1
00:00:03,080 --> 00:00:08,210
So in the last module we talked about how administrative templates policy can help with lockdown

2
00:00:08,210 --> 00:00:09,420
of the user environment.

3
00:00:09,560 --> 00:00:10,970
The desktop environment.

4
00:00:11,870 --> 00:00:17,330
In this module, I'm going to shift gears and talk a little bit about how security policy can help with

5
00:00:17,330 --> 00:00:19,340
sort of lockdown of the system itself.

6
00:00:20,280 --> 00:00:22,740
So let's dig in and see what that's all about.

7
00:00:23,640 --> 00:00:26,400
Security policy is really not one thing.

8
00:00:27,240 --> 00:00:32,760
It's composed of a lot of different policy areas under Computer Configuration\Policies

9
00:00:32,760 --> 00:00:34,200
\Windows Settings

10
00:00:34,200 --> 00:00:35,910
\Security Settings.

11
00:00:36,810 --> 00:00:42,600
There are a few settings under User Configuration in this same path, but by and large, the majority

12
00:00:42,600 --> 00:00:46,530
of security policy is configured on computers rather than on users.

13
00:00:47,400 --> 00:00:50,700
And there's a lot of stuff you can do with security policies.

14
00:00:51,630 --> 00:00:58,290
So, for example, account password and lockout policy. This can be set for the domain or for local

15
00:00:58,290 --> 00:01:00,990
user accounts on workstations and servers.

16
00:01:01,860 --> 00:01:04,780
Audit policy: configuring basic auditing.

17
00:01:04,800 --> 00:01:07,590
What is audited on a particular Windows system.

18
00:01:08,460 --> 00:01:09,900
User rights assignment.

19
00:01:09,990 --> 00:01:11,730
Who can do what on a system?

20
00:01:12,600 --> 00:01:14,510
So who can log on locally?

21
00:01:14,520 --> 00:01:16,200
Who can log on from the network?

22
00:01:16,380 --> 00:01:18,180
Who can perform certain tasks?

23
00:01:19,080 --> 00:01:24,300
This is all controlled through user rights assignment. Security options.
24
00:01:25,220 --> 00:01:28,280
I like to call these kind of the vulnerability switches.

25
00:01:28,280 --> 00:01:34,760
So various default behaviors in terms of the Windows security subsystem and how it behaves, things

26
00:01:34,760 --> 00:01:41,510
like User Account Control, whether you have full prompts or minimal prompts, etc., that can all be

27
00:01:41,510 --> 00:01:43,640
configured through security options.

28
00:01:44,610 --> 00:01:47,480
Event log size and retention configurations.

29
00:01:48,410 --> 00:01:52,250
So how big should the event logs grow and what happens when they fill up?

30
00:01:53,130 --> 00:01:54,480
Restricted groups.

31
00:01:55,420 --> 00:02:00,730
I'm going to demo this in a little bit, but this is a feature that lets you control local group membership

32
00:02:00,730 --> 00:02:08,320
on Windows servers and desktops. System service security and startup, so you can control who can

33
00:02:08,320 --> 00:02:13,930
modify the configuration of a Windows service on a system and what the default startup behavior should

34
00:02:13,930 --> 00:02:14,290
be.

35
00:02:15,220 --> 00:02:16,880
Should it be running automatic?

36
00:02:16,930 --> 00:02:18,580
Should it be running disabled?

37
00:02:19,540 --> 00:02:24,370
Those kinds of features. Registry and file system permissions.

38
00:02:25,300 --> 00:02:30,910
So you can actually set the permissions on registry keys and files in the file system using group policy.

39
00:02:31,060 --> 00:02:32,740
And this can be very powerful.

40
00:02:33,650 --> 00:02:41,270
You can make mass changes to file system security using group policy. Wired and wireless network security.
41
00:02:42,170 --> 00:02:48,260
So whether you're on a wired network using 802.1X authentication or on a wireless network that requires

42
00:02:48,260 --> 00:02:54,710
specific passwords for SSIDs and different authentication schemes, you can set options for those within

43
00:02:54,710 --> 00:02:59,210
this area. Windows Firewall and IPsec configuration.

