Lesson 2:Deploying Security Templates

 < Day Day Up > 



Deploying your security templates can be a more complex, time-consuming process than creating the templates. Depending on the network environment, you can choose from several different methods of deploying security templates, including:

  • Manually importing the templates into Local Group Policy on individual computers.

  • Importing the templates automatically by using scripting.

  • Importing the templates into Group Policy objects linked to Active Directory directory service.

Additionally, you have a great deal of flexibility in configuring which templates are applied to which computers. Understanding the various ways to link and filter Group Policy objects is important knowledge, both for administering a Windows Server 2003 network and to pass this exam.

After this lesson, you will be able to

  • Add security templates to Group Policy.

  • Describe how inheritance affects Group Policy.

  • Deploy Group Policy to systems across your network.

  • Carefully control which systems Group Policy is applied to.

  • Deploy security templates in environments that do not use Active Directory.

  • Deploy System Policy to Windows NT 4.0 and earlier operating systems.

Estimated lesson time: 60 minutes

Deploying Security Templates Using Active Directory

Most environments with security requirements complex enough to require the use of security templates will also deploy Active Directory to simplify the management of the computers. Active Directory makes it easy to deploy a security template to the computers in your domain by using Group Policy.

Using Group Policy

Windows XP, Windows 2000, and Windows Server 2003 use Group Policy to configure a variety of security and non-security settings. All systems have a Local Group Policy which, in the absence of a higher priority Group Policy setting, is used to define configuration settings. In a domain, Group Policy simplifies management of large numbers of computers by allowing administrators to define software configurations, install new software, deploy updates, and many other tasks for both servers and user computers. An administrator can use Group Policy to set policies that apply across a site, a range of organizational units (OUs), or an entire domain. These network Group Policy settings take priority over the Local Group Policy when present.

Exam Tip 

Remember this for the exam: support for Group Policy is available on computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and Windows Server 2003. Earlier operating systems do not support Group Policy.

A GPO is a collection of Group Policy settings. GPOs are essentially the documents created by the Group Policy Object Editor. GPOs are stored at the domain level, and they affect users and computers that are contained in sites, domains, and organizational units.

While a complete discussion of Group Policy is outside the scope of the exam and this book, it is important to understand how Group Policy can be used to deploy security templates to computers in a domain. In a nutshell, one or more security templates can be imported into a Group Policy object. When the Group Policy object is deployed to client systems, those systems will automatically apply the settings contained within the imported security templates.

Important 

If you make an update to a security template, be sure to re-import it into the Group Policy object.

Importing templates into Group Policy objects

To import a security template into a GPO:

  1. Open Active Directory Users And Computers.

  2. In the console tree, right-click the domain, site, or OU you want to set Group Policy for.

  3. Click Properties, and then click the Group Policy tab.

  4. If you are editing an existing GPO, click the GPO you want to import the security template into. If you need to create a new GPO, click New and then type a name for the GPO.

  5. Click Edit to open the GPO.

    The Group Policy Object Editor appears.

  6. Expand Computer Configuration, and then expand Windows Settings.

  7. Right-click Security Settings, and then click Import Policy.

  8. Browse for the security template you want to import. If you want to remove security settings that already exist in the GPO, select the Clear This Database Before Importing check box. Click Open.

  9. Close the Group Policy Object Editor.

At this point, the GPO has the settings you defined in your security template. However, systems might not have the latest version of the GPO. You can use the Gpupdate.exe tool to immediately apply the template to an individual system, or you can wait until the updated GPO is automatically applied. By default, the security settings are refreshed every 90 minutes on a workstation or server and every 5 minutes on a domain controller. You will see this event if any changes have occurred during these intervals. In addition, the settings are also refreshed every 16 hours, regardless of whether new changes have taken place.

