Presentation is loading. Please wait.

Presentation is loading. Please wait.

L EVERAGING A CTIVE D IRECTORY G ROUP P OLICY TO P ATCH C OMMON W INDOWS A PPLICATIONS Joseph Fisher Systems Administrator Enterprise IT Services, University.

Published byAshlee Fisher Modified over 8 years ago

Similar presentations

Presentation on theme: "L EVERAGING A CTIVE D IRECTORY G ROUP P OLICY TO P ATCH C OMMON W INDOWS A PPLICATIONS Joseph Fisher Systems Administrator Enterprise IT Services, University."— Presentation transcript:

1 L EVERAGING A CTIVE D IRECTORY G ROUP P OLICY TO P ATCH C OMMON W INDOWS A PPLICATIONS Joseph Fisher Systems Administrator Enterprise IT Services, University of Georgia http://www.josephpfisher.com 2012 Rock Eagle Computing Conference

2 About The Presenter Working in IT since 1996 Started out assembling computers for free RAM VMware, Linux, and Windows sysadmin at UGA

3 About This Presentation Patch Management Windows Active Directory environment Brief Overview of Group Policy Objects (GPOs) Non-Microsoft Software – Java – Flash – Reader – Etc

4 Are You Current on Your Patches?

5 Best Malware Prevention Strategy Limit over-privileged users – UAC, standard user accounts User education – No more free screensavers Anti-virus software – Only as good as the latest definitions Update all software as soon as patches are available

6 The Results Average of 18.2 malware incidents per month in 250 PC environment prior to centralized patch management Down to 1 incident in 6 months

7 Options Microsoft Systems Center – Powerful, but complicated, and expensive Ninite Pro – Simple, effective, but still requires license outside of personal use LANDesk – Like Systems Center, powerful but complicated and expensive Active Directory Group Policy – Uses existing infrastructure, intermediate difficulty

8 O VERVIEW OF G ROUP P OLICY O BJECTS

9 Pre-requisites Active Directory – Rights to create GPOs and link to OUs Repository – Sysvol – File server Need a share readable by all “Authenticated Users”

10 Remote Server Administration Tools From a domain computer, install Remote Server Administration Tools – http://www.microsoft.com/en- us/download/details.aspx?id=7887 http://www.microsoft.com/en- us/download/details.aspx?id=7887 Active Directory Users and Computers Group Policy Management Console

11 How to Apply GPOs Link to an Organizational Unit (OU) – By default, GPOs apply to all child OUs Able to block inheritance on specific child OUs GPOs can override “block inheritance” by being set to “enforced” Can view effective GPOs on an OU

12 Group Policy Management Console

13

14 Group Policy Objects Policies broken down into 2 groups: Users and Computers Software installation should usually be performed at the Computer level

15 Software Deployment GPOs natively support MSI files You can deploy other executables, but you’ll need to script these – Batch files are usually effective – Scripts deployed at the computer level are run with “system” privileges (i.e. administrators)

16 Test, test, test! Testing strategy: start with a single machine, then test a group, then a larger group, and finally bulk deploy One GPO for each function – E.g. one GPO for Adobe Reader, another for Java, etc. – Easier to identify problematic GPOs Virtual machines are handy! – Create a local VM using Virtual Box and snapshot it in a “clean” state – GPOs tattoo a system, always best to start clean

17 S OFTWARE D EPLOYMENT

18 Software Sources Adobe Flash: http://www.adobe.com/products/flashplayer/distribution3. html http://www.adobe.com/products/flashplayer/distribution3. html Adobe Reader: ftp://ftp.adobe.com/pub/adobe/reader/win/ftp://ftp.adobe.com/pub/adobe/reader/win/ – Customization Wizard: http://www.adobe.com/support/downloads/detail.jsp?ft pID=4950 http://www.adobe.com/support/downloads/detail.jsp?ft pID=4950 Firefox: http://www.frontmotion.com/Firefox/http://www.frontmotion.com/Firefox/ Chrome: http://www.google.com/intl/en/chrome/business/browser/ http://www.google.com/intl/en/chrome/business/browser/ Java: Offline installer at http://java.comhttp://java.com

19 Adobe Flash Need to apply for a free Flash distribution license Create a GPO for Flash and assign the MSI file under “Software Installation”

20 Adobe Flash Suppress update notification: http://helpx.adobe.com/flash- player/kb/administration-configure-auto- update-notification.html http://helpx.adobe.com/flash- player/kb/administration-configure-auto- update-notification.html – Need to create a file on each workstation – Can accomplish this via Group Policy: Create the file and put it in your repository (Sysvol, file share, etc.) Deploy via Group Policy Preference: Computer Configuration -> Preferences -> Windows Settings -> Files

21 Adobe Reader Obtain installer from Adobe FTP Customize the installation via Adobe Customization Utility – Suppress EULA – Disable Update Checks – Generates MST file

22 Adobe Reader

23 Firefox Mozilla doesn’t provide MSI installers FrontMotion Firefox Community Edition – Different logo – Same browser Administrative Templates to manage – Default browser checks – Update checks – Default home page – Proxy settings – etc

