07-Implementing Security Using Group Policies


<span class='text_page_counter'>(1)</span><div class='page_container' data-page=1>

Module 7: Implementing Security Using Group Policies



</div>
<span class='text_page_counter'>(2)</span><div class='page_container' data-page=2>

Module Overview



• Configuring Security Policies


• Implementing Fine-Grained Password Policies


• Restricting Group Membership and Access to Software


</div>
<span class='text_page_counter'>(3)</span><div class='page_container' data-page=3>

Lesson 1: Configuring Security Policies



• What Are Security Policies?


• What Is the Default Domain Security Policy?


• What Are the Account Policies?


• What Are Local Policies?


• What Are Network Security Policies?


• What Is Windows Firewall With Advanced Security?


• Demonstration: Overview of Additional Security Settings


</div>
<span class='text_page_counter'>(4)</span><div class='page_container' data-page=4></div>
<span class='text_page_counter'>(5)</span><div class='page_container' data-page=5>

What Is the Default Domain Security Policy?



• <b>Provides account policies for the domain; other settings are not configured by default</b>

• <b>Use to provide security settings that will affect the entire domain</b>

• <b>Use domain policy to provide security settings, as a best practice. Use separate GPOs to provide other types of settings</b>

[Diagram labels: Domain, Default domain policy]


</div>
<span class='text_page_counter'>(6)</span><div class='page_container' data-page=6>

What Are the Account Policies?


<b>Account policies consist of:</b>

<b>Password</b>

• Enforce password history: 24 passwords
• Max password age: 42 days
• Min password age: 1 day
• Min password length: 7 characters
• Complex Password: enabled
• Store password using reversible encryption: disabled

<b>Account lockout</b>

• Lockout duration: not defined
• Lockout threshold: 0 invalid logon attempts
• Reset account lockout after: not defined

<b>Kerberos</b>

• Can only be applied at the domain level


</div>
<span class='text_page_counter'>(7)</span><div class='page_container' data-page=7>

What Are Local Policies?



• <b>Every computer running Windows 2000 and later has a local security policy that is part of local Group Policy</b>

• <b>Domain policy will override local policies in cases of conflict</b>

• <b>In a workgroup, you must configure local security policies to provide security</b>

• <b>You can assign local rights through local Group Policies</b>

• <b>Security options control many different aspects of a computer’s security</b>

</div>
<span class='text_page_counter'>(8)</span><div class='page_container' data-page=8>

What Are Network Security Policies?


[Diagram labels: GPO, Windows XP, Windows Vista, Wireless, Wired, Wireless only]

• <b>Separate wireless policies for Windows XP and Windows Vista</b>

• <b>Windows Vista policies contain more options for wireless</b>

• <b>Windows Vista wireless policies can deny access to wireless networks</b>

• <b>802.1x authentication can be configured via Group Policy</b>

• <b>Only Vista and later can receive wired network policies</b>

<b>Define the available networks and authentication methods for wireless connections for Windows Vista and Windows XP clients, and</b>


</div>
<span class='text_page_counter'>(9)</span><div class='page_container' data-page=9>

What Is Windows Firewall With Advanced Security?

<b>A stateful host-based firewall that allows or blocks network traffic according to its configuration</b>

• Supports filtering for both incoming and outgoing traffic

• Used for advanced settings configuration

• Provides integrated firewall filtering and IPsec protection settings

• Allows rule configuration for various criteria, such as users, groups, and TCP and UDP ports

• Provides network location-aware profiles

• Can import or export policies

[Diagram labels: Windows Server 2008, Firewall, LAN, Internet]


</div>
<span class='text_page_counter'>(10)</span><div class='page_container' data-page=10>

Demonstration: Overview of Additional Security Settings



</div>
<span class='text_page_counter'>(11)</span><div class='page_container' data-page=11>

Demonstration: What Is the Default Domain Controller Security Policy?

In this demonstration, you will see the default domain controller policy settings

• <b>Provides an extra layer of security for domain controllers</b>

• <b>Allows many user rights to be configured</b>

• <b>Provides enabled auditing</b>

</div>
<span class='text_page_counter'>(12)</span><div class='page_container' data-page=12>

Lesson 2: Implementing Fine-Grained Password Policies



• What Are Fine-Grained Password Policies?


• How Fine-Grained Password Policies Are Implemented


• Implementing Fine-Grained Password Policies


</div>
<span class='text_page_counter'>(13)</span><div class='page_container' data-page=13>

What Are Fine-Grained Password Policies?



[Diagram: a different password policy for each group]

• <b>Administrator group</b> (password changes: 7 days)

• <b>Manager group</b> (password changes: 14 days)

• <b>End user group</b> (password changes: 30 days)


</div>
<span class='text_page_counter'>(14)</span><div class='page_container' data-page=14>

How Fine-Grained Password Policies Are Implemented

Considerations when implementing PSOs:

• Password Settings Container and Password Setting Objects are new schema object classes

• PSOs can only be applied to users or global groups

• PSOs can be created through ADSI Edit or LDIFDE






A PSO has the following settings available:


• Password policies


• Account lockout policies


• PSO Link


</div>
<span class='text_page_counter'>(15)</span><div class='page_container' data-page=15>

Implementing Fine-Grained Password Policies



• <b>Shadow groups can be used to apply a PSO to all users that do not already share a global group membership</b>

• <b>A user or group could have multiple PSOs linked to them</b>

• <b>The precedence attribute is used to resolve conflicts</b>

• <b>Lower precedence values have higher priority</b>

• <b>PSOs linked directly to user objects override PSOs linked to a user’s global groups</b>
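
The precedence rules above, modelled as an added example (not part of the original slides): the function picks the PSO that takes effect for a user and falls back to the domain's 42-day maximum password age when no PSO applies. Precedence values, GUIDs, user names and the directly linked PSO are constructed; the GUID tie-break for equal precedence values is Active Directory behaviour that the slide does not mention.

```python
from dataclasses import dataclass
from typing import Iterable, Optional
from uuid import UUID

DOMAIN_MAX_AGE_DAYS = 42  # default domain policy value from the Account Policies slide

@dataclass(frozen=True)
class PSO:
    name: str
    precedence: int        # msDS-PasswordSettingsPrecedence: lower value = higher priority
    guid: UUID             # objectGUID, used only to break precedence ties
    max_age_days: int
    applies_to: frozenset  # users or global groups named in msDS-PSOAppliesTo

def resultant_pso(user: str, global_groups: Iterable[str], psos: Iterable[PSO]) -> Optional[PSO]:
    """Return the one PSO that takes effect for `user`, or None if the domain policy applies."""
    psos = list(psos)
    groups = set(global_groups)
    direct = [p for p in psos if user in p.applies_to]
    inherited = [p for p in psos if p.applies_to & groups]
    # PSOs linked to the user object are considered first; group-linked PSOs
    # only matter when no PSO is linked directly.
    candidates = direct or inherited
    if not candidates:
        return None
    # Lowest precedence value wins; Active Directory breaks ties with the lowest GUID.
    return min(candidates, key=lambda p: (p.precedence, p.guid.int))

def effective_max_age(user, global_groups, psos) -> int:
    pso = resultant_pso(user, global_groups, psos)
    return pso.max_age_days if pso else DOMAIN_MAX_AGE_DAYS

# Constructed sample data: group names and ages follow the slide's diagram;
# precedence values, GUIDs, user names and the direct-linked PSO are made up.
PSOS = [
    PSO("PSO-Admins", 10, UUID(int=3), 7, frozenset({"Administrator group"})),
    PSO("PSO-Managers", 20, UUID(int=2), 14, frozenset({"Manager group"})),
    PSO("PSO-EndUsers", 30, UUID(int=1), 30, frozenset({"End user group"})),
    PSO("PSO-SvcException", 50, UUID(int=4), 30, frozenset({"svc_backup"})),
]

if __name__ == "__main__":
    for user, groups in [("alice", ["Administrator group", "Manager group"]),
                         ("svc_backup", ["Administrator group"]),
                         ("carol", [])]:
        pso = resultant_pso(user, groups, PSOS)
        print(user, pso.name if pso else "Default Domain Policy", effective_max_age(user, groups, PSOS))
```

The `svc_backup` case is the one to look for in an audit: a directly linked PSO with a looser setting overrides the stricter PSO the account would otherwise inherit from its group.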



</div>
<span class='text_page_counter'>(16)</span><div class='page_container' data-page=16>

Demonstration: Implementing Fine-Grained Password Policies



</div>
<span class='text_page_counter'>(17)</span><div class='page_container' data-page=17>

Lesson 3: Restricting Group Membership and Access to Software



• What Is Restricted Group Membership?


• Demonstration: Configuring Restricted Group Membership


• What Is a Software Restriction Policy?


• Options for Configuring Software Restriction Policies


</div>
<span class='text_page_counter'>(18)</span><div class='page_container' data-page=18>

What Is Restricted Group Membership?



Group Policy can control group membership:


• For any group on a local computer by applying a GPO to the
OU that holds the computer account


</div>
<span class='text_page_counter'>(19)</span><div class='page_container' data-page=19>

Demonstration: Configuring Restricted Group Membership



</div>
<span class='text_page_counter'>(20)</span><div class='page_container' data-page=20>

What Is a Software Restriction Policy?



• A policy-driven mechanism that identifies and controls software
on a client computer



• A mechanism restricting software installation and viruses


• A component with two parts:


• A default rule with three options: Unrestricted, Basic,
and Disallowed


</div>
<span class='text_page_counter'>(21)</span><div class='page_container' data-page=21>

Options for Configuring Software Restriction Policies

<b>Certificate Rule</b>

• Checks for digital signature on application
• Use when you want to restrict Win32 applications and ActiveX content

<b>Internet Zone Rule</b>

• Controls how Internet Zones can be accessed
• Use in high-security environments to control access to Web applications

<b>Hash Rule</b>

• Use to employ MD5 or SHA1 hash of a file to confirm identity
• Use to allow or prohibit a certain version of a file from being run

<b>Path Rule</b>

• Use when restricting the path of a file
• Use when multiple files exist for the same application
• Essential when SRPs are strict


</div>
<span class='text_page_counter'>(22)</span><div class='page_container' data-page=22>

Demonstration: Configuring Software Restriction Policies



</div>
<span class='text_page_counter'>(23)</span><div class='page_container' data-page=23>

Lesson 4: Managing Security Using Security Templates



• What Are Security Templates?


• Demonstration: Applying Security Templates


• What Is the Security Configuration Wizard?


• Demonstration: Configuring Server Security Using the
Security Configuration Wizard


• Options for Integrating the Security Configuration Wizard
and Security Templates


</div>
<span class='text_page_counter'>(24)</span><div class='page_container' data-page=24>

What Are Security Templates?



<b>Security templates:</b>

• <b>Allow administrators to apply consistent security settings to multiple computers</b>

• <b>Can be applied via Group Policy</b>

• <b>Can be designed based on server roles</b>
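
A template can be checked before it is imported into a GPO. The added example below (not part of the original slides) parses the [System Access] section of a security template (.inf) and reports values weaker than the default domain account-policy settings listed earlier in this module; both sample templates are constructed.

```python
import configparser

# Baseline = default domain account-policy values from the Account Policies slide.
# INF key in [System Access] -> (baseline value, test a template value must pass)
BASELINE = {
    "PasswordHistorySize":   (24, lambda v: v >= 24),
    "MaximumPasswordAge":    (42, lambda v: 1 <= v <= 42),  # below 1 is treated as "never expires"
    "MinimumPasswordAge":    (1,  lambda v: v >= 1),
    "MinimumPasswordLength": (7,  lambda v: v >= 7),
    "PasswordComplexity":    (1,  lambda v: v == 1),
    "ClearTextPassword":     (0,  lambda v: v == 0),         # reversible encryption
}

def audit_template(inf_text: str) -> dict:
    """Return {setting: finding} for [System Access] values weaker than BASELINE."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the INF key names' case
    parser.read_string(inf_text)
    access = parser["System Access"] if parser.has_section("System Access") else {}
    findings = {}
    for key, (expected, ok) in BASELINE.items():
        raw = access.get(key)
        if raw is None:
            findings[key] = "not defined in template"
        elif not ok(int(raw)):
            findings[key] = f"{raw} is weaker than baseline {expected}"
    # 0 matches the default listed on the slide, but it means accounts never lock out.
    lockout = access.get("LockoutBadCount")
    if lockout is not None and int(lockout) == 0:
        findings["LockoutBadCount"] = "0: account lockout is disabled"
    return findings

# Constructed sample templates (not taken from the course material).
WEAK_TEMPLATE = """\
[System Access]
PasswordHistorySize = 24
MaximumPasswordAge = -1
MinimumPasswordAge = 1
MinimumPasswordLength = 6
ClearTextPassword = 1
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
"""
GOOD_TEMPLATE = (WEAK_TEMPLATE.replace("= -1", "= 42").replace("= 6", "= 7")
                 .replace("ClearTextPassword = 1", "ClearTextPassword = 0\nPasswordComplexity = 1")
                 .replace("LockoutBadCount = 0", "LockoutBadCount = 5"))

if __name__ == "__main__":
    print(audit_template(WEAK_TEMPLATE))
```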




</div>
<span class='text_page_counter'>(25)</span><div class='page_container' data-page=25>

Demonstration: Applying Security Templates



</div>
<span class='text_page_counter'>(26)</span><div class='page_container' data-page=26>

What Is the Security Configuration Wizard?

<b>SCW provides guided attack surface reduction by:</b>

• Disabling unnecessary services and IIS Web extensions
• Blocking unused ports and securing ports that are left open using IPSec
• Reducing protocol exposure
• Configuring audit settings

<b>SCW supports:</b>

• Rollback
• Analysis
• Remote configuration
• Command-line support
• Active Directory integration


</div>
<span class='text_page_counter'>(27)</span><div class='page_container' data-page=27>

Demonstration: Configuring Server Security Using the Security Configuration Wizard



</div>
<span class='text_page_counter'>(28)</span><div class='page_container' data-page=28>

Options for Integrating the Security Configuration Wizard and Security Templates



<b>Options:</b>


• Policies created with the SCW can be applied individually


• Other Security templates can be incorporated into the SCW



</div>
<span class='text_page_counter'>(29)</span><div class='page_container' data-page=29>

Demonstration: Importing Security Configuration Policies into Security Templates



</div>
<span class='text_page_counter'>(30)</span><div class='page_container' data-page=30>

Lab: Implementing Security by Using Group Policies



• Exercise 1: Configuring Domain Security Settings


• Exercise 2: Implementing Fine-Grained Password Policies


• Exercise 3: Configuring Restricted Groups and Software
Restriction Policies


• Exercise 4: Configuring Security Templates


• Exercise 5: Verifying the Security Configuration


Logon information

Virtual machine: <b>6425A-NYC-DC1</b>, <b>NYC-CL1</b>, <b>NYC-SVR1</b>
User name: <b>Administrator</b>
Password: <b>Pa$$w0rd</b>


</div>
<span class='text_page_counter'>(31)</span><div class='page_container' data-page=31>

Lab Review



• You want to control which wireless networks your Windows Vista clients will have access to. What is the best way to accomplish this?


• You need to harden security on all the database servers
across your organization. What tool is best suited for this
task?


</div>
<span class='text_page_counter'>(32)</span><div class='page_container' data-page=32>

Module Review and Takeaways



• Considerations


</div>
<span class='text_page_counter'>(33)</span><div class='page_container' data-page=33>

Beta Feedback Tool



• Beta feedback tool helps:

  ◦ Collect student roster information, module feedback, and course evaluations.
  ◦ Identify and sort the changes that students request, thereby facilitating a quick team triage.
  ◦ Save data to a database in SQL Server that you can later query.


</div>
<span class='text_page_counter'>(34)</span><div class='page_container' data-page=34>

Beta Feedback



• <b>Overall flow of module:</b>

  ◦ Which topics did you think flowed smoothly, from topic to topic?
  ◦ Was something taught out of order?

• <b>Pacing:</b>

  ◦ Were you able to keep up? Are there any places where the pace felt too slow?
  ◦ Were you able to process what the instructor said before moving on to next topic?
  ◦ Did you have ample time to reflect on what you learned? Did you have time to formulate and ask questions?

• <b>Learner activities:</b>

  ◦ Which demos helped you learn the most? Why do you think that is?
  ◦ Did the lab help you synthesize the content in the module? Did it help you to understand how you can use this knowledge in your work environment?
  ◦ Were there any discussion questions or reflection questions


</div>
