1、Module 7: Implementing Security Using Group Policy,Module Overview,Configuring Security Policies Implementing Fine-Grained Password Policies Restricting Group Membership and Access to Software Managing Security Using Security Templates,Lesson 1: Configuring Security Policies,What Are Security Polici

2、es? What Is the Default Domain Security Policy? What Are the Account Policies? What Are Local Policies? What Are Network Security Policies? Windows Firewall with Advanced Security Demonstration: Overview of Additional Security Settings Demonstration: What Is the Default Domain Controller Security Po

3、licy?,What Are Security Policies?,What Is the Default Domain Security Policy?,Provides account policies for the domain; other settings are not configured by default Use to provide security settings that will affect the entire domain Use domain policy to provide security settings, as a best practice.

4、 Use separate GPOs to provide other types of settings,Domain,Default domain policy,Account and security settings,What Are the Account Policies?,Account policies mitigate the threat of brute force guessing of account passwords,What Are Local Policies?,Every computer running Windows 2000 and later has

5、 a local security policy that is part of local Group Policy,Domain policy will override local policies in cases of conflict,In a workgroup, you must configure local security policies to provide security,You can assign local rights through local Group Policies,Security options control many different

6、aspects of a computers security,Local Policies determine the security options for a user or service account,What Are Network Security Policies?,Separate wireless policies for Windows XP and Windows Vista,Windows Vista policies contain more options for wireless,Windows Vista wireless policies can den

7、y access to wireless networks,802.1x authentication can be configured via Group Policy,Only Windows Vista and later can receive wired network policies,Define the available networks and authentication methods for wireless connections for Windows Vista and Windows XP clients, and LAN authentication fo

8、r Windows Vista and Windows Server 2008 clients,Windows Firewall with Advanced Security,Supports filtering for both incoming and outgoing traffic,Used for advanced settings configuration,Provides integrated firewall filtering and IPsec protection settings,Allows rule configuration for various criter

9、ia, such as users, groups, and TCP and UDP ports,Provides network location-aware profiles,Can import or export policies,A stateful host-based firewall that allows or blocks network traffic according to its configuration,Windows Server 2008,Internet,LAN,Firewall,Firewall rules control inbound and out

10、bound traffic,Demonstration: Overview of Additional Security Settings,In this demonstration, you will see how to configure additional security settings,Demonstration: What Is the Default Domain Controller Security Policy?,In this demonstration, you will see the default domain controller policy setti

11、ngs,Provides an extra layer of security for domain controllers,Allows many user rights to be configured,Provides enabled auditing,Lesson 2: Implementing Fine-Grained Password Policies,What Are Fine-Grained Password Policies? How Fine-Grained Password Policies Are Implemented Implementing Fine-Graine

12、d Password Policies Demonstration: Implementing Fine-Grained Password Policies,What Are Fine-Grained Password Policies?,Administrator group,Manager group,End user group,Password changes: 7 days,Password changes: 14 days,Password changes: 30 days,Fine-grained passwords allow multiple password policie

13、s to exist in the same domain,How Fine-Grained Password Policies Are Implemented,Considerations when implementing PSOs:,Password Settings Container and Password Setting Objects are new schema object classes,PSOs can only be applied to users or global groups,PSOs can be created through ADSI Edit or L

14、DIFDE,A PSO has the following settings available:,Password policies Account lockout policies PSO Link Precedence,Implementing Fine-Grained Password Policies,Shadow groups can be used to apply a PSO to all users that do not already share a global group membership A user or group could have multiple P

15、SOs linked to them The precedence attribute is used to resolve conflicts Lower precedence values have higher priority PSOs linked directly to user objects override PSOs linked to a users global groups If there are no PSOs, normal domain account policies apply,Demonstration: Implementing Fine-Grained

16、 Password Policies,In this demonstration, you will see how to create and apply PSOs,Lesson 3: Restricting Group Membership and Access to Software,What Is Restricted Group Membership? Demonstration: Configuring Restricted Group Membership What Is a Software Restriction Policy? Options for Configuring

17、 Software Restriction Policies Demonstration: Configuring Software Restriction Policies,What Is Restricted Group Membership?,Group Policy can control group membership:,For any group on a local computer, by applying a GPO to the OU that holds the computer account For any group in AD DS, by applying a

18、 GPO to the domain controller,Demonstration: Configuring Restricted Group Membership,In this demonstration, you will see how to configure restricted groups,What Is a Software Restriction Policy?,A policy-driven mechanism that identifies and controls software on a client computer A mechanism restrict

19、ing software installation and viruses A component with two parts: A default rule with three options: Unrestricted, Basic, and Disallowed Exceptions to the default rule,Options for Configuring Software Restriction Policies,Certificate Rule Checks for digital signature on application Use when you want

20、 to restrict Win32 applications and ActiveX content,Internet Zone Rule Controls how Internet Zones can be accessed Use in high-security environments to control access to Web applications,Hash Rule Use to employ MD5 or SHA1 hash of a file to confirm identity Use to allow or prohibit a certain file ve

21、rsion from being run,Path Rule Use when restricting a file path Use when multiple files exist for the same application Essential when SRPs are strict,Demonstration: Configuring Software Restriction Policies,In this demonstration, you will see how to configure a software restriction policy,Lesson 4:M

22、anaging Security Using Security Templates,What Are Security Templates? Demonstration: Applying Security Templates What Is the Security Configuration Wizard? Demonstration: Configuring Server Security Using the Security Configuration Wizard Options for Integrating the Security Configuration Wizard an

23、d Security Templates Demonstration: Importing Security Configuration Policies into Security Templates,What Are Security Templates?,Security templates:,Allow administrators to apply consistent security settings to multiple computers,Can be applied via Group Policy,Can be designed based on server role

24、s,Demonstration: Applying Security Templates,In this demonstration, you will see how to create a security template and import it into a GPO,What Is the Security Configuration Wizard?,SCW provides guided attack surface reduction by:,Disabling unnecessary services and Internet Information Services (II

25、S)Web extensions Blocking unused ports and securing ports that are left open using IPSec Reducing protocol exposure Configuring audit settings,SCW supports:,Rollback Analysis Remote configuration Command-line support Active Directory integration Policy editing,Demonstration: Configuring Server Secur

26、ity Using the Security Configuration Wizard,In this demonstration, you will see how to create a security policy using the SCW,Options for Integrating the Security Configuration Wizard and Security Templates,Options:,Policies created with the SCW can be applied individually Other Security templates c

27、an be incorporated into the SCW,Scwcmd.exe command-line utility can be used to convert the XML policy into a GPO,Demonstration: Importing Security Configuration Policies into Security Templates,In this demonstration, you will see how to transform the XML policy file into a GPO,Lab: Implementing Security