If multiple Group Policy objects are linked to a single domain, site, or OU, verify that the order the policies are applied is correct. If there are conflicting settings in different policies, the higher policy in the list has higher precedence and will overwrite conflicting settings from other policies. As shown in Figure 3.3, you can use the Up and Down buttons on the Group Policy tab of the domain, site, or OU properties to set the precedence.

click to expand
Figure 3.3: Modifying Group Policy precedence

Standard Group Policy inheritance

In general, Group Policy is passed down from parent to child containers within a domain. Group Policy is not inherited from parent to child domains. For example, Group Policy is not inherited from cohowinery.com to accounting.cohowinery.com. However, if you assign a specific Group Policy setting to a high-level parent container, that Group Policy setting applies to all containers beneath the parent container, including the user and computer objects in each container. If a policy setting is defined for a parent organizational unit and the same policy setting is not defined for a child organizational unit, the child inherits the parent’s enabled or disabled policy setting. If you explicitly specify a Group Policy setting for a child container, the child container’s Group Policy setting overrides the parent container’s setting. When multiple GPOs apply, and they do not have a parent/child relationship, the policies are processed in this order: local, site, domain, organizational unit.

If a policy setting that is applied to a parent organizational unit and a policy setting that is applied to a child organizational unit are compatible, the child organizational unit inherits the parent policy setting, and the child’s setting is also applied. If a policy setting that is configured for a parent organizational unit is incompatible with the same policy setting that is configured for a child organizational unit (because the setting is enabled in one case and disabled in the other), the child does not inherit the policy setting from the parent. The policy setting in the child is applied.

You can block policy inheritance at the domain or OU level by opening the properties dialog box for the domain or organizational unit and selecting the Block Policy Inheritance check box. You can enforce policy inheritance by setting the No Override option on a GPO link. When you select the No Override check box, you force all child policy containers to inherit the parent’s policy, even if that policy conflicts with the child’s policy and even if Block Inheritance has been set for the child. You can set No Override on a GPO link by opening the properties dialog box for the site, domain, or organizational unit and making sure that the No Override check box is selected.

Exam Tip 

Policies that are set to No Override cannot be blocked—know this for the exam!

Group Policy inheritance with security groups

You cannot link Group Policy objects directly to a security group. You can, however, use security group membership to allow or disallow members of the group from applying a Group Policy object. In this way, you can control which users receive a Group Policy object by placing them into specific groups.

By default, all Authenticated Users are authorized to apply a Group Policy object. Therefore, to allow only specific groups to apply a GPO, you must first remove the default permissions for Authenticated Users, and then grant permissions for the specific groups to apply the GPO. The most common ways to edit the properties and permissions for a GPO are:

  • Using Active Directory Users And Computers

    1. Click Start, click Administrative Tools, and then click Active Directory Users And Computers.

    2. Right-click the domain or OU, and then click Properties.

    3. Click the Group Policy tab.

    4. Click the GPO you want to edit, and then click Properties.

    5. Click the Security tab.

  • Using Active Directory Sites And Services

    1. Click Start, click Administrative Tools, and then click Active Directory Sites And Services.

    2. Expand Sites, right-click the site to which the GPO is linked, and then click Properties.

    3. Click the Group Policy tab.

    4. Click the GPO you want to edit, and then click Properties.

    5. Click the Security tab.

  • Using the Group Policy Object Editor

    1. Use the Group Policy Object Editor to open the GPO whose scope you want to control by using security groups.

    2. In the console tree, right-click the GPO node, and then click Properties.

    3. Click the Security tab.

Note 

Additionally, you can edit GPOs by using the Group Policy Management Console (GPMC). For more information about GPMC, visit http://www.microsoft.com/windowsserver2003/gpmc/.

After you have opened the properties dialog box for a GPO, enable only a specified group to apply a Group Policy object by following these steps:

  1. Click the Authenticated Users group. In the Permissions box, select the Deny Apply Group Policy check box.

  2. Click the Add button to add the security group to the Group Or User Names list.

  3. Click the new security group. In the Permissions box for the selected security group, select the Grant Apply Group Policy check box, as shown in Figure 3.4, to explicitly allow the selected security group to apply the Group Policy object.

    click to expand
    Figure 3.4: Denying a security group access to a Group Policy object

Modifying Group Policy inheritance using WMI filtering

When you need to restrict the application of GPOs based on a property of the user or computer, rather than security group memberships, you can use Windows Management Instrumentation (WMI) filters. Each GPO can be linked to one WMI filter; however, the same WMI filter can be linked to multiple GPOs. Before you can link a WMI filter to a GPO, you must create the filter. The WMI filter is evaluated on the destination computer (running either Windows XP or Windows Server 2003) during processing of Group Policy.

