GROUP POLICY An overview of Microsoft Windows Group Policy.

Presentation transcript:


MY CREDENTIALS
- B.S. Computer Science
- M.S. Information Technology (2012)
- Certified Information Systems Security Professional (CISSP)
- Network Admin at BCG
- Early NT 3.51 and 4.0 days
- Network Admin and Instructor at Hilbert College
- Transition from NT4 to 2000
- Accounts and Profiles for all students (GPO Based)
- Taught Networking, Databases, Programming in the Computer Security program there
- An admin's perspective who learned it on the job

WHAT IS GROUP POLICY
- Microsoft NT Technology
- Other NOS have their own versions
- Centralized management of clients
- Security management
- Application management
- Profile management
- Can be pushed from domain
- Can be modified locally for individual clients
- Local policy objects not as in depth
- Can be pushed as part of disc imaging

WHAT CAN IT DO FOR ME
- Manage security
- Firewall and Networking
- OS configuration restrictions
- Reduce workstation downtime
- Can restrict users from modifying potentially damaging settings
- Manage applications
- Whitelist available applications
- Control which applications are visible
- Roaming profiles
- Centralized data storage
- Full or partial

NOT A SILVER BULLET
- Only as effective as the Information Security Policies it is enforcing
- Needs to be a part of security in depth
- Can be complex to implement and manage
- Improper management can interfere with business goals
- Easy to lock down a machine tighter than it needs to be
- Applications typically use voluntary enforcement
- Possible to modify or interfere with an application reading its policy

WHAT DO I NEED TO USE IT

Domain Based Policy
- Active Directory Domain
- Install Group Policy Management Objects
- Server Roles vary by OS version
- Can be managed using remote administration tools from Vista (2003 Domains) or Windows 7 (2008 Domains)

Local Policy
- Windows NT based OS's
- No domain needed
- Easily configured on XP and above
- Can be used in conjunction with domain policies
- Configured locally on the target client

MANAGEMENT TOOLS
- Group Policy Management Console (GPMC)
- Suite of tools in 2003
- Unified tool in 2008
- Cmdlets
- PowerShell extensions that allow scripting
- Local Policy Editor
- Pre Win 7 one user policy for all users
- Gpupdate
- Forces update of policy on machines (XP and later)

WHAT IS A GPO?
- Collection of settings that can be used in a Group Policy
- Most modify registry settings
- Can also be processed by extending applications
- Can be applied to users or computers
- Can be inherited
- Can be linked to multiple policies

POLICY OBJECT TYPES

Computer Policy
- Applies based on the Computer Account
- Useful to configure settings on a specific workstation
- Same for all users on that machine
- Example: remove start menu on public machine

User Policy
- Applies based on the logged in User Account
- Settings travel with the user
- Roaming Profiles go here
- Example: Password policy

HOW IT WORKS
- Machine Boots up
- Machine policy downloaded and applied
- User Logs in
- User Policy downloaded and applied
- Settings may be cached
- 90 +/- 30 min for clients
- gpupdate to refresh immediately

APPLYING MULTIPLE POLICIES
- Local Group Policy objects - Computer's local policy (accessed by running gpedit.msc).
- Site - Group policies that are applied to the AD Site
- Lowest link order processed last, overrides higher links
- Domain - Group policies specified for the AD Domain
- Lowest link order processed last, overrides higher links
- Organizational Unit - Policies for User or Computer OUs
- Lowest link order processed last, overrides higher links
- Inheritance - Inheritance can be blocked or enforced to control what policies
- Use GPMC to see what will actually be applied
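
The processing order from the HOW IT WORKS and APPLYING MULTIPLE POLICIES slides, modelled as an added example that is not part of the original presentation. It goes beyond the slide by spelling out how Enforced links and Block Inheritance change the order; the GPO names and setting keys are hypothetical, constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Link:
    gpo: str
    settings: dict
    order: int = 1            # link order in its container; 1 = highest precedence
    enforced: bool = False
@dataclass
class Container:
    name: str
    links: list
    block_inheritance: bool = False

def processing_order(chain):
    """chain = [Local, Site, Domain, OU...] parent to child; later links override earlier."""
    # Deepest container that blocks inheritance; 0 means nothing is blocked.
    barrier = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    by_order = lambda c: sorted(c.links, key=lambda l: l.order, reverse=True)
    applied = []
    for i, c in enumerate(chain):
        for link in by_order(c):
            # Index 0 is local policy, which Block Inheritance never affects.
            if not link.enforced and (i == 0 or i >= barrier):
                applied.append(link)
    # Enforced links go last and ignore the barrier; walk child-to-parent so the top wins.
    for c in reversed(chain):
        applied.extend(l for l in by_order(c) if l.enforced)
    return applied

def resultant(chain):
    """Map each setting to (winning value, GPO that supplied it)."""
    result = {}
    for link in processing_order(chain):
        result.update({k: (v, link.gpo) for k, v in link.settings.items()})
    return result

# Constructed sample: GPO names and setting keys are hypothetical.
CHAIN = [
    Container("Local", [Link("Local", {"ScreenSaverTimeout": 1800})]),
    Container("Site:HQ", [Link("Site-Proxy", {"Proxy": "proxy.example"})]),
    Container("Domain", [
        Link("Domain-Baseline", {"DisableRegedit": 1}, order=1, enforced=True),
        Link("Domain-Desktop", {"ScreenSaverTimeout": 900, "HideStartMenu": 0}, order=2),
    ]),
    Container("OU:Labs", [
        Link("Lab-Kiosk", {"HideStartMenu": 1, "DisableRegedit": 0}, order=1),
        Link("Lab-Defaults", {"HideStartMenu": 0}, order=2),
    ], block_inheritance=True),
]
```

Calling `resultant(CHAIN)` shows the OU's attempt to re-enable Regedit losing to the enforced domain baseline, while the non-enforced site and domain links are dropped by the OU's Block Inheritance.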

TYPICAL POLICY COMPONENTS
- Administrative Templates
- Security Settings
- IP Security Policy
- Software Restriction Policies
- Wireless Network Policies
- Public Key Policies
- Software Installation
- Remote Installation Services
- Scripts
- Internet Explorer Maintenance
- Folder Redirection
- Disk Quotas
- QoS Packet Scheduler
- Custom Registry Modifications

CREATING A POLICY
- Demonstration

ROAMING PROFILES
- Can redirect some or all user data
- Can redirect different sections to different locations
- Administrators do not have access to redirected profiles (by default)
- Allows for centralized backup
- User is no longer dependent on specific machine for user data
- Typically redirected profile folders
- My Documents
- Application Data
- Desktop
- Start Menu
- Folder redirection is under User Settings, Windows Settings

TIPS AND TRICKS
- Lock down Regedit
- Be extremely careful when applying policy to admins and domain controllers
- Calculate space requirements before trying to redirect folders
- Consider implementing quotas
- Gpanswers.com
- Learn to use MSDN and Technet
- Set up a lab environment and play

GETTING STARTED WITH COMMON DEPLOYMENT SCENARIOS
- Lightly Managed
- Mobile
- Multi-User
- App Station
- Task Station
- Kiosk
- GPOs can be obtained for these from:
- Implementing Common Desktop Management Scenarios with the Group Policy Management Console

LIGHTLY MANAGED
- Power Users and Developers
- Is the least managed of all of the scenarios.
- Allows users to customize most settings that affect them but prevents them from making harmful system changes.
- Includes settings that reduce help desk costs and user downtime.
- Full Roaming Profiles with local caching
- Speeds up login/logout
- Core set of applications which are always available.
- Users can also install applications

MOBILE
- Laptop and Mobile User Support
- Disconnected user who frequently needs to work offline
- Does not require high speed link
- Offline files
- Partial Roaming to support offline files
- Allows users to disconnect from the network without logging off or shutting down.

MULTI-USER
- Computer laboratory or library
- Allows basic customization of the desktop environment.
- Allows screen saver, background, etc. but no hardware or OS configuration
- Full Roaming Profiles with no caching to protect privacy
- Restricted write access to the local computer
- Can only write data to their own profile
- Highly secure.

APP AND TASK STATION
- Highly restricted configurations with only a few applications.
- Vertical applications such as marketing, claims, and customer-service scenarios.
- Allows minimal customization by the user.
- Allows users to access a small number of applications appropriate to their job role.
- Does not allow users to add or remove applications.
- Full Roaming Profiles with caching
- Provides a simplified desktop and Start menu.
- Restricted write access to the local computer
- Can only write data to their user profile and to redirected folders.
- Is highly secure.
- Task Station
- Only one app available and no start menu

KIOSK
- Unattended machine in a public area, highly secure
- Is a public workstation.
- Runs only one application.
- Uses only one user account and automatically logs on.
- The system automatically resets to a default state at the start of each session.
- Runs unattended.
- Is highly secure.
- Does not allow users to make changes to the default user or system settings.
- Does not save data to the disk.
- Is always on (no log off or shutdown).

Q & A
- Questions, comments?
- My contact info again:
- Patrick Lupiani or