Group Policy Flashcards
Group Policy Container
Lives in AD and can be accessed through ADUC. Used to store the properties of GPOs. Contains sub-containers for users and computers.
Group Policy Template
Contains all the info and policy settings of each GPO. Lives in SYSVOL. This is where the content of the GPO itself is found.
GP Container Location
View advanced features in ADUC: System/Policies.
Check the attribute editor for the display name of the policy listed by GUID.
or
Windows Run command:
\\company.pri\sysvol\company.pri
Group Policy Object
Comprised of a Computer Configuration and a User Configuration.
GP Computer Config
Used to manage settings for the computer. Associated with the HKEY_LOCAL_MACHINE hive.
GP User Config
Settings associated with users and their profiles. HKEY_CURRENT_USER in the registry.
OU Organization
Separate OUs that contain computer objects and those that contain user objects, specialized for GP.
GPME
Group Policy Management Editor.
Group Policy Precedence
- Local
- Site
- Domain
- Organizational Unit - last writer wins. This will override anything above.
Configure a Central Store
.ADM files provided the list of possible settings (the "questions") for a GPO.
.ADMX took all of the content that was in the ADM files and put it into XML to shrink the size of the files. Reference happens through a GP central store that exists in SYSVOL. Content exists on the DC at C:\Windows\PolicyDefinitions.
ADML: human-readable language files for the ADMX files. Same location, in the en-US folder.
Copy to the domain SYSVOL in order to obtain the central store on the other DCs.
Starter GPOs
Used to create GPO templates.
Get-GPO
Gets GPO information.
Backup-GPO
Backs up one GPO.
Copy-GPO
Copies a GPO.
Get-GPOReport
Generates a report for a GPO.
Import-GPO
Imports a GPO.
Where GPOs exist
Group Policy Objects container within the GPM tree.
WMI Filters
Take characteristics of users and computers and use them as mechanisms to decide where group policy applies.
MLGPO
Multiple Local Group Policy Objects. Used for kiosk systems, extremely locked-down machines, and non-domain-joined systems. The precedence order goes as follows:
- Local GPO - local user and computer.
- Administrator vs. Non-Admin.
- Individual Users. (Last Writer Wins)
Group Policy Object Editor
Specific to the local machine group policy.
Disable the local built-in admin and replace it with a "localadmin" user.
- Create a new GPO in the appropriate OU.
- Edit it in the GPME.
- Policies/Windows Settings/Security Settings/Restricted Groups
Or use GP Preferences:
- Control Panel Settings/Local Users and Groups.
- Choose New > Local User "localadmin".
Add the IT group to Administrators
- Go to Control Panel Settings/Local Users and Groups.
- Choose New > Local Group.
- Create the new local group as "Administrators".
- Add the appropriate members.
- Select a variable to add local admins into the group, e.g. %ComputerName%\localadmin.
Grant the IT Backups group rights to perform remote backups
- Go to the GPME.
- Policies/Windows Settings/Security Settings/Local Policies/User Rights Assignment
- Add the appropriate group to "Back up files and directories".
- Add the appropriate group to "Access this computer from the network" to allow backups remotely.
Enforce a machine lock after 15 minutes of inactivity, and display user information once the session is locked
- GPME. /Policies/Windows Settings/Security Settings/Local Policies/Security Options
- Choose Interactive logon: Machine inactivity limit.
- Set the seconds parameter (15 minutes = 900 seconds).
- Then choose Interactive logon: Display user information when the session is locked.
Audit logon and account logon failure events
- GPME. /Policies/Windows Settings/Security Settings/Local Policies/Audit Policy
Configure the granular audit policies instead of the general ones listed above:
- In the same directory, go to /Advanced Audit Policy Configuration/Audit Policies/Account Logon.
- Then, in the same directory, choose /Logon/Logoff and select the failure events to report on.
Audit removable storage
- GPME. /Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Object Access/Audit Removable Storage
- Audit events on success and failure.
Make sure to force audit policy subcategory settings within Security Options under "Local Policies" in the GPME, otherwise the granular subcategory settings are ignored.
Enforce UAC for admins and the remote OTS elevation prompt (access denied for non-admins)
- GPME. /Policies/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
- Choose Prompt for consent on the secure desktop.
- Go to /User Account Control: Behavior of the elevation prompt for standard users.
- Choose Automatically deny elevation requests.
Disable UAC for software installations.
- GPME. /Policies/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Detect application installations and prompt for elevation (set to Disabled).
Get Audit Policy in CLI
auditpol /get /category:*
Configure Security Templates
Export the security policy into an .inf file. The file can be imported on a machine that doesn't have AD. Open an MMC and add the "Security Templates" and "Security Configuration and Analysis" snap-ins. View the contents of the .inf file you created. Open the template in a database. Then analyze the computer against the template.
Blacklisting
Anti-malware approach: "I don't want this code to execute on my systems." Requires constant updating.
Whitelisting
Identify what is allowed to run; everything else is blocked.
SRP
Software Restriction Policies.
- Introduced with Windows Server 2003.
- Supported on all OS versions.
- Scoped to all users.
- File hash, path, certificate, registry path, and Internet zone rules.
- Blacklisting and whitelisting.
- Always enforcing.
AppLocker
- Introduced with Windows 7/2008 R2.
- Requires Windows 7/8 Enterprise or Windows Server Standard/Enterprise/Datacenter.
- Scoped to specific users or groups.
- File hash, path, and publisher rules.
- Whitelisting only.
- Enforcing or audit-only.
SRP Location
GPME. /Policies/Windows Settings/Security Settings/Software Restriction Policies
Define Security Levels: "Disallowed", "Basic User", "Unrestricted".
Identify Additional Rules.
Certificate Rule in Defining SRP
Allows you to identify the certificate that is used to sign the app or EXE.
Fairly unlikely you would have the cert that "Intuit" would use for their app.
Hash Rule for Defining SRP
Provides a mechanism to digitally hash the file; the hash (a long string of numbers) corresponds to the code in the file.
A hash rule can be nice if you know every EXE that is going to run.
Path Rule for Defining SRP
You identify a path, and any content in that location is allowed to run. Any EXE in the folder can run.
A user could just add files to that location, which could create other problems.
Network Zone Rule for defining SRP
In IE you can define network zones, and you can determine which zone to classify. For example: 'Internet', 'Local Computer', 'Local Intranet', 'Restricted Sites', 'Trusted Sites'.
AppLocker Policies
GPME. /Policies/Windows Settings/Security Settings/Application Control Policies/AppLocker
- Executable rules
- Windows Installer rules
- Script rules
- Packaged app rules
Enforce or audit only.
Auto Create Applocker Rules
Right-click on a rule collection. Click Automatically Generate Rules. Choose the directory to scan for executable files. Then choose publisher rules for files that are digitally signed.
Deploy AppLocker
Enable the Application Identity service. Add the GPO to the appropriate OU. Then link it to the OU of the test machines.