A WMI filter consists of one or more WMI Query Language (WQL) queries. The WMI filter applies to every setting in the GPO, so administrators must create separate GPOs if they have different filtering requirements for different settings. The WMI filters are evaluated on the destination computer after the list of potential GPOs is determined and filtered based on security group membership. Windows XP and Windows Server 2003 will only apply the GPO if the WMI filter evaluates to TRUE. Windows 2000 does not support WMI filtering, so computers running Windows 2000 ignore the WMI filter and will always apply the GPO.

Because WMI filters are ignored on computers running Windows 2000, a filtered GPO will always be applied on them. However, you can work around this by using two GPOs and giving the one with Windows 2000 settings higher precedence. Then use a WMI filter for that Windows 2000 GPO, and only apply it if the operating system is Windows 2000, not Windows XP Professional. The computer running Windows 2000 will receive the Windows 2000 GPO and will override the settings in the Windows XP Professional GPO. The client running Windows XP Professional will receive all the settings in the Windows XP Professional GPO.

To define and apply a new WMI filter, follow these steps:

  1. View the GPO properties.

  2. Click the WMI Filter tab.

  3. Click This Filter, and then click Browse/Manage.

  4. In the Manage WMI Filters window, click Advanced, and then click New.

  5. Complete the Name, Description, and Queries fields, and then click Save.

    Figure 3.5 shows the Manage WMI Filters window with a filter designed to apply the GPO only to computers running Windows XP Professional.

    click to expand
    Figure 3.5: Managing WMI filters

  6. Click the filter you want to apply to the GPO, and then click OK to close the GPO Properties page.

This book does not cover creating WMI filter queries. For the purposes of the exam, it is important to understand that computers running Windows 2000 and earlier do not support WMI filtering and will always apply a GPO with WMI filtering. You should also know that you can use WMI filters to apply a GPO to computers based on operating system, hardware, and other factors. When troubleshooting a problem related to a GPO not being applied to a computer running Windows XP Professional or Windows Server 2003, check to verify that WMI filtering is not the cause of the problem.

Deploying Security Templates Without Active Directory

Using Active Directory makes managing a large network of computers running Windows much easier. However, not all networks use Active Directory. Fortunately, you can still deploy security templates by using tools that do not rely on Active Directory, including the Group Policy Object Editor, the Security Configuration And Analysis snap-in, and Secedit.

Using Group Policy Object Editor

You can use the Group Policy Object Editor snap-in to immediately apply configuration settings to the Local Group Policy object on a computer. To do this, follow these steps:

  1. Open a blank MMC console by clicking Start and then clicking Run. Type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-In.

  3. Click Add, click Group Policy Object Editor, and then click Add.

    The Group Policy Wizard appears. The Local Computer GPO should be selected by default.

  4. Click Finish.

  5. Expand Local Computer Policy, Computer Configuration, and then Windows Settings.

  6. Right-click Security Settings, and then click Import Policy.

  7. Browse to select the security template you want to import, and then click Open.

Using Security Configuration And Analysis

You can also use the Security Configuration And Analysis snap-in to immediately apply configuration settings to a computer. To do this, follow these steps:

  1. Open a blank MMC console, and add the Security Configuration And Analysis snap-in.

  2. In the console tree, right-click Security Configuration And Analysis, and then click Open Database.

  3. In the File Name box, type a file name and then click Open.

  4. Browse for the security template you want to import. If you want to remove security settings that already exist in the GPO, select the Clear This Database Before Importing check box. Click Open.

  5. If you want to apply multiple security templates to the computer, right-click Security Configuration And Analysis, and then click Import Template. Browse for the security template you want to import, and then click Open. Repeat this step for each security template you want to import.

