Module 7: Implementing Security Using Group Policies

1

• Module 7 Implementing Security Using Group
  Policies

2
Module Overview

• Configuring Security Policies
• Implementing Fine-Grained Password Policies
• Restricting Group Membership and Access to
  Software
• Managing Security Using Security Templates

3
Lesson 1 Configuring Security Policies

• What Are Security Policies?
• What Is the Default Domain Security Policy?
• What Are the Account Policies?
• What Are Local Policies?
• What Are Network Security Policies?
• What Is Windows Firewall With Advanced Security?
• Demonstration Overview of Additional Security
  Settings
• Demonstration What Is the Default Domain
  Controller Security Policy?

4
What Are Security Policies?
5
What Is the Default Domain Security Policy?

• Provides account policies for the domain other
  settings are not configured by default
• Use to provide security settings that will affect
  the entire domain
• Use domain policy to provide security settings,
  as a best practice. Use separate GPOs to provide
  other types of settings

Account and security settings
Default domain policy
6
What Are the Account Policies?
Account policies mitigates the threat of brute
force guessing of account passwords
7
What Are Local Policies?
Local Policies determine the security options
for a user or service account
Every computer running Windows 2000 and later
has a local security policy that is part of
local Group Policy
ü
In a workgroup, you must configure local
security policies to provide security
ü
Domain policy will override local policies in
cases of conflict
ü
You can assign local rights through local Group
Policies
ü
Security options control many different aspects
of a computers security
ü
8
What Are Network Security Policies?
Define the available networks and authentication
methods for wireless connections for Windows
Vista and Windows XP clients, and LAN
authentication for Windows Vista and Windows
Server 2008 clients
Separate wireless policies for Windows XP and
Windows Vista
ü
Windows Vista policies contain more options for
wireless
ü
Windows Vista wireless policies can deny access
to wireless networks
ü
802.1x authentication can be configured via Group
Policy
ü
Only Vista and later can receive wired network
policies
ü
GPO
Wired
Windows Vista
Wireless
Windows XP
Wireless only
9
What Is Windows Firewall With Advanced Security?
A stateful host-based firewall that allows or
blocks network traffic according to its
configuration
Supports filtering for both incoming and
outgoing traffic
ü
Used for advanced settings configuration
ü
Provides integrated firewall filtering and IPsec
protection settings
ü
Allows rule configuration for various criteria,
such as users, groups, and TCP and UDP ports
ü
Provides network location-aware profiles
ü
Can import or export policies
ü
Windows Server 2008
Internet
Firewall rules control inbound and outbound
traffic
LAN
Firewall
10
Demonstration Overview of Additional Security
Settings

• In this demonstration, you will see how to
  configure additional security settings

11
Demonstration What Is the Default Domain
Controller Security Policy?
Provides an extra layer of security for domain
controllers
ü
Provides enabled auditing
ü
Allows many user rights to be configured
ü

• In this demonstration, you will see the default
  domain controller policy settings

12
Lesson 2 Implementing Fine-Grained Password
Policies

• What Are Fine-Grained Password Policies?
• How Fine-Grained Password Policies Are
  Implemented
• Implementing Fine-Grained Password Policies
• Demonstration Implementing Fine-Grained Password
  Policies

13
What Are Fine-Grained Password Policies?
Fine grained password allow multiple password
policies to exist in the same domain
Password changes 7 days
Administrator group
Password changes 14 days
Password changes 30 days
Manager group
End user group
14
How Fine-Grained Password Policies Are
Implemented
Considerations when implementing PSOs
Password Settings Container and Password
Setting Objects are new schema object classes
ü
PSOs can be created through ADSI Edit or LDIFDE
ü
PSOs can only be applied to users or global
groups
ü
A PSO has the following settings available

• Password policies
• Account lockout policies
• PSO Link
• Precedence

15
Implementing Fine-Grained Password Policies

• Shadow groups can be used to apply a PSO to all
  users that do not already share a global group
  membership
• A user or group could have multiple PSOs linked
  to them
• The precedence attribute is used to resolve
  conflicts
• Lower precedence values have higher priority
• PSOs linked directly to user objects override
  PSOs linked to a users global groups
• If there are no PSOs, normal domain account
  policies apply

16
Demonstration Implementing Fine-Grained Password
Policies

• In this demonstration, you will see how to create
  and apply PSOs

17
Lesson 3 Restricting Group Membership and Access
to Software

• What Is Restricted Group Membership?
• Demonstration Configuring Restricted Group
  Membership
• What Is a Software Restriction Policy?
• Options for Configuring Software Restriction
  Policies
• Demonstration Configuring Software Restriction
  Policies

18
What Is Restricted Group Membership?
Group Policy can control group membership

• For any group on a local computer by applying a
  GPO to the OU that holds the computer account
• For any group in Active Directory by applying a
  GPO to the domain controller

