Microsoft Active Directory 2003 Lockdown through Group Policies Proposal Document

GATI Pvt Ltd

DOCUMENT DETAILS

Status: Draft
Owner: PS. Chaitanya
Date: Saturday, 08 April 2023
Version: Microsoft Active Directory 2003
Location: Hyderabad

CHANGE HISTORY

Version      | Date | Changed By    | Change Description
Windows 2003 |      | PS. Chaitanya |

REVIEW PANEL

Version      | Date | Name           | Designation
Windows 2003 |      | B.Ravi Shanker | Business Head

DISTRIBUTION LIST

Name    | Designation
Abinash | Team Leader

APPROVAL PAGE

Designation                                | Name | Signed & Stamped | Date
GATI Pvt Ltd. Customer Representative (IT) |      |                  |
GATI Pvt Ltd. IT Head                      |      |                  |

Veeras Infotek Pvt. Ltd, IIB Groups,
Plot No. 138, Keshav Nagar, Srinagar Colony, Opp. SBI Bank,
Hyderabad - 500073

Table of Contents

Objective of the document .......... 05
Intended audience .......... 05
Statement of work .......... 06
Resource requirements .......... 07
Project Documentation .......... 08
How to lock down a Windows Server 2003 Terminal Server session .......... 11
Present Scenario in GATI Pvt Ltd. .......... 12
Proposed Scenario in GATI Pvt Ltd. .......... 14
How to Lock Down a User Profile Using Group Policy .......... 15

Confidential | Prepared By: PS. Chaitanya | Page 4


Objective of the document

This document provides an insight into the design and implementation of end point security in accordance with the proposed secure network architecture for securing the IT and network infrastructure of GATI Ltd (hereafter referred to as GATI). The design and the proposed model of the domain structure have been arrived at by analyzing the flaws and loopholes in the present networking and end-user environment at GATI Ltd, and further on the basis of discussions with the IT team of GATI.

End Point Security has been a major area of concern for the management and the IT Team of GATI.

The purpose of this document is to provide an overview of the proposed model of domain structure for GATI, to ensure a controlled environment in accordance with the IT security policy of GATI. This document is in reference to the "Network Architecture Report" submitted to GATI.

Intended audience


This document is primarily meant for the Management of GATI. Further distribution of this document lies entirely at the discretion of GATI Management.

Scope of the Solution

The current scope of analyzing end point security and introducing the domain environment at GATI is not limited to controlling user actions while accessing the information processing facilities; it also aims to create an architecture with enhanced support for centralizing the access control procedures, as per the IT security policy rolled out by GATI Management. Efforts have been made to control end-user actions so as to mitigate invasive activities arising from within the local network and from the WAN locations.

Statement of work

Based on the preliminary discussions and study we had with the officials of GATI Pvt Ltd., our understanding of the objectives of this assignment is as follows:


Insecure Logon Procedures to the machines

Password Management

Inter Department Information Access

Administrative Privileges

Malware, Malicious Code, Unwanted Program Installation

Controlled User Actions

Single Sign on for Applications

Controlled Access of Physical Ports such as USB, CD-ROMs

No changes to registry settings

Department wise identified account policies

Software Restriction Policies

Windows Update Services

On-the-Fly Functions

File Level Encryption for the data

Roaming User Profiles


NOTE: All components indicated in this proposal are based on the inputs provided by GATI Pvt Ltd.

Resource Requirements

As with any large technology project, having the right resources for planning and deployment is essential. The resources that you will require for an Active Directory branch office deployment fall into three categories:

Software Requirements

Personnel Requirements

Your specific resource requirements will depend on a number of factors, including project scope, solution features, implementation schedule, and budget.


Software Requirements

Windows Server 2003 Active Directory.

Personnel Requirements

Active Directory affects your entire organization. It is necessary to establish typical roles within an Active Directory environment and within a project team. Typical roles within the Active Directory environment are:

Service administrators

Data administrators

Active Directory DNS owner

OU owner


Project Documentation

Many organizations struggle with implementing the proper security features on a new Windows Server 2003 installation, and some just add security as needed. However, rather than reading through hundreds of pages of documentation and creating custom security templates, there's an easier way—the Security Configuration Wizard.

This wizard contains an XML database that includes every service, feature, and administration option for every different server deployment type. Regardless of whether you're deploying a DNS, Exchange, File and Print, Domain Controller, or any other Windows server, this tool has the settings you need to lock it down.


Run the wizard

The main purpose of this wizard is to implement role-based security on Windows Server 2003. By defining the server's role on the network, you can disable unnecessary services, block unused ports, implement additional address or security restrictions for ports necessary for operation, disable unnecessary IIS Web extensions, and restrict access to server message block (SMB), LanMan, and Lightweight Directory Access Protocol (LDAP) services.

You must have Windows Server 2003 Service Pack 1 installed to run this wizard. To access the wizard, go to Start | All Programs | Administrative Tools | Security Configuration Wizard (Scw.exe).

When you first run the tool, it will prompt you to start or install any network applications (e.g., IIS, Exchange, SQL, etc.) that the server will use, so it can define the server role and apply the proper security settings. The wizard will also ask whether you want to create a new security policy, edit an existing policy, apply a policy, or roll back a policy. For this example, we're using this tool after initial installation, so select Create A New Security Policy.


Define the role

At this point, you can select a predefined role for your server from the wizard's security configuration database. After you select the server role, the wizard will prompt you to select the client features, additional administrative options, additional services (for non-Microsoft applications), and any special handling for these services.

Now, let's take a look at the different sections of the Security Configuration Wizard.

Network security

This section configures inbound ports using the built-in Windows Firewall. The tool bases the displayed settings on the roles and administration options that you've selected. If your organization uses IPSec, you can add further restrictions to access IP services and ports as well as configure encryption for port traffic using IPSec.

Registry settings

This section configures protocols used to communicate with computers on the network. If you have legacy Windows systems operating on your network (pre-Windows 2000), these systems create an additional vulnerability to password-cracking and man-in-the-middle attacks, and they require special configuration to interoperate with Windows Server 2003. You can adjust the security settings of SMB and LDAP services as well as inbound/outbound authentication protocols for these legacy systems.

Audit policy

This section configures the auditing of the server based on your organization's auditing policy. The Audit Policy Editor allows you to configure the server to not audit any events, audit only successful events, or audit both successful and unsuccessful events.

Warning: If you use the wizard to apply the built-in audit security template to set the System Access Control Lists (SACLs), you cannot remove these settings through the rollback feature.

Internet Information Services

If this server will function as an IIS server, the wizard will prompt you to configure the security for the Web server. You can select the Web service extensions used for dynamic content, virtual directories used for your Web server, and allow or deny anonymous users from accessing Web site content.


Final thoughts

While some people might still prefer the pre-Windows Server 2003 method of securing their servers, the Security Configuration Wizard provides a powerful and easy opportunity to create a role-based security template that you can apply consistently to every server you own. If you've been looking for a way to standardize and simplify security settings for your Windows Server 2003 servers, don't overlook the Security Configuration Wizard.

For Windows Active Directory policy implementation, the table below shows the common operating systems and their domain compatibility:

Operating System                | Domain Compatible
Windows 95/98/98 SE             | No
Windows ME                      | No
Windows NT4 Server/Workstation  | Yes
Windows 2000 (all versions)     | Yes
Windows XP Home Edition         | No
Windows XP Professional Edition | Yes
Windows 2003 (all versions)     | Yes


How to lock down a Windows Server 2003 Terminal Server session

You can use Group Policies to lock down a Terminal Server session on a Microsoft Windows Server 2003-based or Microsoft Windows 2000-based computer. With the following settings, even the administrator account will have restricted access. It is highly recommended that you create a new organizational unit instead of modifying the policies on an existing one.

Note: The use of these policies does not guarantee a secure computer, and you should use them only as a guideline.

Use Active Directory Users and Computers to create a new organizational unit (OU). Right-click the OU, click Properties, and then on the Group Policy tab, click New Policy. Edit this policy with the following settings:


[Computer Configuration\Admin Templates\System\Group Policy]

Enable the following setting:

User Group Policy loopback processing mode

[Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options]

Enable the following settings:

Do not display last user name in logon screen

Restrict CD-ROM access to locally logged-on user only

Restrict floppy access to locally logged-on user only

[Computer Configuration\Administrative Templates\Windows Components\Windows Installer]

Enable the following setting, and set it to Always:


Disable Windows Installer

Note: The default setting for Disable Windows Installer prevents any non-managed applications from being installed by a non-administrator. Setting Disable Windows Installer to Always may prevent some of the newer updates from Windows Update from being applied. Therefore, we recommend that you only set Disable Windows Installer to Always if there is a specific need or an identified threat that you must address.

[User Configuration\Windows Settings\Folder Redirection]

Enable the following settings:

Application Data

Desktop


My Documents

Start Menu

[User Configuration\Administrative Templates\Windows Components\Windows Explorer]

Enable the following settings:

Remove Map Network Drive and Disconnect Network Drive

Remove Search button from Windows Explorer

Disable Windows Explorer's default context menu

Hides the Manage item on the Windows Explorer context menu

Hide these specified drives in My Computer (enable this setting for A through D)

Prevent access to drives from My Computer (enable this setting for A through D)

Hide Hardware Tab


[User Configuration\Administrative Templates\Windows Components\Task Scheduler]

Enable the following settings:

Prevent Task Run or End

Disable New Task Creation

[User Configuration\Administrative Templates\Start Menu & Taskbar]

Enable the following settings:

Disable and remove links to Windows Update

Remove common program groups from Start Menu

Disable programs on Settings Menu

Remove Network & Dial-up Connections from Start Menu

Remove Search menu from Start Menu

Remove Help menu from Start Menu

Remove Run menu from Start Menu


Add Logoff to Start Menu

Disable changes to Taskbar and Start Menu Settings

Disable and remove the Shut Down command or Remove and prevent access to the Shut Down command

Note: In Windows 2000, this setting is named Disable and remove the Shut Down command. In Windows Server 2003, this setting is named Remove and prevent access to the Shut Down command.

[User Configuration\Administrative Templates\Desktop]

Enable the following settings:

Hide My Network Places icon on desktop

Prohibit user from changing My Documents path

[User Configuration\Administrative Templates\Control Panel]

Enable the following setting:


Disable Control Panel

Important: When you enable this setting, you prevent administrators from installing any MSI package on to the Terminal Server, even if the explicit Deny is set for the Administrator account.

[User Configuration\Administrative Templates\System]

Enable the following settings:

Disable the command prompt (Set Disable scripts to No)

Disable registry editing tools

[User Configuration\Administrative Templates\System\Logon/Logoff]

Enable the following settings:


Disable Task Manager

Disable Lock Computer

For more information about how to lock down Windows Server 2003 Terminal Server Sessions, visit the following Web site:

How to Lock Down a User Profile Using Group Policy

Group Policy Settings

Open Active Directory Users and Computers.

Select the OU where the user account resides.

Right-click and select Properties.

Click the Group Policy tab.

Click the New button to create a new policy.

Give the policy a name and click the Edit button.

Navigate to Computer Configuration\Windows Settings\Restricted Groups.

Right-click and select Add Group. Click the Browse button. Type in Administrators and click OK. Click OK again.

Click the Add button next to Members for this group. Type in the user account name to be locked down and click OK. Click OK again. Repeat if necessary. Click OK when finished.

The reason I do this is to avoid any issues with running applications. This is not a mandatory step.

From here on out I will list the policies that need to be enabled or disabled.

User Configuration\Administrative Templates\Windows Components\Windows Explorer

Remove the Folder Options menu item from the Tools menu - Enabled
Remove File menu from Windows Explorer - Enabled
Remove "Map Network Drive" and "Disconnect Network Drive" - Enabled
Remove Search button from Windows Explorer - Enabled
Remove Windows Explorer's default context menu - Enabled
Hides the Manage item on the Windows Explorer context menu - Enabled
Hide these specified drives in My Computer - Enabled (This option is configurable to your needs. You can restrict all drives, some drives or whatever you may need.)

User Configuration\Administrative Templates\Windows Components\Windows Messenger

Do not allow Windows Messenger to run - Enabled

User Configuration\Administrative Templates\Start Menu and Task Bar

Remove user's folder from the Start Menu - Enabled
Remove links and access to Windows Update - Enabled
Remove My Documents from Start Menu - Enabled
Remove Documents menu from Start Menu - Enabled
Remove programs on Settings menu - Enabled
Remove Network Connections from Start Menu - Enabled
Remove Favorites from Start Menu - Enabled
Remove Search from Start Menu - Enabled
Remove Help from Start Menu - Enabled
Remove Run from Start Menu - Enabled
Remove My Pictures icon from Start Menu - Enabled
Remove My Music icon from Start Menu - Enabled
Remove My Network Places icon from Start Menu - Enabled
Add logoff to the Start Menu - Enabled
Remove Drag-and-Drop context menus on the Start Menu - Enabled
Prevent changes to Taskbar and Start Menu Settings - Enabled
Remove access to the context menus for the taskbar - Enabled
Do not keep history of recently opened documents - Enabled
Clear history of recently opened documents on exit - Enabled
Lock the taskbar - Enabled
Remove Balloon Tips on Start Menu items - Enabled
Remove All Programs list from the Start Menu - Enabled
Remove user name from Start Menu - Enabled
Hide the notification area - Enabled


Do not display any custom toolbars in the taskbar - Enabled
Remove Set Program Access and Defaults from the Start Menu - Enabled

User Configuration\Administrative Templates\Desktop

Remove My Documents icon on the desktop - Enabled
Remove Recycle Bin icon from desktop - Enabled
Remove Properties from the My Documents context menu - Enabled
Remove Properties from the Recycle Bin context menu - Enabled
Hide My Network Places on the desktop - Enabled
Hide Internet Explorer icon on desktop - Enabled
Do not add shares of recently opened documents to My Network Places - Enabled
Prevent adding, dragging, dropping and closing the Taskbar's toolbars - Enabled
Prohibit adjusting desktop toolbars - Enabled

User Configuration\Administrative Templates\Control Panel

Prohibit access to the Control Panel

User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options

Remove Task Manager - Enabled
Remove Change Password - Enabled

You may have noticed there were no changes made to Internet Explorer settings. My environment does not have internet access, so these settings are unnecessary, but your environment may have access to the internet and you should explore those settings. I have a list of policy changes for IE and if you need them send me a message and I will fill you in.

Don't be afraid to try different settings out. This works for my environment and it may not be suitable for you.

Once these policies are changed run gpupdate /force from the command line and reboot the Windows XP computer. Log in as the user you created and check out what little access this user has.
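To confirm that the lockdown actually landed, the following PowerShell audit (an added example, not part of the proposal or of the two lockdown lists it reproduces) reads the registry values that the Group Policy settings above write and reports any that did not apply. The registry paths, value names and expected values are the standard ones behind those settings on Windows XP/Server 2003 and are not taken from the page; the check table, Get-PolicyValue and the output format are this example's own.

```powershell
# Added example (not part of the proposal): confirm that the lockdown
# settings from the Terminal Server and User Profile policy lists above
# actually reached the target. Run it in the restricted user's session
# after "gpupdate /force" and a fresh logon. User settings land under
# HKCU, computer settings under HKLM. Requires Windows PowerShell 2.0+.

$HKCU_Explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$HKCU_System   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$HKLM_System   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$Winlogon      = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

# One row per policy: the setting name as shown in the Group Policy editor,
# the registry value it writes, and the value a lockdown should produce.
$Checks = @(
  # [Computer Configuration] -- the Terminal Server itself
  @{ Setting='User Group Policy loopback processing mode (Replace)'; Path='HKLM:\Software\Policies\Microsoft\Windows\System'; Name='UserPolicyMode'; Expected=2 },
  @{ Setting='Do not display last user name in logon screen'; Path=$HKLM_System; Name='DontDisplayLastUserName'; Expected=1 },
  @{ Setting='Restrict CD-ROM access to locally logged-on user only'; Path=$Winlogon; Name='AllocateCDRoms'; Expected='1' },
  @{ Setting='Restrict floppy access to locally logged-on user only'; Path=$Winlogon; Name='AllocateFloppies'; Expected='1' },
  @{ Setting='Disable Windows Installer = Always'; Path='HKLM:\Software\Policies\Microsoft\Windows\Installer'; Name='DisableMSI'; Expected=2 },
  # [User Configuration] -- Windows Explorer
  @{ Setting='Remove Map Network Drive and Disconnect Network Drive'; Path=$HKCU_Explorer; Name='NoNetConnectDisconnect'; Expected=1 },
  @{ Setting='Remove Search button from Windows Explorer'; Path=$HKCU_Explorer; Name='NoShellSearchButton'; Expected=1 },
  @{ Setting="Remove Windows Explorer's default context menu"; Path=$HKCU_Explorer; Name='NoViewContextMenu'; Expected=1 },
  @{ Setting='Hides the Manage item on the Windows Explorer context menu'; Path=$HKCU_Explorer; Name='NoManageMyComputerVerb'; Expected=1 },
  @{ Setting='Hide these specified drives in My Computer (A through D)'; Path=$HKCU_Explorer; Name='NoDrives'; Expected=15 },   # bitmask A=1 B=2 C=4 D=8
  @{ Setting='Prevent access to drives from My Computer (A through D)'; Path=$HKCU_Explorer; Name='NoViewOnDrive'; Expected=15 },
  @{ Setting='Remove the Folder Options menu item from the Tools menu'; Path=$HKCU_Explorer; Name='NoFolderOptions'; Expected=1 },
  @{ Setting='Remove File menu from Windows Explorer'; Path=$HKCU_Explorer; Name='NoFileMenu'; Expected=1 },
  # [User Configuration] -- Start Menu and Taskbar, Desktop, Control Panel
  @{ Setting='Remove links and access to Windows Update'; Path=$HKCU_Explorer; Name='NoWindowsUpdate'; Expected=1 },
  @{ Setting='Remove common program groups from Start Menu'; Path=$HKCU_Explorer; Name='NoCommonGroups'; Expected=1 },
  @{ Setting='Remove programs on Settings menu'; Path=$HKCU_Explorer; Name='NoSetFolders'; Expected=1 },
  @{ Setting='Remove Network Connections from Start Menu'; Path=$HKCU_Explorer; Name='NoNetworkConnections'; Expected=1 },
  @{ Setting='Remove Search from Start Menu'; Path=$HKCU_Explorer; Name='NoFind'; Expected=1 },
  @{ Setting='Remove Help from Start Menu'; Path=$HKCU_Explorer; Name='NoSMHelp'; Expected=1 },
  @{ Setting='Remove Run from Start Menu'; Path=$HKCU_Explorer; Name='NoRun'; Expected=1 },
  @{ Setting='Add Logoff to the Start Menu'; Path=$HKCU_Explorer; Name='StartMenuLogOff'; Expected=1 },
  @{ Setting='Prevent changes to Taskbar and Start Menu Settings'; Path=$HKCU_Explorer; Name='NoSetTaskbar'; Expected=1 },
  @{ Setting='Remove and prevent access to the Shut Down command'; Path=$HKCU_Explorer; Name='NoClose'; Expected=1 },
  @{ Setting='Hide My Network Places icon on desktop'; Path=$HKCU_Explorer; Name='NoNetHood'; Expected=1 },
  @{ Setting='Prohibit access to the Control Panel'; Path=$HKCU_Explorer; Name='NoControlPanel'; Expected=1 },
  # [User Configuration] -- System, Ctrl+Alt+Del options, Windows Messenger
  @{ Setting='Disable the command prompt (Disable scripts = No)'; Path='HKCU:\Software\Policies\Microsoft\Windows\System'; Name='DisableCMD'; Expected=2 },
  @{ Setting='Disable registry editing tools'; Path=$HKCU_System; Name='DisableRegistryTools'; Expected=1 },
  @{ Setting='Remove Task Manager'; Path=$HKCU_System; Name='DisableTaskMgr'; Expected=1 },
  @{ Setting='Disable Lock Computer'; Path=$HKCU_System; Name='DisableLockWorkstation'; Expected=1 },
  @{ Setting='Remove Change Password'; Path=$HKCU_System; Name='DisableChangePassword'; Expected=1 },
  @{ Setting='Do not allow Windows Messenger to run'; Path='HKCU:\Software\Policies\Microsoft\Messenger\Client'; Name='PreventRun'; Expected=1 }
)

function Get-PolicyValue([string]$Path, [string]$Name) {
  # $null means the key or the value is absent, i.e. the policy never applied.
  if (-not (Test-Path -Path $Path)) { return $null }
  $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
  if ($null -eq $item -or $null -eq $item.PSObject.Properties[$Name]) { return $null }
  return $item.$Name
}

$Results = foreach ($c in $Checks) {
  $actual = Get-PolicyValue $c.Path $c.Name
  New-Object PSObject -Property @{
    Setting  = $c.Setting
    Registry = "$($c.Path)\$($c.Name)"
    Expected = $c.Expected
    Actual   = $actual
    Applied  = ($null -ne $actual -and "$actual" -eq "$($c.Expected)")
  }
}

# Rows with Applied = False are settings that Group Policy processing did not
# deliver: check the OU link, the loopback mode and "gpresult /v" before
# trusting the lockdown.
$Results | Sort-Object Applied, Setting | Format-Table Applied, Setting, Expected, Actual -AutoSize
"Applied $(@($Results | Where-Object { $_.Applied }).Count) of $($Checks.Count) lockdown settings."
```

Because loopback processing in Replace mode is what makes the user-side settings apply to everyone who logs on to the Terminal Server, a failed UserPolicyMode check usually explains a run of failed HKCU checks.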


Prevent unauthorized software on network with software restriction policies

Software restriction policies are a part of Microsoft's security and management strategy to assist enterprises in increasing the reliability, integrity, and manageability of their computers. Software restriction policies are one of many new management features in Windows XP and Windows Server 2003.

This article provides an in-depth look at how software restriction policies can be used to:


Fight viruses

Regulate which ActiveX controls can be downloaded

Run only digitally signed scripts

Enforce that only approved software is installed on system computers

Lockdown a machine

Software Restriction Policy Architecture

In SRP there are three components of a software restriction policy:

An administrator creates the policy by using the Group Policy Microsoft Management Console (MMC) snap-in for a particular Active Directory container: a site, domain, or organizational unit.

The policy is downloaded from the Domain Controller to the client machine, where it overrides the local policy and is applied to the machine. User policies apply the next time a user logs on. Machine policies apply when a machine starts up.

When a user starts a program or script, the operating system or scripting host checks the policy and enforces it.

The Software Restriction Policy contains by default Security Levels types:-------------------------------------------------------------------------------------------------------ConfidentialPrepared By: PS. Chaitanya

Unrestricted or Disallowed

A software restriction policy is created using the MMC Group Policy snap-in. A policy consists of a default rule about whether programs are allowed to run, and exceptions to that rule. The default rule can be set to Unrestricted or Disallowed, essentially run or don't run.

Setting the default rule to Unrestricted allows an administrator to define exceptions, for example the set of programs that are not allowed to run. A more secure approach is to set the default rule to Disallowed and specify only the programs that are known and trusted to run.

Default Security Level

There are two ways to use software restriction policies:

- If an administrator knows all of the software that should run, then a software restriction policy can be applied to restrict execution to only this list of trusted applications.
- If all the applications that users might run are not known, then administrators can step in and disallow undesired applications or file types as needed.

Four Rules Identify Software

The purpose of a rule is to identify one or more software applications, and specify whether or not they are allowed to run. Creating rules largely consists of identifying software that is an exception to the default rule. Each rule can include descriptive text to help communicate why the rule was created.

A software restriction policy supports the following four ways to identify software:

- Hash: a cryptographic fingerprint of the file.
- Certificate: a software publisher certificate used to digitally sign a file.
- Path: the local or universal naming convention (UNC) path of where the file is stored.
- Zone: the Internet zone.

Software Restriction Policy Options

This section discusses the various options that influence the behavior of a software restriction policy. These options alter the scope of enforcement behavior or the Authenticode trust settings for digitally signed files.

Enforcement Options

There are two enforcement options: DLL checking and Skip Administrators.

DLL Checking

A program, such as Internet Explorer, consists of an executable file, iexplore.exe, and many supporting dynamic link libraries (DLL). By default, software restriction policy rules are not enforced against DLLs. This is the recommended option for most customers for three reasons:

- Disallowing the main executable file prevents the program from running, so there is no need to disallow all of the constituent dynamic link libraries.
- DLL checking results in performance degradation. If a user runs 10 programs during a logon session, the software restriction policy is evaluated 10 times. If DLL checking is turned on, the software restriction policy is evaluated for each DLL load within each program. If each program uses 20 DLLs, this results in 10 executable program checks plus 200 DLL checks, so the software restriction policy is evaluated 210 times.
- If the default security level is set to Disallowed, then not only does the main executable file have to be identified to allow it to run, but all of its constituent DLLs also must be identified, which can be burdensome.

DLL checking is provided as an option for environments that want the highest assurance possible when running programs. While viruses primarily target executables for infection, some target DLLs. To ensure that a program has not been infected by a virus, you can use a set of hash rules that identify the executable and all of its required DLLs.

To turn on DLL checking, select the following option in the Enforcement Properties dialog box:

Apply software restriction policies to the following > All software files

Skip Administrators

An administrator may want to disallow the running of programs for most users, but allow administrators to run anything. For example, a customer may have a shared machine that multiple users connect to using Terminal Server. The administrator may want users to be able to run only specific applications on the machine, but allow members of the local Administrators group to run anything. To do this, use the Skip Administrators option.

If the software restriction policy is created in a GPO attached to an object in Active Directory, the preferred way to skip administrators is to deny the Apply Group Policy permission on the GPO to a group containing the administrators. This way less network traffic is consumed downloading GPO settings that do not apply to administrators. However, software restriction policies defined in Local Security Policy objects have no way to filter based on users. In this case the Skip Administrators option should be used.

To turn on Skip Administrators, select the following option in the Enforcement Properties dialog box as shown in Figure 2 above:

Apply software restriction policies to the following users > All users except local administrators

Note: Setting the Skip Administrators option is only valid for machine policies.

Defining Executables

The Designated File Types dialog box shown in Figure 3 below lists the file types to which the software restriction policy applies. The designated file types are file types that are considered executable. For example, a screen saver file (SCR) is considered executable because when double-clicked in Windows Explorer it is loaded as a program.

The rules in a software restriction policy only apply to the file types listed in the Designated File Types dialog box. If your environment uses a file type that you want to be able to set rules on, add it to the list. For example, if you use Perl scripting files, you may choose to add .pl and other file types associated with the Perl engine to the Designated File Types list.

Trusted Publishers

The Trusted Publishers options shown in Figure 4 below allow you to configure settings related to ActiveX controls and other signed content.

Table 3 shows Trusted Publisher options related to the use of ActiveX controls and other signed content.

Table 3 Trusted Publisher Tasks and Settings

Task | Setting
To allow only domain administrators to make decisions regarding signed active content | Enterprise Administrators
To allow local machine administrators to make all decisions regarding signed active content | Local computer Administrators
To allow any user to make decisions regarding signed active content | End Users
To ensure that the certificate used by the software publisher has not been revoked | Publisher
To ensure that the certificate used by the organization that time-stamped the active content has not been revoked | Timestamp

Scope of Software Restriction Policies

Software restriction policies do not apply to the following:

- Drivers or other kernel mode software.
- Any program run by the SYSTEM account.
- Macros inside of Microsoft Office 2000 or Office XP documents.
- Programs written for the common language runtime. (These programs use the Code Access Security Policy.)

Software Restriction Policy Design

This section covers how software restriction policies are administered using Group Policy snap-ins, things to be concerned about when editing a policy for the first time, and what's involved in applying a software restriction policy to a group of users.

Integration with Group Policy

Software restriction policies are administered using the following Group Policy snap-ins:

Domain Policy. To set up a domain policy:
1. Click Start, then Run; type dsa.msc and click OK.
2. Right-click the domain or OU, then click Properties > Group Policy tab > New/Edit.

Local Security Policy. To set up a local security policy:
1. Click Start, then Run.
2. Type secpol.msc, then click OK.

To create a policy, select Create New Policies from the Action menu.

Applying a Software Restriction Policy to a Group of Users

A software restriction policy is delivered through Group Policy to a site, domain, or organizational unit. However, an administrator may want to apply a software restriction policy to a group of users within a domain. To do this, the administrator can use GPO filtering.

Designing a Software Restriction Policy

This section outlines the steps to follow when designing a software restriction policy.

Items to Address

When designing a policy, decisions need to be made regarding the following items:

- GPO or local security policy
- User or machine policy
- Default security level
- Additional rules
- Policy options
- Linking the policy to a site, domain, or organizational unit

Stepping Through the Process

Step 1. GPO or Local Security Policy

Should the policy apply to many machines or users in a domain or organizational unit, or should it only apply to the local machine?

- If the policy should apply to many machines or users in a domain or other Active Directory container, use a GPO.
- If your policy should only apply to the local machine, use the Local Security Policy.

Step 2. User or Machine Policy

Should the policy apply to users regardless of where they log in, or to a machine regardless of who logs in?

- If you want the policy to apply to a specific group of users, for example the Marketing Department domain group, then you need a user policy.
- If you want the policy to apply to a set of machines and all the users that log on to those machines, then you need a machine policy.

Step 3. Default Security Level

Do you know all of the software your users will be running, or can they install any software they choose?

- If you know all of the software your users will be running, you should set the default security level to Disallowed.
- If users can install any software they want, set the default security level to Unrestricted.

Step 4. Additional Rules

Identify the applications you choose to allow or disallow using the four rule types outlined in the Software Restriction Policy Architecture section above. To see which rules make sense for your policy, refer to Table 1. When to Use Each Rule, above. To create additional rules, refer to the Step-by-Step Guide for Creating Additional Rules, below.

Step 5. Policy Options

There are several policy options:

- If you are using a local security policy, and do not want the policy to apply to administrators on the machine, set the Skip Administrators option.

- If you want to check DLLs in addition to executables and scripts, turn on the DLL checking option.
- If you want to set rules on file types that are not in the default list of designated file types, then add additional file types.
- If you want to change who can make decisions about downloading ActiveX controls and other signed content, set Trusted Publishers options.

Step 6. Linking the Policy to a Site, Domain, or Organizational Unit

To link a GPO to a site:
1. Use the Active Directory Sites and Services snap-in.
2. Right-click the site to which you want to link the GPO, and select Properties.
3. Select the Group Policy tab to create, edit, and manage GPOs.

To link a GPO to a domain or OU:
1. Use the Active Directory Users and Computers snap-in.
2. Right-click the domain or OU to which you want to link the GPO, and select Properties.
3. Select the Group Policy tab to create, edit, and manage GPOs.

Filtering

GPO filtering can be done at this stage. You can have a portion of an OU receive a GPO by filtering based on group membership. You can also filter based on a WMI query.

Testing a Policy

If you want to test your policy immediately, instead of waiting for the next Group Policy refresh interval, run gpupdate.exe and log on again to test your policy.

Step-by-Step Guide for Creating Additional Rules

The following steps are helpful when creating additional rules. To illustrate the principles behind the steps, each one includes an example of creating rules for Microsoft Office XP.

Step 1. List the Software Applications

List the software you are trying to identify. For our Office XP example, the software consists of Microsoft Word, Excel, PowerPoint, and Outlook.

Step 2. Decide Rule Type

Refer to Table 1. When to Use Each Rule, above, to decide which rule type to use. Also determine the security level for your rule. For our example, we use path rules set to the Unrestricted security level.

Step 3. Record the Folders Where the Software Is Installed

List the paths where the software is installed. Three ways to do this include:

- Look at the Target property of a shortcut to the file.
- Start each program, then click Start, Run, and type msinfo32.exe. From msinfo32, select Software Environment and then Running Tasks.

- Use the following command: wmic.exe process get "ExecutablePath, ProcessID"

For our example, you will see the following tasks running:

"C:\Program Files\Microsoft Office\Office10\WINWORD.EXE"
"C:\Program Files\Microsoft Office\Office10\EXCEL.EXE"
"C:\Program Files\Microsoft Office\Office10\POWERPNT.EXE"
"C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE"

Step 4. Identify Dependent Programs

Some programs launch other programs to perform tasks. Your software application may depend on one or more supporting programs. For example, Microsoft Word launches the Microsoft Clip Organizer to manage clipart. The Microsoft Clip Organizer uses the following programs:

C:\Program Files\Microsoft Office\Office10\MSTORDB.EXE
C:\Program Files\Microsoft Office\Office10\MSTORE.EXE

Microsoft Office also uses files in the C:\Program Files\Common Files folder.

Step 5. Generalize the Rules

In this step you should group related rules together to create a more general rule. Consider using environment variables, wildcards, and registry path rules.

Continuing our example, each program is stored in C:\Program Files\Microsoft Office\Office10, so it is sufficient to use one path rule for that folder instead of four separate path rules. Also, if Office is always installed in the Program Files folder on your machines, use an environment variable instead of an explicit path. Thus, our proposed rules are:

%ProgramFiles%\Microsoft Office\Office10
%ProgramFiles%\Common Files

Step 6. Have You Allowed Too Much?

This is the step where you look at what else is allowed by the rules you have proposed. Creating a rule that is too general may allow programs to run that you did not intend. The Office10 folder in our example also contains:

FINDER.EXE
OSA.EXE
MCDLC.EXE
WAVTOASF.EXE

Because these programs are acceptable to run, we do not have to change our rules.

Commonly Overlooked Rules

When designing a policy, consider the following areas when creating rules.

Login Scripts

Login scripts are stored on a central server. Often this central server can change with each login. If your default rule is Disallowed, be sure to create rules that identify the locations of your logon scripts.
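Steps 5 and 6 above, carried out in code as an added example (not part of this proposal and not a Microsoft tool): the inventory of executable paths and the ENV mapping are constructed, the Office file names are the ones listed in the guide, and the two entries under Common Files are hypothetical. The script folds the recorded paths into folder rules with environment variables, then audits what else each proposed rule would allow to run.

```python
"""Steps 5 and 6 of the rule-building guide as code.

Added example, not part of this proposal: generalise a list of executable
paths into folder rules with environment variables, then audit what else
those rules would let run. The inventory below is constructed; the Office
file names come from the guide above.
"""

# Constructed stand-in for the client's environment (Step 5 substitution).
ENV = {"ProgramFiles": r"C:\Program Files", "WINDIR": r"C:\WINDOWS"}

# Constructed inventory: what 'wmic process get ExecutablePath' and a
# directory listing of the Office folders would show (Steps 3 and 4).
INVENTORY = [
    r"C:\Program Files\Microsoft Office\Office10\WINWORD.EXE",
    r"C:\Program Files\Microsoft Office\Office10\EXCEL.EXE",
    r"C:\Program Files\Microsoft Office\Office10\POWERPNT.EXE",
    r"C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE",
    r"C:\Program Files\Microsoft Office\Office10\MSTORDB.EXE",
    r"C:\Program Files\Microsoft Office\Office10\MSTORE.EXE",
    r"C:\Program Files\Microsoft Office\Office10\FINDER.EXE",
    r"C:\Program Files\Microsoft Office\Office10\OSA.EXE",
    r"C:\Program Files\Microsoft Office\Office10\MCDLC.EXE",
    r"C:\Program Files\Microsoft Office\Office10\WAVTOASF.EXE",
    r"C:\Program Files\Common Files\SHARED_SAMPLE\helper.exe",           # hypothetical
    r"C:\Program Files\Common Files\SHARED_SAMPLE\unreviewed_tool.exe",  # hypothetical
    r"C:\WINDOWS\notepad.exe",
]

# Programs the policy is meant to allow: Step 1 applications, the Step 4
# dependencies, the Office10 extras judged acceptable in Step 6, and the
# hypothetical helper under Common Files.
APPROVED = {p for p in INVENTORY if "\\Office10\\" in p} | {
    r"C:\Program Files\Common Files\SHARED_SAMPLE\helper.exe",
}

# The two rules proposed at the end of Step 5.
PROPOSED = [r"%ProgramFiles%\Microsoft Office\Office10",
            r"%ProgramFiles%\Common Files"]


def substitute_env(path: str) -> str:
    """Replace the longest matching environment value with its %NAME% form."""
    for name, value in sorted(ENV.items(), key=lambda kv: -len(kv[1])):
        if path.lower().startswith(value.lower()):
            return f"%{name}%" + path[len(value):]
    return path


def generalize(paths) -> list:
    """Step 5: one folder rule per parent folder, using environment variables."""
    folders = {p.rsplit("\\", 1)[0] for p in paths}
    return sorted(substitute_env(f) for f in folders)


def expand_env(rule: str) -> str:
    """Expand %NAME% references back to the constructed values, lower-cased."""
    for name, value in ENV.items():
        rule = rule.replace(f"%{name}%", value)
    return rule.lower()


def covered_by(rule: str, inventory) -> list:
    """Files a folder rule allows: everything below the named folder."""
    prefix = expand_env(rule).rstrip("\\") + "\\"
    return [p for p in inventory if p.lower().startswith(prefix)]


def audit(rules, inventory, approved) -> dict:
    """Step 6: for each rule, the files it allows that were never approved."""
    return {r: [p for p in covered_by(r, inventory) if p not in approved]
            for r in rules}
```

generalize() stops at the immediate parent folder, so for the Common Files dependency it proposes the SHARED_SAMPLE subfolder; climbing to %ProgramFiles%\Common Files, as the guide does, is the administrator's choice, and audit() is what shows the price of that choice: the broader rule also admits the unreviewed tool.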

Consider using wildcards to identify these locations if the logon servers have similar names.

System File Protection

System File Protection keeps backup copies of many system programs in a folder named dllcache. These programs can be started by a user who knows the full path to the backup copy. If you want to disallow users running programs contained in the backup folder, you may want to create the following rule:

%WINDIR%\system32\dllcache, Disallowed

Common Startup Locations

Windows has many locations that contain links to programs that run at startup. If you don't make provisions for these programs, users will receive error messages when they log in. Common startup locations include:

%USERPROFILE%\Start Menu\Programs\Startup
%ALLUSERSPROFILE%\Start Menu\Programs\Startup
Win.ini and System.ini lines beginning with "run=" and "load="
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Virus Scanning Programs

Most anti-virus software has a real-time scanner program that starts when the user logs in and scans all files accessed by the user, looking for possible virus contamination. Make sure your rules allow your virus scanning programs to run.

Scenarios

This section examines some typical problems and how software restriction policies can be used to solve them.

Block Malicious Scripts

An organization wants to be protected from script-based viruses.

However, many organizations use VBS files for systems management and logon scripts. Blocking all VBS files from running protects an organization, but VBS files can then no longer be used for legitimate purposes. A software restriction policy overcomes this handicap by blocking undesirable VBS files while allowing legitimate ones to run. This policy can be created using the rules in Table 4.

Table 4 Rules for Blocking Malicious Scripts

Default Security Level: Unrestricted

Path Rules
*.VBS | Disallowed
*.VBE | Disallowed
*.JS | Disallowed
*.JSE | Disallowed
*.WSF | Disallowed
*.WSH | Disallowed

Certificate Rules
IT Department Certificate | Unrestricted

This policy prevents all scripting files associated with the Windows Scripting Host from running, except those that are digitally signed by the IT Department certificate. See the Appendix below for how to obtain a certificate and digitally sign files.

Manage Software Installation

You can configure your organization's machines so that only approved software can be installed. For software that uses Windows Installer technology, this can be accomplished by the policy shown in Table 5.

Table 5 Rules for Managing Software Installation


Default Security Level: Unrestricted

Path Rules
*.MSI | Disallowed
\\products\install\PROPLUS.MSI | Unrestricted

Certificate Rules
IT Department Certificate | Unrestricted

This policy prevents all Windows Installer packages from installing. It allows MSI files digitally signed by the IT department certificate and the OWC10.MSI package located at \\products\install to be installed. See the Appendix below for how to obtain a certificate and digitally sign files.

This policy also shows how you can use the precedence of the path and certificate rules to allow just the software you want. For any other package that your organization cannot or does not want to digitally sign, you can create hash rules, or fully qualified path rules, to make exceptions for them.

Line-of-Business PC

In some cases an administrator may want to manage all of the software that runs on a machine. This is because even when users have insufficient rights to replace system files or files in shared folders such as Program Files, if they have a place on the file system they can write to, then they can also copy a program there and start it up.

Viruses contracted this way can damage the system by modifying operating system settings and files; they can also cause great damage by misusing the user's privileges. For example, mass-mailer worms can be spread by accessing the user's address book and sending mail. Even normal users on a system are vulnerable to this kind of attack.

As long as users are not administrators on their local machines, the policy in Table 6 protects them from accidentally running malicious code. Because users cannot modify the contents of the Program Files or Windows folders, they can only run software installed by an administrator.

Table 6 Policy for Managing All Software on a Machine

Default Security Level: Disallowed

Apply software restriction policies to the following users: All users except administrators

Path Rules
%WINDIR% | Unrestricted
%PROGRAMFILES% | Unrestricted

This policy disallows all software on the user's machine, except that installed in the Windows directory, Program Files directory, or their respective subfolders. It does not apply to administrators.

If a user receives a virus attachment in an e-mail, for example WORM.vbs, the mail program will copy it to the profile directory (%USERPROFILE%) and launch it from there. Because the profile directory is not a subfolder of the Windows folder or the Program Files folder, programs launched from there will not run.

If all the programs a user needs are not installed in %WINDIR% or %PROGRAMFILES%, or there are programs in those folders that the administrator does not want the user running, the administrator can make additional exceptions as shown in Table 7.

Table 7 Exceptions for Managing All Software on a Machine

Path Rules
%WINDIR%\regedit.exe | Disallowed
%WINDIR%\system32\cmd.exe | Disallowed
\\CORP_DC_??\scripts | Unrestricted
%HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\InoculateIT\6.0\Path\HOME% | Unrestricted

The effects of these exceptions are:

- Both the command prompt (cmd.exe) and the registry editor (regedit.exe) are disallowed.
- An exception is created to allow login scripts to run on the user's machine. The use of the "?" wildcard allows the rule to match \\CORP_DC_01, \\CORP_DC_02, and others.
- A registry path rule is added that allows the anti-virus software on the machine to run.

Different Policies for Different Users

In this scenario, there are machines that are shared by many users. The machines have the same software installed on them, but the administrator wants to grant a certain group of users access to some software, and a different group of users access to other software. There also will be software that is shared between the groups.
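To make the rule precedence behind Tables 4 to 7 concrete, the following Python model is an added example (not part of this proposal and not Microsoft's SRP implementation). It evaluates a file against a default security level and a rule list in the documented order hash, certificate, path, with the most specific matching path rule winning and a tie going to the more restrictive level; Internet zone rules and the registry path rule from Table 7 are not modelled. The ENV values, the file contents, and the 'signer' attribute that stands in for an Authenticode signature are constructed assumptions.

```python
"""Model of how a software restriction policy picks a rule for a file.

Added example, not code from this proposal or from Windows. Rules are
tried in the documented precedence order (hash, certificate, path); among
matching path rules the most specific wins. Signing is simulated by a
'signer' attribute and ENV is a constructed stand-in for the client's
environment variables.
"""
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import Optional

DISALLOWED = "Disallowed"
UNRESTRICTED = "Unrestricted"

ENV = {  # constructed values
    "WINDIR": r"C:\WINDOWS",
    "PROGRAMFILES": r"C:\Program Files",
    "USERPROFILE": r"C:\Documents and Settings\user",
}


@dataclass
class Rule:
    kind: str   # "hash", "certificate" or "path"
    value: str  # SHA-1 hex digest, signer name or path pattern
    level: str  # DISALLOWED or UNRESTRICTED


@dataclass
class File:
    path: str
    data: bytes = b""             # contents, checked by hash rules
    signer: Optional[str] = None  # simulated Authenticode signer


def expand(pattern: str) -> str:
    """Expand %VAR% references and lower-case for comparison."""
    for name, value in ENV.items():
        pattern = pattern.replace(f"%{name}%", value)
    return pattern.lower()


def path_matches(pattern: str, path: str) -> bool:
    """A path rule matches the named file, everything below a named folder,
    or a '*'/'?' wildcard pattern applied to the whole path."""
    pat, p = expand(pattern).rstrip("\\"), path.lower()
    if p == pat or p.startswith(pat + "\\"):
        return True
    if "*" in pat or "?" in pat:
        return fnmatch.fnmatchcase(p, pat) or fnmatch.fnmatchcase(p, pat + "\\*")
    return False


def rule_matches(rule: Rule, f: File) -> bool:
    if rule.kind == "hash":
        return rule.value.lower() == hashlib.sha1(f.data).hexdigest()
    if rule.kind == "certificate":
        return f.signer is not None and f.signer == rule.value
    if rule.kind == "path":
        return path_matches(rule.value, f.path)
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def evaluate(default_level: str, rules: list, f: File):
    """Return (security level, deciding rule) or (default level, None)."""
    for kind in ("hash", "certificate", "path"):
        matches = [r for r in rules if r.kind == kind and rule_matches(r, f)]
        if matches:
            # Most specific wins (longest expanded pattern); ties go to Disallowed.
            best = max(matches, key=lambda r: (len(expand(r.value)), r.level == DISALLOWED))
            return best.level, best
    return default_level, None


def hash_rule(data: bytes, level: str) -> Rule:
    """Build a hash rule from file contents (SHA-1 stands in for the SRP hash)."""
    return Rule("hash", hashlib.sha1(data).hexdigest(), level)


# Table 4: block Windows Scripting Host files unless signed by the IT certificate.
TABLE_4 = [Rule("path", f"*.{ext}", DISALLOWED)
           for ext in ("VBS", "VBE", "JS", "JSE", "WSF", "WSH")]
TABLE_4.append(Rule("certificate", "IT Department Certificate", UNRESTRICTED))

# Table 5: block Windows Installer packages except one named package and signed ones.
TABLE_5 = [
    Rule("path", "*.MSI", DISALLOWED),
    Rule("path", r"\\products\install\PROPLUS.MSI", UNRESTRICTED),
    Rule("certificate", "IT Department Certificate", UNRESTRICTED),
]

# Tables 6 and 7: Disallowed by default with the listed exceptions.
TABLE_6_7 = [
    Rule("path", "%WINDIR%", UNRESTRICTED),
    Rule("path", "%PROGRAMFILES%", UNRESTRICTED),
    Rule("path", r"%WINDIR%\regedit.exe", DISALLOWED),
    Rule("path", r"%WINDIR%\system32\cmd.exe", DISALLOWED),
    Rule("path", r"\\CORP_DC_??\scripts", UNRESTRICTED),
]


def script_level(path: str, signer: Optional[str] = None) -> str:
    return evaluate(UNRESTRICTED, TABLE_4, File(path, signer=signer))[0]


def installer_level(path: str, signer: Optional[str] = None) -> str:
    return evaluate(UNRESTRICTED, TABLE_5, File(path, signer=signer))[0]


def lob_pc_level(path: str, data: bytes = b"", extra_rules=()) -> str:
    return evaluate(DISALLOWED, TABLE_6_7 + list(extra_rules), File(path, data=data))[0]
```

Running lob_pc_level() over the WORM.vbs path from the Table 6 discussion returns Disallowed because nothing under %USERPROFILE% matches, while %WINDIR%\regedit.exe is refused even though %WINDIR% is allowed, since the longer rule is the more specific one; installer_level() shows the same precedence between *.MSI and the fully qualified PROPLUS.MSI path, and a certificate match is taken before any path rule is consulted.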


With software restriction policies, you can perform the following tasks:

- Control which programs can run on your computer. For example, you can apply a policy that does not allow certain file types to run in the e-mail attachment folder of your e-mail program if you are concerned about users receiving viruses through e-mail.
- Permit users to run only specific files on multiple-user computers. For example, if you have multiple users on your computers, you can set up software restriction policies in such a way that users do not have access to any software except for those specific files that they must use for their work.
- Decide who can add trusted publishers to your computer.
- Control whether software restriction policies affect all users or just certain users on a computer.
- Prevent any files from running on your local computer, your organizational unit, your site, or your domain. For example, if there is a known virus, you can use software restriction policies to stop the computer from opening the file that contains the virus.

IMPORTANT: Microsoft recommends that you do not use software restriction policies as a replacement for antivirus software.

How to Start Software Restriction Policies

For the Local Computer Only

1. Click Start, point to Programs, point to Administrative Tools, and then click Local Security Policy.
2. In the console tree, expand Security Settings, and then expand Software Restriction Policies.

For a Domain, a Site, or an Organizational Unit on a Member Server or a Workstation That Is Joined to a Domain

1. Open Microsoft Management Console (MMC). To do so, click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in, and then click Add.
3. Click Group Policy Object Editor, and then click Add.
4. In Select Group Policy Object, click Browse.
5. In Browse for a Group Policy Object, select a Group Policy object (GPO) in the appropriate domain, site, or organizational unit, and then click Finish. Alternatively, you can create a new GPO, and then click Finish.
6. Click Close, and then click OK.
7. In the console tree, go to the following location: Group Policy Object Computer_name Policy/Computer Configuration or User Configuration/Windows Settings/Security Settings/Software Restriction Policies


For an Organizational Unit or a Domain on a Domain Controller or a Workstation That Has the Administration Tools Pack Installed

1. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the console tree, right-click the domain or organizational unit that you want to set Group Policy for.
3. Click Properties, and then click the Group Policy tab.
4. Click an entry in Group Policy Object Links to select an existing GPO, and then click Edit. Alternatively, you can click New to create a new GPO, and then click Edit.
5. In the console tree, go to the following location: Group Policy Object Computer_name Policy/Computer Configuration or User Configuration/Windows Settings/Security Settings/Software Restriction Policies

For Your Site on a Domain Controller or a Workstation That Has the Administration Tools Pack Installed

1. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, right-click the site that you want to set Group Policy for:


Active Directory Sites and Services [Domain_Controller_Name.Domain_Name]/Sites/Site

3. Click Properties, and then click the Group Policy tab.
4. Click an entry in Group Policy Object Links to select an existing Group Policy object (GPO), and then click Edit. Alternatively, click New to create a new GPO, and then click Edit.
5. In the console tree, go to the following location: Group Policy Object Computer_name Policy/Computer Configuration or User Configuration/Windows Settings/Security Settings/Software Restriction Policies

IMPORTANT: Click User Configuration to set policies that will be applied to users, regardless of the computer to which they log on. Click Computer Configuration to set policies that will be applied to computers, regardless of the users who log on to them.

You can also apply software restriction policies to specific users when they log on to specific computers by using an advanced Group Policy setting named loopback.

How to Prevent Software Restriction Policies from Applying to Local Administrators


1. Click Start, click Run, type mmc, and then click OK.
2. Open Software Restriction Policies.
3. In the details pane, double-click Enforcement.
4. Under Apply software restriction policies to the following users, click All users except local administrators.

NOTES: You may have to create a new software restriction policy setting for this GPO if you have not already done so. Typically, users are members of the local administrator group on their computers in your organization; therefore, you may not want to turn on this setting. With this setting turned on, software restriction policies do not apply to any users who are members of their local administrator group. If you are defining a software restriction policy setting for your local computer, use this procedure to prevent local administrators from having software restriction policies applied to them. If you are defining a software restriction policy setting for your network, filter user policy settings based on membership in security groups by using Group Policy.

How to Create a Certificate Rule

1. Click Start, click Run, type mmc, and then click OK.
2. Open Software Restriction Policies.
3. In either the console tree or the details pane, right-click Additional Rules, and then click New Certificate Rule.
4. Click Browse, and then select a certificate.


5. Select a security level.
6. In the Description box, type a description for this rule, and then click OK.

NOTES: For information about how to start software restriction policies in MMC, see "Start software restriction policies" in Related Topics in the Windows Server 2003 Help file. You may have to create a new software restriction policy setting for this GPO if you have not already done so. By default, certificate rules are not turned on. To turn on certificate rules:

1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
3. In the details pane, double-click AuthenticodeEnabled, and then change the value data from 0 to 1.

The only file types that are affected by certificate rules are those that are listed in Designated file types. There is one list of designated file types that is shared by all rules. For software restriction policies to take effect, users must update policy settings by logging off from and then logging on to their computers.


When more than one rule is applied to policy settings, there is a precedence of rules for handling conflicts.

How to Create a Hash Rule

1. Click Start, click Run, type mmc, and then click OK.
2. Open Software Restriction Policies.
3. In either the console tree or the details pane, right-click Additional Rules, and then click New Hash Rule.
4. Click Browse to find a file, or paste a precalculated hash in the File hash box.
5. In the Security level box, click either Disallowed or Unrestricted.
6. In the Description box, type a description for this rule, and then click OK.

NOTES: You may have to create a new software restriction policy setting for this GPO if you have not already done so. You can create a hash rule for a virus or a Trojan horse to prevent the malicious software from running. If you want other users to use a hash rule so that a virus cannot run, calculate the hash of the virus by using software restriction policies, and then e-mail the hash value to other users. Never e-mail the virus itself. If a virus has been sent through e-mail, you can also create a path rule to prevent users from running mail attachments.


A file that is renamed or moved to another folder still results in the same hash. Any change to a file results in a different hash. The only file types that are affected by hash rules are those that are listed in Designated file types. There is one list of designated file types that is shared by all rules. For software restriction policies to take effect, users must update policy settings by logging off from and then logging on to their computers. When more than one rule is applied to policy settings, there is a precedence of rules for handling conflicts.

How to Create an Internet Zone Rule

1. Click Start, click Run, type mmc, and then click OK.
2. Open Software Restriction Policies.
3. In the console tree, click Software Restriction Policies.
4. In either the console tree or the details pane, right-click Additional Rules, and then click New Internet Zone Rule.
5. In Internet zone, click an Internet zone.
6. In the Security Level box, click either Disallowed or Unrestricted, and then click OK.

NOTES: You may have to create a new software restriction policy setting for this GPO if you have not already done so.


Zone rules apply to Windows Installer packages only. The only file types that are affected by zone rules are those that are listed in Designated file types. There is one list of designated file types that is shared by all rules. For software restriction policies to take effect, users must update policy settings by logging off from and then logging on to their computers. When more than one rule is applied to policy settings, there is a precedence of rules for handling conflicts.

How to Create a Path Rule

1. Click Start, click Run, type mmc, and then click OK.
2. Open Software Restriction Policies.
3. In either the console tree or the details pane, right-click Additional Rules, and then click New Path Rule.
4. In the Path box, type a path or click Browse to find a file or folder.
5. In the Security level box, click either Disallowed or Unrestricted.
6. In the Description box, type a description for this rule, and then click OK.

IMPORTANT: On certain folders, such as the Windows folder, setting the security level to Disallowed can adversely affect the operation of your operating system. Make sure that you do not disallow a crucial component of the operating system or one of its dependent programs.

NOTES:


You may have to create a new software restriction policy setting for this GPO if you have not already done so. If you create a path rule for a program with a security level of Disallowed, a user can still run the software by copying it to another location. The wildcard characters that are supported by the path rule are the asterisk (*) and the question mark (?). You can use environment variables, such as %programfiles% or %systemroot%, in your path rule. To create a path rule for software when you do not know where it is stored on a computer but you have its registry key, you can create a registry path rule. To prevent users from running e-mail attachments, you can create a path rule for your mail program's attachment folder. The only file types that are affected by path rules are those that are listed in Designated file types. There is one list of designated file types that is shared by all rules. For software restriction policies to take effect, users must update policy settings by logging off from and then logging on to their computers. When more than one rule is applied to policy settings, there is a precedence of rules for handling conflicts.

How to Create a Registry Path Rule


1. Click Start, click Run, type regedit, and then click OK.
2. In the console tree, right-click the registry key that you want to create a rule for, and then click Copy Key Name. Note the value name in the details pane.
3. Click Start, click Run, type mmc, and then click OK.
4. Open Software Restriction Policies.
5. In either the console tree or the details pane, right-click Additional Rules, and then click New Path Rule.
6. In Path, paste the registry key name and the value name. Enclose the registry path in percent signs (%), for example: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PlatformSDK\Directories\InstallDir%
7. In the Security level box, click either Disallowed or Unrestricted.
8. In the Description box, type a description for this rule, and then click OK.

NOTES: You may have to create a new software restriction policy setting for this GPO if you have not already done so. You must be a member of the Administrators group to perform this procedure.

Format the registry path as follows: %Registry Hive\Registry Key Name\Value Name%
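A small parser for this registry path rule format, added here as an illustration and not taken from the proposal or from Microsoft's implementation: it enforces the two constraints the rule relies on (the hive spelled out in full, no backslash in any suffix after the closing percent sign) and resolves the rule against a constructed registry snapshot. The function names, SAMPLE_REGISTRY, and the choice to join the suffix to the value data with a single backslash are assumptions made for the example.

```python
import re

# Registry hives spelled out in full; abbreviations such as HKCU are not accepted.
FULL_HIVE_NAMES = {
    "HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
    "HKEY_USERS", "HKEY_CURRENT_CONFIG",
}

# %Registry Hive\Registry Key Name\Value Name% followed by an optional suffix.
RULE_RE = re.compile(r"^%(?P<hive>[^\\%]+)\\(?P<key>[^%]+)\\(?P<value>[^\\%]+)%(?P<suffix>.*)$")


def parse_registry_path_rule(rule: str) -> dict:
    """Split a registry path rule into hive, key, value and suffix, rejecting malformed ones."""
    match = RULE_RE.match(rule)
    if not match:
        raise ValueError("expected %Registry Hive\\Registry Key Name\\Value Name% plus optional suffix")
    parts = match.groupdict()
    if parts["hive"] not in FULL_HIVE_NAMES:
        raise ValueError(f"registry hive must be written out in full, got {parts['hive']!r}")
    if "\\" in parts["suffix"]:
        raise ValueError("the suffix after the closing % must not contain a backslash")
    return parts


def resolve_registry_path_rule(rule: str, registry: dict) -> str:
    """Expand the rule against a registry snapshot ({'HIVE\\Key': {value: data}}) into the
    path the rule stands for. Joining the suffix with one backslash is an assumption."""
    parts = parse_registry_path_rule(rule)
    key = f"{parts['hive']}\\{parts['key']}"
    try:
        data = registry[key][parts["value"]]
    except KeyError:
        raise LookupError(f"{key} has no value named {parts['value']!r}") from None
    if parts["suffix"]:
        return data.rstrip("\\") + "\\" + parts["suffix"]
    return data


# Constructed registry snapshot standing in for the real keys on a Windows Server 2003 host.
SAMPLE_REGISTRY = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders": {
        "Cache": r"C:\Documents and Settings\jdoe\Local Settings\Temporary Internet Files",
    },
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PlatformSDK\Directories": {
        "InstallDir": r"C:\Program Files\Microsoft Platform SDK",
    },
}
```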


You must write out the name of the registry hive; you cannot use abbreviations. For example, you cannot substitute HKCU for HKEY_CURRENT_USER. The registry path rule can contain a suffix after the closing percent sign (%). Do not use a backslash (\) in the suffix. For example, you can use the following registry path rule:

%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*

The only file types that are affected by path rules are those that are listed in Designated file types. There is one list of designated file types that is shared by all rules. For software restriction policies to take effect, users must update policy settings by logging off from and then logging on to their computers. When more than one rule is applied to policy settings, there is a precedence of rules for handling conflicts.

How to Add or Delete a Designated File Type

1. Click Start, click Run, type mmc, and then click OK.
2. Open Software Restriction Policies.
3. In the details pane, double-click Designated File Types.
4. Perform one of the following steps as appropriate:
To add a file type, type the file name extension in the File extension box, and then click Add.


To delete a file type, click the file type in the Designated file types box, and then click Remove.

How to Change the Default Security Level of Software Restriction Policies

1. Click Start, click Run, type mmc, and then click OK.
2. Open Software Restriction Policies.
3. In the details pane, double-click Security Levels.
4. Right-click the security level that you want to set as the default, and then click Set as default.

CAUTION: In certain folders, if you set the default security level to Disallowed, you can adversely affect your operating system.

NOTES: You may have to create a new software restriction policy setting for this GPO if you have not already done so. In the details pane, the current default security level is indicated by a black circle with a check mark in it. If you right-click the current default security level, the Set as default command does not appear in the menu. Rules are created to specify exceptions to the default security level. When the default security level is set to Unrestricted, rules specify software that is not allowed to run. When the default security level is set to Disallowed, rules specify software that is allowed to run.


If you change the default level, you affect all files on the computers that have software restriction policies applied to them. At installation, the default security level of software restriction policies on all files on your computer is set to Unrestricted.

How to Set Trusted Publisher Options

1. Click Start, click Run, type mmc, and then click OK.
2. Open Software Restriction Policies.
3. Double-click Trusted Publishers.
4. Click the users who you want to decide which certificates will be trusted, and then click OK.
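The notes on hash rules, path rules, designated file types and the default security level above describe behaviour that is easiest to see worked through: the following toy evaluator is an added illustration in Python, not code from the proposal or from Microsoft, and it shows why a Disallowed path rule is defeated by copying the file elsewhere while a hash rule is not, and how the default level flips the meaning of the rules. That hash rules take precedence over path rules is how SRP behaves; the file type list, the environment values, and measuring path specificity by the length of the expanded pattern are assumptions made for the example.

```python
import fnmatch
import hashlib
import ntpath

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"
# Constructed stand-in for the Designated file types list that all rules share.
DESIGNATED_FILE_TYPES = {".exe", ".com", ".bat", ".cmd", ".vbs", ".scr", ".msi"}
# Constructed environment variables, standing in for what SRP expands in path rules.
ENV = {"%systemroot%": r"C:\WINDOWS", "%programfiles%": r"C:\Program Files"}


def expand(path: str) -> str:
    """Expand the variables above and fold case; Windows paths are case-insensitive."""
    out = path.lower()
    for var, val in ENV.items():
        out = out.replace(var, val.lower())
    return out


def srp_hash(data: bytes) -> str:
    """A hash rule identifies a file by a digest of its bytes (MD5 on Windows Server 2003):
    renaming or moving the file changes nothing, altering one byte changes the digest."""
    return hashlib.md5(data).hexdigest()


class SrpPolicy:
    """Toy evaluator covering hash rules, path rules and the default security level."""

    def __init__(self, default_level: str = UNRESTRICTED):
        self.default_level = default_level  # Unrestricted at installation
        self.hash_rules = {}                # digest -> security level
        self.path_rules = []                # (pattern, security level)

    def add_hash_rule(self, data: bytes, level: str) -> str:
        digest = srp_hash(data)
        self.hash_rules[digest] = level
        return digest

    def add_path_rule(self, pattern: str, level: str) -> None:
        self.path_rules.append((pattern, level))

    def evaluate(self, path: str, data: bytes) -> tuple:
        """Return (security level, reason) for running the file at `path` whose bytes are `data`."""
        if ntpath.splitext(path)[1].lower() not in DESIGNATED_FILE_TYPES:
            return UNRESTRICTED, "not a designated file type, so no rule applies"
        # 1. A hash rule outranks a path rule (SRP precedence: hash, certificate, path, zone).
        digest = srp_hash(data)
        if digest in self.hash_rules:
            return self.hash_rules[digest], f"hash rule {digest}"
        # 2. Among matching path rules the most specific wins; the length of the
        #    expanded pattern is used as the specificity measure here (assumption).
        full = expand(path)
        hits = []
        for pattern, level in self.path_rules:
            pat = expand(pattern)
            # A rule naming a folder covers everything beneath it; * and ? are the only wildcards.
            if fnmatch.fnmatchcase(full, pat) or full.startswith(pat.rstrip("\\") + "\\"):
                hits.append((len(pat), pattern, level))
        if hits:
            _, pattern, level = max(hits)
            return level, f"path rule {pattern}"
        # 3. Nothing matched, so the default security level decides.
        return self.default_level, "default security level"
```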
