[00:00:03] In this module, we're going to begin a series of discussions that will take place over the next few modules that talk about specific policy scenarios and how we can implement those using Group Policy. In this module, we're going to talk about desktop and server lockdown. So let's kind of dig into it.

[00:00:21] Group Policy's main job is really to do lockdown, and that's really what it does best. It started in that area. Remember when I talked in module one about the predecessor to Group Policy, which was System Policy. That was all about lockdown. It was all about essentially controlling what the user could do on their system. And that really is my definition for lockdown: it's preventing a user or an application or anything really on a system from doing something to that system. And it could be everything from the, you know, simple things like disabling the Registry Editor to more complicated things like setting trusted site lists on Internet Explorer. And that's really what lockdown is all about.

[00:01:07] It is primarily implemented in two policy areas within Group Policy, namely Administrative Templates and Security. And those are pretty broad areas, especially Security. And I will also say that there are other policy areas that can implement lockdown.
[00:01:21] And I'm going to actually show you an example of one of those in this module. But these are the primary areas where we see the things that control the Windows operating system and prevent the user from doing stuff.

[00:01:33] So let's talk a little bit about Administrative Templates. We've introduced this in previous modules and shown examples of Administrative Templates settings. These are found under Computer Configuration\Policies and User Configuration\Policies, so they apply to both the computer and the user. And they really are all about pushing registry values to the computer or user. If it's a computer policy under Admin Templates, then it's going into the HKEY_LOCAL_MACHINE portion of the registry. If it's user policy under Admin Templates, then it's going into the HKEY_CURRENT_USER registry hive. And that's, of course, the user's profile. So there's no user policy being delivered if there's no user logged on to a system. I mean, that's simply just that the user side of Group Policy is strictly dependent on having a user available.

[00:02:34] And it does presume that the thing that's being locked down knows how to read those registry settings. So what this essentially means is, you know, Microsoft ships a bunch of templates that implement lots of different policy, locking down everything from IE to Windows Media Player.
[00:02:50] The list is long, and there are literally thousands of these settings under Admin Templates. The key to them is that each of those components that Microsoft delivers has been coded to look for these registry values and to change their behavior based on their value. So if you enable a policy to disable the Registry Editor, Microsoft has coded the Registry Editor to look for that registry value. And if it finds it and sees that it's enabled, it will essentially cancel the launch of the Registry Editor. And that is really, you know, a function of the fact that these applications are aware of Admin Templates settings. And that's really a key. You can't really just create an Admin Template setting out of the blue and hope that the application is going to change its behavior. The application has to be aware of that setting and has to be coded ahead of time to pay attention to that setting.

[00:03:42] The other thing that we talk about when we talk about Admin Templates is that these registry settings don't tattoo the registry when they're applied and when the policy is removed.
[00:03:52] So what this means, and I'm going to explain this in more detail in a second, is that if you have a GPO and you define some Admin Template settings on it and you apply those to a user, and the user logs on and gets those registry settings in their HKEY_CURRENT_USER registry hive, and then you delete or unlink the GPO, or for some reason that GPO no longer applies to that user, well then those registry values are going to be removed the next time the user processes policy. And that gets done automatically. You don't have to do anything to get that removal to happen. And that was never the case in the old System Policy days. And it was a big improvement when Microsoft shipped Admin Templates.

[00:04:35] Now, in order for this non-tattooing behavior to happen, the Admin Templates have to write values to one of these four policy keys: two of them on the computer side under HKEY_LOCAL_MACHINE and two on the user side. And if you look into the template files that Microsoft ships in the box, you'll notice that 99, if not 100%, of the registry keys that get written to exist under these four policy keys. And the applications, of course, have been coded to look in one of these four policy keys for these registry values.
[00:05:08] So these keys are kind of key to the non-tattooing nature of policy, and they're there on purpose. They're not accidental. Microsoft has specifically coded the Group Policy engine to look in these keys when it's doing its cleanup and essentially, you know, to use these keys to write new values to.

[00:05:25] So let's look at tattooing a little bit more and how this works. So we've got our client, we've got a GPO, and the client processes an Admin Template setting and makes a bunch of registry changes on its registry. And then a new processing cycle happens, and the client again looks for GPO changes. But before it does that, it actually removes the old values that were processed in that first cycle. So the first thing it does is it removes those registry values that were delivered by that GPO during the first cycle. And then it gets its list of GPOs that apply and brings down the new settings from the GPO. So if you've gotten, you know, a change in settings, you added new settings to the previous GPO, or maybe you've even just removed all the settings from the previous GPO and set a new set of Admin Template settings, those old settings are removed before the new ones are applied. So essentially the effect of this that you see is this kind of non-tattooing nature of Group Policy Admin Templates.
[00:06:26] And the key to it is really that those old values are swept away from those four policy keys I showed in the previous slide. And that's essentially how the Group Policy engine is able to guarantee that no registry values are tattooed between one processing cycle and the next.