MCP
Section A Implementing Group Policy
1. Describe the components of Group Policy.
Group Policy settings are configuration settings that allow administrators to enforce settings by modifying the computer-specific and user-specific registry settings on domain-based computers. You can group together Group Policy settings to make GPOs, which you can then apply to security principals (users, groups or computers).
GPOs
A GPO is an object that contains one or more policy settings that apply configuration settings for users, computers, or both. GPOs are stored in SYSVOL, and can be managed by using the Group Policy Management Console (GPMC). Within the GPMC, you can open and edit a GPO by using the Group Policy Management Editor. GPOs are logically linked to Active Directory containers to apply settings to the objects in those containers.
Group Policy Settings
A Group Policy setting is the most granular component of Group Policy. It defines a specific configuration change to apply to an object (a computer or a user, or both) within Active Directory Domain Services (AD DS). Group Policy has thousands of configurable settings. These settings can affect nearly every area of the computing environment. Not all settings can be applied to all older versions of Windows Server and Windows operating systems. Each new version introduces new settings and capabilities that only apply to that specific version. If a computer has a Group Policy setting applied that it cannot process, it simply ignores it. Most policy settings have three states:
Not Configured. The GPO will not modify the existing configuration of the particular setting for the user or computer.
Enabled. The policy setting will be applied.
Disabled. The policy setting is specifically reversed.
By default, most settings are set to Not Configured. The effect of the configuration change depends on the policy setting. For example, if you enable the Prohibit Access to Control Panel policy setting, users will be unable to open Control Panel. If you disable the policy setting, you ensure that users can open Control Panel. Notice the double negative in this policy setting: you disable a policy that prevents an action, thereby allowing the action.
Group Policy Settings Structure
There are two distinct areas of Group Policy settings:
User settings. These are settings that modify the HKEY_CURRENT_USER hive of the registry.
Computer settings. These are settings that modify the HKEY_LOCAL_MACHINE hive of the registry.
User and computer settings each have three areas of configuration, as described in the following table.
Group Policy Management Editor
The Group Policy Management Editor displays the individual Group Policy settings that are available in a GPO. These are displayed in an organized hierarchy that begins with the division between computer settings and user settings, and then expands to show the Computer Configuration node and the User Configuration node. The Group Policy Management Editor is where all Group Policy settings and preferences are configured.
2. Describe multiple local GPOs.
In Windows operating systems prior to Windows Vista, there was only one available user configuration in the local Group Policy. That configuration was applied to all users who logged on from that local computer. This is still true, but Windows Vista and newer Windows client operating systems, and Windows Server 2008 and newer Windows Server operating systems, have an added feature: multiple local GPOs.
In Windows 8 and Windows Server 2012, you can also now have different user settings for different local users, but this is only available for the user configurations that are in Group Policy. In fact, there is only one set of computer configurations available in Windows 8 and Windows Server 2012, and it affects all users of the computer. Windows 8 and Windows Server 2012 provide this ability with the following three layers of local GPOs:
Local Group Policy (contains the computer configuration settings)
Administrator and Non-Administrator Group Policy
User-specific Local Group Policy
How the Layers Are Processed
The layers of local GPOs are processed in the following order:
1. Local Group Policy
2. Administrators and Non-Administrators Group Policy
3. User-specific Local Group Policy
With the exception of the categories of Administrator or Non-Administrator, it is not possible to apply local GPOs to groups, but only to individual local user accounts. Domain users are subject to the local Group Policy, or the Administrator or Non-Administrator settings, as appropriate.
3. Describe storage options for domain GPOs.
Group Policy settings are presented as GPOs in the GPMC, but a GPO is actually two components: a Group Policy template, and a Group Policy container.
Group Policy Template
Group Policy templates are the actual collection of settings that you can change. Group Policy templates are stored in the %SystemRoot%\PolicyDefinitions folder. Windows Server 2012 contains Group Policy templates with thousands of configurable settings. When you create a new Group Policy, the Group Policy Management Editor presents the templates in a new GPO. When you edit and save the GPO, a new Group Policy container is created.
Group Policy Container
The Group Policy container is an Active Directory object that is stored in the Active Directory database. Each Group Policy container includes a globally unique identifier (GUID) attribute that uniquely identifies the object within AD DS. The Group Policy container defines basic attributes of the GPO such as links and version numbers, but it does not contain any of the settings. Instead, the settings are contained in the Group Policy template, which is a collection of files stored in the SYSVOL of each domain controller.
SYSVOL is located in the %SystemRoot%\SYSVOL\Domain\Policies\GPOGUID path, where GPOGUID is the GUID of the Group Policy container. When you make changes to the settings of a GPO, the changes are saved to the Group Policy template of the server from which the GPO was opened. By default, when Group Policy refresh occurs, the Group Policy client-side extensions (CSEs) apply settings in a GPO only if the GPO has been updated.
The Group Policy Client can identify an updated GPO by its version number. Each GPO has a version number that is incremented each time a change is made. The version number is stored as an attribute of the Group Policy container, and in a text file, GPT.ini, in the Group Policy Template folder. The Group Policy Client knows the version number of each GPO that it has previously applied. If, during Group Policy refresh, the Group Policy Client discovers that the version number of the Group Policy container has been changed, the CSEs will be informed that the GPO is updated.
When editing a Group Policy, the version on the computer that has the primary domain controller (PDC) emulator Flexible Single Master Operations (FSMO) role is the version being edited. It does not matter what computer you are using to perform the editing; the GPMC is focused on the PDC emulator by default. It is possible to change the focus of the GPMC to edit a version on a different domain controller.
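The container version in AD and the template version in GPT.ini are meant to agree; the following added PowerShell example (not part of the original notes) compares the two for every GPO so that replication lag between the PDC emulator and other domain controllers can be spotted. It assumes the GroupPolicy RSAT module and a domain-joined session, and reads the domain name from the environment.

```powershell
# Added example (not part of the original notes): compare the version that the
# Group Policy container holds in AD with the version written to GPT.ini in
# SYSVOL for every GPO in the domain. A mismatch usually means AD or SYSVOL
# replication has not caught up, so a client may see an updated container but
# pull a stale template. Assumes the GroupPolicy RSAT module and a domain-joined
# session; the domain name is read from the environment.
Import-Module GroupPolicy

function Split-GptVersion {
    # GPT.ini stores a single DWORD: user version in the high 16 bits,
    # computer version in the low 16 bits.
    param([uint32]$Version)
    [pscustomobject]@{
        User     = ($Version -shr 16) -band 0xFFFF
        Computer = $Version -band 0xFFFF
    }
}

function Test-GpoVersionSync {
    param([string]$Domain = $env:USERDNSDOMAIN)
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # Same folder the notes describe under %SystemRoot%\SYSVOL, reached via the share.
        $gptIni = "\\$Domain\SYSVOL\$Domain\Policies\{$($gpo.Id)}\GPT.ini"
        $ini = $null
        if (Test-Path $gptIni) {
            $m = Select-String -Path $gptIni -Pattern '^Version=(\d+)' | Select-Object -First 1
            if ($m) { $ini = Split-GptVersion -Version ([uint32]$m.Matches[0].Groups[1].Value) }
        }
        [pscustomobject]@{
            Name           = $gpo.DisplayName
            Id             = $gpo.Id
            AdComputerVer  = $gpo.Computer.DSVersion
            AdUserVer      = $gpo.User.DSVersion
            IniComputerVer = $(if ($ini) { $ini.Computer } else { $null })
            IniUserVer     = $(if ($ini) { $ini.User } else { $null })
            InSync         = ($null -ne $ini) -and
                             ($ini.Computer -eq $gpo.Computer.DSVersion) -and
                             ($ini.User -eq $gpo.User.DSVersion)
        }
    }
}

# List only the GPOs whose container and template versions disagree.
Test-GpoVersionSync | Where-Object { -not $_.InSync } | Format-Table -AutoSize
```

A GPO that stays out of sync after the replication interval is worth investigating before its settings are trusted on clients.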
4. Describe the Group Policy processing order.
GPOs are not applied simultaneously; rather, they are applied in a logical order. GPOs that are applied later in the process of applying GPOs overwrite any conflicting policy settings that were applied earlier. GPOs are applied in the following order:
1. Local GPOs. Each operating system that is running Windows 2000 or newer potentially already has a local Group Policy configured.
2. Site GPOs. Policies that are linked to sites are processed next.
3. Domain GPOs. Policies that are linked to the domain are processed next. There are often multiple policies at the domain level. These policies are processed in order of preference.
4. OU GPOs. Policies linked to OUs are processed next. These policies contain settings that are unique to the objects in that OU. For example, the Sales users might have special required settings. You can link a policy to the Sales OU to deliver those settings.
5. Child OU policies. Any policies that are linked to child OUs are processed last. Objects in the containers receive the cumulative effect of all policies in their processing order.
In the case of a conflict between settings, the last policy applied takes effect. For example, a domain-level policy might restrict access to registry editing tools, but you could configure an OU-level policy and link it to the IT OU to reverse that policy. Because the OU-level policy is applied later in the process, access to registry tools would be available.
5. Describe a GPO link.
Once you have created a GPO and defined all the settings that you want it to deliver, the next step is to link the policy to an Active Directory container. A GPO link is the logical connection of the policy to a container. You can link a single GPO to multiple containers by using the GPMC. You can link GPOs to the following types of containers:
Sites
Domains
OUs
Once a GPO is linked to a container, by default the policy is applied to all the objects in the container, and subsequently all the child containers under that parent object. This is because the default permissions of the GPO are such that Authenticated Users have Read and Apply Group Policy permission. You can modify this behavior by managing permissions on the GPO.
You can disable links to containers, which removes the configuration settings. You can also delete links. Deleting links does not delete the actual GPO, only the logical connection to the container. GPOs cannot be linked directly to users, groups, or computers. In addition, GPOs cannot be linked to the system containers in AD DS, including Builtin, Computers, Users, or Managed Service Accounts. The AD DS system containers receive Group Policy settings from GPOs that are linked to the domain level only.
6. Describe the Central Store.
If your organization has multiple administration workstations, there could be potential issues when editing GPOs. If you do not have a Central Store in which to contain the template files, then the workstation you are editing from will use the .admx (ADMX) and .adml (ADML) files that are stored in the local PolicyDefinitions folder. If different administration workstations have different operating systems or are at different service pack levels, there might be differences in the ADMX and ADML files. For example, the ADMX and ADML files that are stored on a Windows 7 workstation with no service pack installed might not be the same as the files that are stored on a Windows Server 2012 domain controller.
The Central Store addresses this issue. The Central Store provides a single point from which administration workstations can download the same ADMX and ADML files when editing a GPO. The Central Store is detected automatically by Windows operating systems that are the Windows Vista version or newer, and Windows Server 2008 operating systems.
As such, the local workstation that the administrator uses to perform administration always checks to see if a Central Store exists before loading the local ADMX and ADML files in the Group Policy Object Editor. When the local workstation detects a Central Store, it then downloads the template files from there. In this way, there is a consistent administration experience among multiple workstations.
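The detection check and the manual provisioning of the Central Store, as an added PowerShell example that is not part of the original notes. It assumes it runs on a writable domain controller as a domain administrator, that the display language is en-US, and that the domain name is available from the environment.

```powershell
# Added example (not part of the original notes): create the Central Store on a
# domain controller, copy the local ADMX/ADML files into it, and then report
# what a management workstation will detect. Assumes a writable DC, a domain
# administrator session and the en-US language folder.
$Domain  = $env:USERDNSDOMAIN
$Source  = Join-Path $env:SystemRoot 'PolicyDefinitions'
$Central = "$env:SystemRoot\SYSVOL\sysvol\$Domain\Policies\PolicyDefinitions"

function New-CentralStore {
    param([string]$Source, [string]$Destination, [string]$Language = 'en-US')
    # Create the store and its language subfolder if they do not already exist.
    New-Item -ItemType Directory -Path (Join-Path $Destination $Language) -Force | Out-Null
    # ADMX files live in the root of PolicyDefinitions ...
    Copy-Item -Path (Join-Path $Source '*.admx') -Destination $Destination -Force
    # ... and the matching ADML files sit in the language-specific subfolder.
    Copy-Item -Path (Join-Path $Source "$Language\*.adml") `
              -Destination (Join-Path $Destination $Language) -Force
}

function Test-CentralStore {
    # Report whether the store exists and whether every ADMX has an ADML
    # companion for the language; a missing ADML makes the editor show raw
    # setting names instead of display strings.
    param([string]$Path, [string]$Language = 'en-US')
    if (-not (Test-Path $Path)) {
        return [pscustomobject]@{ Exists = $false; Admx = 0; Adml = 0; MissingAdml = @() }
    }
    $admx = @(Get-ChildItem -Path $Path -Filter *.admx -File)
    $adml = @(Get-ChildItem -Path (Join-Path $Path $Language) -Filter *.adml -File `
              -ErrorAction SilentlyContinue)
    $admlNames = $adml | ForEach-Object { $_.BaseName }
    [pscustomobject]@{
        Exists      = $true
        Admx        = $admx.Count
        Adml        = $adml.Count
        MissingAdml = @($admx | Where-Object { $admlNames -notcontains $_.BaseName } |
                        ForEach-Object { $_.Name })
    }
}

New-CentralStore -Source $Source -Destination $Central
Test-CentralStore -Path $Central | Format-List
```

SYSVOL replication then carries the folder to the other domain controllers, so the check can be repeated from any of them to confirm the store is complete everywhere.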
You must create and provision the Central Store manually. First you must create a folder on a domain controller, name the folder PolicyDefinitions, and store the folder at C:\Windows\SYSVOL\sysvol\{DomainName}\Policies\. This folder will now be your Central Store. You must then copy all the contents of the C:\Windows\PolicyDefinitions folder to the Central Store. The ADML files in this folder are also in a language-specific folder (such as en-US).
Section B Securing Windows Server 2012 with GPO
1. Describe best practices for increasing Windows Server 2012 security.
Consider the following best practices for increasing security:
Apply all available security updates as quickly as possible following their release. You should strive to implement security updates as soon as possible to ensure that your systems are protected from known vulnerabilities. Microsoft publicly releases the details of any known vulnerabilities after an update has been released, which can lead to an increased volume of malware attempting to exploit the vulnerability. However, you must still ensure that you adequately test updates before they are applied widely within your organization.
Follow the principle of least privilege. Provide users and service accounts with the lowest permission levels required to complete their necessary tasks. This ensures that any malware using those credentials is limited in its impact. It also ensures that users are limited in their ability to accidentally delete data or modify critical operating system settings.
Restrict administrator console logon. Logging on locally at a console is a greater risk to a server than accessing data remotely. This is because some malware can only infect a computer by using a user session at the desktop. If you allow administrators to use Remote Desktop Connection for server administration, ensure that enhanced security features such as User Account Control are enabled.
Restrict physical access. If someone has physical access to your servers, that person has virtually unlimited access to the data on that server. An unauthorized person could use a wide variety of tools to quickly reset the password on local administrator accounts and allow local access, or use a USB drive to introduce malware.
2. Describe Security Compliance Manager (SCM).
The Security Compliance Manager (SCM) is a free tool from the Microsoft Solution Accelerators team that enables you to quickly configure and manage the computers in your environment and your private cloud using Group Policy and Microsoft System Center Configuration Manager.
SCM provides ready-to-deploy policies and DCM configuration packs based on Microsoft security guide recommendations and industry best practices, allowing you to easily manage configuration drift and address compliance requirements for Windows operating systems, Office applications, and other Microsoft applications.
Now you can easily configure computers running Windows Server 2012, Windows 8, Microsoft Office applications, and Windows Internet Explorer 10 with industry-leading knowledge and fully supported tools.
Features:
Baselines based on Microsoft security guide recommendations and industry best practices: These baselines are designed to help you manage configuration drift, address compliance requirements, and reduce security threats.
Centralized security baseline management features: These include a baseline portfolio, customization capabilities, and security baseline export flexibility to accelerate your organization's ability to efficiently manage the security and compliance process for the most widely used Microsoft technologies.
Gold master support: Import your existing Group Policy to take advantage of it, or create a snapshot of a reference machine to kick-start your project.
Standalone machine configuration: Deploy your configurations to non-domain-joined computers using the new GPO Pack feature.
Updated security guides: Take advantage of the deep security expertise and best practices in the updated security guides, and the attack surface reference workbooks, to help reduce the most important security risks for your organization.
Comparisons against industry best practices: Analyze your configurations against prebuilt baselines for the latest Windows client and server operating systems.
3. Describe the purpose of AppLocker.
AppLocker, which was introduced in the Windows 7 operating system and Windows Server 2008 R2, is a security setting feature that controls which applications users are allowed to run. AppLocker provides administrators a variety of methods for determining quickly and concisely the identity of applications that they may want to restrict, or to which they may want to permit access.
You apply AppLocker through Group Policy to computer objects within an OU. You can also apply individual AppLocker rules to individual AD DS users or groups. AppLocker also contains options for monitoring or auditing the application of rules. AppLocker can help organizations prevent unlicensed or malicious software from executing, and can selectively restrict ActiveX controls from being installed.
It can also reduce the total cost of ownership by ensuring that workstations are standardized across the enterprise, and that users are running only the software and applications that are approved by the enterprise. Using AppLocker technology, companies can reduce administrative overhead and help administrators control how users
You can use AppLocker to restrict software that:
Is not allowed to be used in the company. For example, software that can disrupt employees' business productivity, such as social networking software, or software that streams video files or pictures that can use a large amount of network bandwidth and disk space.
Is no longer used or has been replaced with a newer version. For example, software that is no longer maintained, or for which licenses have expired.
Is no longer supported in the company. Software that is not updated with security updates might pose a security risk.
Should be used only by specific departments.
You can configure AppLocker settings by browsing in GPMC to: Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies.
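The monitoring and auditing options mentioned above are the safe way to introduce AppLocker; the following added PowerShell example (not part of the original notes) builds an executable policy from a reference folder, keeps it in AuditOnly mode, tests a file against it and reads back the audit events that show what enforcement would have blocked. The reference folder, output path, test file and the Everyone group are assumptions.

```powershell
# Added example (not part of the original notes): audit-first AppLocker rollout.
# Build publisher/hash rules from a reference installation, set the collection to
# AuditOnly so nothing is blocked yet, test a file, and read the audit log.
# Assumes the AppLocker module (Windows 7 / Server 2008 R2 and later).
Import-Module AppLocker

function New-AuditOnlyExePolicy {
    param([string]$ReferenceDir = 'C:\Program Files', [string]$OutFile)
    # Collect publisher and hash information for every EXE under the reference folder.
    $info = Get-AppLockerFileInformation -Directory $ReferenceDir -Recurse -FileType Exe
    # Prefer publisher rules (they survive updates); fall back to hash rules for unsigned files.
    $xml  = [xml](New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash `
                                      -User Everyone -Optimize -Xml)
    # AuditOnly: rules are evaluated and logged but not enforced. Merge the default
    # rules for Windows and Program Files before ever switching to Enabled.
    foreach ($rc in $xml.AppLockerPolicy.RuleCollection) {
        $rc.SetAttribute('EnforcementMode', 'AuditOnly')
    }
    $xml.Save($OutFile)
    $OutFile
}

function Test-ExeAgainstPolicy {
    # Shows which rule (if any) matches each file and the resulting decision.
    param([string]$PolicyFile, [string[]]$Path)
    Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $Path |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

function Get-AppLockerAuditEvents {
    # Event 8003 is raised in AuditOnly mode for files that would have been blocked.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

$policy = New-AuditOnlyExePolicy -OutFile "$env:TEMP\AppLocker-Audit.xml"
Test-ExeAgainstPolicy -PolicyFile $policy -Path "$env:SystemRoot\notepad.exe"
# Pilot locally; for the domain, import the same XML into the GPO under
# Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies.
Set-AppLockerPolicy -XmlPolicy $policy
Get-AppLockerAuditEvents | Select-Object -First 10
```

Review the 8003 events over a representative period and add rules for legitimate software that appears there before changing the collection to Enabled.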
4. Describe Firewall Profiles.
Windows Firewall with Advanced Security uses firewall profiles to provide a consistent configuration for networks of a specific type, and allows you to define a network as either a domain network, a public network, or a private network. With Windows Firewall with Advanced Security, you can define a configuration set for each type of network; each configuration set is referred to as a firewall profile. Firewall rules are activated only for specific firewall profiles. Windows Firewall with Advanced Security includes the profiles in the following table.
Windows Server 2012 allows multiple firewall profiles to be active on a server simultaneously. This means that a multihomed server that is connected to both the internal network and the perimeter network can apply the domain firewall profile to the internal network, and the public or private firewall profile to the perimeter network.
5. Describe connection security rules.
A connection security rule forces authentication between two peer computers before they can establish a connection and transmit secure information. They also secure that traffic by encrypting the data that is transmitted between computers. Windows Firewall with Advanced Security uses IPsec to enforce these rules. The configurable connection security rules are:
Isolation. An isolation rule isolates computers by restricting connections that are based on credentials such as domain membership or health status. Isolation rules allow you to implement an isolation strategy for servers or domains.
Authentication Exemption. You can use an authentication exemption to designate connections that do not require authentication. You can designate computers by a specific IP address, an IP address range, a subnet, or a predefined group such as a gateway.
Server-to-Server. A server-to-server rule protects connections between specific computers. This type of rule usually protects connections between servers. When creating the rule, specify the network endpoints between which communications are protected. Then designate requirements and the authentication that you want to use.
Tunnel. With a tunnel rule, you can protect connections between gateway computers. Typically, you would use a tunnel rule when connecting across the Internet between two security gateways.
Custom. Use a custom rule to authenticate connections between two endpoints when you cannot set up the authentication rules that you need by using the other rules available in the New Connection Security Rule Wizard.
How Firewall Rules and Connection Security Rules Work Together
Firewall rules allow traffic through the firewall, but do not secure that traffic. To secure traffic with IPsec, you can create connection security rules. However, connection security rules do not allow traffic through a firewall. You must create a firewall rule to do this. Connection security rules are not applied to programs and services; instead, they are applied between the computers that make up the two endpoints.
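The division of labour described in sections 4 and 5 (profiles decide which rules are active, a connection security rule authenticates the peers, and a separate firewall rule admits the traffic) as an added PowerShell example using the NetSecurity cmdlets on Windows Server 2012. It is not part of the original notes; the rule names, the SMB port and the logging path are constructed for illustration.

```powershell
# Added example (not part of the original notes): firewall profiles, an
# isolation connection security rule and the firewall rule that admits only
# the traffic that rule has authenticated. Names and ports are illustrative.
Import-Module NetSecurity

function Set-BaselineProfiles {
    # Firewall profiles: all three enabled, inbound blocked by default, and
    # dropped inbound packets logged so blocked attempts are visible later.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow `
        -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'
}

function New-IsolationRule {
    # Connection security rule (isolation): inbound peers on the domain network
    # must authenticate with IPsec; outbound we only request it so the server
    # can still reach hosts that do not speak IPsec. Phase1AuthSet is omitted,
    # so the default authentication set (computer Kerberos) applies.
    param([string]$Name = 'Domain Isolation (example)')
    New-NetIPsecRule -DisplayName $Name -Profile Domain -Mode Transport `
        -InboundSecurity Require -OutboundSecurity Request
}

function New-AuthenticatedSmbRule {
    # Firewall rule: the connection security rule alone opens nothing. This
    # allow rule is bound to the Domain profile and, with -Authentication
    # Required, matches only connections IPsec has already authenticated;
    # unauthenticated SMB still falls through to the Block default.
    param([string]$Name = 'SMB inbound, IPsec-authenticated (example)')
    New-NetFirewallRule -DisplayName $Name -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 445 -Profile Domain `
        -Authentication Required -Encryption Required
}

function Get-ActiveProfileSummary {
    # On a multihomed server each adapter can sit in a different profile, so
    # show which category each interface was assigned and which allow rules apply.
    Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Select-Object DisplayName, Profile
}

Set-BaselineProfiles
New-IsolationRule | Out-Null
New-AuthenticatedSmbRule | Out-Null
Get-ActiveProfileSummary
```

If the same configuration is to reach many servers, the same cmdlets accept -PolicyStore with a GPO name so the rules are written into Group Policy rather than the local store.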