Group Policy: a group of registry (and a few non-registry) settings pushed to computers and users; "group" here has nothing to do with security groups
Components
-Templates (ADMX/ADML administrative templates; more can be added to the defaults)
-GPO files: the GPO container object lives in AD, the GPO template (the settings files) lives in SYSVOL under \Policies\{GUID}; local ADMX templates live in C:\Windows\PolicyDefinitions
-Linked to AD sites, domains and OUs
-Special settings
Interfaces (how/where to view/edit)
-Local Group Policy editor (gpedit.msc)
-Group Policy Management Console (GPMC, gpmc.msc)
-Group Policy Management Editor (GPME, opened from GPMC to edit one GPO)
-Group Policy Object Editor snap-in added from mmc.exe, targeted at a specific user or at Administrators/Non-Administrators (Multiple Local Group Policy, used to make exceptions to the local GPO)
Local Group Policy
Applies only to the local machine (can be exported/imported, e.g. with Microsoft's LGPO.exe, which copies the %SystemRoot%\System32\GroupPolicy contents)
Computer configuration - applies to the computer, so to everyone who logs on
User configuration - applies to all users unless a more specific local layer overrides it:
-Administrators / Non-Administrators policy
-User-specific policy (individual users only, not groups)
Layers are processed local -> Administrators/Non-Administrators -> user-specific, so the most specific layer wins a conflict
Can be used on any domain-joined or non-domain system except a DC (Multiple Local Group Policy is not available on DCs)
Processing of the local GPO can be disabled by a domain GPO (Computer Configuration > Administrative Templates > System > Group Policy > "Turn off Local Group Policy Objects processing")
Usefulness
-Servers with specific exceptions (e.g. disable Control Panel for everyone except Administrators)
-Non-domain systems
Applying Policy
Link enabled (a GPO only applies where it is linked and the link is enabled)
Block Inheritance (set on an OU or domain; stops non-enforced GPOs linked higher up from applying)
Enforce (set on a link; the GPO applies even through Block Inheritance and wins conflicts with GPOs linked lower down)
Refresh
-Startup (computer configuration policy)
-Logon (user configuration policy)
-Background refresh every 90 min plus a random offset of up to 30 min; DCs every 5 min
-gpupdate (gpupdate /force reapplies all settings, not only changed ones)
-PowerShell Invoke-GPUpdate (remote refresh via a scheduled task on the target, so the remote scheduled-task firewall rules must be open there)
-Right-click OU in GPMC > Group Policy Update (same mechanism as Invoke-GPUpdate)
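The refresh and verification steps above, as an added PowerShell example (not part of the original notes). It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed on the admin workstation, and the OU distinguished name is a placeholder to replace.

```powershell
# Added example: force a Group Policy refresh locally and remotely, then
# confirm which GPOs actually applied and why others did not.

# 1. Local refresh. /force reapplies every setting, not only changed ones;
#    /wait:60 blocks up to 60 s so the script can inspect the result afterwards.
gpupdate /force /wait:60

# 2. Remote refresh of every computer in an OU. This is what "right-click OU >
#    Group Policy Update" does: it creates a scheduled task on each target, so
#    the remote scheduled-task firewall rules must be open on those machines.
$ou = 'OU=Servers,DC=example,DC=local'   # placeholder OU
Get-ADComputer -SearchBase $ou -Filter * |
    ForEach-Object { Invoke-GPUpdate -Computer $_.Name -Force -RandomDelayInMinutes 0 }

# 3. Human-readable verification: applied GPOs, and the reason a GPO was
#    skipped (denied by security filtering, blocked inheritance, WMI filter).
gpresult /r /scope:computer
gpresult /h "$env:TEMP\gpresult.html"   # full RSoP report, open in a browser

# 4. Scripted verification from the RSoP WMI provider that gpupdate populates.
#    A GPO with accessDenied = True is one that security filtering excluded.
Get-CimInstance -Namespace 'root\rsop\computer' -ClassName RSOP_GPO |
    Select-Object name, guidName, version, enabled, accessDenied, filterAllowed |
    Sort-Object name
```

Run step 4 on a client after a refresh: a GPO you expected to apply showing `accessDenied = True` is the usual symptom of security filtering that removed Read for the computer account.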
Templates + Central Store
Template
-ADMX files hold the actual settings a GPO can show and set (the matching ADML files hold the per-language text)
-Additional templates can be added (e.g. Office)
-Each OS release adds new template settings, so the newest client/server usually ships the most complete set
Central Store
-Without it, every admin workstation reads its own C:\Windows\PolicyDefinitions, so older machines show stale or mismatched templates
-Nothing to configure: once the PolicyDefinitions folder exists in SYSVOL, GPMC uses it automatically
-..but you still have to copy the most current templates from C:\Windows\PolicyDefinitions (local, on the newest machine) to \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions (on the DC: C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions), including the language subfolder (e.g. en-US) with the ADML files, and repeat after every OS/product update
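The copy step above, as an added PowerShell example (not from the original notes). It assumes it is run on the machine holding the newest templates, by an account with write access to SYSVOL, and that `$domain` is a placeholder for your DNS domain name.

```powershell
# Added example: create or update the Group Policy central store from the
# local PolicyDefinitions folder, then report template gaps.

$domain = 'example.local'   # placeholder
$src    = "$env:SystemRoot\PolicyDefinitions"
$dst    = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

# The mere existence of this folder is what switches GPMC to the central store.
if (-not (Test-Path $dst)) {
    New-Item -ItemType Directory -Path $dst | Out-Null
}

# Copy .admx files plus every language subfolder (en-US etc. with .adml files).
# /XO skips files whose central-store copy is already newer, so an admin
# workstation with older templates cannot silently downgrade the store.
robocopy $src $dst *.admx *.adml /S /XO /R:1 /W:1 /NP

# Templates present locally but still missing from the store (e.g. a product
# template installed on this box only).
$localAdmx = Get-ChildItem $src -Filter *.admx | Select-Object -ExpandProperty Name
$storeAdmx = Get-ChildItem $dst -Filter *.admx | Select-Object -ExpandProperty Name
Compare-Object $localAdmx $storeAdmx | Where-Object SideIndicator -eq '<=' |
    ForEach-Object { "Missing from central store: $($_.InputObject)" }

# ADMX files with no matching ADML for the console language: GPMC shows a
# parse error for those and hides their settings, which is the classic
# "mismatched templates" symptom.
$lang = (Get-Culture).Name   # e.g. en-US
foreach ($admx in $storeAdmx) {
    $base = [IO.Path]::GetFileNameWithoutExtension($admx)
    if (-not (Test-Path (Join-Path $dst "$lang\$base.adml"))) { "No $lang ADML for $admx" }
}
```

Keep one machine (the newest OS build plus the product templates you care about) as the source of truth and run this from it after each update, rather than letting several admins copy ad hoc.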
Scope of Management
Very important: a GPO applies only to the user and computer objects under the container it is linked to
User configuration applies when the user object sits under the linked site/domain/OU (so link user-setting GPOs to the OU holding the user accounts)
Computer configuration applies when the computer object sits under the linked site/domain/OU (so link computer-setting GPOs to the OU holding the computer accounts); the other half of the GPO is simply ignored unless loopback processing is turned on
Multiple group policies often apply
-Settings are cumulative
-Conflicts: the last policy processed wins, i.e. the one linked closest to the object; an Enforced link at a higher level wins over anything below it
Processing Order (LSDOU)
Local
|-> Site
|-> Domain
|-> OU
|-> child OU (several GPOs on one container are processed in link order; link order 1 is applied last and therefore has the highest precedence)
Security Filtering (to make exceptions): restricts which users, computers or groups hold Read + Apply Group Policy on the GPO; the GPO must still be linked above the object. Caveat: since MS16-072 (June 2016) user settings are retrieved in the computer's security context, so if you remove Authenticated Users from the filter, keep Read (not Apply) for Authenticated Users or Domain Computers, otherwise the GPO is silently skipped
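The link, inheritance, enforcement and security-filtering steps above, as one added PowerShell example (not from the original notes). It assumes the GroupPolicy RSAT module and uses placeholder OU names, a placeholder GPO name and a placeholder group.

```powershell
# Added example: set up scope of management from PowerShell instead of GPMC,
# then check what a child OU really inherits.

Import-Module GroupPolicy
$parentOU = 'OU=Workstations,DC=example,DC=local'            # placeholder
$childOU  = 'OU=Kiosks,OU=Workstations,DC=example,DC=local'  # placeholder
$gpoName  = 'WS-Baseline'                                    # placeholder
$group    = 'EXAMPLE\GPO-WS-Baseline-Apply'                  # placeholder

# Create (if needed) and link. Link order 1 is processed last within the OU,
# so among GPOs linked to $parentOU it has the highest precedence.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
New-GPLink -Name $gpoName -Target $parentOU -LinkEnabled Yes -Order 1 -ErrorAction SilentlyContinue | Out-Null

# A child OU that blocks inheritance drops every non-enforced GPO above it ...
Set-GPInheritance -Target $childOU -IsBlocked Yes | Out-Null
# ... so enforce the baseline link; Enforced also wins conflicts with GPOs below.
Set-GPLink -Name $gpoName -Target $parentOU -Enforced Yes | Out-Null

# Security filtering: only $group gets Apply. Authenticated Users is reduced
# to Read rather than removed, because user policy is fetched in the computer's
# security context (MS16-072) and an unreadable GPO is skipped without error.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group -PermissionLevel GpoApply | Out-Null

# Verify: the block is on, yet the enforced link still shows up as inherited.
$inh = Get-GPInheritance -Target $childOU
"Inheritance blocked on ${childOU}: $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks | Select-Object DisplayName, Enforced, Enabled, Order
Get-GPPermission -Name $gpoName -All | Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission
```

Reading `InheritedGpoLinks` on the child OU is the quickest way to settle "why does this GPO still apply here" questions: anything listed with `Enforced = True` cannot be stopped by Block Inheritance.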
Policies and Preferences
Both are mostly registry edits
Policies (managed)
-Setting is enforced while the policy applies (e.g. the UI control is grayed out); written under the Policies keys (HKLM/HKCU\Software\Policies and ...\Microsoft\Windows\CurrentVersion\Policies) that applications are coded to honor
-Applied at startup, logon, refresh
-Removing the policy removes the registry value, so the setting reverts to default
-Takes precedence over a preference for the same setting
Preferences (unmanaged)
-User can reverse the setting (UI not grayed out)
-Re-applied at every refresh by default, or set to "Apply once and do not reapply"
-Setting tattoos the registry: written to the application's normal key, so removing the preference item does not undo it (use the item's Delete or Replace action to clean up)
-Not available in local GPO (domain only)
-Often useful for desktop icons, shortcuts, URLs on the desktop, Send To entries, mapped drives, printers, local users and groups
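An added PowerShell example (not from the original notes) showing how to tell a managed policy from a tattooed preference on a client by where the value lives. `NoControlPanel` is the real registry value behind "Prohibit access to Control Panel and PC settings" (the Control Panel lockout used as an example earlier in these notes); the `HKCU\Network\<letter>` key is where a persistent mapped drive lands. The GPO name is a placeholder.

```powershell
# Added example: classify a registry value as managed (policy) or unmanaged
# (preference/tattoo) from its location, and list what a GPO will write.

function Get-RegistryOrigin {
    param(
        [Parameter(Mandatory)][string]$Path,   # e.g. HKEY_CURRENT_USER\Software\...
        [Parameter(Mandatory)][string]$Name
    )
    $item = Get-ItemProperty -Path "Registry::$Path" -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return "$Path\$Name : not set" }

    # Applications honor the Policies keys; anything outside them is ordinary
    # application state that Group Policy merely wrote once (a tattoo).
    $managed = $Path -match '\\Software\\Policies\\' -or
               $Path -match '\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\'
    $kind = if ($managed) { 'managed policy: reverts when the GPO is removed' }
            else          { 'unmanaged/tattooed: stays when the GPO is removed' }
    "$Path\$Name = $($item.$Name) -> $kind"
}

# Managed: the Control Panel lockout sits under the Policies key; Explorer
# reads it and grays out the UI, and gpupdate deletes it when the GPO goes away.
Get-RegistryOrigin -Path 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name 'NoControlPanel'

# Unmanaged: a Drive Map preference with Reconnect writes the same
# HKCU\Network\<letter> key that "net use /persistent:yes" writes, so the
# mapping survives removal of the preference item unless its action is Delete.
Get-ChildItem 'Registry::HKEY_CURRENT_USER\Network' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-RegistryOrigin -Path $_.Name -Name 'RemotePath' }

# Server side: the registry values a GPO's Administrative Templates policies
# will write. Preferences are stored as XML in SYSVOL and are not shown here.
$gpoName = 'WS-Baseline'   # placeholder
Get-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue |
    Select-Object KeyPath, ValueName, Value, Type
```

The location test is the practical rule of thumb: if an application reads the setting from a Policies key, removing the GPO undoes it; if it reads from its own key, you have to undo it yourself.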
Starter GPOs
Commonly desired (not required) settings used as a template when creating new GPOs
Administrative Templates settings only (no security settings, scripts or preferences)
To start, click "Create Starter GPOs Folder" in GPMC
-creates the StarterGPOs folder in SYSVOL and includes Microsoft's canned starters
Often used for roles
-various types of servers
-laptops
-desktops
-security-sensitive systems
Exportable to a .cab (compressed cabinet file) for import into another domain or forest
Default GPO Permissions
Full control (edit settings, delete, modify security)
-Domain Admins, Enterprise Admins, Creator Owner, SYSTEM
Read + Apply Group Policy: Authenticated Users (which is why every GPO applies to everyone in scope until security filtering narrows it)
Read only: Enterprise Domain Controllers
Grant additional permissions
-Create GPOs: add the user/group to Group Policy Creator Owners (they then have full control only over the GPOs they create)
-Edit: "Edit settings" or "Edit settings, delete, modify security" on the GPO's Delegation tab in GPMC
-Link management: Delegation tab on the site/domain/OU in GPMC, or the Delegation of Control Wizard (DoCW) in Active Directory Users and Computers
-Modeling/Results: same two places ("Perform Group Policy Modeling analyses" and "Read Group Policy Results data")
GPO Security Settings (Computer Configuration > Policies > Windows Settings > Security Settings)
User Rights Assignment (who may log on locally or over RDP, run as a service, debug programs, etc.)
Security Options (LAN Manager authentication level, SMB signing, UAC behavior, etc.)
User Account Control (the UAC switches live under Security Options)
Audit Policy (legacy categories; Advanced Audit Policy Configuration provides the subcategories and overrides the legacy settings when both are set)
Security Templates
Pre-configured "Security Settings" stored as an .inf text file
Apply to a single machine or to many
Apply locally (secedit or the Security Configuration and Analysis snap-in) or through a GPO (import the .inf into Security Settings)
Settings covered
-Account policies, local policies (audit, user rights, security options), event log, restricted groups, system services, registry ACLs, file system ACLs
Configuration tools
-GPO import, secedit.exe (analyze/configure from the command line), Security Configuration and Analysis + Security Templates MMC snap-ins, Security Compliance Manager (separate download; since retired in favour of the Security Compliance Toolkit, which ships the baselines as GPO backups plus LGPO.exe)
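The template workflow above, as an added PowerShell example (not from the original notes): a small constructed .inf template is written to disk, the machine is analyzed against it with secedit, and only then is it applied, with a rollback snapshot taken first. It assumes an elevated prompt; the paths are placeholders.

```powershell
# Added example: analyze before configure with secedit and a security template.

$template = "$env:TEMP\member-server.inf"   # placeholder
$db       = "$env:TEMP\baseline.sdb"
$log      = "$env:TEMP\baseline.log"

# Constructed sample template. Sections/format are the standard .inf layout:
# [System Access] password/lockout, [Privilege Rights] user rights by SID
# (*S-1-5-32-544 = Administrators), [Registry Values] path=type,value (4 = DWORD).
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 14
LockoutBadCount = 10
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
'@ | Set-Content -Path $template -Encoding Unicode

# 1. Snapshot the current local settings so there is a rollback point.
secedit /export /cfg "$env:TEMP\before.inf" /areas SECURITYPOLICY USER_RIGHTS /quiet

# 2. Analyze only. /overwrite discards any stale database so the comparison
#    is against this template alone; mismatches are written to the log.
secedit /analyze /db $db /cfg $template /overwrite /log $log /quiet
Select-String -Path $log -Pattern 'Mismatch|Not Configured' | ForEach-Object Line

# 3. Apply, one area at a time (areas: SECURITYPOLICY USER_RIGHTS GROUP_MGMT
#    SERVICES REGKEYS FILESTORE). GROUP_MGMT (restricted groups) and FILESTORE
#    are the ones that most often lock people out, so stage them separately.
secedit /configure /db $db /cfg $template /areas SECURITYPOLICY USER_RIGHTS /log $log /quiet

# 4. Rollback if needed: reapply the snapshot through a fresh database.
# secedit /configure /db "$env:TEMP\rollback.sdb" /cfg "$env:TEMP\before.inf" /areas SECURITYPOLICY USER_RIGHTS /overwrite
```

The same .inf can be imported into a GPO's Security Settings (right-click > Import Policy) to push it domain-wide once the local analysis on a representative server shows no surprises.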
Locking down software
Software Restriction Policies (SRP)
-Designed for legacy Windows (XP/2003), fairly easy to bypass; the default security level is Unrestricted, so every app is allowed unless a rule blocks it
AppLocker
-Available from Windows 7 Enterprise/Ultimate and Server 2008 R2 onward (8/2012 add packaged-app rules); harder to bypass; once a rule collection has rules and enforcement is on, everything not explicitly allowed in that collection is denied
-Configured at GPO > Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker
-Note: the Application Identity service (AppIDSvc) must be running or no rule is enforced at all; set it to Automatic via Security Settings > System Services in the same policy
-Caveat: a path rule is only as strong as the directory it allows; allowing a user-writable folder lets users run anything placed there, so prefer publisher or hash rules and start in Audit only mode
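The AppLocker setup above, as an added PowerShell example (not from the original notes): start the Application Identity service, generate publisher/hash rules from a reference machine, test the policy against sample files, then publish it to a GPO in audit mode. It assumes the AppLocker and GroupPolicy modules and a pre-created GPO whose name is a placeholder.

```powershell
# Added example: AppLocker policy from inventory to GPO, audit mode first.

# 1. Application Identity service. Without it AppLocker enforces nothing.
#    Its startup type is protected on newer builds, so use sc.exe rather than
#    Set-Service; this is the same change the GPO's System Services node makes.
sc.exe config appidsvc start= auto
Start-Service AppIDSvc

# 2. Inventory Program Files on a clean reference machine and build Publisher
#    rules, falling back to file hash for unsigned binaries. No path rules:
#    they are only as strong as the folder ACL they point at.
$files  = Get-AppLockerFileInformation -Directory $env:ProgramFiles -Recurse -FileType Exe, Dll, Script
$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash -User Everyone -Optimize

# 3. Audit only: clients log 8003 events for what would be blocked instead of
#    blocking, so the rule set can be fixed before anyone is locked out.
foreach ($rc in $policy.RuleCollections) { $rc.EnforcementMode = 'AuditOnly' }

# 4. Test the policy object offline. A collection that has rules denies every
#    file it does not allow, so notepad.exe is Denied here until the default
#    rules for %WINDIR% are added in GPME; the Program Files sample is Allowed.
$samples = @(
    "$env:windir\notepad.exe",
    (Get-ChildItem $env:ProgramFiles -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
        Select-Object -First 1).FullName
)
Test-AppLockerPolicy -PolicyObject $policy -User Everyone -Path $samples |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 5. Publish into the GPO (the Application Control Policies node from the notes),
#    replacing any AppLocker policy already stored there.
$gpo = Get-GPO -Name 'WS-AppLocker'   # placeholder, created beforehand
Set-AppLockerPolicy -PolicyObject $policy -Ldap "LDAP://$($gpo.DomainName)/$($gpo.Path)"

# 6. On a client after gpupdate: 8003 = would have been blocked (audit),
#    8004 = blocked (enforce). Work through 8003s before switching to Enabled.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object Id -in 8003, 8004 |
    Select-Object TimeCreated, Id, Message -First 20
```

Flip `EnforcementMode` to `Enabled` per collection only after the 8003 stream on a pilot OU is empty for a while; an EXE collection in enforce mode with no rule for the Windows folder will stop the machine from logging on cleanly.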