1
00:00:03,040 --> 00:00:03,640
Okay.

2
00:00:03,670 --> 00:00:07,450
Let's summarize what we've learned about Adnan templates in this module.

3
00:00:08,380 --> 00:00:14,260
So group policies, main job is lockdown and this is implemented primarily in admin template policy.

4
00:00:15,160 --> 00:00:19,780
Security policy certainly has a role here and I'll talk about that in the next module.

5
00:00:19,810 --> 00:00:25,390
But group policies, history comes from admin templates and the capabilities of being able to push registry

6
00:00:25,390 --> 00:00:27,850
values into a given computer or user.

7
00:00:28,750 --> 00:00:32,110
So admin templates generally does not tattoo a system.

8
00:00:32,230 --> 00:00:36,880
This is a development that Microsoft made great strides on when they introduced group policy.

9
00:00:37,750 --> 00:00:43,600
When you apply a group and admin template setting to a system or a user, it gets applied in push there.

10
00:00:44,450 --> 00:00:50,000
And if you remove that GPO, the next processing cycle that happens will remove that old setting from

11
00:00:50,000 --> 00:00:54,890
the system and reapply the new settings so that tattooing doesn't happen.

12
00:00:54,890 --> 00:00:56,090
And that's a great thing.

13
00:00:56,960 --> 00:01:00,380
You can extend what can be controlled using admin templates.

14
00:01:01,310 --> 00:01:07,280
So these underlying IDM, x and ADMA files that are the things that generate what you see in editor,

15
00:01:07,280 --> 00:01:08,450
those can be extended.

16
00:01:09,350 --> 00:01:15,500
You can write your own custom DMX and ADMA files and I gave you a link to a free Microsoft tool called

17
00:01:15,500 --> 00:01:19,490
Adam X Migrate that has an authoring tool in it that lets you do these things.

18
00:01:20,420 --> 00:01:26,120
They are very powerful in that you can really customize any registry entry or any registry edit that

19
00:01:26,120 --> 00:01:29,000
you want using an add amex or ADMA file.

20
00:01:29,850 --> 00:01:34,830
And of course, if it's not in one of those four special policy keys I talked about, it will probably

21
00:01:34,830 --> 00:01:35,820
tattoo the system.

22
00:01:35,910 --> 00:01:41,880
But nonetheless, you have the flexibility to really write a custom dmcs for really any registry value

23
00:01:41,910 --> 00:01:42,690
you want to set.

24
00:01:43,590 --> 00:01:46,530
You can deploy admin templates settings in layers.

25
00:01:47,460 --> 00:01:52,470
So what I had suggested it is that you can provide kind of base level lock down for general things like

26
00:01:52,470 --> 00:01:55,080
Explorer and the Start menu and the desktop.

27
00:01:55,960 --> 00:02:00,850
And then if you have other more specific application, specific lockdowns you want to do, like in your

28
00:02:00,850 --> 00:02:06,370
office, you can create separate GPOs that contain all the settings for IEEE or all the settings for

29
00:02:06,370 --> 00:02:08,350
office for a particular business unit.

30
00:02:09,210 --> 00:02:14,280
And this is a good way of kind of approaching the problem from a layering perspective, not duplicating,

31
00:02:14,280 --> 00:02:20,520
but providing kind of an additive use of admin templates and taking advantage of the hierarchical processing

32
00:02:20,520 --> 00:02:22,230
model that group policy has.

33
00:02:23,100 --> 00:02:28,830
And then finally, in terms of discoverability, you know, there are literally thousands of admin templates

34
00:02:28,830 --> 00:02:29,810
settings out there.

35
00:02:29,850 --> 00:02:31,020
So how do you find them?

36
00:02:31,860 --> 00:02:35,250
Well, there's the Microsoft setting spreadsheet that I talked about.

37
00:02:35,340 --> 00:02:39,180
You can get from the Microsoft download site or the search app.

38
00:02:39,300 --> 00:02:44,510
It's an online Web app found on the Microsoft Azure site developed by somebody at Microsoft.

39
00:02:44,520 --> 00:02:47,760
And it gives you the ability to interactively search on keywords.

40
00:02:48,630 --> 00:02:53,930
And essentially what it does is discover within the current admin templates that Microsoft provides,

41
00:02:53,940 --> 00:02:57,240
and it is specific to the Microsoft admin template settings.

42
00:02:58,160 --> 00:03:03,230
It can give you the ability to search on settings to find a particular area that you're interested in

43
00:03:03,230 --> 00:03:04,040
locking down.

44
00:03:04,910 --> 00:03:06,590
So that's a great resource.

45
00:03:06,590 --> 00:03:11,720
And what we're going to do next is talk about how security policy lends itself to this whole notion

46
00:03:11,720 --> 00:03:12,470
of lockdown.