
Module 7: Implementing Security Using Group Policy
Module Overview
• Configuring Security Policies

• Implementing Fine-Grained Password Policies

• Restricting Group Membership and Access to Software

• Managing Security Using Security Templates


Lesson 1: Configuring Security Policies
• What Are Security Policies?

• What Is the Default Domain Security Policy?

• What Are the Account Policies?

• What Are Local Policies?

• What Are Network Security Policies?

• Windows Firewall with Advanced Security

• Demonstration: Overview of Additional Security Settings

• Demonstration: What Is the Default Domain Controller Security Policy?
What Are Security Policies?
What Is the Default Domain Security Policy?

• Provides account policies for the domain; other settings are not configured by default
• Use to provide security settings that will affect the entire domain
• Use domain policy to provide security settings, as a best practice. Use separate GPOs to provide other types of settings

[Diagram: the Default Domain Policy, linked at the domain, supplies the account and security settings]
What Are the Account Policies?
Account policies mitigate the threat of brute-force guessing of account passwords

Account policies consist of:

Policy           Description (default values)
Password         • Enforce password history: 24 passwords remembered
                 • Maximum password age: 42 days
                 • Minimum password age: 1 day
                 • Minimum password length: 7 characters
                 • Password must meet complexity requirements: enabled
                 • Store passwords using reversible encryption: disabled
Account lockout  • Account lockout duration: not defined
                 • Account lockout threshold: 0 invalid logon attempts
                 • Reset account lockout counter after: not defined
Kerberos         • Can only be applied at the domain level


What Are Local Policies?

Local policies determine the security options for a user or service account:

• Every computer running Windows 2000 and later has a local security policy that is part of local Group Policy
• In a workgroup, you must configure local security policies to provide security
• Domain policy will override local policies in cases of conflict
• You can assign local user rights through local Group Policy
• Security options control many different aspects of a computer's security
What Are Network Security Policies?
Define the available networks and authentication methods for wireless connections for Windows Vista and Windows XP clients, and LAN authentication for Windows Vista and Windows Server 2008 clients:

• Separate wireless policies for Windows XP and Windows Vista
• Windows Vista policies contain more options for wireless
• Windows Vista wireless policies can deny access to wireless networks
• 802.1X authentication can be configured via Group Policy
• Only Windows Vista and later can receive wired network policies

[Diagram: a GPO delivers wired and wireless policies to Windows Vista, and wireless policies only to Windows XP]


Windows Firewall with Advanced Security
A stateful host-based firewall that allows or blocks network traffic according to its configuration:

• Supports filtering for both incoming and outgoing traffic
• Used for advanced settings configuration
• Provides integrated firewall filtering and IPsec protection settings
• Allows rule configuration for various criteria, such as users, groups, and TCP and UDP ports
• Provides network location-aware profiles
• Can import or export policies

[Diagram: a Windows Server 2008 host firewall sits between the Internet and the LAN; firewall rules control inbound and outbound traffic]
Demonstration: Overview of Additional Security Settings
In this demonstration, you will see how to configure
additional security settings
Demonstration: What Is the Default Domain Controller Security Policy?

• Provides an extra layer of security for domain controllers
• Provides enabled auditing
• Allows many user rights to be configured

In this demonstration, you will see the default domain controller policy settings
Lesson 2: Implementing Fine-Grained Password Policies
• What Are Fine-Grained Password Policies?

• How Fine-Grained Password Policies Are Implemented

• Implementing Fine-Grained Password Policies

• Demonstration: Implementing Fine-Grained Password Policies
What Are Fine-Grained Password Policies?

Fine-grained password policies allow multiple password policies to exist in the same domain

[Diagram: Administrator group, password changes every 7 days; Manager group, every 14 days; End user group, every 30 days]
How Fine-Grained Password Policies Are Implemented

Considerations when implementing PSOs:

• Password Settings Container and Password Settings Objects (PSOs) are new schema object classes
• PSOs can be created through ADSI Edit or LDIFDE
• PSOs can only be applied to users or global groups

A PSO has the following settings available:

• Password policies
• Account lockout policies
• PSO link
• Precedence
Implementing Fine-Grained Password Policies

• Shadow groups can be used to apply a PSO to all users that do not already share a global group membership
• A user or group could have multiple PSOs linked to them
• The precedence attribute is used to resolve conflicts
• Lower precedence values have higher priority
• PSOs linked directly to user objects override PSOs linked
to a user’s global groups
• If there are no PSOs, normal domain account policies apply
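An added example, not part of the course, that walks through the rules above with the Active Directory PowerShell module (Windows Server 2008 R2 RSAT or later): two PSOs with different precedence values, a shadow group built from an OU, and the resultant-policy check for one user. The OU "OU=Managers,DC=example,DC=com", the group "SG-Managers" and the user "jdoe" are assumed names; "Domain Admins" is the built-in group.

```powershell
# Added example, not part of the course: create two PSOs, link them to global groups
# (one a shadow group built from an OU), and check which PSO wins for a user.
# Assumes the Active Directory PowerShell module and a domain containing the
# OU, group and user named below (all assumptions except "Domain Admins").
Import-Module ActiveDirectory

$managersOU = 'OU=Managers,DC=example,DC=com'   # assumed OU
$user       = 'jdoe'                             # assumed user

# Stricter policy for administrators. A lower precedence value wins over a higher one.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Administrators' -Precedence 10 `
    -MinPasswordLength 14 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 7) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) -ProtectedFromAccidentalDeletion $true

# Looser policy for managers, with a higher (lower-priority) precedence value.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Managers' -Precedence 20 `
    -MinPasswordLength 10 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 14) `
    -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) -ProtectedFromAccidentalDeletion $true

# Shadow group: PSOs cannot be linked to an OU, so collect the OU's users into a
# global security group and link the PSO to that group instead.
New-ADGroup -Name 'SG-Managers' -GroupScope Global -GroupCategory Security -Path $managersOU
$ouUsers = Get-ADUser -SearchBase $managersOU -SearchScope OneLevel -Filter *
if ($ouUsers) { Add-ADGroupMember -Identity 'SG-Managers' -Members $ouUsers }

# PSOs apply only to users or global groups (the msDS-PSOAppliesTo attribute).
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Administrators' -Subjects 'Domain Admins'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Managers' -Subjects 'SG-Managers'

# Resultant policy for the user: if jdoe is in both groups, PSO-Administrators (10) wins;
# a PSO linked directly to jdoe would override both group-linked PSOs. When no PSO
# applies, the cmdlet returns nothing, meaning the domain account policy is in effect.
$rsop = Get-ADUserResultantPasswordPolicy -Identity $user
if ($rsop) { $rsop | Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold }
else { "No PSO applies to $user; the Default Domain Policy account settings are in effect." }
```

Re-run the last two lines after any membership or precedence change; the resultant policy is the quickest way to confirm that a conflict resolved the way the precedence values intend.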
Demonstration: Implementing Fine-Grained Password Policies
In this demonstration, you will see how to create and
apply PSOs
Lesson 3: Restricting Group Membership and Access to Software
• What Is Restricted Group Membership?

• Demonstration: Configuring Restricted Group Membership

• What Is a Software Restriction Policy?

• Options for Configuring Software Restriction Policies

• Demonstration: Configuring Software Restriction Policies


What Is Restricted Group Membership?

Group Policy can control group membership:

• For any group on a local computer, by applying a GPO to the OU that holds the computer account
• For any group in AD DS, by applying a GPO to the domain controller
Demonstration: Configuring Restricted Group Membership
In this demonstration, you will see how to configure
restricted groups
What Is a Software Restriction Policy?

• A policy-driven mechanism that identifies and controls software on a client computer
• A mechanism for restricting software installation and viruses
• A component with two parts:
  • A default rule with three options: Unrestricted, Basic, and Disallowed
  • Exceptions to the default rule
Options for Configuring Software Restriction Policies

Hash rule
• Uses an MD5 or SHA1 hash of a file to confirm its identity
• Use to allow or prohibit a certain file version from being run

Certificate rule
• Checks for a digital signature on the application
• Use when you want to restrict Win32 applications and ActiveX content

Path rule
• Use when restricting a file path
• Use when multiple files exist for the same application
• Essential when SRPs are strict

Internet zone rule
• Controls how Internet zones can be accessed
• Use in high-security environments to control access to Web applications
Demonstration: Configuring Software Restriction Policies
In this demonstration, you will see how to configure a
software restriction policy
Lesson 4: Managing Security Using Security Templates
• What Are Security Templates?

• Demonstration: Applying Security Templates

• What Is the Security Configuration Wizard?

• Demonstration: Configuring Server Security Using the Security Configuration Wizard
• Options for Integrating the Security Configuration Wizard
and Security Templates
• Demonstration: Importing Security Configuration Policies
into Security Templates
What Are Security Templates?

Security templates:

• Allow administrators to apply consistent security settings to multiple computers
• Can be designed based on server roles
• Can be applied via Group Policy


Demonstration: Applying Security Templates
In this demonstration, you will see how to create a security
template and import it into a GPO
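An added example, not part of the course, of the verification step that follows applying a template: it exports the policy currently in effect on a host with secedit.exe, parses the [System Access] section of the resulting template, and reports any setting that differs from the default domain account policy values listed in Lesson 1. It assumes an elevated PowerShell session on a domain-joined Windows host; the file path is chosen here.

```powershell
# Added example, not part of the course: compare the effective account policy on this
# host with the Lesson 1 default domain values. Assumes an elevated session on a
# domain-joined Windows host; secedit.exe ships with Windows.

# Lesson 1 default account policy values, keyed by their [System Access] names
# in the security template (.inf) format.
$expected = [ordered]@{
    PasswordHistorySize   = '24'   # Enforce password history
    MaximumPasswordAge    = '42'   # days
    MinimumPasswordAge    = '1'    # days
    MinimumPasswordLength = '7'    # characters
    PasswordComplexity    = '1'    # 1 = complexity required
    ClearTextPassword     = '0'    # 0 = reversible encryption disabled
    LockoutBadCount       = '0'    # 0 = no lockout
}

# Parse one section of a security template or secedit export (INF layout).
function Get-TemplateSection {
    param([string]$Path, [string]$Section)
    $result = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq $Section); continue }
        if ($inSection -and $line -match '^\s*([^=\s]+)\s*=\s*(.*?)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

# secedit /export writes the policy currently in effect (local settings plus
# whatever Group Policy has applied) to a template file.
$exportPath = Join-Path $env:TEMP 'effective-policy.inf'   # assumed output path
secedit.exe /export /cfg $exportPath | Out-Null

$actual = Get-TemplateSection -Path $exportPath -Section 'System Access'

$drift = foreach ($name in $expected.Keys) {
    if ($actual[$name] -ne $expected[$name]) {
        [pscustomobject]@{ Setting = $name; Expected = $expected[$name]; Actual = $actual[$name] }
    }
}

if ($drift) { $drift | Format-Table -AutoSize }
else { 'Effective account policy matches the Lesson 1 default domain values.' }
```

To compare against a complete template rather than these seven values, secedit.exe /analyze /db baseline.sdb /cfg baseline.inf /log baseline.log performs the same kind of comparison across every section of the template.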
What Is the Security Configuration Wizard?

SCW provides guided attack surface reduction by:

• Disabling unnecessary services and Internet Information Services (IIS) Web extensions
• Blocking unused ports and securing ports that are left open using IPsec
• Reducing protocol exposure
• Configuring audit settings

SCW supports:

• Rollback
• Analysis
• Remote configuration
• Command-line support
• Active Directory integration
• Policy editing
Demonstration: Configuring Server Security Using the Security Configuration Wizard
In this demonstration, you will see how to create a security
policy using the SCW
Options for Integrating the Security Configuration Wizard and Security Templates

Options:

• Policies created with the SCW can be applied individually
• Other security templates can be incorporated into the SCW
• The Scwcmd.exe command-line utility can be used to convert the XML policy into a GPO
Demonstration: Importing Security Configuration Policies into Security Templates
In this demonstration, you will see how to transform the
XML policy file into a GPO
Lab: Implementing Security Using Group Policies
• Exercise 1: Configuring Domain Security Settings

• Exercise 2: Implementing Fine-Grained Password Policies

• Exercise 3: Configuring Restricted Groups and Software Restriction Policies
• Exercise 4: Configuring Security Templates

• Exercise 5: Verifying the Security Configuration

Logon information
Virtual machines: 6425A-NYC-DC1, NYC-CL1, NYC-SVR1
User name: Administrator
Password: Pa$$w0rd

Estimated time: 75 minutes


Lab Review
• You want to control which wireless networks your
Windows Vista clients will have access to. What is the best
way to accomplish this?
• You need to harden security on all the database servers
across your organization. What tool is best suited for this
task?
• You used the Security Configuration Wizard to create a
policy for your servers running IIS. You transformed the
policy into a GPO. You applied the GPO to the proper OU,
but the IIS settings are not being deployed. What is the
problem?
Module Review and Takeaways
• Considerations

• Review questions
