GROUP POLICY
An overview of Microsoft Windows Group Policy
Slide 2
MY CREDENTIALS
B.S. Computer Science
M.S. Information Technology (2012)
Certified Information Systems Security Professional (CISSP)
Network Admin at BCG, early NT 3.51 and 4.0 days
Network Admin and Instructor at Hilbert College
  Transition from NT4 to 2000
  Accounts and Profiles for all students (GPO based)
  Taught Networking, Databases, Programming in the Computer Security program there
An admin's perspective, who learned it on the job
Slide 3
WHAT IS GROUP POLICY
Microsoft NT technology
  Other NOSs have their own versions
Centralized management of clients
  Security management
  Application management
  Profile management
Can be pushed from the domain
Can be modified locally for individual clients
  Local policy objects are not as in depth
  Can be pushed as part of disc imaging
Slide 4
WHAT CAN IT DO FOR ME
Manage security
  Firewall and networking
  OS configuration restrictions
Reduce workstation downtime
  Can restrict users from modifying potentially damaging settings
Manage applications
  Whitelist available applications
  Control which applications are visible
Roaming profiles
  Centralized data storage
  Full or partial
Slide 5
NOT A SILVER BULLET
Only as effective as the information security policies it is enforcing
Needs to be a part of security in depth
Can be complex to implement and manage
Improper management can interfere with business goals
Easy to lock down a machine tighter than it needs to be
Applications typically use voluntary enforcement
  Possible to modify or interfere with an application reading its policy
Slide 6
WHAT DO I NEED TO USE IT
Domain Based Policy
  Active Directory domain
  Install Group Policy Management Objects
  Server roles vary by OS version
  Can be managed using remote administration tools from Vista (2003 domains) or Windows 7 (2008 domains)
Local Policy
  Windows NT based OSs
  No domain needed
  Easily configured on XP and above
  Can be used in conjunction with domain policies
  Configured locally on the target client
Slide 7
MANAGEMENT TOOLS
Group Policy Management Console (GPMC)
  Suite of tools in 2003
  Unified tool in 2008
Cmdlets
  PowerShell extensions that allow scripting
Local Policy Editor
  Pre-Win 7: one user policy for all users
Gpupdate
  Forces update of policy on machines (XP and later)
Slide 8
WHAT IS A GPO?
Collection of settings that can be used in a Group Policy
Most modify registry settings
Can also be processed by extending applications
Can be applied to users or computers
Can be inherited
Can be linked to multiple policies
Slide 9
POLICY OBJECT TYPES
Computer Policy
  Applies based on the computer account
  Useful to configure settings on a specific workstation
  Same for all users on that machine
  Example: remove Start menu on a public machine
User Policy
  Applies based on the logged-in user account
  Settings travel with the user
  Roaming Profiles go here
  Example: password policy
Slide 10
HOW IT WORKS
Machine boots up
  Machine policy downloaded and applied
User logs in
  User policy downloaded and applied
Settings may be cached
  Refreshed every 90 +/- 30 min for clients
  gpupdate to refresh immediately
Slide 11
APPLYING MULTIPLE POLICIES
Local Group Policy objects - computer's local policy (accessed by running gpedit.msc)
Site - group policies that are applied to the AD site
  Lowest link order processed last, overrides higher links
Domain - group policies specified for the AD domain
  Lowest link order processed last, overrides higher links
Organizational Unit - policies for user or computer OUs
  Lowest link order processed last, overrides higher links
Inheritance - inheritance can be blocked or enforced to control what policies apply
Use GPMC to see what will actually be applied
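As an added example (not code from the deck), a small Python model of the precedence rules on this slide: Local, Site, Domain, OU processing order, link order within a container, Block Inheritance and Enforced links. The container names, GPO names and settings are constructed for the illustration; GPMC remains the authority on what a real client applies.

```python
"""Precedence model for the slide's rules: LSDOU processing order, link order,
Block Inheritance and Enforced.  Added illustration, not Microsoft's engine."""
from dataclasses import dataclass, field
@dataclass
class Link:
    gpo: str                 # GPO display name
    order: int               # link order: 1 is processed last, so it wins
    enforced: bool = False   # Enforced link: ignores blocking, applied last
@dataclass
class Container:             # "Local", a site, the domain or an OU
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False
def processing_order(chain):
    """GPO names in the order the client applies them (later wins); `chain`
    is [Local, Site, Domain, OU, sub-OU, ...] for the target object."""
    normal, enforced = [], []
    # Non-enforced links above the deepest Block Inheritance are dropped; the
    # local GPO is always processed.
    blocked = max((i for i, c in enumerate(chain) if c.block_inheritance), default=-1)
    for depth, c in enumerate(chain):
        # higher link-order numbers are processed first, link order 1 last
        for link in sorted(c.links, key=lambda l: l.order, reverse=True):
            if link.enforced:
                enforced.append((depth, link))
            elif depth == 0 or depth >= blocked:
                normal.append(link.gpo)
    # Enforced links go last, root-most last of all: enforced domain beats enforced OU.
    enforced.sort(key=lambda dl: (-dl[0], -dl[1].order))
    return normal + [link.gpo for _, link in enforced]
def effective_settings(chain, settings):
    result = {}                            # `settings` maps GPO name to its values
    for gpo in processing_order(chain):
        result.update(settings[gpo])       # later GPOs overwrite earlier ones
    return result
# Constructed data: the Labs OU blocks inheritance, but an Enforced domain link
# still reaches it and overrides the OU's own screen-saver timeout.
CHAIN = [
    Container("Local", [Link("Local GPO", 1)]),
    Container("Buffalo", []),
    Container("corp.example", [Link("Default Domain Policy", 1),
                               Link("Domain Screensaver", 2, enforced=True)]),
    Container("Labs", [Link("Lab Lockdown", 1), Link("Lab Baseline", 2)], True),
]
SETTINGS = {
    "Local GPO": {"Wallpaper": "local.bmp"},
    "Default Domain Policy": {"ProxyServer": "proxy.corp.example"},
    "Domain Screensaver": {"ScreenSaverTimeout": 600},
    "Lab Lockdown": {"Wallpaper": "lab.bmp", "ScreenSaverTimeout": 300},
    "Lab Baseline": {"Wallpaper": "baseline.bmp", "RemoveRun": 1},
}
```

Running `effective_settings(CHAIN, SETTINGS)` shows the blocked domain proxy setting missing, the OU's link order 1 wallpaper winning, and the enforced domain timeout overriding the OU's value.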
Slide 12
TYPICAL POLICY COMPONENTS
Administrative Templates
Security Settings
IP Security Policy
Software Restriction Policies
Wireless Network Policies
Public Key Policies
Software Installation
Remote Installation Services
Scripts
Internet Explorer Maintenance
Folder Redirection
Disk Quotas
QoS Packet Scheduler
Custom Registry Modifications
Slide 13
CREATING A POLICY
Demonstration
Slide 14
ROAMING PROFILES
Can redirect some or all user data
Can redirect different sections to different locations
Administrators do not have access to redirected profiles (by default)
Allows for centralized backup
User is no longer dependent on a specific machine for user data
Typically redirected profile folders: My Documents, Application Data, Desktop, Start Menu
Folder Redirection is under User Settings, Windows Settings
Slide 15
TIPS AND TRICKS
Lock down Regedit
Be extremely careful when applying policy to admins and domain controllers
Calculate space requirements before trying to redirect folders
  Consider implementing quotas
Gpanswers.com
Learn to use MSDN and TechNet
Set up a lab environment and play
Slide 16
GETTING STARTED WITH COMMON DEPLOYMENT SCENARIOS
Lightly Managed
Mobile
Multi-User
App Station
Task Station
Kiosk
GPOs for these can be obtained from: Implementing Common Desktop Management Scenarios with the Group Policy Management Console
http://technet.microsoft.com/en-us/library/cc758350(WS.10).aspx
Slide 17
LIGHTLY MANAGED
Power users and developers
Is the least managed of all of the scenarios.
Allows users to customize most settings that affect them but prevents them from making harmful system changes.
Includes settings that reduce help desk costs and user downtime.
Full Roaming Profiles with local caching speeds up login/logout
Core set of applications which are always available.
Users can also install applications
Slide 18
MOBILE
Laptop and mobile user
Supports the disconnected user who frequently needs to work offline
Does not require a high speed link
Offline files
  Partial roaming to support offline files
Allows users to disconnect from the network without logging off or shutting down.
Slide 19
MULTI-USER
Computer laboratory or library
Allows basic customization of the desktop environment.
  Allows screen saver, background, etc. but no hardware or OS configuration
Full Roaming Profiles with no caching to protect privacy
Restricted write access to the local computer
  Can only write data to their own profile
Highly secure.
Slide 20
APP AND TASK STATION
Highly restricted configurations with only a few applications.
Vertical applications such as marketing, claims, and customer-service scenarios.
Allows minimal customization by the user.
Allows users to access a small number of applications appropriate to their job role.
Does not allow users to add or remove applications.
Full Roaming Profiles with caching
Provides a simplified desktop and Start menu.
Restricted write access to the local computer
  Can only write data to their user profile and to redirected folders.
Is highly secure.
Task Station
  Only one app available and no Start menu
Slide 21
KIOSK
Unattended machine in a public area, highly secure
Is a public workstation.
Runs only one application.
Uses only one user account and automatically logs on.
The system automatically resets to a default state at the start of each session.
Runs unattended.
Is highly secure.
Does not allow users to make changes to the default user or system settings.
Does not save data to the disk.
Is always on (no log off or shutdown).