70 640 Lesson08 Ppt 041009

Configuring the User and Computer Environment Using Group Policy, Lesson 8

Upload: coffeyville-community-college

Post on 25-Dec-2014


Page 1: 70 640 Lesson08 Ppt 041009

Configuring the User and Computer Environment Using Group Policy

Lesson 8

Page 2

Skills Matrix

Technology Skill                           Objective Domain                       Objective #
Configuring Account Policies               Configure account policies             4.6
Planning and Configuring an Audit Policy   Configure Audit Policy by using GPOs   4.7

Page 3

Security Settings

Page 4

Security Settings

Page 5

Security Settings

Page 6

Account Policies

• Account policies influence how a user interacts with a computer or a domain.

• By default, they are linked to the Default Domain Policy.

• This account policy is applied to all accounts throughout the domain by default, unless you create one or more Fine-Grained Password Policies (FGPP) that override the domain-wide policy.

• These Fine-Grained Password Policies can be applied.

Page 7

Password Policies

Page 8

Fine-Grained Password Policy

• Prior to Windows Server 2008, an Active Directory administrator was only able to configure a single Password Policy and Account Lockout Policy for any Active Directory domain.

• If you were faced with a subset of users whose password policy requirements were different, you were left with the choice of configuring a separate domain or forcing all users within the domain to conform to a single password policy.

• Beginning in Windows Server 2008, you can configure Fine-Grained Password Policies, which allow you to define multiple password policies within a single domain.
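Added example (PowerShell; not part of the course slides): creating a Fine-Grained Password Policy that is stricter than the domain default, applying it to a global security group, and checking which policy a member actually ends up with. It assumes the ActiveDirectory PowerShell module, which ships with Windows Server 2008 R2 and later (on Windows Server 2008 RTM the same Password Settings Object is created with ADSI Edit or ldifde). The PSO name, the group Privileged-Admins and the user jdoe are hypothetical.

```powershell
# Added example, not from the course slides.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 or later); the PSO name,
# group name and user name below are hypothetical.
Import-Module ActiveDirectory

$psoName = 'PSO-PrivilegedAdmins'

# Lower Precedence wins when a user is covered by more than one PSO.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)

# A PSO can be applied to user objects and global security groups, not to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Privileged-Admins'

# Resultant policy for one member. If this returns nothing, no PSO covers the user
# and the Default Domain Policy settings apply; if a different PSO is returned,
# one with a lower Precedence value also covers the user.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, MaxPasswordAge
```

The resultant-policy check at the end is the part worth keeping in an operational runbook: the most common FGPP surprise is a user who is in two groups with different PSOs, and only the precedence value decides which one wins.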

Page 9

Lockout Policy

Page 10

Kerberos Policy

• Kerberos is the default mechanism for authenticating domain users in Windows Server 2008, Windows Server 2003, and Microsoft Windows 2000. Kerberos is a ticket-based system that allows domain access by using a Key Distribution Center (KDC), which is used to issue Kerberos tickets to users, computers, or network services.

  – These tickets have a finite lifetime and are based in part on system time clocks. Note that Kerberos has a 5-minute clock skew tolerance between the client and the domain controller.

  – If the clocks are off by more than 5 minutes, the client will not be able to log on.
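Added example (PowerShell; not part of the course slides): measuring a client's clock offset against a domain controller before treating a logon failure as a Kerberos problem. It uses w32tm.exe, which is present on Windows 2000 and later; the domain controller name is hypothetical and the tolerance defaults to the 5 minutes the slide quotes.

```powershell
# Added example, not from the course slides. The DC name is hypothetical.
function Get-KerberosClockSkew {
    param(
        [string]$DomainController = 'dc01.contoso.local',
        [int]$Samples = 3,
        [int]$ToleranceSeconds = 300   # Kerberos default clock skew tolerance: 5 minutes
    )
    # With /dataonly, w32tm prints one "hh:mm:ss, +00.1234567s" line per sample.
    $lines = & w32tm.exe /stripchart "/computer:$DomainController" "/samples:$Samples" /dataonly

    # Keep only the signed offsets, in seconds; error lines do not match and are skipped.
    $offsets = foreach ($line in $lines) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "No offset samples returned from $DomainController" }

    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    [pscustomobject]@{
        DomainController = $DomainController
        MaxOffsetSeconds = [math]::Round($worst, 3)
        WithinTolerance  = ($worst -le $ToleranceSeconds)
    }
}

$result = Get-KerberosClockSkew
$result
if (-not $result.WithinTolerance) {
    # Resynchronise with the domain time hierarchy instead of setting the clock by hand,
    # otherwise the drift simply comes back.
    Write-Warning "Clock skew exceeds the Kerberos tolerance; run 'w32tm /resync' on this client."
}
```

In a domain the client should already be syncing from the domain hierarchy; a skew that keeps reappearing usually points at a virtual machine host overriding the guest clock or at a PDC emulator that is not itself synced to a reliable source.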

Page 11

Kerberos Policy

Page 12

Kerberos Policy

• Enforce User Logon Restrictions tells Windows Server 2008 to validate each request for a session ticket against the rights associated with the user account.

• Although this process can slow the response time for user access to resources, it is an important security feature that should not be overlooked or disabled.

• Enforce User Logon Restrictions is enabled by default.

Page 13

Local Policies

• Allow administrators to set user privileges on the local computer that govern what users can do on the computer and determine if these actions are tracked within an event log (auditing):

  – User Rights Assignment.

  – Security Options.

  – Audit Policy.

Page 14

User Rights

Page 15

Audit Policy

Page 16

Audit Policy

• System events — Events that trigger a log entry in this category include system startups and shutdowns; system time changes; exhaustion of system event resources, such as when an event log is full and can no longer append entries; clearing of the security log; or any event that affects system security or the security log.

  – In the Default Domain Controllers GPO, this setting is set to log successes by default.

Page 17

Audit Policy

• Policy change events — By default, this policy is set to audit successes in the Default Domain Controllers GPO.

  – Policy change audit log entries are triggered by events such as user rights assignment changes, establishment or removal of trust relationships, IPSec policy agent changes, and grants or removals of system access privileges.

Page 18

Audit Policy

• Account management events — This policy setting is set to audit successes in the Default Domain Controllers GPO. This setting triggers an event that is written based on changes to account properties and group properties.

  – Log entries written due to this policy setting reflect events related to user or group account creation, deletion, renaming, enabling, or disabling.

Page 19

Audit Policy

• Logon events — This setting logs events related to successful user log-ons on a computer.

  – The event is logged to the Event Viewer Security Log on the computer that processes the request. The default setting is to log successes in the Default Domain Controllers GPO.

Page 20

Audit Policy

• Account logon events — This setting logs events related to successful user log-ons to a domain.

  – The event is logged on the domain controller that processes the request. The default setting is to log successes in the Default Domain Controllers GPO.

Page 21

Audit Policy

• Audit Directory Service Access — This event category logs user access to Active Directory objects, such as other user objects or OUs.

• Audit Object Access — This event category logs user access to files, folders, registry keys, and printers.

  – After you enable Audit Object Access, you then need to specify what you are going to audit via Windows Explorer, the Registry Editor, Printers and Faxes, or Active Directory Users and Computers.

Page 22

Audit Policy

• Events produced by auditing can be viewed by looking at the Security logs in the Event Viewer.
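Added example (PowerShell; not part of the course slides): reading the Security log from the command line instead of the Event Viewer, and counting the events that the audit categories on the previous slides produce. The event IDs are the Windows Vista / Windows Server 2008 Security log IDs; the 24-hour lookback is an assumption. Reading the Security log requires an elevated prompt.

```powershell
# Added example, not from the course slides. Event IDs are the Vista / Server 2008 IDs;
# the lookback window is an assumption.
$auditMap = @{
    4608 = 'System: Windows starting up'
    4616 = 'System: system time changed'
    1102 = 'System: audit log cleared'
    4719 = 'Policy change: system audit policy changed'
    4704 = 'Policy change: user right assigned'
    4705 = 'Policy change: user right removed'
    4706 = 'Policy change: new trust created'
    4720 = 'Account management: user account created'
    4726 = 'Account management: user account deleted'
    4738 = 'Account management: user account changed'
    4732 = 'Account management: member added to local group'
    4624 = 'Logon: successful logon'
    4625 = 'Logon: failed logon'
    4768 = 'Account logon: Kerberos TGT requested'
    4771 = 'Account logon: Kerberos pre-authentication failed'
    4663 = 'Object access: object accessed'
}

function Get-AuditSummary {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Security'
        Id        = [int[]]$auditMap.Keys
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object Id |
        ForEach-Object {
            [pscustomobject]@{
                Id       = [int]$_.Name
                Category = $auditMap[[int]$_.Name]
                Count    = $_.Count
                Latest   = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
            }
        } | Sort-Object Category
}

Get-AuditSummary -Hours 24 | Format-Table -AutoSize

# Drill into a single category: a cleared Security log (1102) deserves a look every time,
# because it removes the evidence the rest of the audit policy was collecting.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message -First 5
```

The summary is a quick way to confirm that a category you enabled in the GPO is really producing events on this machine; a category showing zero events after the refresh interval usually means the policy did not apply or the GPO is linked to the wrong OU.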

Page 23

Configuring Files and Folders for Auditing

• In Windows Explorer, right-click the file or folder you want to audit.

• Select Properties.

• On the Security tab in the Properties dialog box for the selected file or folder, click Advanced.

• In the Advanced Security Settings dialog box for the file or folder, select the Auditing tab.
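Added example (PowerShell; not part of the course slides): the scripted equivalent of the Properties > Security > Advanced > Auditing steps above, which turns on the Audit Object Access category and adds a system audit ACL (SACL) entry to a folder so that delete attempts are recorded. The folder path is hypothetical. Editing a SACL needs the Manage auditing and security log right, so run it from an elevated prompt; and because a GPO Audit Policy overrides the local audit settings, in a domain the category should be set in the GPO rather than with auditpol.

```powershell
# Added example, not from the course slides. The folder path is hypothetical.
$folder = 'D:\Shares\Finance'

# 1. SACL entries are ignored unless the Audit Object Access category is enabled.
#    (In a domain this setting comes from the GPO; auditpol is shown for a stand-alone box.)
auditpol.exe /set /category:"Object Access" /success:enable /failure:enable

# 2. Define what to audit: Everyone, delete operations, success and failure,
#    inherited by subfolders and files.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)

# 3. Read the current SACL (-Audit is required, otherwise only the DACL is loaded),
#    add the rule, and write the descriptor back.
$acl = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 4. Confirm the audit entry is present.
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# Once in place, matching delete attempts appear as event 4663 in the Security log.
```

Auditing every access right on a busy share fills the Security log quickly, which is the overhead the Summary slides warn about; restricting the SACL to the operations you actually need to reconstruct (delete, permission changes, takeover of ownership) keeps the log useful.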

Page 24

Restricted Groups Policy

• Allows an administrator to specify group membership lists.

  – You can control membership in important groups, such as the local Administrators and Backup Operators groups.
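Added example (PowerShell; not part of the course slides): checking for drift from the membership list a Restricted Groups policy is meant to enforce, by comparing the local Administrators group with an approved list. It uses the WinNT ADSI provider rather than Get-LocalGroupMember, which only exists on Windows Server 2016 and later; it assumes PowerShell 3.0 or later, and the approved list (local Administrator plus two domain groups in a domain called CONTOSO) is constructed for the example.

```powershell
# Added example, not from the course slides. The approved list is constructed.
function Get-LocalGroupMemberPath {
    param([string]$GroupName = 'Administrators')
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    # Members come back as COM objects; their ADsPath looks like WinNT://CONTOSO/Domain Admins
    foreach ($m in $group.psbase.Invoke('Members')) {
        ($m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)) -replace '^WinNT://', ''
    }
}

function Test-RestrictedGroupDrift {
    param(
        [string]$GroupName = 'Administrators',
        [string[]]$Approved
    )
    $actual = @(Get-LocalGroupMemberPath -GroupName $GroupName)
    # '=>' = present on the machine but not approved; '<=' = approved but missing
    $diff = Compare-Object -ReferenceObject $Approved -DifferenceObject $actual
    foreach ($d in $diff) {
        $status = if ($d.SideIndicator -eq '=>') { 'UNEXPECTED' } else { 'MISSING' }
        [pscustomobject]@{ Group = $GroupName; Member = $d.InputObject; Status = $status }
    }
}

# Constructed approved list: the built-in local Administrator plus the domain groups
# the Restricted Groups policy is supposed to enforce.
$approved = @(
    "$env:COMPUTERNAME/Administrator",
    'CONTOSO/Domain Admins',
    'CONTOSO/Server-Admins'
)

$drift = Test-RestrictedGroupDrift -GroupName 'Administrators' -Approved $approved
if ($drift) {
    $drift | Format-Table -AutoSize
} else {
    'Administrators membership matches the approved list.'
}
```

Restricted Groups re-applies the list at every policy refresh, so an UNEXPECTED member found by this check between refreshes is either a local change that the next refresh will undo or, if it survives a refresh, a sign that the GPO is not reaching this computer.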

Page 25

Folder Redirection Policy

• Folder redirection provides administrators with the ability to redirect the contents of certain folders to a network location or to another location on the user's local computer.

• Contents of folders on a local computer located in the Documents and Settings folder, including the Documents, Application Data, Desktop, and Start Menu folders, can be redirected.

Page 26

Configuring Folder Redirection

• If you choose Basic–Redirect Everyone's Folder To The Same Location, you must specify the Target folder location in the Settings dialog box.

• If you choose Advanced–Specify Locations For Various User Groups, you must specify the target folder location for each group that you add in the Settings dialog box.

Page 27

Folder Redirection Policy

Page 28

Offline Files Policy

• A separate Group Policy category that can allow files to be available to users, even when the users are disconnected from the network.

  – The Offline Files feature works well with Folder Redirection: when Offline Files is enabled, users can access necessary files as if they were connected to the network.

  – When the network connection is restored, changes made to any documents are updated to the server.

  – Folders can be configured so that either all files or only selected files within the folder are available for offline use. When it is combined with Folder Redirection, users have the benefits of being able to redirect files to a network location and still have access to the files when the network connection is not present.

Page 29

Offline Folder Policy

Page 30

Offline Folder Policy

Page 31

Disk Quotas

• Limit the amount of space available on the server for user data.

Page 32

Disk Quotas

Page 33

Group Policy Refresh

• Computer configuration group policies are refreshed every 90 minutes (+/- 30 minutes) by default.

• Domain controller group policies are refreshed every 2 minutes.

• You can force a Group Policy refresh by using the gpupdate command:

  gpupdate /force

Page 34

Summary

• Most security-related settings are found within the Windows Settings node of the Computer Configuration node of a GPO.

• Policy settings that you wish to apply to all computers or users within a domain should be made within the Default Domain Policy GPO.

  – Generally, domain-wide account policies, such as Password Policies, Account Lockout, and Kerberos settings, are modified here.

Page 35

Summary

• Windows Server 2008 provides the ability to configure Fine-Grained Password Policies, which allow multiple password and account lockout policies within a single domain.

• Local Policy settings govern the actions users can perform on a specific computer and determine whether the actions are recorded in an event log. Create Audit Policies here.

Page 36

Summary

• Auditing can be configured to audit successes, failures, or both.

• Plan auditing carefully before implementation.

• Events that are not important to your documentation and information needs can cause unnecessary overhead when audited.

• Auditing can be a very important security tool when used prudently.

Page 37

Summary

• Because audited events are recorded in the appropriate event log, it is necessary to understand the Event Log Policy setting area.

• This area allows control over maximum log sizes, log retention, and access rights to each log.

Page 38

Summary

• Restrictions on group memberships can be accomplished using the Restricted Groups policy setting.

  – Implementing this policy removes group members who are not part of the configured group membership list or adds group members according to a preconfigured list.

Page 39

Summary

• Folder Redirection can be configured for folders located on a local computer within the Documents And Settings folder.

• The Offline Files settings allow redirected folders to be available when a network connection is not present.

• These two setting areas complement each other.

Page 40

Summary

• Disk quotas can be used to control storage space on a network drive.

• Implementing disk quotas allows administrators to have tighter control over drive usage, which can affect tape backup and restore functionality.

Page 41

Summary

• Computer configuration group policies are refreshed every 90 minutes by default.

• Domain controller group policies are refreshed every 2 minutes.

• These settings can be altered based on the frequency with which policy changes occur.

• Disabling unused portions of a GPO decreases the time it takes to complete policy processing.