
Lesson 6: Controlling Access to Local Hardware and Applications


1 Lesson 6: Controlling Access to Local Hardware and Applications
MOAC : Configuring Windows 8.1

2 Overview
Exam Objective 2.3: Control access to local hardware and applications
Configure application restrictions, including Software Restriction Policies and AppLocker
Manage installation of and access to removable devices
Configure Assigned Access
© 2013 John Wiley & Sons, Inc.

3 Configuring Hardware Restrictions

4 Controlling Device Installation
The Device Installation Restrictions folder in a GPO contains policy settings that enable you to prevent Windows computers from installing and updating device drivers under specific conditions. The policies in the Computer Configuration/Policies/Administrative Templates/System/Device Installation/Device Installation Restrictions folder enable you to specify if or when the computers on your network can install drivers for hardware devices.

5 Controlling Device Installation
[Figure: The Device Installation Restrictions policies]

6 Controlling Removable Storage Access
For control over access to specific types of removable storage at the computer level, you can use the policy settings in the Computer Configuration/Policies/Administrative Templates/System/Removable Storage Access folder. For control at the user level, the same policies appear in the User Configuration/Policies/Administrative Templates/System/Removable Storage Access folder.

7 Controlling Removable Storage Access
[Figure: The Removable Storage Access policies]

8 Configuring Application Restrictions

9 Software Restriction Policies
Software restriction policies are Group Policy settings that enable administrators to specify the programs that are allowed to run on workstations by creating rules of various types.

10 Software Restriction Policy Rules
The software restriction policy rules that you can create include the following:
Certificate rules – Identify applications based on the inclusion of a certificate signed by the software publisher. An application can continue to match this type of rule, even if the executable file is updated, as long as the certificate remains valid.
Hash rules – Identify applications based on a digital fingerprint that remains valid even when the name or location of the executable file changes.
Network zone rules – Identify Windows Installer (.msi) packages downloaded with Internet Explorer based on the security zone of the site from which they are downloaded.
Path rules – Identify applications by specifying a file or folder name or a registry key. The potential vulnerability of this type of rule is that any file can match the rule, as long as it is the correct name or location.
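The trade-off between path rules and hash rules described above can be seen with a small model. This is an added example, not part of the original presentation: it does not call Software Restriction Policies itself, it uses SHA-256 as the fingerprint by assumption, and all folder names, file names and file contents are constructed.

```powershell
# Added example: simplified model of path-rule and hash-rule matching (not SRP internals).
# Every file name and file content below is constructed for the demonstration.
$root    = Join-Path $env:TEMP ("srp-demo-" + [guid]::NewGuid())
$allowed = (New-Item -ItemType Directory -Path (Join-Path $root 'Allowed')).FullName
$other   = (New-Item -ItemType Directory -Path (Join-Path $root 'Elsewhere')).FullName

$approved = Join-Path $allowed 'tool.exe'
Set-Content -Path $approved -Value 'vetted build 1.0'      # stand-in for a vetted binary

# What the administrator records for the vetted file.
$pathRule = Join-Path $allowed '*'                                   # path rule: anything in this folder
$hashRule = (Get-FileHash -Path $approved -Algorithm SHA256).Hash    # hash rule: this exact content

function Test-Rules([string]$Case, [string]$File) {
    [pscustomobject]@{
        Case      = $Case
        File      = $File.Substring($root.Length + 1)
        PathMatch = $File -like $pathRule
        HashMatch = (Get-FileHash -Path $File -Algorithm SHA256).Hash -eq $hashRule
    }
}

$moved = Join-Path $other 'renamed.exe'
Copy-Item -Path $approved -Destination $moved              # same content, new name and location
$unvetted = Join-Path $allowed 'unvetted.exe'
Set-Content -Path $unvetted -Value 'different content'     # other content inside the allowed folder

$results = @(
    Test-Rules 'vetted file, original location' $approved
    Test-Rules 'same file, renamed and moved'   $moved
    Test-Rules 'other file in allowed folder'   $unvetted
)
Set-Content -Path $approved -Value 'vetted build 1.1'      # a vendor update changes the content
$results += Test-Rules 'vetted file after update' $approved

$results | Format-Table -AutoSize
Remove-Item -Path $root -Recurse -Force
```

The table makes the maintenance cost visible: a path rule over a folder that users can write to allows whatever lands there, while a hash rule has to be reissued after every update.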

11 Creating Rules
To create rules:
1. Open a Group Policy object (GPO) and browse to Computer Configuration\Policies\Windows Settings\Security Settings\Software Restriction Policies.
2. Right-click the Software Restriction Policies object.
3. From the context menu, select New Software Restriction Policies.
4. Create new rules of your own in the Additional Rules folder, using the dialog box.

12 Creating Rules
[Figure: Software Restriction Policies]

13 Creating Rules
[Figure: The New Path Rule dialog box]

14 Rule Settings
The three possible settings are as follows:
Disallowed – Prevents an application matching a rule from running.
Basic user – Allows all applications not requiring administrative privileges to run. Allows applications that do require administrative privileges to run only if they match a rule.
Unrestricted – Allows an application matching a rule to run.

15 Using AppLocker
AppLocker, also known as application control policies, is essentially an updated version of the concept implemented in software restriction policies. AppLocker uses rules, which administrators must manage. The process of creating the rules is much easier because of a wizard-based interface.

16 Understanding Rule Types
The AppLocker settings are located in Group Policy objects in the Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies\AppLocker container. In the AppLocker container, there are four nodes that contain the basic rule types, as follows:
Executable Rules – Contains rules that apply to files with .exe and .com extensions.
Windows Installer Rules – Contains rules that apply to Windows Installer packages with .msi and .msp extensions.
Script Rules – Contains rules that apply to script files with .ps1, .bat, .cmd, .vbs, and .js extensions.
Packaged app Rules – Contains rules that apply to applications purchased through the Windows Store.

17 Understanding Rule Types
[Figure: The AppLocker container in a GPO]

18 Creating Default Rules
To use AppLocker, you must create rules that enable users to access the files needed for Windows and the system’s installed applications to run. The simplest way to do this is to right-click each of the three rules containers and select Create Default Rules from the context menu.

19 Creating Default Rules
[Figure: The default AppLocker Executable Rules]

20 Creating Rules Automatically
When you right-click one of the three rules containers and select Create Rules Automatically from the context menu, an Automatically Generate Rules Wizard appears. After specifying the folder to be analyzed and the users or groups to which the rules should apply, a Rule Preferences page appears. The wizard then displays a summary of its results in the Review Rules page and adds the rules to the container.

21 Creating Rules Automatically
[Figure: The Folders and Permissions page of the Automatically Generate Executable Rules Wizard]

22 Creating Rules Automatically
[Figure: The Rule Preferences page of the Automatically Generate Executable Rules Wizard]
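The same analyze, generate and review sequence can be run with the AppLocker PowerShell cmdlets, which is useful when the result should be inspected before it goes into a GPO. This is an added example, not part of the original presentation; the folder, the user group, the rule name prefix and the output file name are assumptions.

```powershell
# Added example: cmdlet counterpart of the Automatically Generate Rules Wizard.
# $folder, $user and $outFile are assumed values; adjust them to the environment.
$folder  = 'C:\Program Files'
$user    = 'Everyone'
$outFile = Join-Path $env:TEMP 'generated-exe-rules.xml'

# Folder to analyze: collect publisher, hash and path information for each executable.
$files = Get-AppLockerFileInformation -Directory $folder -Recurse -FileType Exe

# Rule preferences: publisher rules where a signature exists, file hash rules otherwise.
# -Optimize merges similar files into fewer rules; -Xml returns the policy as text.
$xml = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User $user `
    -RuleNamePrefix 'Auto' -Optimize -IgnoreMissingFileInformation -Xml
Set-Content -Path $outFile -Value $xml -Encoding UTF8

# Review: how many rules of each kind were generated per collection.
([xml]$xml).AppLockerPolicy.RuleCollection | ForEach-Object {
    [pscustomobject]@{
        Collection = $_.Type
        Publisher  = $_.SelectNodes('FilePublisherRule').Count
        Hash       = $_.SelectNodes('FileHashRule').Count
        Path       = $_.SelectNodes('FilePathRule').Count
    }
} | Format-Table -AutoSize

# Review: any executable in the folder that the generated rules would still not allow.
$exes = (Get-ChildItem -Path $folder -Recurse -Filter *.exe -ErrorAction SilentlyContinue).FullName
Test-AppLockerPolicy -XmlPolicy $outFile -Path $exes -User $user |
    Where-Object { $_.PolicyDecision -ne 'Allowed' } |
    Select-Object FilePath, PolicyDecision
```

Nothing is applied to the computer by this script; the XML file is only written for review.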

23 Creating Rules Manually
You can create rules manually using a wizard. To start the wizard, select Create New Rule from the context menu for one of the three rule containers. The wizard prompts you for:
Action – Specifies whether you want to allow or deny the user or group access to the resource. In AppLocker, explicit deny rules always override allow rules.
User or group – Specifies the name of the user or group to which the policy should apply.
Conditions – Specifies whether you want to create a publisher, path, or file hash rule. The wizard generates an additional page for whichever option you select, enabling you to configure its parameters.
Exceptions – Enables you to specify exceptions to the rule you are creating, using any of the three conditions: publisher, path, or file hash.
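How the action, the conditions and the exceptions of manually created rules combine can be checked offline with Test-AppLockerPolicy. This is an added example, not part of the original presentation: the policy, rule names, folder and file names are constructed, the three test files are copies of notepad.exe, and S-1-1-0 is the well-known SID of the Everyone group.

```powershell
# Added example: one allow rule with an exception plus one explicit deny rule,
# evaluated against three constructed files. Nothing is applied to the computer.
$dir = Join-Path $env:TEMP ("applocker-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
$src = Join-Path $env:WINDIR 'System32\notepad.exe'
'allowed.exe', 'excepted.exe', 'denied.exe' |
    ForEach-Object { Copy-Item -Path $src -Destination (Join-Path $dir $_) }

# Constructed policy: path conditions keep the XML short and readable.
$xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow demo folder" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="$dir\*" /></Conditions>
      <Exceptions><FilePathCondition Path="$dir\excepted.exe" /></Exceptions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny one file" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="$dir\denied.exe" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyFile = Join-Path $dir 'policy.xml'
Set-Content -Path $policyFile -Value $xml -Encoding UTF8

# Ask AppLocker which decision each file would receive for the Everyone group.
$exes = (Get-ChildItem -Path $dir -Filter *.exe).FullName
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $exes -User Everyone |
    Select-Object @{ n = 'File'; e = { Split-Path $_.FilePath -Leaf } },
                  PolicyDecision, MatchingRule |
    Format-Table -AutoSize

Remove-Item -Path $dir -Recurse -Force
```

The file named in the deny rule also matches the allow rule's folder condition, so its decision shows the deny taking precedence, and the excepted file matches no rule at all and falls to the default deny.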

24 Configuring Assigned Access
Assigned Access is a Windows 8.1 feature that enables you to configure a Windows 8.1 system to function as a kiosk, running a single application in a protected environment. It is now possible, in Windows 8.1, to associate a local user account with a single Windows app, so that the app launches when the user logs on to the system. Once in that app, the user cannot launch another app. The system also suppresses all notifications, and disables all of the key combinations, gestures, and shortcuts that provide access to the underlying system components.

25 Configuring Assigned Access
To use Assigned Access, you create a local account specifically for that purpose, and you associate it with an app that you have already installed. There are two important limitations to this feature, however, as follows:
Local accounts only – You must use a local account, created solely for use with Assigned Access. You cannot use a domain account.
Modern apps only – You can only use Modern apps – either purchased from the Windows Store or sideloaded – with Assigned Access.

26 Configuring Assigned Access
[Figure: The Manage other accounts page]

27 Configuring Assigned Access
[Figure: The Set up an account for assigned access page]

28 Lesson Summary
Using Group Policy, you can restrict user access to removable storage devices on their workstations.
Software restriction policies are Group Policy settings that enable administrators to specify the programs that are allowed to run on workstations by creating rules of various types.
AppLocker is a new feature in the Windows 8 Enterprise and Ultimate editions that enables administrators to create application restriction rules much more easily.

29 Copyright 2013 John Wiley & Sons, Inc.
All rights reserved. Reproduction or translation of this work beyond that named in Section 117 of the 1976 United States Copyright Act without the express written consent of the copyright owner is unlawful. Requests for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.