19
Demonstration Configuring Restricted Group
Membership

• In this demonstration, you will see how to
  configure restricted groups

20
What Is a Software Restriction Policy?

• A policy-driven mechanism that identifies and
  controls software on a client computer
• A mechanism restricting software installation and
  viruses
• A component with two parts
• A default rule with three options Unrestricted,
  Basic, and Disallowed
• Exceptions to the default rule

21
Options for Configuring Software Restriction
Policies

• Certificate Rule
• Checks for digital signature on application
• Use when you want to restrict Win32 applications
  and ActiveX content

• Hash Rule
• Use to employ MD5 or SHA1 hash of a file to
  confirm identity
• Use to allow or prohibit a certain version of a
  file from being run

• Internet Zone Rule
• Controls how Internet Zones can be accessed
• Use in high-security environments to control
  access to Web applications

• Path Rule
• Use when restricting the path of a file
• Use when multiple files exist for the same
  application
• Essential when SRPs are strict

22
Demonstration Configuring Software Restriction
Policies

• In this demonstration, you will see how to
  configure a software restriction policy

23
Lesson 4Managing Security Using Security
Templates

• What Are Security Templates?
• Demonstration Applying Security Templates
• What Is the Security Configuration Wizard?
• Demonstration Configuring Server Security Using
  the Security Configuration Wizard
• Options for Integrating the Security
  Configuration Wizard and Security Templates
• Demonstration Importing Security Configuration
  Policies into Security Templates

24
What Are Security Templates?
Security templates
Allow administrators to apply consistent
security settings to multiple computers
ü
Can be designed based on server roles
ü
Can be applied via Group Policy
ü
25
Demonstration Applying Security Templates

• In this demonstration, you will see how to create
  a security template and import it into a GPO

26
What Is the Security Configuration Wizard
SCW provides guided attack surface reduction by
SCW supports

• Rollback
• Analysis
• Remote configuration
• Command-line support
• Active Directory integration
• Policy editing

• Disabling unnecessary services and IIS Web
  extensions
• Blocking unused ports and secure ports that are
  left open using IPSec
• Reducing protocol exposure
• Configuring audit settings

27
Demonstration Configuring Server Security Using
the Security Configuration Wizard

• In this demonstration, you will see how to create
  a security policy using the SCW

28
Options for Integrating the Security
Configuration Wizard and Security Templates
Options

• Policies created with the SCW can be applied
  individually
• Other Security templates can be incorporated into
  the SCW

Scwcmd.exe command-line utility can be used to
convert the XML policy into a GPO
29
Demonstration Importing Security Configuration
Policies into Security Templates

• In this demonstration, you will see how to
  transform the XML policy file into a GPO

30
Lab Implementing Security by Using Group
Policies

• Exercise 1 Configuring Domain Security Settings
• Exercise 2 Implementing Fine-Grained Password
  Policies
• Exercise 3 Configuring Restricted Groups and
  Software Restriction Policies
• Exercise 4 Configuring Security Templates
• Exercise 5 Verifying the Security Configuration

Logon information
Virtual machine 6425A-NYC-DC1, NYC-CL1, NYC-SVR1
User name Administrator
Password Paw0rd
Estimated time 75 minutes
31
Lab Review

• You want to control which wireless networks your
  Windows Vista clients will have access to. What
  is the best way to accomplish this?
• You need to harden security on all the database
  servers across your organization. What tool is
  best suited for this task?
• You used the Security Configuration Wizard to
  create a policy for your servers running IIS. You
  transformed the policy into a GPO. You applied
  the GPO to the proper OU, but the IIS settings
  are not being deployed. What is the problem?

32
Module Review and Takeaways

• Considerations
• Review questions

33
Beta Feedback Tool

• Beta feedback tool helps
• Collect student roster information, module
  feedback, and course evaluations.
• Identify and sort the changes that students
  request, thereby facilitating a quick team
  triage.
• Save data to a database in SQL Server that you
  can later query.
• Walkthrough of the tool

34
Beta Feedback

• Overall flow of module
• Which topics did you think flowed smoothly, from
  topic to topic?
• Was something taught out of order?
• Pacing
• Were you able to keep up? Are there any places
  where the pace felt too slow?
• Were you able to process what the instructor said
  before moving on to next topic?
• Did you have ample time to reflect on what you
  learned? Did you have time to formulate and ask
  questions?
• Learner activities
• Which demos helped you learn the most? Why do you
  think that is?
• Did the lab help you synthesize the content in
  the module? Did it help you to understand how you
  can use this knowledge in your work environment?
• Were there any discussion questions or reflection
  questions that really made you think? Were there
  questions you thought werent helpful?