Group Policy Management Console White Paper
COMP2221 SESSION 9: CONTROLLING LOCAL AND DOMAIN SECURITY WITH GROUP POLICY TEMPLATES
Order of application of Windows 2003 policies is:
1. The local policy.
2. Site level policies (if they exist…), in the administratively specified order.
3. Domain level group policies, again in the specified order.
4. Group policies associated with the organizational units. If a single organizational unit contains multiple group policies, the policies are applied in an administratively specified order.
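As an added illustration (not part of the original handout), the following PowerShell function models that order of application. The scope names, GPO names and settings are made up for the purpose. It goes slightly beyond the text in one respect: where a container has several GPOs linked, the link at the top of the list (link order 1) has the highest precedence, so it is applied last and its values win over the other links in that container.

```powershell
# Added example, not from the handout: a model of the Local, Site, Domain, OU
# order of application. Scope and GPO names and the settings are made up.
# Within one container, link order 1 is the highest-precedence link, so it is
# applied last; a later-applied GPO overwrites an earlier one's value for the
# same setting ("last writer wins").

function Resolve-EffectivePolicy {
    param(
        # Scopes in the order they are applied: Local, Site, Domain, then each OU
        # from the top of the tree down to the one containing the computer/user.
        [Parameter(Mandatory)] [object[]] $Scopes
    )
    $effective  = @{}   # setting name -> value in force
    $winningGpo = @{}   # setting name -> "scope\GPO" that supplied that value
    $applyOrder = New-Object System.Collections.Generic.List[string]

    foreach ($scope in $Scopes) {
        # Sort descending so that link order 1 is processed last and wins.
        $links = @($scope.Links | Sort-Object -Property { $_.LinkOrder } -Descending)
        foreach ($link in $links) {
            $applyOrder.Add(('{0}: {1} (link order {2})' -f $scope.Name, $link.GPO, $link.LinkOrder))
            foreach ($setting in $link.Settings.Keys) {
                $effective[$setting]  = $link.Settings[$setting]
                $winningGpo[$setting] = '{0}\{1}' -f $scope.Name, $link.GPO
            }
        }
    }
    [pscustomobject]@{
        ApplyOrder = $applyOrder
        Effective  = $effective
        WinningGpo = $winningGpo
    }
}

# Constructed sample hierarchy: the site has no linked GPO, the Workstations OU has two.
$scopes = @(
    [pscustomobject]@{ Name = 'Local';  Links = @(
        [pscustomobject]@{ GPO = 'Local Computer Policy'; LinkOrder = 1; Settings = @{
            AuditLogonEvents = 'No auditing'; DontDisplayLastUserName = 'Disabled' } }) }
    [pscustomobject]@{ Name = 'Site';   Links = @() }
    [pscustomobject]@{ Name = 'Domain'; Links = @(
        [pscustomobject]@{ GPO = 'Default Domain Policy'; LinkOrder = 1; Settings = @{
            AuditLogonEvents = 'Success'; LegalNoticeCaption = 'Authorised use only' } }) }
    [pscustomobject]@{ Name = 'OU=Workstations'; Links = @(
        [pscustomobject]@{ GPO = 'Workstation Baseline'; LinkOrder = 2; Settings = @{
            AuditLogonEvents = 'Success, Failure'; DontDisplayLastUserName = 'Enabled' } }
        [pscustomobject]@{ GPO = 'Helpdesk Overrides';  LinkOrder = 1; Settings = @{
            DontDisplayLastUserName = 'Disabled' } }) }
)

$result = Resolve-EffectivePolicy -Scopes $scopes
'Order of application:'
$result.ApplyOrder | ForEach-Object { '  ' + $_ }
'Effective settings:'
$result.Effective.GetEnumerator() | Sort-Object Name | ForEach-Object {
    '  {0,-24} = {1,-18} (from {2})' -f $_.Name, $_.Value, $result.WinningGpo[$_.Name]
}
```

Running it shows the OU's "Workstation Baseline" overriding the domain's audit setting, and "Helpdesk Overrides" (link order 1) overriding "Workstation Baseline" for the one setting both define. One caveat the model does not capture: account policies (password, lockout and Kerberos settings) for domain accounts are taken only from GPOs linked at the domain level; the same settings in an OU-linked GPO affect only the local accounts of the computers in that OU.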
First, local policies on a machine, using Microsoft Management Console (MMC). MMC does not itself perform Windows 2003 administrative functions, but it hosts many “snap-in” tools that do, by means of “console” files.
It can be used in:
user mode - working with existing MMC consoles to administer a system
author mode - creating new consoles or modifying existing MMC consoles.
In the exercise that follows, as local administrator, you will be able to “author” consoles on the local machine.
Exercise 9(a): Starting up MMC & Installing the “Security Configuration and Analysis” and “Security Templates” Snap-ins
MMC provides a wizard for accessing the various snap-ins which control Windows registry settings, including security features. It also provides access to templates for configuring/controlling all aspects of machine security policy and group security policy.
1. MMC could be accessed from the desktop; in this case, we will use the command line. Type MMC and press ENTER. The MMC window will appear.
2. The main MMC window will have a default name console1. On the console menu, click File, then Add/Remove Snap-in. A new dialogue box should open.
3. Click on Add. A new dialogue box, Add Standalone Snap-in, should open.
4. Click on Security Configuration and Analysis, and click on Add.
5. Also click on Add for Security Templates, and for Group Policy Object Editor. The “snap-ins” should have been transferred on the screen to the Add/Remove Snap-in window. Note that “Group Policy” is referring to the Local Computer.
6. Click Finish, Close, and then OK, to remove the open dialogue boxes.
7. On the main console menu, click Save As and save the console file with a suitable name (suffix will be added).
8. Right-click on the Security Configuration and Analysis snap-in, and use the Open Database feature to create a database (give it a name, e.g. SecurityTools). Then save the console database with an associated policy template (you choose…) to a suitable folder (the .sdb suffix is added automatically).
9. Now right-click on the Security Configuration and Analysis snap-in and click on Analyse Computer Now, to get a full run-down of the current settings, which make up the “local policy” (i.e. settings for the local machine).
10. Select Local Policies and look at the options in each of the three categories. Plenty of options are available… are they all appropriately set?
11. When you select Security Settings, linger a little longer. You should now be presented with a particularly large number of settings that control security aspects of local policy. Note that each setting can be set to enabled, disabled, or not configured.
The “local machine” settings (copied into registry and held there from boot up onwards) interact with group policy security settings after domain logon to provide a security profile that is appropriate for that group of users.
Exercise 9(b): Creating a Policy from a Template
A group policy is particularly useful when it is applied at domain level, to provide local control of settings whenever a user logs on based on the group(s) they belong to. Group policies don’t just stop at the domain level, but can apply right across a domain tree.
The Group Policy Object Editor is divided into two basic sections, Computer Configuration and User Configuration.
Computer Configuration settings (such as audit policy, (all) user rights assignments, and security options) are associated with the local policy object. User Configuration relates to the settings that apply directly to the user’s desktop.
1. Do a bit of exploring to find out where the security settings you looked at through the analysis tool are actually stored.
You can only apply security settings via template to “local policy”. Nevertheless, what follows is a useful exercise…
2. Double click on security templates… Now double click again to provide a list of seven pre-prepared templates. Look at the contents of each in turn. In particular, look at the three categories in “account policies” and “local policies”. Also, note that “system services” contains settings for all of the Windows programs offered as “services”, which may currently be “undefined”.
3. Make a note of the name, and double-click on one of these files. As you can see, it is just a configuration file containing lots of settings, rather like a registry file. The settings are divided into a series of sub-groups (e.g. account policy, local policies, event log, restricted groups…), and provide the basis of a security policy for users and groups of users. Double-click as necessary to look closely at all the settings.
4. Now repeat 3 with a different template file. Can you see how the template file relates to its function?
5. Working with a partner, spend some time discussing the appropriateness of each of these settings for users on a typical medium-security network connected to the Internet. A print out of some settings is available, and might be helpful to you, but if a setting is not currently defined, it will not be displayed at all.
6. Make a note of the agreed settings you would wish to impose on users as a local policy. Be prepared to defend such changes in a discussion… Now change the settings on one of the templates, and resave it with a different name. You can save your template file to a USB stick if you wish. Notice that local policy is saved with settings in the same two sections: user configuration & computer configuration.
7. Finally… [if someone without a domain lets you…] you may be able to use the modified template file to try out security settings applied locally to another computer.
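The analysis in Exercise 9(a) and the template inspection in Exercise 9(b) can both be done without the snap-in. As an added example (not from the handout), the PowerShell below parses the key/value sections of a security template (.inf), the same file format you double-clicked in step 3, and reports where a machine's exported policy differs from a chosen baseline template. The section and setting names are the real ones used by secedit templates; the baseline values and the sample "current" export are constructed here for illustration, and the secedit command shown in a comment is what you would run on a real machine (it requires an elevated prompt).

```powershell
# Added example, not from the handout. Parses security template (.inf) files and
# compares a machine's current local policy against a baseline template.
# Setting names come from the secedit template format; values are constructed.

function ConvertFrom-SecurityTemplate {
    param([Parameter(Mandatory)] [string[]] $Lines)
    $sections = @{}     # section name -> hashtable of setting -> value
    $current  = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }      # blank or comment
        if ($line -match '^\[(.+)\]$') {                               # [Section] header
            $current = $Matches[1]
            if (-not $sections.ContainsKey($current)) { $sections[$current] = @{} }
            continue
        }
        if ($null -ne $current -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $sections[$current][$Matches[1]] = $Matches[2]
        }
    }
    $sections
}

function Compare-PolicyToBaseline {
    param(
        [Parameter(Mandatory)] [hashtable] $Current,
        [Parameter(Mandatory)] [hashtable] $Baseline
    )
    # [Unicode] and [Version] are file metadata, not policy, so they are skipped.
    foreach ($section in ($Baseline.Keys | Where-Object { $_ -notin 'Unicode', 'Version' })) {
        foreach ($name in $Baseline[$section].Keys) {
            $want = $Baseline[$section][$name]
            $have = if ($Current.ContainsKey($section)) { $Current[$section][$name] } else { $null }
            # "Undefined" mirrors the snap-in's "not defined": the setting is absent from the export.
            $status = if ($null -eq $have) { 'Undefined' }
                      elseif ($have -eq $want) { 'Match' }
                      else { 'Mismatch' }
            [pscustomobject]@{ Section = $section; Setting = $name; Baseline = $want; Current = $have; Status = $status }
        }
    }
}

# Constructed baseline template. AuditLogonEvents = 3 means audit success and failure.
$baselineInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

# On a real machine, export the live local policy to an .inf with:
#   secedit /export /cfg "$env:TEMP\current.inf" /areas SECURITYPOLICY /quiet
#   $currentLines = Get-Content "$env:TEMP\current.inf"     # file is UTF-16; Get-Content detects the BOM
# Constructed sample standing in for that export:
$currentLines = @'
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 0
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
'@ -split "`r?`n"

$baseline = ConvertFrom-SecurityTemplate -Lines $baselineInf
$current  = ConvertFrom-SecurityTemplate -Lines $currentLines
Compare-PolicyToBaseline -Current $current -Baseline $baseline |
    Where-Object Status -ne 'Match' | Format-Table -AutoSize
```

With the sample data this lists the short password length, the disabled logon auditing, the "last user name" display, and the two settings the export leaves undefined (lockout count and account logon auditing). The same comparison is what the snap-in's Analyse Computer Now performs against the template loaded into its database, and an undefined setting shows up there in the same way as in the print-out mentioned in step 5: it is simply not present.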
Exercise 9(c) Applying security policies to domains
(For controlling security on a real network, this is the really important part…) Principles as for local policies, but more to manage. Implementation of group policies may be outside the time constraints of this session (you can always come back another time…). One way to investigate group policies is from Active Directory…
1. Open the Active Directory Management Console (Active Directory Users and Computers).
2. Locate the container in which your user objects reside (usually an Organizational Unit).
3. Right-click the container in the left panel tree view and click Properties.
4. Click the Group Policy tab, and then click Edit to edit the Default Domain Policy. Note the user/computer config divisions, as with local policy.
5. In the Group Policy window, expand Computer Configuration, navigate to Windows Settings, to Security Settings, and then to Local Policies.
6. Select User Rights Assignment.
Note: All policies are either defined or not defined. That is, they are either configured for use or not configured for use. A policy that is not defined in the current container could be inherited from another container.
7. To configure user rights assignment, double-click a user right or right-click on it and select Security. This opens a Security Policy Setting dialog box.
8. For a site, domain, or organizational unit, individual user rights can be configured by completing the following steps:
9. Open the Security Policy Setting dialog box for the user right to be modified (i.e. Log on locally).
10. Select Define these policy settings to define the policy.
11. To apply the right to a user or group, click Add.
12. In the Add user or group dialog box, click Browse. This opens the Select Users Or Groups dialog box. The right can now be applied to “Domain Users”. It will also be necessary to apply the right to Administrators, before the wizard can complete.
13. Click on Properties, and look at each tab in turn… Links is useful for applying a GPO to other domains. “General” can disable either user config settings or computer config settings from the policy.
14. Click on “New”, and create a new group. Again, there are the user and computer options. Don’t select a domain… we’ll leave it there for now!
Administering Group Policy & Group Policy Management Console (GPMC)
(Another snap-in for MMC…) http://support.microsoft.com/kb/307882
GPMC helps administrators manage an enterprise more cost-effectively by improving manageability and increasing productivity. It also contains a set of scriptable interfaces for managing Group Policy. It simplifies the management of Group Policy by providing a single place for managing its core aspects via:
A user interface (UI) that makes Group Policy much easier to use.
Backup/restore of Group Policy objects (GPOs).
Import/export and copy/paste of GPOs and Windows Management Instrumentation (WMI) filters.
Simplified management of Group Policy-related security.
HTML reporting of GPO settings and Resultant Set of Policy (RSoP) data.
Scripting of policy-related tasks that are exposed within this tool (not scripting of settings within a GPO).
Exercise 9(d) Installing GPMC
A simple process that involves running a Windows Installer (.MSI) package from the CD. All necessary files are installed to the \Program Files\GPMC folder.
1. Double-click the gpmc.msi package, and click Next.
2. Accept the End User License Agreement (EULA), and click Next.
3. Click Close to complete the installation.
Exercise 9(e) Using GPMC
Upon completion of the installation, the Group Policy tab that appeared on the Property pages of sites, domains, and organizational units (OUs) in the Active Directory snap-ins is updated to provide a direct link to GPMC. Once GPMC has executed…
Either click the Group Policy Management shortcut in the Administrative Tools folder on the Start Menu or in the Control Panel. View the default policy, and examine the settings.
Or create a custom MMC console: click Start, click Run, type MMC, and then click OK. Point to File, click Add/Remove Snap-in, click Add, highlight Group Policy Management, click Add, click Close, and then click OK.
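Three of the GPMC features listed above (backup of GPOs, HTML reporting of their settings, and seeing which GPOs a container inherits) can also be driven from a script. The following is an added example, not from the handout and not one of GPMC's own scripts; it uses the GroupPolicy PowerShell module that ships with GPMC on Windows Server 2008 R2 and later (and with RSAT), which is not available on the Windows 2003 release of GPMC, whose scriptable interface is the GPMgmt.GPM COM object. The domain name, OU path and backup folder are placeholders.

```powershell
# Added example, not from the handout: GPO backup, per-GPO HTML report and an
# inheritance review using the GroupPolicy module (Windows Server 2008 R2+ / RSAT).
# Domain, OU and path values are placeholders.

Import-Module GroupPolicy

function Backup-AllGpoWithReports {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $BackupRoot
    )
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $target = Join-Path $BackupRoot $stamp
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    # One backup per GPO; each returned object carries the backup id and the GPO id,
    # which Restore-GPO / Import-GPO need later.
    $backups = Backup-GPO -All -Domain $Domain -Path $target -Comment "Scheduled backup $stamp"

    # An HTML settings report per GPO, the same report GPMC shows on the Settings tab.
    foreach ($b in $backups) {
        $safeName = $b.DisplayName -replace '[\\/:*?"<>|]', '_'
        $report   = Join-Path $target ("{0}.html" -f $safeName)
        Get-GPOReport -Guid $b.GpoId -Domain $Domain -ReportType Html -Path $report
    }
    $backups
}

function Show-GpoInheritance {
    param([Parameter(Mandatory)] [string] $OuDistinguishedName)
    $inh = Get-GPInheritance -Target $OuDistinguishedName
    # InheritedGpoLinks is already ordered by precedence: the first entry wins on conflicts.
    $rank = 0
    foreach ($link in $inh.InheritedGpoLinks) {
        $rank++
        [pscustomobject]@{
            Precedence = $rank
            GPO        = $link.DisplayName
            LinkedAt   = $link.Target
            Enforced   = $link.Enforced
            Enabled    = $link.Enabled
        }
    }
    if ($inh.GpoInheritanceBlocked) {
        Write-Warning "Inheritance is blocked at $OuDistinguishedName; only enforced links from above apply."
    }
}

# Placeholder domain, folder and OU:
Backup-AllGpoWithReports -Domain 'corp.example.com' -BackupRoot 'D:\GPO-Backups' |
    Format-Table DisplayName, Id, CreationTime
Show-GpoInheritance -OuDistinguishedName 'OU=Workstations,DC=corp,DC=example,DC=com' |
    Format-Table -AutoSize
```

Run it with an account that can read every GPO in the domain. Keeping the HTML report beside each backup means a later restore can be checked against what the GPO contained at the time, and the inheritance listing is the quickest way to confirm, for a given OU, the same Local, Site, Domain, OU order that Exercise 9(c) has you work through by hand.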
To repair or remove GPMC, use Add or Remove Programs in Control Panel. Alternatively, run the gpmc.msi package, select the appropriate option, and click Finish.