2. Group Policy Objects (GPO) [11]
• A GPO applies rights or limitations to all the AD objects in a container (or set of containers)
• A container may be a site, domain or organisational unit (OU). GPOs are linked to containers, not to groups: a group can only narrow which objects an already-linked GPO applies to (security filtering); a GPO cannot be linked to a group
• Aim of GPOs is to simplify management of the network with reference to rules that apply to multiple users and/or machines
Network Design & Administration
3. GPO Applicability [1]
• GPOs can control settings for software configuration, registry, security configuration, software installation and lots more!
• Hierarchy of GPOs: they are processed in the order Local, Site, Domain, OU (parent OU before child OU), and on a conflict the setting applied last wins, so by default a GPO linked closer to the object overrides one linked higher up. A link marked Enforced reverses this (it is processed last and cannot be blocked), and an OU set to Block Inheritance discards every non-enforced link above it
• Filtering (security filtering on the GPO's "Apply Group Policy" permission, and WMI filters) and delegation can be applied to limit scope or customise
• Some cases where GPOs fail to apply can be tricky to debug: gpresult /r (or the GPMC "Group Policy Results" wizard) shows the resultant set of policy, which GPOs were applied, and which were filtered out or denied
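The precedence rules above are easy to get wrong in practice, so here is an added example (written for this page; it is not lecture code and not a Microsoft tool) that models them in Python: local policy, container chain, link order, Enforced, Block Inheritance and security filtering. Every GPO name, container and setting in it is invented; real resultant-set-of-policy data comes from gpresult or the GPMC.

```python
"""Toy resolver for Group Policy precedence: Local, Site, Domain, OU (LSDOU),
link order within a container, Enforced links, Block Inheritance and security
filtering. Constructed model for illustration, not a Microsoft tool.
All GPO names, containers and setting names below are invented.
"""
from dataclasses import dataclass


@dataclass
class Gpo:
    name: str
    settings: dict                                   # setting name -> configured value
    # Security filtering: the GPO applies only if the target holds the
    # "Apply Group Policy" permission through one of these groups.
    apply_groups: frozenset = frozenset({"Authenticated Users"})


@dataclass
class Link:
    gpo: Gpo
    enabled: bool = True
    enforced: bool = False


@dataclass
class Container:
    """A site, domain or OU. links[0] has link order 1 (highest precedence in this
    container) and is therefore processed *last* among the container's links."""
    name: str
    links: list
    block_inheritance: bool = False


def processing_order(chain, local=None):
    """GPOs in the order Group Policy processes them; a later GPO wins a conflict.
    `chain` runs from the outermost container (site or domain) down to the
    target's own OU."""
    order = []
    if local is not None:
        order.append(local)      # local policy first; it is not a link, so it is never blocked
    # Block Inheritance on a container drops every non-enforced link above it;
    # the lowest blocking container in the chain therefore covers all of them.
    start = 0
    for i, container in enumerate(chain):
        if container.block_inheritance:
            start = i
    # Non-enforced links: top of the chain to bottom, reverse link order inside a container.
    for container in chain[start:]:
        for link in reversed(container.links):
            if link.enabled and not link.enforced:
                order.append(link.gpo)
    # Enforced links ignore blocking and are processed after everything else;
    # an enforced link on a higher container beats one on a lower container.
    for container in reversed(chain):
        for link in reversed(container.links):
            if link.enabled and link.enforced:
                order.append(link.gpo)
    return order


def resolve(chain, local=None, groups=frozenset({"Authenticated Users"})):
    """Resultant set of policy: setting name -> (winning value, winning GPO name)."""
    rsop = {}
    for gpo in processing_order(chain, local):
        if gpo is not local and not (gpo.apply_groups & groups):
            continue             # filtered out: target is in none of the GPO's apply groups
        for setting, value in gpo.settings.items():
            rsop[setting] = (value, gpo.name)       # last writer wins
    return rsop


# --- constructed example domain (names and settings are invented) ---
LOCAL = Gpo("Local Computer Policy", {"ScreenSaverTimeout": 600})
BASELINE = Gpo("Security Baseline", {"SmartCardRequired": True})
DEFAULT_DOMAIN = Gpo("Default Domain Policy",
                     {"ScreenSaverTimeout": 900, "RemovableDisks": "allow"})
USB_LOCK = Gpo("Deny removable disks", {"RemovableDisks": "deny"},
               apply_groups=frozenset({"USB-Locked Computers"}))
KIOSK = Gpo("Kiosk settings", {"ScreenSaverTimeout": 60})

DOMAIN = Container("example.local", [Link(BASELINE, enforced=True), Link(DEFAULT_DOMAIN)])
WORKSTATIONS = Container("OU=Workstations", [Link(USB_LOCK)])
KIOSKS = Container("OU=Kiosks,OU=Workstations", [Link(KIOSK)], block_inheritance=True)

LOCKED_GROUPS = frozenset({"Authenticated Users", "USB-Locked Computers"})


def workstation_rsop():
    """Workstation in the USB-Locked group: the OU setting beats the domain setting."""
    return resolve([DOMAIN, WORKSTATIONS], LOCAL, LOCKED_GROUPS)


def unfiltered_workstation_rsop():
    """Same OU, but not in the group: security filtering drops the USB GPO."""
    return resolve([DOMAIN, WORKSTATIONS], LOCAL)


def kiosk_rsop():
    """Block Inheritance removes the domain and parent-OU links, except the enforced one."""
    return resolve([DOMAIN, WORKSTATIONS, KIOSKS], LOCAL, LOCKED_GROUPS)


if __name__ == "__main__":
    for label, rsop in (("Workstations", workstation_rsop()),
                        ("Workstations, not in group", unfiltered_workstation_rsop()),
                        ("Kiosks", kiosk_rsop())):
        print(label)
        for setting, (value, winner) in sorted(rsop.items()):
            print(f"  {setting} = {value!r}  (from {winner})")
```

Two things the model makes visible: the kiosk OU loses the domain's screensaver and removable-disk settings because of Block Inheritance, but still gets the smart-card requirement because that link is Enforced; and a workstation outside the "USB-Locked Computers" group keeps the domain's "allow" even though the deny GPO is linked to its OU.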
4. Who is allowed to set them?
• The relevant predefined Active Directory groups are:
  • Domain Admins (global)
  • Enterprise Admins (exist only in the forest root domain; global in mixed mode, universal once the domain is at native functional level)
  • Group Policy Creator Owners (global; by default only the domain's built-in Administrator account is a member). Members can create new GPOs but can edit only the GPOs they themselves created
• However, by default, predefined AD groups only get rights/permissions when added to domain local groups
5. Who is allowed to set them?
• Every AD domain has a Builtin container, where it creates security groups with domain local scope
• These have the relevant rights and permissions
• Most important group here is Administrators: by default, the global Domain Admins and Enterprise Admins groups are added to this
• Administrators have a large set of RIGHTS by default, though these may be delegated to others (the GPMC Delegation tab grants Read, Edit, or Edit/Delete/Modify Security per GPO)
• Treat GPO edit rights as equivalent to domain admin: whoever can edit a GPO linked to the Domain Controllers OU, or enforced at the domain, can run code as SYSTEM on every DC, so delegated editors and Group Policy Creator Owners membership need auditing
6. Group Policy Management
• There can be lots of GPOs within a domain!
• The Group Policy Management Console (GPMC, gpmc.msc) provides you with a way to manage these GPOs: links, inheritance, delegation, backup/restore and modelling/results reports
• Provides access to the Group Policy Editor, where individual policy objects can be created and edited
• Provides access to Administrative Templates (.adm; .admx/.adml from Vista/Server 2008 on), which describe where registry-based group policy settings are stored, and are used to change settings on GPOs
7. Group Policy Management Console
[Screenshot of the Group Policy Management Console. Annotations: the right-hand pane is for checking effects and cannot be edited from; to edit, right-click the selected policy and the Group Policy Editor comes up.]
8. Administrative Templates
• There are a number of built-in administrative templates:
  • system.adm
  • inetres.adm
  • wmplayer.adm
  • conf.adm
  • wuau.adm
• Each of these files contains many individual policy descriptions, and where each is stored in the Registry
• If an admin wants to add NEW policies, Microsoft recommend creating custom .adm files rather than modifying these (the built-in files are overwritten by service packs)
• Caveat: a setting under a true policy key (HKLM or HKCU ...\Software\Policies\... or ...\Microsoft\Windows\CurrentVersion\Policies\...) is removed again when the GPO no longer applies; a custom template that writes anywhere else "tattoos" the registry and must be undone explicitly
9. Example Policies in .adm
System.adm:
  Enable disk quotas
  Enforce disk quota limit
  Default quota limit and warning level
  Log event when quota limit exceeded
  Log event when quota warning level exceeded
inetres.adm:
  Scripting of Java applets
  Logon options
  Run .NET Framework-reliant components signed with Authenticode
  Run .NET Framework-reliant components not signed with Authenticode
  Download signed ActiveX controls
  Download unsigned ActiveX controls
wuau.adm:
  Configure Automatic Updates
  Specify intranet Microsoft update service location
  Enable client-side targeting
  Reschedule Automatic Updates scheduled installations
  No auto-restart for scheduled Automatic Updates installations
10. Security Policies (secpol.msc)
Password policy:
  Enforce password history
  Maximum password age
  Minimum password age
  Minimum password length
  Password must meet complexity requirements
  Store passwords using reversible encryption for all users in the domain (!! leave disabled: it keeps a recoverable copy of every password, equivalent to cleartext for anyone who can read the directory database)
Account lockout policy:
  Account lockout duration
  Account lockout threshold
  Reset account lockout counter after
Kerberos policy:
  Maximum lifetime for service ticket
  Maximum lifetime for user ticket
  Maximum lifetime for user ticket renewal
Audit policy:
  Audit account logon events
  Audit account management
  Audit logon events
  Audit policy change
  Audit system events
Security options:
  Interactive logon: Require smart card
  Interactive logon: Smart card removal behavior
Note: for domain accounts the password, lockout and Kerberos settings are read only from GPOs linked at the domain level (normally the Default Domain Policy); the same settings in an OU-linked GPO affect only the local accounts on the machines in that OU.
11. Effect of not using GPO for accounts [4],[5],[6]
• In January 2009, a hacker gained access to a Twitter employee’s administrative account and was able to use the admin tools to reset passwords on other users’ accounts. Then these passwords for the accounts of a number of celebrities (including Barack Obama) were published on a hackers’ forum. Subsequently posts were made on those accounts by unauthorized persons. Twitter did not use account lockout policies to prevent a hacker from utilizing dictionary attacks.
• Miley Cyrus had her Twitter account suspended temporarily after it was hacked into and offensive messages posted.
"It appears that Miley didn't learn the lesson last year and hasn't been taking enough care over her password security to avoid the same fate, other users should make sure they choose strong passwords that can't be easily cracked, and Twitter itself should play a key part in enforcing this."
In the case of the hacked Twitter employee, the combination of a weak password, "happiness," and Twitter's lax security regarding repeated login attempts made it fairly simple for the hacker to gain entry. Twitter has not indicated that it has fixed this vulnerability by limiting the number of password attempts.
12. And to follow on from this [7]
“… I started wondering how vulnerable other sites might be to this type of attack. … I went looking at some of the sites that I frequent and found that many of them don’t have any restrictions on authentication attempts…
And how hard would it really be to create such a script to attempt a brute force attack like the one that was used by the hacker? Well… How about four simple lines of code attached to a very large dictionary database:”

    ' VBScript (run with cscript): one POST of a username and a candidate password
    ' to the login form; the article attaches this to a loop over a dictionary
    Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
    WinHttpReq.Open "POST", "http://www.domain.com/login", False
    WinHttpReq.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
    WinHttpReq.Send("login=Chris&password=Pa$$w0rd")

“I tested this script against a site that I frequent and it worked as expected. So, I guess it’s not that hard to perform such an attack. Now it seems the question isn’t how did this happen to Twitter, but why doesn’t this happen every day?”
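To connect the Account Lockout Policy settings listed under secpol.msc (slide 10) with the attack just quoted, here is an added example written for this page (it is not lecture code, not the cited article's script, and not Microsoft's implementation). It simulates the three lockout settings against a dictionary attack; the word list, timings and policy values are constructed, and the state machine is simplified to one account and one logon source.

```python
"""Simulation of the secpol.msc Account Lockout Policy (threshold, duration,
reset counter after) against a dictionary attack of the kind quoted above.
Constructed example, not Microsoft code: the word list, timings and policy
values are invented, and there is no badPwdCount replication between DCs.
"""
from dataclasses import dataclass

MINUTE = 60


@dataclass
class LockoutPolicy:
    threshold: int          # "Account lockout threshold"; 0 = never lock out
    duration_s: int         # "Account lockout duration"
    reset_after_s: int      # "Reset account lockout counter after"


@dataclass
class Account:
    password: str
    policy: LockoutPolicy
    bad_count: int = 0
    last_bad_at: float = 0.0
    locked_until: float = 0.0

    def logon(self, guess, now):
        """One logon attempt at time `now` (seconds). Returns 'ok', 'bad' or 'locked'."""
        if self.policy.threshold == 0:
            return "ok" if guess == self.password else "bad"
        if now < self.locked_until:
            return "locked"          # the password is not even checked while locked out
        if now - self.last_bad_at >= self.policy.reset_after_s:
            self.bad_count = 0       # observation window expired: counter starts again
        if guess == self.password:
            self.bad_count = 0
            return "ok"
        self.bad_count += 1
        self.last_bad_at = now
        if self.bad_count >= self.policy.threshold:
            self.locked_until = now + self.policy.duration_s
            self.bad_count = 0       # the counter is cleared when the lockout expires
        return "bad"


# Constructed word list; "happiness" is the password named in the article above.
WORDLIST = ["123456", "password", "letmein", "qwerty", "monkey", "happiness", "dragon"]


def dictionary_attack(account, interval_s=1.0):
    """Try each word once, `interval_s` apart. Returns (password or None, attempt log)."""
    log = []
    for i, word in enumerate(WORDLIST):
        outcome = account.logon(word, now=i * interval_s)
        log.append((word, outcome))
        if outcome == "ok":
            return word, log
    return None, log


NO_LOCKOUT = LockoutPolicy(threshold=0, duration_s=0, reset_after_s=0)
STANDARD = LockoutPolicy(threshold=5, duration_s=30 * MINUTE, reset_after_s=30 * MINUTE)


def no_lockout_run():
    """Threshold 0 (the situation described for Twitter): the sixth guess logs in."""
    return dictionary_attack(Account("happiness", NO_LOCKOUT))


def lockout_run():
    """Threshold 5: the account locks after five bad guesses; the right one is refused."""
    return dictionary_attack(Account("happiness", STANDARD))


def slow_attack_run():
    """Same policy, one guess every 31 minutes: the counter is reset each time and the
    lockout never triggers. Lockout limits the rate; it does not fix a weak password."""
    return dictionary_attack(Account("happiness", STANDARD), interval_s=31 * MINUTE)


if __name__ == "__main__":
    for name, run in (("no lockout", no_lockout_run), ("lockout 5/30/30", lockout_run),
                      ("slow attack", slow_attack_run)):
        found, log = run()
        print(f"{name}: found={found!r} outcomes={[o for _, o in log]}")
```

The third run is the caveat a practitioner should keep in mind: a lockout threshold turns a fast dictionary attack into a slow one, so it has to be combined with the password length/complexity settings on the same slide; and a threshold that is set too low gives anyone the ability to lock out accounts (including admin accounts) on purpose. A real "Account lockout duration" of 0 means locked until an administrator unlocks it, which this model does not cover.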
13. Example security issue helped by GPO [8]
• A particular problem is the need to disable USB sticks and other removable media in secure installations
• Can set up a custom .adm to include this, and apply it via a GPO linked to the workstations' OU (security filtering on a computer group narrows it further if only some workstations need it)
• Disables various drivers, e.g. sets the USBSTOR service's Start value to 4 (disabled) so USB mass-storage devices no longer mount; keyboards and mice use a different driver class and are unaffected
• A lot better than gluing up the USB ports!
• Vista/7 include extensions to Group Policy to make this easier (Computer Configuration > Administrative Templates > System > Removable Storage Access, with deny read/write/execute settings per device class) BUT also include approx. 800 other new policy settings
• Caveat: disabling USBSTOR only blocks the mass-storage class; a device presenting itself as something else (a keyboard, a network adapter) is not covered, and a local administrator can simply set the value back
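As an added example of the custom .adm approach recommended on slide 8 and used here (written for this page; not part of the lecture and not one of Microsoft's built-in templates), this template offers both ways of doing the job side by side. The USBSTOR key is outside the policy hives, so the Group Policy Object Editor treats it as a preference and hides it unless View > Filtering > "Only show policy settings that can be fully managed" is cleared; the second policy uses the key I understand the Vista/7 Removable Storage Access template writes (verify it against RemovableStorage.admx on your own DC before relying on it).

```adm
; custom-usb.adm - classic ADM syntax for the Windows 2000/XP/2003 Group Policy Object Editor
CLASS MACHINE

CATEGORY !!RemovableMedia

    ; XP/2003 approach from the slide: disable the USB mass-storage driver.
    ; SYSTEM\CurrentControlSet is not a policy hive, so this setting tattoos
    ; the registry: it is NOT reverted when the GPO goes out of scope.
    POLICY !!DisableUsbStor
        EXPLAIN !!DisableUsbStor_Help
        KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
        VALUENAME "Start"
        ; 4 = SERVICE_DISABLED, 3 = SERVICE_DEMAND_START (the Windows default)
        VALUEON NUMERIC 4
        VALUEOFF NUMERIC 3
    END POLICY

    ; Vista/7 approach: the Removable Storage Access policy key. This lives under
    ; Software\Policies, so Windows removes it again when the GPO no longer applies.
    POLICY !!DenyAllRemovable
        EXPLAIN !!DenyAllRemovable_Help
        KEYNAME "Software\Policies\Microsoft\Windows\RemovableStorageDevices"
        VALUENAME "Deny_All"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY

END CATEGORY

[strings]
RemovableMedia="Removable media (custom)"
DisableUsbStor="Disable USB mass storage driver (USBSTOR)"
DisableUsbStor_Help="Sets USBSTOR Start=4 so USB disks no longer mount. Preference setting: it stays in the registry until set back. Does not affect USB keyboards, mice or network adapters."
DenyAllRemovable="Deny all access to removable storage classes (Vista/7)"
DenyAllRemovable_Help="Writes the Removable Storage Access Deny_All value. Ignored by clients older than Windows Vista."
```

Load it in the Group Policy Object Editor via Administrative Templates > Add/Remove Templates on the GPO linked to the workstations' OU. Because the first policy tattoos the registry, plan the "undo" (Disabled, which writes Start=3) before the GPO is ever unlinked.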
14. Other Issues with GPOs
• On Server 2003 and XP, Group Policy processing runs inside winlogon: at boot/logon and then as a background refresh every 90 minutes plus a random offset of up to 30 minutes (every 5 minutes on domain controllers), so a change is not applied everywhere at a predictable time; gpupdate /force applies it immediately on one machine
• On Vista, Group Policy has its own "hardened" service (Group Policy Client, gpsvc) which cannot be stopped from the Services console
• .adm files are copied into SYSVOL (each GPO's own Adm folder) every time a new GPO is created or edited; this can lead to lots of copied files around the system and replication traffic overhead. The ADMX central store introduced with Vista/Server 2008 (the PolicyDefinitions folder under SYSVOL\<domain>\Policies) avoids this, since templates are stored once per domain
• Some of the GPOs have to be considered as merely obscuration rather than security, since users may be able to use other programs to get around them, e.g. "Prevent access to registry editing tools" only blocks regedit.exe; reg.exe, scripts and third-party editors still work, and only a proper ACL or a true policy key stops a user changing a setting
15. Managing Software on the Network [10],[11]
• GPOs allow admins to specify which .msi packages are to be assigned or published (Computer Configuration or User Configuration > Software Settings > Software Installation)
• Assignment can be user- or computer-associated, whereas publishing is necessarily linked only to users (a user has to do something to install it)
• A GPO can also define how upgrade/removal is handled (a required or optional upgrade of an earlier package; removal when the GPO falls out of scope)
16. Assign vs. Publish
• Published software is available in the Add/Remove Programs applet (Add New Programs), but the user has to decide whether to install it
• Assigned to User means the icon for the app is on the desktop/Start menu ("advertised"): activating it, or opening an associated document for the first time, triggers the install
• Assigned to Computer means the software is already installed before the user even logs on (the install runs at startup under the SYSTEM account, so the user needs no install rights at all)
17. Why .msi?
• Contains useful info about the structure of the program (components, features, files, registry entries)
• So it can "self heal" if files are accidentally deleted
• Windows Installer is transactional: if an install fails part-way it is rolled back automatically (on XP a System Restore point is also created first)
• Has sophisticated options for various methods of installation (especially for big programs and slow links): features can be advertised and only some parts of a large package (e.g. Office) installed immediately, the rest on first use
• Can be constructed using WiX (the Windows Installer XML toolset), which has a steep learning curve
18. How to setup and use [12]
• Create Software Distribution Points (SDPs): shared network folders where users get Read & Execute NTFS permissions and nothing more. Domain Computers (or Authenticated Users, which includes computer accounts) must be able to read as well, because a computer-assigned install runs as the machine account at startup. Nobody but the packaging admins should be able to write to the share: a replaced .msi executes as SYSTEM on every targeted machine
• Create a GPO for software deployment (and associate it with the chosen domain/site/OU)
• Configure software deployment properties for the GPO: default location of the SDP, default handling of new packages, etc.
• Add the installation packages to the GPO (indicating whether each is to be published or assigned), referring to each by its UNC path (\\server\share\package.msi), never a local path, since clients resolve the path themselves
• Configure each installation package's properties, e.g.
  • Auto-Install This Application By File Extension Activation
  • Uninstall This Application When It Falls Out Of The Scope Of Management
19. Some snags...
• No licence control is performed, so published software had better be on a site licence!
• Need to plan carefully how to structure the software, e.g. common packages assigned to computers, specific ones assigned to different user groups (via OUs or security filtering), etc., otherwise you might have too many GPOs to manage
• If users need admin privilege to install, it's risky! Windows Installer can be configured to "Always install with elevated privileges" (AlwaysInstallElevated, which must be set under both HKLM and HKCU \SOFTWARE\Policies\Microsoft\Windows\Installer to take effect), but this poses a security risk of its own: any user can then run any .msi they like as LocalSystem, which is a standard local privilege escalation. Prefer computer assignment, or user assignment of packages the GPO itself deploys, which Windows Installer runs elevated for that package only
20. Microsoft Software Licensing
• Needs care in Windows networks
• Need to consider whether Per User or Per Device CALs are the most cost-effective way
• (Also might need to buy additional Client Access Licences for Remote Desktop Services if remote users log in to a server)
• Windows 2000 and Server 2003 computers run a Licence Logging service which keeps track (disabled by default from Server 2003 SP1, and no longer included in Server 2008)
• The information is replicated to a Site Licence Server
• Can maintain licence information for file, print services, IIS, RDS, Exchange, SQL Server etc.
21. Process to maintain licences
• Identify the Site Licence Server (normally the first domain controller in a site)
• Administer licences using Licensing in Administrative Tools
• To add new licences, select New License and specify the number added
• Alternatively, use a 3rd-party tool that can also handle other licences, e.g. volume licences
• Monitor licence status regularly