  6. In the console tree, right-click Security Configuration And Analysis, and then click Configure Computer Now.

  7. Use the default error log path by clicking OK.

    The Configuring Computer Security window appears while the security template is being applied. The security settings take effect immediately.

    See Also 

    The Security Configuration And Analysis snap-in is described in more detail in Chapter 4, “Hardening Computers for Specific Roles.”

Using Secedit

Secedit.exe is a command-line tool that provides similar functionality to the graphical Security Configuration And Analysis snap-in. By calling the Secedit.exe tool at a command prompt from a batch file or an automatic task scheduler, you can use it to automatically create and apply templates and analyze system security. You can also run it dynamically from a command prompt. Secedit.exe is useful when you have multiple computers on which security must be analyzed or configured, and you need to perform these tasks during off hours.

To apply a security template by using Secedit, follow these steps:

  1. Open a command prompt by clicking Start, pointing to All Programs, pointing to Accessories, and then clicking Command Prompt.

  2. At the command prompt, type secedit /import /cfg filename.inf. For example, to import the hisecdc.inf predefined security template, execute the following command:

    secedit /configure /db hisecws.sdb /cfg %windir%\security\templates
    \hisecdc.inf /overwrite /log hisecws.log

  3. When prompted, type y.

Secedit has a unique ability not found in other tools—it can import only portions of a security template by using the /areas parameter. After the /areas parameter, list one or more of the following options to import that portion of the security template:

  • SECURITYPOLICY. Imports account policies, audit policies, event log settings, and security options.

  • GROUP_MGMT. Imports restricted group settings.

  • USER_RIGHTS. Imports user rights assignment.

  • REGKEYS. Imports registry permissions.

  • FILESTORE. Imports file system permissions.

  • SERVICES. Imports system service settings.

For example, the following command imports only the services and file system portions of the hisecdc.inf predefined security template:

secedit /configure /db hisecws.sdb /cfg %windir%\security\templates\hisecdc.inf  /overwrite /log hisecws.log /areas SERVICES FILESTORE

For a complete description of Secedit, execute the command Secedit /? at a command prompt.

Practice: Applying and Deploying Security Templates

In this practice, you will manually apply a security template and then view the effects. You will then import a security template into Group Policy.

Exercise 1: Review Current Password Policies

In this exercise, you will determine Computer1’s active password policy settings. Later, you will apply a security template to modify these settings.

  1. Log on to the cohowinery.com domain on Computer1 using the Administrator account.

  2. Create a new MMC console, and add the Resultant Set Of Policy snap-in.

  3. In the left pane, right-click Resultant Set Of Policy, and then click Generate RSoP Data.

    The Resultant Set Of Policy Wizard appears.

  4. On the Welcome page, click Next.

  5. On the Mode Selection page, click Logging Mode, and then click Next.

  6. On the Computer Selection page, click This Computer, and then click Next.

  7. On the User Selection page, click Do Not Display User Policy Settings In The Results, and then click Next.

  8. On the Summary Of Selections page, click Next.

    The Resultant Set Of Policy Wizard analyzes Computer1’s current configuration. This is the best way to determine what security settings are currently applied to a computer, because any one computer can receive security settings from multiple sources.

  9. On the Completing The Resultant Set Of Policy Wizard page, click Finish.

  10. In the left pane of the MMC console, expand COMPUTER1 – RSoP, then expand Computer Configuration, Windows Settings, Security Settings, and Account Policies.

  11. Click Password Policy.

    The right pane will display Computer1’s active password policies. Note the minimum password length, which should still be set to the default setting.

Exercise 2: Apply the Security Template

In this exercise, you will apply the security template you created in Lesson 1 to Computer1 by using the Domain Controller Security Policy console, and then verify that the settings were applied.

  1. Open the Domain Controller Security Policy console.

  2. Right-click Security Settings, and then click Import Policy.

  3. In the Import Policy From dialog box, navigate to My Documents\Templates. Click Domain Password Requirements.inf, and then click Open.

