GROUP POLICY OBJECT TEMPLATES
Administrative Templates
You are
doing it! You will pass with flying colors!
Two types of Group Policy settings are stored in each GPO
- user configuration and computer configuration settings
In Windows Server 2008 R2, registry-based policy settings are stored as
ADMX files, XML-based, containing language-specific settings.
In domain-based enterprises, ADMX files can be stored
in a central location, accessible to anyone with permission to create or edit GPOs.
You can filter administrative templates using either of these two views:
- The local view for a template modifies the view only for that template
- The global view modifies the view for all administrative templates
You can filter administrative templates based on their
type, using keywords, and - by using requirement filters - based on the platform or applications to which they apply.
You can use a starter GPO to create multiple GPOs with the same baseline configuration
each new GPO inherits the template settings from the starter GPO.
A security template is a
file that defines a security configuration that can be applied to a local computer, imported to a GPO, and used to analyze security.
Security templates do not
introduce new security parameters, but organize the existing security attributes.
A security template is a text file
It is a text-based file with an .inf extension that enables you to copy, paste, import, and export some or all of the attributes of a template.
Security templates can be used with
Security Configuration and Analysis snap-ins to examine a system for security holes or policy violations.
You can use security templates to define the following:
- Account Policies
- Local Policies
- Event Log Settings
- Restricted Groups
- System Services Settings
- File and Registry Permissions
You can download and install the GPOAccelerator from
Microsoft to obtain the predefined templates.
The following are examples of the types of predefined security templates included with the GPOAccelerator:
- Default Security (Setup security.inf)
- Domain Controller Default Security (DC security.inf)
- Compatible (Compatws.inf)
- Secure (Secure*.inf)
- Highly Secure (hisec*.inf)
The secedit command-line tool is the command-line version of the
Security Configuration and Analysis snap-in.
Configuring the .admx Central Store
Administrative templates are XML-based files with the file extension .admx that contain Group Policy setting definitions for
the Group Policy Editor in Windows Server 2008 R2.
The .admx files have replaced the original administrative template files:
.adm files.
To take advantage of the benefits of .admx files, you must create a
“Central Store” in the SYSVOL folder of your domain controller.
The Central Store is a location that is checked first by the
Group Policy Editor to define the available settings for an administrator to configure.
The files that are in the Central Store are automatically
replicated to all domain controllers in the domain.
When new Administrative templates are added for software such as Microsoft Office, or updated for new versions of the operating system, the templates only need to
be updated once in the Central Store, and all domain controllers will replicate the new version of the editor template automatically.
The default location for .admx files is
the %SYSTEMROOT%\PolicyDefinitions folder
Domain Controllers can be configured to replicate their Administrative Template .admx files using a
“Central Store” by creating a PolicyDefinitions folder (or copying the existing one) in the following location: %SYSTEMROOT%\SYSVOL\domain\policies\
To copy the local server 2008 R2’s existing policies and create a Central Store:
xcopy /E "%SYSTEMROOT%\PolicyDefinitions" "%SYSTEMROOT%\SYSVOL\domain\Policies\PolicyDefinitions\"
Deploying Software Using Group Policy
Together with AD DS and the Windows Installer, you can use Group Policy to install, maintain, publish, and remove software across an organization, site, or domain.
Windows Installer is an
extensible software management and installation service.
Using Group Policy, you can choose to
advertise a software package by assigning it to particular users or computers, or by publishing it to users.
Using Group Policy,
- Assigning software to a computer installs it at next boot.
- Assigning software to a user only installs it at next logon if a special feature is enabled in the deployment settings. Normally this configuration will, at next logon, advertise shortcuts in the Start menu, enable document invocation of the file type, and make the software available in Add/Remove Programs (in Windows Vista and later, “Programs and Features” > “Install a program from the network”).
- Publishing software to a user will only, at next logon, enable document invocation and software availability in the Control Panel.
Configuring Software Packages
Using Group Policy, you can configure the properties of software before you deploy it. You can also use Group Policy to install patches or service packs (.msp), or to upgrade software you have already installed. Transform (.mst) files allow the same .msi file to be deployed twice, with different .mst files, as two different installations (i.e. one French dictionary, one English).