24 Firefox

25 Google Chrome MSI available directly from Google Google also provides administrative templates

26 Java No MSI available directly from Oracle Problematic under normal conditions Newer versions require successful uninstallation of most recent installed version Uninstallation failures prevent installation of new versions Only recommended tool to remove failed installations is no longer available (MS Office Cleanup Utility) – And not scriptable

27 Java We need a script: – Check if Java is the latest version – Uninstall the previous version if a new version is available – Install the new version – Check to see that the new version works http://josephpfisher.com/2011/11/java-wont- uninstall-tips-for-end-users-and-enterprise-systems- administrators/ http://josephpfisher.com/2011/11/java-wont- uninstall-tips-for-end-users-and-enterprise-systems- administrators/ Assign the batch file as a startup script (computer level)

28 Java Still need to obtain MSI Still need to generate a transform (MST) Need Orca MSI editor – http://www.technipages.com/download-orca-msi- editor.html http://www.technipages.com/download-orca-msi- editor.html Run offline installer and monitor App Data folder – Start -> Run -> %APPDATA% – MSI installer should appear while offline installer is open

29 Java Open MSI in Orca Create new transform (Transform menu -> New Transform) – Better than modifying the MSI directly Go to “Property” table and modify: – AUTOUPDATECHECK = 0 – EULA = 0 – Iexplorer = 1 – JAVAUPDATE = 0 – JU = 0 – Mozilla = 1 – Systray = 0 Go to “Transform” menu and click “Generate Transform” and save the MST file

30 Java

31 C OMMON P ROBLEMS

32 Common Problems Windows XP & Vista requires hotfix – http://support.microsoft.com/kb/974266 http://support.microsoft.com/kb/974266 Latest NIC drivers for gigabit adapters – From NIC manufacturer (i.e. not Dell) Flush Group Policy history – Remove HKLM\Software\Microsoft\Windows\CurrentVer sion\Group Policy Remove from domain and re-join

33 Resources Microsoft Technet Forums – http://social.technet.microsoft.com/Forums/en- US/categories http://social.technet.microsoft.com/Forums/en- US/categories EduGeek – http://edugeek.net http://edugeek.net IT Ninja – http://www.itninja.com

34 Q UESTIONS ?

Download ppt "L EVERAGING A CTIVE D IRECTORY G ROUP P OLICY TO P ATCH C OMMON W INDOWS A PPLICATIONS Joseph Fisher Systems Administrator Enterprise IT Services, University."

Similar presentations

APP-V 5.0 SP2 (MDOP 2013 R2) Presenter - Fred

APP-V 5.0 SP2 (MDOP 2013 R2) Presenter - Fred
Module 5: Creating and Configuring Group Policy

Module 5: Creating and Configuring Group Policy
Khan Rashid Lesson 11-The Best Policy: Managing Computers and Users Through Group Policy.

Khan Rashid Lesson 11-The Best Policy: Managing Computers and Users Through Group Policy.
Managing User Settings with Group Policy

Managing User Settings with Group Policy
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
11.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

11.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
Hands-On Microsoft Windows Server 2003 Administration Chapter 4 Managing Group Policy.

Hands-On Microsoft Windows Server 2003 Administration Chapter 4 Managing Group Policy.
9.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

9.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
MIS 431 - Chapter 91 Ch. 9 – Implement and Use Group Policy MIS 431 – created Spring 2006.

MIS Chapter 91 Ch. 9 – Implement and Use Group Policy MIS 431 – created Spring 2006.
10.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

10.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 10: Server Administration.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 10: Server Administration.
Network Printing. Printer sharing Saves money by only needing one printer Increases efficiency of managing resources.

Network Printing. Printer sharing Saves money by only needing one printer Increases efficiency of managing resources.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.
Chapter 6: Configuring Security. Group Policy and LGPO Setting Options Software Installation not available with LGPOs Remote Installation Services Scripts.

Chapter 6: Configuring Security. Group Policy and LGPO Setting Options Software Installation not available with LGPOs Remote Installation Services Scripts.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.
Lesson 16: Creating Group Policy Objects

Lesson 16: Creating Group Policy Objects
7.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.

7.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.
Guide to MCSE 70-290, Enhanced 1 Activity 9-1: Creating a Group Policy Object Using the MMC Objective: To create a GPO using the Group Policy Object Editor.

Guide to MCSE , Enhanced 1 Activity 9-1: Creating a Group Policy Object Using the MMC Objective: To create a GPO using the Group Policy Object Editor.
Introduction to Active Directory December 10th, 2008 1-3pm Daniels 407.

Introduction to Active Directory December 10th, pm Daniels 407.
9.1 © 2004 Pearson Education, Inc. Lesson 9: Implementing Group Policy in Windows 2000 Server Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure.

9.1 © 2004 Pearson Education, Inc. Lesson 9: Implementing Group Policy in Windows 2000 Server Exam Microsoft® Windows® 2000 Directory Services Infrastructure.

Similar presentations

Ads by Google