  4. In the left pane, expand Account Policies, and then click Password Policy. Note that the Minimum Password Length, Password Must Meet Complexity Requirements, and Store Passwords Using Reversible Encryption policies are all defined.

  5. Close the Domain Controller Security Policy console.

  6. Click Start, and then click Run. In the Open field, type gpupdate /force, and then click OK.

    The Gpupdate tool causes Windows Server 2003 to immediately refresh Group Policy settings.

  7. After Gpupdate has finished, return to the console you created in Exercise 1 of this lesson. Right-click COMPUTER1 – RSoP, and then click Refresh Query.

  8. In the left pane of the MMC console, expand COMPUTER1 – RSoP, and then expand Computer Configuration, Windows Settings, Security Settings, and Account Policies.

  9. Click Password Policy.

    The right pane will display Computer1’s active password policies. Note the minimum password length, which should be set to 10 characters—the policy defined in the custom Domain Password Requirements security template.

Exercise 3: Apply a Predefined Template Using Group Policy

In this exercise, you will apply one of the predefined security templates to an OU by using Group Policy.

  1. Open the Active Directory Users And Computers console.

  2. Right-click cohowinery.com, click New, and then click Organizational Unit.

    The New Object dialog box appears.

  3. In the Name field, type Secure Workstations. Click OK.

  4. Right-click Secure Workstations, and then click Properties.

  5. Click the Group Policy tab, and then click the New button.

  6. Name the Group Policy Secure Workstation Policy.

  7. Click the new policy, and then click Edit.

    The Group Policy Object Editor appears.

  8. Expand Computer Configuration, and then expand Windows Settings. Right-click Security Settings, and then click Import Policy.

  9. In the Import Policy From dialog box, navigate to C:\Windows\Security\Templates, and click Hisecws.inf. Click Open.

  10. Close the Group Policy Object Editor.

  11. In the Secure Workstation Properties dialog box, click Close to return to the Active Directory Users And Computers console.

    Now any computers you add to the Secure Workstations OU will have the Hisecws.inf predefined security template applied.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and try the question again. You can find answers to the questions in the “Questions and Answers” section at the end of this chapter.

  1. Which is the correct tool to use to most efficiently deploy a security template to a single domain member?

    1. Group Policy Object Editor snap-in

    2. Security Configuration And Analysis snap-in

    3. Security Templates snap-in

    4. Local Security Policy console snap-in

    5. Secedit command-line tool

  2. Which is the correct tool to use to most efficiently deploy a security template to hundreds of computers in a domain?

    1. Group Policy Object Editor snap-in

    2. Security Configuration And Analysis snap-in

    3. Security Templates snap-in

    4. Local Security Policy console snap-in

    5. Secedit command-line tool

  3. Which is the correct tool to use to most efficiently deploy a security template to dozens of standalone computers?

    1. Group Policy Object Editor snap-in

    2. Security Configuration And Analysis snap-in

    3. Security Templates snap-in

    4. Local Security Policy console snap-in

    5. Secedit command-line tool

Lesson Summary

  • The easiest way to deploy security templates to multiple systems is to use Group Policy.

  • Group Policy can be applied to a domain, a site, or an OU.

  • You can further restrict which computers and users a Group Policy object applies to by restricting permissions to the Group Policy object, or by using WMI filtering.

  • You can use Secedit to apply a security template from the command line. By using this tool, you can automatically deploy security policies to systems that are not members of a domain.

  • You can manually apply a security template to a computer by using the Group Policy Object Editor or the Security Configuration And Analysis snap-in.



 < Day Day Up > 



MCSA(s)MCSE Self-Paced Training Kit Exam 70-299 (c) Implementing and Administering Security in a M[.  .. ]twork
MCSA/MCSE Self-Paced Training Kit (Exam 70-299): Implementing and Administering Security in a MicrosoftВ® Windows Server(TM) 2003 Network (Pro-Certification)
ISBN: 073562061X
EAN: 2147483647
Year: 2004
Pages: 217

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net