Lecture 11: Managing the networkNetwork Design & Administration
Net
wor
k D
esig
n &
Adm
inist
ratio
n
Group Policy Objects (GPO) [11]
• A GPO applies rights or limitations to all the AD objects in a container (or set of containers)
• A container may be a site, domain or organisation unit (OU) – GPO’s are not directly applicable to groups!
• Aim of GPO’s is to simplify management of network with reference to rules that apply to multiple users and/or machines
2
Net
wor
k D
esig
n &
Adm
inist
ratio
n
GPO Applicability[1]
• GPO’s can control settings for software configuration, registry, security configuration, software installation and lots more!• Hierarchy of GPO’s: higher levels overrule lower• Filtering (& delegation) can be applied to limit
scope/customise • Some cases where GPO’s fail to apply – can be
tricky to debug
3
Net
wor
k D
esig
n &
Adm
inist
ratio
n
Who is allowed to set them?
• The relevant predefined Active Directory GLOBAL groups are:• Domain Admins• Enterprise Admins (only appear in Forest root
domain)• Group Policy Creator Owners (by default, domain
admin acct is member of this group)• However, by default, predefined AD groups only
get rights/permissions when added to domain local groups 4
Net
wor
k D
esig
n &
Adm
inist
ratio
n
Who is allowed to set them?
• Every AD domain has a builtin container, where it creates security groups with domain local scope.• These have the relevant rights and permissions
• Most important group here is Administrators – by default, the global Enterprise and Domain Admin groups are added to this• Admin have large set of RIGHTS by default,
though these may be delegated to others
5
Net
wor
k D
esig
n &
Adm
inist
ratio
n
Group Policy Management
• There can be lots of GPO’s within a domain!• The Group Policy Management console provides
you with a way to manage these GPO’s.• Provides access to the Group Policy Editor where
individual policy objects can be created and edited.• Provides access to Administrative templates
(.adm) which describe where registry-based group policy settings are stored, and are used to change settings on GPO’s 6
Net
wor
k D
esig
n &
Adm
inist
ratio
n
Group Policy Management Console
Cannot edit from here. Just right click selected policy, and GP editor comes up
This is for checking effects
7
Net
wor
k D
esig
n &
Adm
inist
ratio
n
Administrative Templates
• There are a number of built-in administrative templates:• system.adm • inetres.adm• wmplayer.adm• conf.adm• wuau.adm
• Each of these files contains many individual policy descriptions, and where they are stored in Registry• If an admin wants to add NEW policies, Microsoft
recommend to create custom .adm files rather than modify these 8
Net
wor
k D
esig
n &
Adm
inist
ratio
n
Example Policies in .admEnable disk quotasEnforce disk quota limitDefault quota limit and warning levelLog event when quota limit exceededLog event when quota warning level exceeded
System.adm
Scripting of Java appletsLogon optionsRun .NET Framework-reliant components signed with AuthenticodeRun .NET Framework-reliant components not signed with AuthenticodeDownload signed ActiveX controlsDownload unsigned ActiveX controls
Configure Automatic UpdatesSpecify intranet Microsoft update service locationEnable client-side targetingReschedule Automatic Updates scheduled installationsNo auto-restart for scheduled Automatic Updates installations
inetres.adm
wuau.adm
9
Net
wor
k D
esig
n &
Adm
inist
ratio
n
Security Policies (secpol.msc)Enforce password historyMaximum password ageMinimum password ageMinimum password lengthPassword must meet complexity requirementStore passwords using reversible encryption for all users in the domain !!Account lockout durationAccount lockout thresholdReset lockout counter after
Maximum lifetime for service ticketMaximum lifetime for user ticketMaximum lifetime for user ticket renewal
Audit account logon eventsAudit account managementAudit logon eventsAudit policy changeAudit system events
Password policy Kerberos policyAudit policySecurity options
Interactive logon: Require smart cardInteractive logon: Smart card removal behavior
10
Net
wor
k D
esig
n &
Adm
inist
ratio
n
Effect of not using GPO for accounts[4],[5],[6]
• In January 2009, a hacker gained access to a Twitter employee’s administrative account and was able to use the admin tools to reset passwords on other users’ accounts. Then these passwords for the accounts of a number of celebrities (including Barack Obama) were published on a hackers’ forum. Subsequently posts were made on those accounts by unauthorized persons. Twitter did not use account lockout policies to prevent a hacker from utilizing dictionary attacks.
• Miley Cyrus had her Twitter account suspended temporarily after it was hacked into and offensive messages posted.
In the case of the hacked Twitter employee, the combination of a weak password, "happiness," and Twitter's lax security regarding repeated login attempts made it fairly simple for the hacker to gain entry. Twitter has not indicated that it has fixed this vulnerability by limiting the number of password attempts.
"It appears that Miley didn't learn the lesson last year and hasn't been taking enough care over her password security to avoid the same fate, other users should make sure they choose strong passwords that can't be easily cracked, and Twitter itself should play a key part in enforcing this."
11
Net
wor
k D
esig
n &
Adm
inist
ratio
n
And to follow on from this[7]
“… I started wondering how vulnerable other sites might be to this type of attack. … I went looking at some of the sites that I frequent and found that many of them don’t have any restrictions on authentication attempts… And how hard would it really be to create such a script to attempt a brute force attack like the one that was used by the hacker? Well… How about four simple lines of code attached to a very large dictionary database:”
“I tested this script against a site that I frequent and it worked as expected. So, I guess it’s not that hard to perform such an attack. Now it seems the question isn’t how did this happen to Twitter, but why doesn’t this happen every day?”
Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1") WinHttpReq.Open "POST", "http://www.domain.com/login", false WinHttpReq.SetRequestHeader "Content-Type","application/x-www-form-urlencoded" WinHttpReq.Send("login=Chris&password=Pa$$w0rd")
12
Net
wor
k D
esig
n &
Adm
inist
ratio
n
Example security issue helped by GPO[8]
• A particular problem is the need to disable USB sticks and other removable media in secure installations• Can set up custom adm to include this, and apply
via GPO to a group of workstations• Disables various drivers• A lot better than gluing up the USB ports! • Vista/7 includes extensions to GP to make this
easier (Removable Storage Management) BUT also includes approx. 800 other new policy settings
13
Net
wor
k D
esig
n &
Adm
inist
ratio
n
Other Issues with GPO’s
• For Server 2003 and XP, they run in winlogon and then update on irregular time basis• For Vista, they have their own “hardened” service which
cannot be stopped• .adm files are added to sysvol every time a new GPO is
created – this can lead to lots of copied files around the system, and replication traffic overhead• Some of the GPO’s have to be considered as merely
obscuration rather than security, since users may be able to use other programs to get around them e.g. for editing Registry settings
14
Net
wor
k D
esig
n &
Adm
inist
ratio
n
Managing Software on the Network[10],[11]
• GPO’s allow admins to specify which .msi packages are to be assigned or published
• Assignment can be user or computer associated, whereas publishing is necessarily linked only to users (a user has to do something to install it)
• GPO can also define how upgrade/removal handled
15
Net
wor
k D
esig
n &
Adm
inist
ratio
n
Assign vs. Publish
• Published software is available in the Add/Remove Programs applet, but user has to decide whether to install• Assigned to User means icon for app is on
desktop (“advertised”) - activation or opening associated document for 1st time will trigger install• Assigned to Computer means software already
installed before user even logs on 16
Net
wor
k D
esig
n &
Adm
inist
ratio
n
Why .msi?
• Contains useful info about structure of program • So can “self heal” if files accidentally deleted• Installer creates system restore point before
installing – so reverts automatically if install goes wrong• Has sophisticated options for various methods of
installation (especially for big programs and slow links) to install only some bits of large packages (e.g. Office) immediately• Can be constructed using Wix (Microsoft Installer
Toolkit) – has a large learning curve
17
Net
wor
k D
esig
n &
Adm
inist
ratio
n
How to setup and use[12]
• Create Software Distribution Points (SDP) – shared network folders with NTFS Read/Execute permissions for the users
• Create GPO for software deployment (and associate with chosen domain/site/OU)
• Configure software deployment properties for the GPO – location of SDP, default handling of new packages etc.
• Add the installation packages to the GPO (indicating whether to be published or assigned)
• Configure each installation package properties – e.g. • Auto-Install This Application By File Extension Activation• Uninstall This Application When It Falls Out Of The Scope Of
Management 18
Net
wor
k D
esig
n &
Adm
inist
ratio
n
Some snags…
• No licence control is performed – so Published software had better be on a site licence!• Need to plan carefully how to structure the
software e.g. common packages to be assigned to computers, specific ones to be assigned to different user groups etc., otherwise might have too many GPOs to manage• If users need admin privilege to install, risky! Can
configure installer to “always install elevated”, but this also poses a security risk. 19
Net
wor
k D
esig
n &
Adm
inist
ratio
n
Microsoft Software Licensing
• Needs care in Windows networks• Need to consider whether Per User or Per Device is most
cost-effective way.• (Also might need to buy additional Client Access Licences
for Remote Desktop Services if remote users log in to a server)• Each Server 2008 computer runs a Licence Logging
service, which keeps track. • The information is replicated to a Site Licence Server
• Can maintain licence information for file, print services, IIS, RDS , Exchange, SQL Server etc. 20
Net
wor
k D
esig
n &
Adm
inist
ratio
n
Process to maintain licences
• Identify Site Licence Server (normally first domain controller in a site)• Administer licences using Licensing in
Administrative Tools• To add new licences, select New License, and
specify number added• Alternatively, use 3rd party tool that can also
handle other licences e.g. volume• Monitor licence status regularly
21
Net
wor
k D
esig
n &
Adm
inist
ratio
n
Next time & References• Powershell Scripting
References[1] http://technet.microsoft.com/en- us/windowsserver/grouppolicy/default.aspx[2] MOAC 70-290 Ch 7[3] http://www.windowsecurity.com/articles/Group-Policy-Management-Console.html [4] http://www.windowsecurity.com/articles/Social-Networking-Latest-Greatest-Business-Tool-Security-Nightmare.html[5] http://www.toptechnews.com/story.xhtml?story_id=030002OA8BWI[6] http://digital.asiaone.com/Digital/News/Story/A1Story20090218-122815.html[7] http://www.dscoduc.com/post/2009/01/08/Brute-Force-Password-Hacking.aspx[8] http://support.microsoft.com/kb/555324[10] MOAC 70-270 Ch 9[11] http://technet.microsoft.com/en-us/library/cc782152.aspx[12] http://www.tech-faq.com/deploying-software-through-group-policy.shtml 22
Top Related