Group Policy Infrastructure in Windows: Today and Tomorrow
Kurt Roggen [BE], System Architect, DevoTeam/Guidance
Email: [email protected]
Blog: http://tryCatch.be/blogs/roggenk
Agenda
Today
• Group Policies (GP)
• Group Policy Preferences (GPP)
• Scenarios
Tomorrow
• Group Policies (GP)
  • GPEditor UI
  • PowerShell
  • New features
• Group Policy Preferences (GPP)
  • Extensions
Group Policy Enhancements
• Group Policy Tools: new GPOE & GPMC tools. Use consistent versions!
• Group Policy Service: GP now runs in a shared service; hardened service, more reliable
• Group Policy Settings: over 800 new policy changes with Windows Vista; extended GP for new Windows Vista features
• Network Location Awareness (NLA): the NLA service provides the latest network information; applications can query or register with NLA for network change indications
• Group Policy Logging: Administrative log, Applications and Services log, XML-based event logs, new tool GPOLogView
• Group Policy Templates: ADM templates now in ADMX files (ADMX, ADML)
(Windows Vista/Windows Server 2008: ADM → ADMX)

Group Policy Central Store
• Centralized repository for ADMX
• Contains all ADMX templates
• Created in the SYSVOL on a DC in each domain
[Diagram: a DC whose SysVol (replicated by FRS/DFS-R) holds Policies\<GUID> and PolicyDefinitions with the ADMX and ADML files]
Group Policy Features: Windows Vista, Windows Server 2008
• Multiple Local GPOs (LGPOs): Local Computer Policy, Admin/Non-Admin Group Policy, user-specific Group Policy
• Group Policy Preferences: set initial value, rich administration UI, rich item-level targeting
New/Updated Policy settings: Windows Vista, Windows Server 2008
• Up to 1,800+ policy settings in the past
• +700 in Windows Vista (2500)
• Group Policy is a Windows ‘Manageability’ basic requirement
• Policy settings greatly expanded in a number of areas: Removable Storage Devices, IPsec/Windows Firewall, Power Management, Printer Management, Troubleshooting and Diagnostics, Windows Defender, Network Access Protection, Internet Explorer, Tablet PC, Windows Error Reporting, User Account Control (UAC), Wired and Wireless Policy, Desktop Shell, Globalization, Remote Assistance
GPO Filtering: Windows Vista, Windows Server 2008
• Filters a list of settings based on
  • Text search of setting title, explain text and comments
  • Platform and applications “supported on”
  • Managed (true GP policy setting)
  • Configured (enabled or disabled)
• The result of the search is a filtered view in the editor
  • Hierarchical list
  • Flat list
• Only for Group Policy Administrative Template settings, not Group Policy Preferences
• Available through GPMC 2.0 (Windows Server 2008 RSAT & Vista SP1 RSAT)
Multiple Local GPOs: Windows Vista, Windows Server 2008
• Local GPOs can be created for:
  • The machine (same LGPO as today)
  • NEW: Admins or non-Admins local groups
  • NEW: Individual local users
• Application order is as above (machine LGPO processed first, etc.), so the individual user GPO “wins”
• Any single user receives either the Admin or the Non-Admin LGPO (not both)
• No change in LGPO vs. Domain GPO priority: domain-based GPOs still have precedence over LGPOs
• New policy setting: “Exclude processing of all local GPOs”
ADMX Central Store: Windows Vista, Windows Server 2008
• Domain-wide location for storing ADMX/ADML files
• Default behavior (without the Central Store): ADMX files local to the administrative machine are used by GPMC/GPEdit
• Creating and using the Central Store
  • Domain-wide location for storing ADMX files: [sysvol]\<domain>\policies\PolicyDefinitions
  • One-time creation and population of the central store per domain
  • See the published ADMX Files Step-by-Step guide
• From then on, Windows Vista GPMC/GPEdit use the ADMX files in the central store (and ignore the local store)
Starter GPOs: Windows Vista, Windows Server 2008
• Create new GPOs based on a Starter GPO (templates)
• Encapsulation of best practices/scenarios
  • Contains recommended policy settings and values
  • Administrative template policy settings only
• Available for download from Microsoft

Starter GPOs: Windows Vista, Windows Server 2008
• Starter GPO scenarios
  • Based on the Windows Vista Security Guide: Windows Vista Enterprise Client (EC), Windows Vista Specialized Security Limited Functionality (SSLF) Client
  • Based on the Windows XP Security Guide: Windows XP Service Pack 2 (SP2) EC, Windows XP SP2 SSLF Client
• Starter GPO types
  • System Starter GPOs (read-only)
  • Custom-made Starter GPOs (editable)
• Anyone can create and share new custom templates
Group Policy Comments: Windows Vista, Windows Server 2008
• Comments
  1. Per Group Policy Object (GPO)
  2. Per Group Policy setting
  3. Per Group Policy Preference (GPP) item
Group Policy Preferences: Functionality Overview
• Preference setting(s)
  • Initial value
  • Not enforced
  • Not true “Policy”
  • Not limited to policy-aware applications
• Greatly extends the number of settings
  • Computer and User settings
  • Using Control Panel and Windows settings
• New functionality for new settings
  • Rich UI for easier administration
  • Better (item-level) targeting
• Shipped with Windows Server 2008
Group Policy Preferences: Settings
• Control Panel Settings: Data Sources, Devices, Folder Options, Internet Options, Local Users and Groups, Power Options, Printers, Scheduled Tasks, Start Menu, Services
• Windows Settings: Drive Mappings, Environment, Folders/Files, Ini Files, Shares, Shortcuts, Registry, Applications
• Extensible!
Group Policy Preferences: Rich User Interface
• Familiar experience
• Makes it easy to find
• Easy to manage
• Better control of individual settings (red/green)
• Powerful browsers
Group Policy Preferences: Better Targeting
• Item-level targeting, not GPO level
• Robust targeting
  • 29 types
  • Boolean logic (And, Or, Not)
  • Grouping
• Windows APIs, not WMI based
• Intuitive UI: no need to learn query languages
• Powerful browsers
Group Policy Preferences: Components
• Snap-in extensions (GPMC only, not in local policy)
• Client Side Extensions (CSE)

Supported platforms (both x86/x64):
          Windows Server 2008   Windows Vista   Windows XP   Windows Server 2003
Snap-in   Included              RSAT            N/A          N/A
CSEs      Included              Download        Download     Download
Remote Server Administration Tools (RSAT)
• New version of the WS2003 “Admin Pack”
• Available as OOB web download
• RSAT public Beta available
• RSAT RTW available shortly after the WS08 launch
• Installs WS2008 administration tools on Vista SP1* computers for remote management
• Enables GUI-based remote management for full server and server core installations
Group Policy Preferences are NOT Preferences
• By default, a Group Policy Preference is NOT a preference
• By default, (re)set at the GP refresh cycle
  • Manual (gpupdate)
  • Automatic
    Computer Configuration: DC: 5 min; non-DC: 90 min + △30 min (min 90 min, max 120 min / 2h)
    User Configuration: 90 min + △30 min (min 90 min, max 120 min / 2h)
Processing Order: Policies versus Preferences
• Who wins??! It depends!
• Alphabetical order, based on their GUID:
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
• One exception: Registry CSE (applies first)
• Last writer wins
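A worked PowerShell example, added here and not part of the deck, that reads the GPExtensions key and prints the registered CSEs in the processing order just described (Registry CSE first, then alphabetically by GUID); the Registry CSE GUID used is the well-known one, and the flag columns are the values a CSE registers beneath its own key.

```powershell
# Added example, not part of the original deck: list the Client Side Extensions (CSEs)
# registered on this machine in the processing order the slide describes (Registry CSE
# first, then alphabetically by GUID) together with the flags that decide whether a CSE
# also runs at background refresh. Read-only, so it is safe on any domain member.

$GpExtensionsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'

# Well-known GUID of the Registry (Administrative Templates) CSE, the one exception
# that is applied before the other extensions.
$RegistryCseGuid = '{35378EBA-3E1B-11D2-B4F8-00C04F8A7BBC}'

function Get-CseProcessingOrder {
    param([string]$Path = $GpExtensionsKey)

    $cses = foreach ($key in Get-ChildItem -Path $Path) {
        $p = Get-ItemProperty -Path $key.PSPath
        New-Object PSObject -Property @{
            Guid               = $key.PSChildName
            Name               = $p.'(default)'               # display name set by the CSE
            DllName            = $p.DllName
            NoBackgroundPolicy = [bool]$p.NoBackgroundPolicy  # 1 = only at startup/logon
            NoMachinePolicy    = [bool]$p.NoMachinePolicy
            NoUserPolicy       = [bool]$p.NoUserPolicy
        }
    }

    # Registry CSE first, the rest alphabetically by GUID; a later CSE that writes the
    # same setting overwrites an earlier one ("last writer wins").
    $ordered = @($cses | Where-Object { $_.Guid -eq $RegistryCseGuid }) +
               @($cses | Where-Object { $_.Guid -ne $RegistryCseGuid } | Sort-Object Guid)

    $i = 0
    foreach ($cse in $ordered) {
        $i++
        $cse | Add-Member -MemberType NoteProperty -Name Order -Value $i -PassThru
    }
}

Get-CseProcessingOrder | Format-Table Order, Guid, Name, NoBackgroundPolicy -AutoSize
```

Compare the output against the CSE list in a GPO's settings report when two extensions write the same registry value and you need to know which one wins.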
Group Policy Preferences: Action Modes
• Create (once, if not exists)
• Replace: delete & (re)create
• Update (default): modify (attributes); if not exists, “Create”
• Delete
Group Policy Preferences: Reporting
• GPMC Settings Reports: new extension settings, targeting, etc. show
• Group Policy Results
  • Item-level targeting does not show
  • Shows winning items
  • Does not necessarily reflect final settings
• Group Policy Modeling (what-if): assumes all targeting returns true
Group Policy Preferences: Logging and Troubleshooting
• Configurable per GPP CSE
  • Application event log
  • Log/trace files
• Enabled through Group Policy: Computer Configuration\Administrative Templates\System\Group Policy\Logging and Tracing
• Located in GPP.admx (%systemroot%\PolicyDefinitions)
Things You Should Know About Group Policy Preferences
• GPP has no dependency on Windows Server 2008 (works fine with Windows Server 2003, Windows 2000 and Windows Server 2008 domains)
• The only dependencies are
  1. GPMC (from Vista SP1 RSAT or WS2008) as the GUI
  2. GPP CSEs, required on Vista, Windows XP, Windows Server 2003
• The GPP CSE is natively included in Windows Server 2008
GPP Scenarios
• Printer Scripts
• Environment Variables
• Power Schemes
• Password Changes
• Registry updates

Printer Scripts: Example
• Targeting: user-based, computer/server-based, security group-based, departments, floors, AD OU-based, AD site-based

Setting Power Scheme: Example
• Power consumption and battery lifetime for desktops/laptops are different
• Targeting: Does NOT Have a Battery
Remote Server Administration Tools (RSAT) for Windows 7, Windows Server 2008 R2
• Required to see the new GP features!!
• Available as OOB web download
• RSAT Win7 public Beta available now
• RSAT RTW available shortly after the WS08R2 launch
• Installs WS2008R2 administration tools on Windows 7 computers for remote management
• Enables GUI-based remote management for full server and server core installations
New features: Windows 7, Windows Server 2008 R2
• Improved GPEditor user interface
• Default Starter Group Policy Objects
• PowerShell support
• Support for new/updated Windows features

Group Policy Editor: Windows 7, Windows Server 2008 R2
• Improved user interface of the GP Editor: Administrative Template settings only
• Support for extra registry value types
  • REG_MULTI_SZ (multi-string) value
  • QWORD value
System Starter GPOs: Windows 7, Windows Server 2008 R2
• Included by default
• Read-only (System) Starter GPOs
• Based on the Windows Vista Security Guide: Windows Vista Enterprise Client (EC), Windows Vista Specialized Security Limited Functionality (SSLF) Client
• Based on the Windows XP Security Guide: Windows XP Service Pack 2 (SP2) EC, Windows XP SP2 SSLF Client
• Administrative template policy settings only
PowerShell Support: Windows 7, Windows Server 2008 R2
• 25 PowerShell cmdlets for Group Policy scripting
• GPO operations: creation, removal, backup, and import
• GPO link operations: creation, update, and removal
• Setting inheritance flags and permissions on Active Directory organizational units (OUs) and domains
• GPO settings: creation, update, retrieval, removal
  • Only registry-based policy settings (Administrative Templates)
• GPP settings: creation, update, retrieval, removal
  • No item-level targeting
• Starter GPO operations: creation and update

PowerShell Cmdlets: Windows 7, Windows Server 2008 R2
• Examples
  • Import-Module GroupPolicy -Verbose
  • New-GPO "My GPO" -Comment "Created with PS"
  • New-GPStarterGPO "My StarterGPO"
  • Set-GPRegistryValue …
  • Set-GPPrefRegistryValue …
  • Backup-GPO -All -Path C:\GPO.Backups
• New to PowerShell?
  • Get-Command *GP* -CommandType Cmdlet
  • Get-Help Set-GPRegistryValue -Examples
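The cmdlets above chained into one script, added here as an example and not taken from the deck: it creates a GPO from a Starter GPO, sets a true (registry-based) policy and a GPP registry item side by side, links the GPO, backs it up and reads the value back. The GPO name, OU, Starter GPO name and backup path are assumptions.

```powershell
# Added example, not from the deck: build a GPO end to end with the GroupPolicy module
# shipped in the Windows 7 / Windows Server 2008 R2 RSAT. The GPO name, OU, Starter GPO
# name and backup path are constructed assumptions; adapt them to your domain.
Import-Module GroupPolicy

function New-BaselineGpo {
    param(
        [string]$Name       = 'Workstation Baseline (PS)',
        [string]$Ou         = 'OU=Workstations,DC=contoso,DC=com',   # constructed OU
        [string]$BackupPath = 'C:\GPO.Backups'
    )
    $policyKey = 'HKLM\Software\Policies\Microsoft\Windows\System'

    # 1. Create the GPO from a System Starter GPO so the security-guide baseline is the
    #    starting point. The Starter GPO name is assumed to match what GPMC displays.
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $Name -Comment 'Created with PowerShell' `
                       -StarterGpoName 'Windows Vista EC Computer'
    }

    # 2. True policy (registry-based Administrative Template): the "exclude processing of
    #    all local GPOs" setting, so MLGPOs on the client cannot override the domain baseline.
    Set-GPRegistryValue -Name $Name -Key $policyKey -ValueName 'DisableLGPOProcessing' `
        -Type DWord -Value 1 | Out-Null

    # 3. Preference item via the GPP Registry CSE. Update = set if missing, modify if present;
    #    it is an initial value, not enforced, and PowerShell cannot add item-level targeting.
    Set-GPPrefRegistryValue -Name $Name -Context Computer -Action Update `
        -Key 'HKLM\Software\Contoso\Agent' -ValueName 'LogLevel' -Type DWord -Value 3 | Out-Null

    # 4. Link to the OU once; not enforced, so blocking inheritance below it stays possible.
    $linked = (Get-GPInheritance -Target $Ou).GpoLinks | Where-Object { $_.DisplayName -eq $Name }
    if (-not $linked) {
        New-GPLink -Name $Name -Target $Ou -LinkEnabled Yes -Enforced No | Out-Null
    }

    # 5. Back up the GPO and save an HTML settings report for change control.
    if (-not (Test-Path $BackupPath)) { New-Item -ItemType Directory -Path $BackupPath | Out-Null }
    Backup-GPO -Name $Name -Path $BackupPath -Comment "Baseline $(Get-Date -Format s)" | Out-Null
    Get-GPOReport -Name $Name -ReportType Html -Path (Join-Path $BackupPath "$Name.html")

    # Read the policy value back to confirm the GPO holds what was set.
    Get-GPRegistryValue -Name $Name -Key $policyKey -ValueName 'DisableLGPOProcessing'
}

New-BaselineGpo
```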
PowerShell & GPO Scripts: Windows 7, Windows Server 2008 R2
• PowerShell scripts supported in GPO Startup/Shutdown & Logon/Logoff scripts
• By default, Windows PowerShell scripts run after non-Windows PowerShell scripts
New/Updated Policy settings in Windows 7, Windows Server 2008 R2
• Up to 2,500+ policy settings in the past
• +300 in Windows 7 (2800)
• Group Policy is a Windows ‘Manageability’ basic requirement
• Policy settings greatly expanded in a number of areas: BranchCache, BITS, Offline Files, Biometrics, Troubleshooting and Diagnostics, Windows Defender, User Account Control, Internet Explorer, Smartcard, Windows Error Reporting, AppLocker, System Audit Policies, Desktop Shell, BitLocker Drive Encryption, Remote Assistance
AppLocker™: Windows 7 Solution
Situation Today
• Users can install and run unapproved applications
• Even standard users can install some types of software
• Unauthorized applications may: introduce malware, increase helpdesk calls, reduce user productivity, undermine compliance efforts
Application Control: Enhance Security and Control
• Eliminate unwanted/unknown applications in your network
• Enforce application standardization within your organization
• Easily create and manage flexible rules using Group Policy
AppLocker Policy Elements
• Rule Collections (4 areas)
  • Executable Rules (.exe)
  • Windows Installer Rules (.msi, .msp)
  • Script Rules (.ps1, .bat, .cmd, .vbs, .js)
  • DLL (.dll, .ocx)
• Rule Permissions
  • Allow rules (whitelisting): approved software
  • Deny rules (blacklisting): declined software
• Rule Conditions (criteria)
  • Hash rules
  • Path rules
  • Publisher-based rules: signed using a digital signature
AppLocker versus Software Restriction Policies (SRP)
Feature         Software Restriction Policies                                               AppLocker
Policy Scope    OU (via GPO scope)                                                          OU (via GPO scope), user, groups
Rule Types      Hash, Path, Certificate, Internet Zone rules                                Hash, Path, Publisher rules
Audit-Only      No                                                                          Yes
Import/Export   No                                                                          Yes
OS Support      Windows XP, WS 2003 (R2); Windows Vista, WS 2008; Windows 7, WS 2008 R2    Windows 7, WS 2008 R2
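The rule collections, allow rules, publisher/hash conditions and audit-only mode from the two AppLocker slides, worked through with the AppLocker module as an added example that is not part of the deck; the reference directory, output file and GPO name are constructed assumptions.

```powershell
# Added example, not from the deck: build an allow-list AppLocker policy from a reference
# install with the Windows 7 / Windows Server 2008 R2 AppLocker module, force every rule
# collection into audit-only mode, test files against it and write it into a GPO. The
# reference directory, output file and GPO name are constructed assumptions.
Import-Module AppLocker
Import-Module GroupPolicy

function New-AuditOnlyAppLockerPolicy {
    param([string]$ReferenceDir, [string]$OutFile)
    # Rule conditions as on the slide: publisher rules for signed files, hash rules for the
    # rest; -Optimize folds per-file rules into one rule per publisher/product where it can.
    $xml = Get-AppLockerFileInformation -Directory $ReferenceDir -Recurse `
               -FileType Exe, Dll, Script, WindowsInstaller |
           New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
               -RuleNamePrefix Baseline -Optimize -Xml
    # Collections come back NotConfigured; AuditOnly logs "would have been blocked" events
    # (8003 for Exe/Dll, 8006 for Script/MSI in the AppLocker log) without stopping anything.
    [xml]$doc = $xml
    foreach ($rc in $doc.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
    $doc.Save($OutFile)
    return $OutFile
}

function Test-FilesAgainstPolicy {
    param([string]$PolicyFile, [string[]]$Paths)
    # PolicyDecision: Allowed / Denied / DeniedByDefault (no allow rule matched the file).
    Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $Paths -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

function Publish-AppLockerPolicyToGpo {
    param([string]$PolicyFile, [string]$GpoName)
    $gpo      = Get-GPO -Name $GpoName
    $domainDn = 'DC=' + ($gpo.DomainName -replace '\.', ',DC=')
    $ldap     = "LDAP://$($gpo.DomainName)/CN={$($gpo.Id)},CN=Policies,CN=System,$domainDn"
    # -Merge keeps rules already stored in the GPO. Clients still need the Application
    # Identity service (AppIDSvc) running before any rule, audit or enforced, takes effect.
    Set-AppLockerPolicy -XmlPolicy $PolicyFile -Ldap $ldap -Merge
}

$policyFile = New-AuditOnlyAppLockerPolicy -ReferenceDir 'C:\Program Files' `
                  -OutFile (Join-Path $env:TEMP 'AppLocker-Audit.xml')
$samples = @("$env:SystemRoot\System32\calc.exe", "$env:SystemRoot\System32\cmd.exe")
Test-FilesAgainstPolicy -PolicyFile $policyFile -Paths $samples
Publish-AppLockerPolicyToGpo -PolicyFile $policyFile -GpoName 'AppLocker Audit'
```

Review the audit events for a few weeks before switching the collections to Enabled, otherwise the first enforced refresh blocks every unsigned or unlisted tool your users depend on.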
Advanced System Auditing: Enhance Security and Control
• Allows setting granular audit policies
• Before, only possible through the CLI (auditpol.exe)
Group Policy Preferences: New Extensions
• Power Plans (Windows Vista and later): create, change and set active
• Scheduled Tasks (Windows Vista and later): richer Task Scheduler options
• Immediate Task (Windows Vista and later): run immediately upon the GP refresh, removed afterwards
• Internet Explorer 8

Group Policy Preferences: Power Plans
• Power Plans (Windows Vista and later)
  • Set current/active Power Plan
  • Allows custom Power Plans to be set
  • Allows the user to change the active Power Plan

Group Policy Preferences: Scheduled Tasks
• Scheduled Tasks (Windows Vista and later): richer Task Scheduler options
CONCLUSION
Today
• Group Policies (GP): GPO Filtering, MLGPOs, Central Store, Starter GPOs, Comments
• Group Policy Preferences (GPP): Rich UI, Item-level Targeting
Tomorrow
• Group Policies (GP): GPEditor UI, Starter GPOs, PowerShell support, new features (AppLocker, Granular Audit Policies)
• Group Policy Preferences (GPP): New Extensions
RESOURCES
Group Policy TechNet page: http://www.microsoft.com/technet/grouppolicy
Group Policy Team Blog: http://blogs.technet.com/grouppolicy
Group Policy Wiki: http://grouppolicy.editme.com
Windows Server 2008 Blog by Kurt Roggen [BE]: http://trycatch.be/blogs/roggenk
TechNet ChopSticks: http://www.microsoft.com/belux/technet/nl/chopsticks
Group Policy Settings Reference Windows Vista: http://go.microsoft.com/fwlink/?LinkId=54020
Deploying Group Policy Using Windows Vista: http://go.microsoft.com/fwlink/?LinkId=77080
How to troubleshoot Group Policy using Event logs: http://go.microsoft.com/fwlink/?LinkId=74139