PREVENTING SOFTWARE EXECUTION WITH GPOS
Software Restriction Policies:
AppLocker:
Configuring Security Settings
Restricted Groups
Software Restriction Policies:
Software Restriction Policies (SRP) are designed to control the installation and execution of executable programs. Like a firewall, they can block all software execution except what is allowed, or allow all software execution except what is blocked. Rules can be defined by hash rule, certificate rule, path rule, or network zone rule.
AppLocker:
A more advanced software prevention technology that allows for auditing before deployment, import/export of rules, PowerShell management, and flexible certificate value rules (i.e. product name, but not version-specific). Only applies to Windows 7 Enterprise and Ultimate and Server 2008 R2.
Configuring Security Settings
Security templates in Windows Server 2008 R2 enable you to configure security-related policy settings. You can create custom security templates to suit your needs, or import and deploy an existing security template.
You use the Local Group Policy Editor to configure security for LGPOs. To configure security settings for AD GPOs, you use the Group Policy Management Editor.
Restricted Groups
Restricted groups enable you to control the security and access settings for users in local and domain user groups. Using restricted groups, you can set desired membership for a user group without changing the parent group to which the user belongs. You can apply restricted group settings to a GPO as a group policy, provided the GPO is linked to AD.
CONFIGURE ACCOUNT POLICY USING GROUP POLICY OBJECTS
You can protect your network from unauthorized users by
Implementing an Account Lockout Policy
Securing it with Strong Passwords
Password & Lockout Policies
Fine-Grained Password & Lockout Policies
Implementing an Account Lockout Policy
An account lockout policy locks a user account after an incorrect password is entered a specific number of times over a specified time period. An account lockout policy reduces the possibility of an attack on your network by repeated logon attempts.
Securing it with Strong Passwords
A strong password uses alphanumeric characters as well as symbols, such as punctuation, to make it more complex. This minimizes the risk of the password being guessed.
Password & Lockout Policies
Password Policies and Lockout Policies that are set at the Domain level will affect all domain users. These include password length, complexity, the number of failed attempts before an account is locked out, and the duration of a locked-out account. Any of these account policies that are set at a non-domain level will only affect the behavior of local accounts on the computers within the containers that receive these settings.
Fine-Grained Password & Lockout Policies
If an administrator wishes to have a different set of password and lockout standards for some users, whether more or less stringent than the domain standard, Password Settings Objects (PSOs) must be configured separately from Group Policies. This must be done using the ADSI Edit utility by creating an msDS-PasswordSettings object in the “CN=System,CN=Password Settings Container” path. This will launch a wizard that configures all of the standard settings except msDS-PSOAppliesTo, which must be configured manually to link the PSO to the user or group to which it should apply. User-linked PSOs supersede group-linked PSOs, and if more than one PSO applies to the same user via groups, the msDS-PasswordSettingsPrecedence attribute value of each PSO is compared; the PSO with the lowest value (highest precedence) wins, and that PSO in its entirety is applied to the user.
The AD DS Auditing Features
In Windows Server 2008 R2, AD DS provides auditing features that enable you to monitor the movement, deletion, and modification of AD objects. AD DS maintains a log that stores old values for AD objects and their attributes, as well as new values when alterations are made.
The controls used to incorporate auditing features in Windows Server 2008 R2 are:
- Global audit policy
- An SACL
- A control schema
Audit policies are security templates that must be enabled for particular auditing activities to be carried out. The following are audit policies that you can choose to configure:
- Audit Logon Events
- Audit Account Logon Events
- Audit System Events
- Audit Account Management
- Audit Privilege Use
- Audit Directory Service Access
- Audit Object Access
- Audit Policy Change
- Audit Process Tracking
Windows Server 2008 R2 introduces audit policy subcategories. This allows for auditing more
specific events, which returns less data that is easier to analyze.
Configuring Audit Policies subcategories
You can use the auditpol command to display the current audit policy, display the selectable policy elements, and set audit policy subcategories. With this command you can disable auditing for the subcategories you do not want audited, or enable filtered auditing categories for only a user or group (i.e. only observe the logons of the helpdesk group). This command works locally, so the only way to deploy it with Group Policy is to create an auditpol script and deploy that with the GPO.
Steps to configure a domain
- Install Windows Server
- Install DNS if there is not already one on the network
- Install AD DS (dcpromo.exe) to add the AD DS role and promote the server
- Promote the server to a DC, which handles authentication requests for the domain
- Run dcpromo from the Run line
- Choose “Create a new domain in a forest”
- Enter the FQDN
- Choose the Windows Server functional level