Week 6 - Implement Group Policy


Course 6425B, Module 07: Managing Enterprise Security and Configuration with Group Policy Settings
- Delegate the Support of Computers
- Manage Security Settings
- Manage Software with GPSI
- Auditing
- Troubleshooting

Delegation of Control
Delegation of administration means:
- Changing properties on a particular container
- Creating and deleting objects of a specific type under an organizational unit
- Updating specific properties on objects of a specific type under an organizational unit
[Diagram labels: Domain; OU1, OU2, OU3; Admin1, Admin2, Admin3]

Using the Delegation of Control Wizard
Tasks for delegating control to users or groups:
- Start the Delegation of Control Wizard
- Select Users or Groups to Which to Delegate Control
- Assign Tasks to Delegate
- Select Active Directory Object Type
- Assign Permissions to Users or Groups

DELEGATION OF CONTROL WIZARD

Guidelines for Delegating Administrative Control
- Track the Delegation of Permission Assignments
- Use the Delegation of Control Wizard
- Assign Control at the OU Level
- Follow Organizational Guidelines for Delegating Control

View the ACL of an Active Directory Object (Demo; Course 6425B, Module 8: Securing Administration)
- Ensure Advanced Features are enabled in the View menu
- Properties > Security > Advanced > Edit

Understand Restricted Groups Policies (Demo)
- Restricted Groups policies enable you to manage the membership of groups.
- Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups
- Right-click Restricted Groups, and choose Add Group.
- Member Of
  - Policy is for a domain group
  - Specify its membership in a local group
  - Cumulative
- Members
  - Policy is for a local group
  - Specify its members (groups and users)
  - Authoritative

Exam Tip: On the 70-640 exam, be able to identify the differences between restricted groups policies that use the Member Of setting and those that use the Members setting. Remember that Member Of settings are cumulative and that if GPOs use the Members setting, only the Members setting with the highest GPO processing priority will be applied, and its list of members will prevail.
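The difference between the two settings is easiest to see when two GPOs target the same local group. The following is an added example, not part of the course material: a small Python model of the rules stated in the Exam Tip. The GPO names, the CONTOSO accounts and the function name are constructed for illustration, and the case where both settings target one group is rejected because the slide does not describe it.

```python
from dataclasses import dataclass, field


@dataclass
class Gpo:
    """One GPO's Restricted Groups entries (all names are constructed)."""
    name: str
    # "Members" entries: local group -> complete, authoritative member list
    members: dict = field(default_factory=dict)
    # "Member Of" entries: domain group -> local groups it must be placed in
    member_of: dict = field(default_factory=dict)


def resolve_local_group(local_group, current_members, gpos_low_to_high):
    """Return (final membership, notes) for one local group.

    gpos_low_to_high is ordered by processing priority, highest priority last.
    """
    notes = []
    members_gpos = [g for g in gpos_low_to_high if local_group in g.members]
    member_of_adds = [
        (g.name, domain_group)
        for g in gpos_low_to_high
        for domain_group, targets in g.member_of.items()
        if local_group in targets
    ]
    if members_gpos and member_of_adds:
        # The slide does not say how the two settings combine on one group.
        raise ValueError(f"{local_group}: both Members and Member Of target it")

    if members_gpos:
        # Authoritative: only the highest-priority Members list is applied.
        winner = members_gpos[-1]
        final = set(winner.members[local_group])
        for loser in members_gpos[:-1]:
            notes.append(
                f"Members list in '{loser.name}' ignored; '{winner.name}' has priority"
            )
        for removed in sorted(set(current_members) - final):
            notes.append(f"{removed} removed (not in authoritative list)")
        return final, notes

    # Cumulative: every Member Of entry adds to whatever is already there.
    final = set(current_members)
    for gpo_name, domain_group in member_of_adds:
        final.add(domain_group)
        notes.append(f"{domain_group} added by '{gpo_name}'")
    return final, notes


# Constructed sample data: the local Administrators group before policy runs.
CURRENT_ADMINS = {"Administrator", "CONTOSO\\jdoe"}

MEMBER_OF_GPOS = [
    Gpo("Corp Baseline", member_of={"CONTOSO\\Help Desk": ["Administrators"]}),
    Gpo("Sales OU", member_of={"CONTOSO\\Sales Support": ["Administrators"]}),
]

MEMBERS_GPOS = [
    Gpo("Corp Baseline", members={"Administrators": [
        "Administrator", "CONTOSO\\Domain Admins", "CONTOSO\\Help Desk"]}),
    Gpo("Sales OU", members={"Administrators": [
        "Administrator", "CONTOSO\\Domain Admins"]}),
]

if __name__ == "__main__":
    for label, gpos in (("Member Of", MEMBER_OF_GPOS), ("Members", MEMBERS_GPOS)):
        final, notes = resolve_local_group("Administrators", CURRENT_ADMINS, gpos)
        print(label, "->", sorted(final))
        for note in notes:
            print("   ", note)
```

With Member Of, the ad hoc account CONTOSO\jdoe survives and both domain groups are added; with Members, only the Sales OU list remains, so the Help Desk entry from the lower-priority GPO is lost along with jdoe.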

Define Group Membership with Group Policy Preferences
- Create, delete, or replace a local group
- Rename a local group
- Change the Description
- Modify group membership
- Local Group preferences are available in both Computer Configuration and User Configuration

Discussion Questions

QUESTION: In what scenarios, or for what reasons, might you want to delete all member users or groups?
ANSWER: Answers will vary, but one obvious scenario would be to clean up the membership of the local Administrators group of users who have been added to the group over time, as part of an effort to implement least privilege.

QUESTION: Why might you want to add the currently logged on user?
ANSWER: While it is not best practice for a user to be logged on as a member of the local Administrators group, there are still applications and functions that require administrative privilege to function properly. In these situations, you might want to allow a user to be a member of the local Administrators group on computers to which the user logs on. As a tip, you can implement the Delete All Member Users option and the Add The Current User option. When the preference is processed, all existing user accounts are removed from the group first, and then the current user is added. The user must then log off and log on, at which point the user becomes a member of Administrators. During the next logon policy refresh, the Delete All Member Users setting removes the user's account, then re-adds it. So the user will remain a member of Administrators as long as the user is within the management scope of the GPO.

QUESTION: In what scenario might you want to modify the membership of the local Administrators group of a computer using a Local Group preference in the User Configuration node of a GPO that scopes the preference not to specific computers but to specific users?
ANSWER: Answers will vary. This is a fairly advanced question, but here's the scenario: there is a support organization dedicated to helping specific users, for example an Executive Support team that is on call to support executives of an organization. In this administrative model, when an executive has a problem, the Executive Support team should be a member of the Administrators group on whatever machine the executive is logged on to. So the definition of who should be in the Administrators group (Executive Support) should "follow" the executive users, rather than be locked (scoped) to a specific set of computers.

What Is Security Policy Management?
- Enterprise IT security policy -> security configuration -> settings
- Manage security configuration
  - Create the security policy
  - Apply the security policy to one or more systems
  - Analyze security settings against the policy
  - Update the policy, or correct the discrepancies on the system
- Tools
  - Local Group Policy and Domain Group Policy
  - Security Templates snap-in
  - Security Configuration and Analysis snap-in
  - Security Configuration Wizard

Configure the Local Security Policy
- Local Security Policy
- Domain Group Policy

Manage Security Configuration with Security Templates (Demo)
- Settings are a subset of domain GPO settings but different than local GPO
- Security templates
  - Plain text files
  - Can be applied directly to a computer
    - Security Configuration & Analysis
    - Secedit.exe
  - Can be deployed with Group Policy
  - Can be used to analyze a computer's current security settings against the security template's

Use Security Configuration and Analysis
- Build-your-own MMC
- Create a database
- Import template(s)
- Use the database
  - Analyze computer
  - Correct discrepancies
  - Configure computer
  - Export as template
- Secedit.exe
[Diagram labels: Modify Database, Import Template, Export Template, Analyze Computer, Configure, Import Policy, Group Policy]

Templates neither directly affect a computer nor are used directly in the "analysis" procedure. The red arrows indicate a change occurring. The database is changed by importing a template or making direct modifications; the computer’s settings are changed by configuring the computer with the database or using group policy.

Question: Describe the procedure used to apply a security template to a computer.
Answer: Use the Security Configuration And Analysis snap-in to create a database. Import the template into the database, and then apply the database settings to the computer by using the Configure Computer Now command.
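Because security templates are plain text .inf files, the "analyze current settings against the template" idea from the two slides above can be reproduced offline. The following is an added example, not part of the course material: a Python sketch that compares a template with a settings file such as the one `secedit /export /cfg` writes. Both file contents below are constructed samples, and the function names are hypothetical.

```python
import configparser

# Sections that describe the file itself rather than security settings.
METADATA_SECTIONS = {"Unicode", "Version"}

# Constructed sample template (the baseline the organization wants).
TEMPLATE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditObjectAccess = 2
"""

# Constructed sample of a computer's exported current settings.
CURRENT_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 7
PasswordComplexity = 1
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 1
"""


def load_inf(text):
    """Parse security-template text. Files written by secedit are usually
    UTF-16, so read them with open(path, encoding="utf-16") first."""
    parser = configparser.ConfigParser(
        interpolation=None,   # values may contain '%'
        strict=False,
        delimiters=("=",),    # ':' can appear inside keys and values
    )
    parser.optionxform = str  # keep setting names case-sensitive
    parser.read_string(text)
    return parser


def analyze(template_text, current_text):
    """Return a list of (section, setting, template value, current value)
    for every template setting the computer does not match.
    A current value of None means the setting is not defined at all."""
    template = load_inf(template_text)
    current = load_inf(current_text)
    discrepancies = []
    for section in template.sections():
        if section in METADATA_SECTIONS:
            continue
        for key, wanted in template.items(section):
            actual = current.get(section, key, fallback=None)
            if actual != wanted:
                discrepancies.append((section, key, wanted, actual))
    return discrepancies


if __name__ == "__main__":
    for section, key, wanted, actual in analyze(TEMPLATE_INF, CURRENT_INF):
        shown = "not defined" if actual is None else actual
        print(f"[{section}] {key}: template={wanted} computer={shown}")
```

The comparison is one-directional, like the snap-in's analysis: settings present on the computer but absent from the template are not reported.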

The Security Configuration Wizard (Demo)
- Security policy: .xml file that configures
  - Role-based service configuration
  - Network security, including firewall rules
  - Registry values
  - Audit policy
  - Can incorporate a security template (.inf)
- Create the policy
- Edit the policy
- Apply the policy
- Roll back the policy
- Transform the policy into a Group Policy object
  scwcmd transform /p:"MySecurity.xml" /g:"My New GPO"

The SCW is the "next generation" security management tool, the successor to the Security Configuration And Analysis tool. As such, Microsoft has enhanced the functionality but some of the concepts remain the same. Draw parallels between the security template/database and the security policy. Point out that a security template is an .inf file whereas the newer security policy is an XML file.

The SCW is role-based and makes recommendations by using a set of defined rules for various server roles. The SCW scans a server and produces a set of baseline settings based on that server's role. You can then modify the settings and save the result as a security policy. The settings scanned and baselined by the SCW include services, registry settings, audit policy, and firewall rules.

An SCW policy can incorporate a security template. Ask students why this would be helpful. The answer is that security templates can define settings not considered by the SCW, including file system ACLs, restricted groups, and local policies. Any settings that conflict between the SCW's settings and those defined in an imported template are resolved in favor of the SCW's settings.

The SCW allows you to roll back an applied policy. You can transform a security policy into a GPO using the scwcmd command. This requires that you are logged on as a domain administrator.

Understand Group Policy Software Installation (GPSI)
- Client-side extension (CSE)
- Installs supported packages
  - Windows Installer packages (.msi)
    - Optionally modified by Transform (.mst) or patches (.msp)
    - GPSI automatically installs with elevated privileges
  - Downlevel application package (.zap)
    - Supported by “publish” option only
    - Requires user has admin privileges
- SCCM and other deployment tools can support a wider variety of installation and configuration packages
- No “feedback”
  - No centralized indication of success or failure
  - No built-in metering, auditing, license management

GPSI can install only Windows Installer packages. However, since many applications are available as Windows Installer packages, and since there are tools that allow one to create Windows Installer packages, this is enough to allow GPSI to serve as a valuable software deployment mechanism for many organizations.

GPSI can, technically, deploy any application that supports an unattended installation command using a down level application package (“.zap file”). This file is basically a .ini file that specifies the unattended installation command. However, .zap files can only be deployed using the “publish” option (assign versus publish will be discussed on the next slide). So applications deployed with the .zap files can only appear in the Programs And Features applet in Control Panel. Furthermore, installing applications from .zap files requires that users are local administrators on their computers. Therefore .zap files are very rarely used in the real world.

SCCM and other deployment tools can deploy applications and configuration using a much wider variety of package types. Commercial software deployment tools also provide reporting and feedback mechanisms that support software metering, auditing, and license management. However, even organizations with tools like SCCM might use GPSI for certain scenarios: they can each serve a role in a software deployment infrastructure.

Assigning Software
- Assigning in User Configuration: The application is installed the next time the user activates the application
- Assigning in Computer Configuration: The application is installed the next time the computer starts up
[Diagram labels: Start, Software Distribution Point]

Publishing Software
- Add/Remove Programs: The application is installed when the user selects it from Add/Remove Programs in Control Panel
- Document Activation: The application is installed when the user double-clicks an unknown file type
[Diagram labels: Software Distribution Point]

Software Deployment Tasks
- Acquire a Windows Installer package file (.msi file)
- Place the package on a software distribution point
- Create or modify a GPO
- Configure the GPO

Create and Scope a Software Deployment GPO
- Computer [or User] Configuration \ Policies \ Software Settings \ Software Installation
  - Right-click > New > Package
  - Browse to .msi file through network path (\\server\share)
  - Choose deployment option (recommend: Advanced)
- Managing the scope of a software deployment GPO
  - Typically easiest to manage with security group filtering
  - Create an app group, for example APP_XML Notepad
  - Put users into the group
  - Put computers into the group if assigning to computers

This slide is set to present the main points about creating and scoping a software deployment GPO. However, this topic is much more easily understood with a demonstration. Time allowing, do the following:
- Create a GPO in the Group Policy Objects container named XML Notepad.
- Edit the GPO and create a computer assigned package for XML Notepad. Point out that you are using a UNC to the software. Whatever path is used in the package is the path that the software installation CSE will use. If you use a local path (for example E:\Software…), that won’t work for clients when they try to access the installation files.
- Choose the ADVANCED deployment method.
- Step through the tabs in the package properties dialog box. Point out the following:
  - Deployment Type
  - Deployment Options
  - Uninstall this application when it falls out of the scope…
  - Upgrades: Students will experience this in the lab.
  - Categories: If publishing, these create “groups” of applications in the Programs And Features “install from network” dialog box.
  - Modifications: mention that transforms might be used to automate or customize installation.
- Link the GPO to the domain. Point out that it would now, theoretically, deploy XML Notepad to all computers.
- Create a group in Groups\Application called APP_XML Notepad if you did not do so already.
- Back on the GPO scope, remove Authenticated Users and add APP_XML Notepad.
- Open ADUC and add a computer (for example, DESKTOP101) to the APP_XML Notepad group.
- Make sure students understand the results, and the value of the management approach.

Note: The demo described above is identical to Tasks 3 & 4 in Lab 07c. If you need more detailed instructions, refer to the Lab 07c Answer Key.

Exam Tip: On the 70-640 exam, you are likely to encounter questions that present software installation scenarios but are in fact testing your knowledge of how to scope a GPO effectively. As you read questions on the exam, try to identify what knowledge the question is really targeting.

Maintain Software Deployed with GPSI
- Redeploy application
  - After successful install, client will not attempt to reinstall app
  - You might make a change to the package
  - Package > All Tasks > Redeploy Application
- Upgrade application
  - Create new package in same or different GPO
  - Advanced > Upgrades > Select package to upgrade
  - Uninstall old version first; or install over old version
- Remove application
  - Package > All Tasks > Remove
  - Uninstall immediately (forced removal) or Prevent new installations (optional removal)
  - Don’t delete or unlink GPO until all clients have applied setting

Talk through, or demonstrate, the tasks related to maintaining software that has been originally deployed with GPSI. Point out that you can redeploy an application simply by right clicking its package. Ensure that students understand why you might want to redeploy an application: perhaps you have changed the Windows Installer package.

Discuss or demonstrate the process of creating an upgrade package. You can simulate upgrading XML Notepad by creating a new package that points to the same Windows Installer package, just name the package something like XML Notepad 2010 to suggest it is new.

Spend a few moments talking about how to remove an application. Start off by reminding students that there is the option to “uninstall the application when it falls out of the scope of management.” If that option is chosen, the application will be uninstalled when the GPO is unlinked, deleted, or scoped in such a way to exclude a computer or user that had previously installed the application. In other words, if you choose that option when creating the original software package, it’s easy! If you don’t choose that option, you must use Group Policy to remove the application. Be sure to leave the group policy object active until all clients have applied this setting. If you unlink, delete, or descope the GPO too early, some clients will never remove the application.

An Overview of Audit Policies
- Audit events in a category of activities
  - Access to NTFS files/folders
  - Account or object changes in Active Directory
  - Logon
  - Assignment or use of user rights
- By default, DCs audit success events for most categories
- Goal: Align audit policies with corporate security policies and reality
  - Over-auditing: logs are too big to find the events that matter
  - Under-auditing: important events are not logged
- Tools that help you consolidate and crunch logs can be helpful

Account Logon and Logon Events (Course 6425B, Module 9: Improving the Security of Authentication in an AD DS Domain)
- Account logon events
  - Registered by the system that authenticates the account
    - domain controllers
    - local computer
- Logon events
  - Registered by the machine at which (or to which) a user logged on
    - Interactive logon: user's system
    - Network logon: server
[Diagram labels: Access a network share, Account Logon Event, Logon Event, Logon Event]

Account logon events, registered only by the authenticating authority; in the case of domain accounts, a domain controller. Logon events, registered by the system to which a user logs on (interactive logon) or connects to (network logon).

Scoping Audit Policies
- Default Domain Controllers Policy: Account Logon Events
- Custom GPO: Logon Events
[Diagram labels: Domain Controllers, Remote Desktop Servers, HR Clients]

Use this slide to describe the best practices for scoping audit policies for logon and account logon events. First, the best practice for configuring account logon events is to modify the Default Domain Controllers Policy. For manageability purposes, there should only be one GPO that specifies auditing settings for domain controllers, and the Default Domain Controllers Policy already exists and contains policy setting definitions for Windows defaults. Modify the settings in this GPO to reflect the requirements of your organization.

If you need to monitor logon events (or even account logon events for local accounts) on servers or clients in your environment, the key is to scope the GPO to affect only those clients, so that you are not putting either the performance burden or the log bloat on systems that do not require such auditing. This slide, and the student manual, reflect a scenario in which a business requirement drives the need to configure auditing for logon events on remote desktop servers and on computers in the human resources department.

Recommended Audit Events

Setting Up Auditing -- Two Steps
- Step 1 - Set the audit policy: Enables auditing of objects but does not activate auditing of specific types
- Step 2 - Enable auditing of specific resources: The specific events to track for files, folders, printers, and Active Directory objects must be identified

Step 1 - Setting Up an Audit Policy
- Categories of events
- Configuration settings: Track successful or failed attempts
- Audit policies are set in the Group Policy snap-in.

50 new Sub-Categories in 2008
E.g. Object Access has 11 sub-categories:
- File System
- Registry
- Kernel Object
- SAM
- Certification Services
- Application Generated
- Handle Manipulation
- File Share
- Filtering Platform Packet Drop
- Filtering Platform Connection
- Other Object Access Events
Enabling auditing for a category with the Group Policy Management Console enables all of its sub-categories, which produces a lot of unwanted auditing.
Use AuditPol.exe to manually enable an individual sub-category.
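To see which sub-categories are over- or under-audited relative to what you actually want, compare AuditPol's CSV report with a per-subcategory baseline. The following is an added example, not part of the course material: a Python sketch that reads the output of `auditpol /get /category:"Object Access" /r` and emits the `auditpol /set` command for each discrepancy. The report below is a constructed sample (computer name FS01 and the GUID placeholders are not real values), and the baseline is an assumed one.

```python
import csv
import io

# Constructed sample: every Object Access sub-category audits Success, as
# happens after the whole category is enabled for success at category level.
SAMPLE_REPORT = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
FS01,System,File System,{placeholder},Success,
FS01,System,Registry,{placeholder},Success,
FS01,System,Kernel Object,{placeholder},Success,
FS01,System,SAM,{placeholder},Success,
FS01,System,Certification Services,{placeholder},Success,
FS01,System,Application Generated,{placeholder},Success,
FS01,System,Handle Manipulation,{placeholder},Success,
FS01,System,File Share,{placeholder},Success,
FS01,System,Filtering Platform Packet Drop,{placeholder},Success,
FS01,System,Filtering Platform Connection,{placeholder},Success,
FS01,System,Other Object Access Events,{placeholder},Success,
"""

# Assumed baseline for a file server; anything not listed means "No Auditing".
BASELINE = {
    "File System": "Success and Failure",
    "File Share": "Success",
}

SETTING_TO_EVENTS = {
    "No Auditing": frozenset(),
    "Success": frozenset({"success"}),
    "Failure": frozenset({"failure"}),
    "Success and Failure": frozenset({"success", "failure"}),
}


def set_command(subcategory, wanted_events):
    """Build the auditpol command that brings one sub-category to baseline."""
    success = "enable" if "success" in wanted_events else "disable"
    failure = "enable" if "failure" in wanted_events else "disable"
    return (f'auditpol /set /subcategory:"{subcategory}" '
            f"/success:{success} /failure:{failure}")


def compare_to_baseline(report_csv, baseline):
    """Return (subcategory, finding, fix command) for each discrepancy."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        name = row["Subcategory"].strip()
        current = SETTING_TO_EVENTS[row["Inclusion Setting"].strip()]
        wanted = SETTING_TO_EVENTS[baseline.get(name, "No Auditing")]
        if current == wanted:
            continue
        extra, missing = current - wanted, wanted - current
        if extra and missing:
            finding = "mismatch"
        elif extra:
            finding = "over-auditing"   # log noise that hides real events
        else:
            finding = "under-auditing"  # events the policy needs are lost
        findings.append((name, finding, set_command(name, wanted)))
    return findings


if __name__ == "__main__":
    for name, finding, command in compare_to_baseline(SAMPLE_REPORT, BASELINE):
        print(f"{finding:15} {name}\n    {command}")
```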

Step 2 – Enable Auditing Specific Resources (Demo)
- Files and folders to be audited must be on Microsoft Windows NTFS volumes.
- Auditing for specific files and folders is enabled from the Advanced Properties sheet of the object to be audited.
- Specify which types of access to audit, either by users or by groups.
- Same method for auditing printers or other Active Directory objects.

Audit Policy Guidelines
- Determine the computers on which to set up auditing.
- Plan the events to audit on each computer.
- Audit resource access by the Everyone group instead of the Users group.
- Determine whether to audit the success of events, failure of events, or both.
  - Tracking successful events identifies which users gained access to specific files, printers, or objects, information that can be used for resource planning.
  - Tracking failed events may alert the administrator of possible security breaches.

View Logon Events
- Security log of the system that generated the event
  - The DC that authenticated the user: account logon
    - Note: Not replicated to other DCs
  - The system to which the user logged on or connected: logon

It is recommended that you open the Security log on HQDC01 and show examples of account logon events. You can point out the event that was logged when you log on to the system at the beginning of this module. After you have demonstrated the access events, you can demonstrate failures if you showed students how to turn on auditing of failed account logon events earlier in this lesson. Run gpupdate /force as an administrator, then use the Switch User command to generate a failed logon (try to log on with a user name such as Aaron.Painter with an incorrect password). Return to the Security log, refresh the view, and you should see the failure entries at the top of the log.

Discuss the challenge of reviewing logs of authentication activity: the logs are distributed across all domain controllers and any domain members that are performing logon auditing. Mention to students that in a later module, they will learn to configure Event Forwarding. This feature of the Windows Server 2008 event log enables admins to centrally collect events for audit and analysis.

Evaluate Events in the Security Log
- Security Log
  - The security log is limited in size. The amount of disk space to devote to the security log must be considered.
  - Review the log frequently
  - The Manage Auditing And Security Log user right for the computer is necessary to configure an audit policy or review an audit log.

Exam Tip: Auditing access to objects such as files and folders requires three components. First, the Audit Object Access policy must be enabled and configured to audit Success or Failure events as appropriate for the scenario. Second, the SACL of the object must be configured to audit successful or failed access. Third, you must examine the Security log. The audit policy is often managed using a GPO, so the GPO must be scoped to apply to the server with the file or folder, which is usually a file server rather than a domain controller. Some exam questions that appear to be testing your knowledge of auditing are actually testing your ability to scope a GPO with the audit policy to the correct servers.

Group Policy Tools
Diagnostic tool: Purpose
- GPUpdate: Refresh / load Group Policy.
- GPLogView (free download from Microsoft): Export GP-related events from the system and operational logs into text, HTML, or XML files.
- DCGPOFix: Restore the default GPOs to their original state.
- GPResult: Display information about the user, the computer, the GP affecting them, and the domain controller that supplied the GP.

Resultant Set of Policy (Course 6425B, Module 06: Implementing a Group Policy Infrastructure)
- Inheritance, filters, loopback, and other policy scope and precedence factors are complex!
- RSoP
  - The "end result" of policy application
  - Tools to help evaluate, model, and troubleshoot the application of Group Policy settings
- RSoP analysis
  - The Group Policy Results Wizard
  - The Group Policy Modeling Wizard
  - GPResult.exe

Generate RSoP Reports
- Group Policy Results Wizard
  - Queries WMI to report actual Group Policy application
- Requirements
  - Administrative credentials on the target computer
  - Access to WMI (firewall)
  - User must have logged on at least once
- RSoP report
  - Can be saved
  - View in Advanced mode
    - Shows some settings that do not show in the HTML report
  - View Group Policy processing events
- GPResult.exe /s ComputerName /h filename

Perform What-If Analyses with the Group Policy Modeling Wizard
- Group Policy Modeling Wizard
  - Emulates Group Policy application to report anticipated RSoP

Examine Policy Event Logs (Demo)
- System log
  - High-level information about Group Policy
  - Errors elsewhere in the system that could impact Group Policy
- Application log
  - Events recorded by CSEs
- Group Policy Operational log
  - Detailed trace of Group Policy application