Module Overview
www.technocorp.co.in
Delegate the Support of Computers
Manage Security Settings
Manage Software with GPSI
Auditing
Software Restriction Policy and AppLocker
What Are Restricted Groups?
Demonstration: Delegate Administration by Using Restricted Groups Policies
Define Group Membership with Group Policy Preferences
Member Of: Policy is for a domain group; specify its membership in a local group; cumulative
Members: Policy is for a local group; specify its members (groups and users); authoritative
In this demonstration, you will see how to:
Add a domain support group to the local Administrators group of client computers
Define the authoritative membership of the local Administrators group of client computers
Create, delete, or replace a local group
Rename a local group
Change the Description
Modify group membership
Local Group preferences are available in both Computer Configuration and User Configuration
Tools
Settings are a subset of domain GPO settings but different than local GPO
Security Templates
Plain text files
Can be applied directly to a computer: Security Configuration and Analysis, Secedit.exe
Can be deployed with Group Policy
Can be used to analyze a computer's current security settings against the security template's
In this demonstration, you will see how to:
Build a custom MMC with the Security Templates snap-in
Create a security template
Import the template into the Security Settings node of a GPO
Analyze Computer
Secedit.exe
Import Policy
Group Policy
Create the policy
Edit the policy
Apply the policy
Roll back the policy
Transform the policy into a GPO
scwcmd transform /p:"MySecurity.xml" /g:"My New GPO"
Security policies
Are .xml files that define role-based service startup, firewall rules, audit policies, and registry settings
Can include security templates
Security Configuration Wizard or scwcmd.exe
Transform into a GPO by using scwcmd
Modify GPO
Understand GPSI
No feedback
No centralized indication of success or failure
No built-in metering, auditing, license management
In this demonstration, you will see how to: Create a software distribution point
Redeploy application
After successful install, client will not attempt to reinstall app
You might make a change to the package
Package > All Tasks > Redeploy Application
Upgrade application
Create new package in same or different GPO
Advanced > Upgrades > Select package to upgrade
Uninstall old version first; or install over old version
Remove application
Package > All Tasks > Remove
Uninstall immediately (forced removal) or Prevent new installations (optional removal)
Don't delete or unlink GPO until all clients have applied setting
The Group Policy Client determines whether the domain controller providing GPOs is on the other side of a slow link
Less than 500 kbps by default
Each CSE uses the slow link determination to decide whether to process
By default, GPSI does not process over a slow link
Auditing
Overview of Audit Policies
Specify Auditing Settings on a File or a Folder
Enable Audit Policy
Evaluate Events in the Security Log
By default, domain controllers audit success events for most categories
Goal: Align audit policies with corporate security policies and reality
Over-auditing: Logs are too big to find the events that matter
Under-auditing: Important events are not logged
Tools that help you consolidate and crunch logs can be helpful
Enable auditing for Object Access: Success and/or Failure
GPO must be scoped to the server
Success/Failure policy setting must match auditing settings (success/failure)
Security Log
Summary
Audit Object Access policy must be enabled to audit Success or Failure
GPO must be scoped to the server
SACL must be configured to audit successful or failed access
Security Log must be examined
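The chain in the summary above, checked end to end on one file server. This is an added example, not part of the original slides; the folder path and audited principal are hypothetical, and event ID 4663 and the "File System" audit subcategory are standard Windows names that the slides do not mention.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original slides): walk the audit chain on one server.
# Assumptions: $Folder and $Group are hypothetical; event ID 4663 and the
# "File System" subcategory are standard Windows names not shown on the slides.
$Folder = 'C:\AuditDemo'      # constructed test folder
$Group  = 'Everyone'          # principal whose access is audited
$start  = Get-Date

# 1. Audit policy: show what this server actually enforces after GPO processing.
#    The SACL entry below audits Success, so Success must be enabled here too.
auditpol /get /subcategory:"File System"

# 2. SACL: audit successful writes and deletes only, to avoid over-auditing.
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
$acl  = Get-Acl -Path $Folder -Audit     # -Audit loads the SACL along with the DACL
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $Group,
    [System.Security.AccessControl.FileSystemRights]'Write, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Generate one audited access, then examine the Security log for it.
Set-Content -Path (Join-Path $Folder 'probe.txt') -Value 'constructed test write'
Start-Sleep -Seconds 2
$events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4663; StartTime = $start
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
            Object = ($data | Where-Object Name -eq 'ObjectName').'#text'
        }
    } |
    Where-Object { $_.Object -like "$Folder*" }

if ($events) { $events | Format-Table -AutoSize }
else { Write-Warning 'No 4663 events: check that the policy setting matches the SACL entry and that the GPO is scoped to this server.' }
```

An empty result with a correct SACL usually means step 1 shows "No Auditing" or Failure only, which is the policy/SACL mismatch the slide warns about.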
What Is a Software Restriction Policy?
Overview of Application Control Policies
Compare AppLocker and Software Restriction Policies
Demonstration: How to Configure Application Control Policies
Certificate
Path Zone
AppLocker
Specific users or groups (per rule) File hash, path, publisher Allow and Deny Implicit Deny Yes Yes
No
No No No
Yes
Yes Yes Yes
Create a GPO to enforce the default AppLocker Executable rules
Apply the GPO to the domain
Test the AppLocker rule