44
00:03:00,050 --> 00:03:05,390
So Windows Firewall is probably one of the more common security policy areas in group policy.

45
00:03:05,510 --> 00:03:10,220
And this allows you to do very fine-grained control over the rules for inbound and outbound traffic

46
00:03:10,220 --> 00:03:11,870
on workstations and servers.

47
00:03:12,760 --> 00:03:19,540
PKI, or public key infrastructure, policy lets you set behavior for certificate usage on workstations

48
00:03:19,540 --> 00:03:20,290
and servers.

49
00:03:21,200 --> 00:03:22,040
AppLocker.

50
00:03:22,070 --> 00:03:25,040
This is another feature I'm going to go into in a little bit.

51
00:03:25,940 --> 00:03:30,230
AppLocker lets you control which applications can execute on a system.

52
00:03:31,100 --> 00:03:36,440
You have really fine-grained control over what code runs on a particular workstation or server, and

53
00:03:36,440 --> 00:03:39,620
this can be really beneficial in terms of controlling malware.

54
00:03:40,520 --> 00:03:44,180
Network Access Protection and network list configuration.

55
00:03:45,080 --> 00:03:49,070
So Network Access Protection, or NAP, can be configured.

56
00:03:49,940 --> 00:03:55,940
The Microsoft NAP solution can be configured through group policy, as can network lists, which are essentially

57
00:03:55,940 --> 00:04:02,420
the things that the user sees when they're browsing their network. And then advanced audit configuration.
58
00:04:03,320 --> 00:04:09,620
This is kind of a follow-on capability from the basic audit policy that allows you to set subcategories

59
00:04:09,620 --> 00:04:11,540
of auditing at a more granular level.

60
00:04:12,440 --> 00:04:17,000
So lots of power here in terms of what you can do with security policy.

61
00:04:17,900 --> 00:04:21,560
So let's talk about some tips for deploying security policy.

62
00:04:22,430 --> 00:04:26,120
By and large, most security policy will tattoo a system.

63
00:04:26,990 --> 00:04:32,570
So unlike administrative templates, when you apply a particular security setting, let's say it's file

64
00:04:32,570 --> 00:04:35,000
system security or registry permissions,

65
00:04:35,910 --> 00:04:40,410
and you remove the policy that deployed that, the permissions are not going away.

66
00:04:41,280 --> 00:04:42,930
They're staying on the system.

67
00:04:43,770 --> 00:04:49,050
And this really makes sense, because you don't necessarily know what the previous state of some security

68
00:04:49,050 --> 00:04:51,840
settings was unless it's somehow kept or recorded.

69
00:04:52,740 --> 00:05:00,000
So most security policy will tattoo a system, and then by and large, most security policy will not

70
00:05:00,000 --> 00:05:02,220
merge settings from different GPOs.

71
00:05:03,150 --> 00:05:08,490
So as an example of this, if I have a restricted groups policy that's controlling the local Administrators

72
00:05:08,490 --> 00:05:15,000
group and I have that defined in a GPO linked at the domain level, and then I define at an OU level a

73
00:05:15,000 --> 00:05:20,220
restricted groups policy that's setting the local Administrators membership and then defining different

74
00:05:20,220 --> 00:05:21,120
groups in that,

75
00:05:22,000 --> 00:05:27,460
the result that the computer at that OU level sees is not the amalgam of both of those, but really,

76
00:05:27,550 --> 00:05:31,250
going back to our LSDOU processing order, last writer wins.
77
00:05:31,270 --> 00:05:37,270
So whatever settings are defined in restricted groups at the OU level will be the ones that win. Account

78
00:05:37,270 --> 00:05:37,870
policy.

79
00:05:37,900 --> 00:05:43,900
So password, lockout, Kerberos must be defined in a GPO linked at the domain level in order for it to

80
00:05:43,900 --> 00:05:45,160
affect AD accounts.

81
00:05:46,060 --> 00:05:49,690
This is a long misunderstood concept within group policy.

82
00:05:50,580 --> 00:05:56,190
In group policy, there is only one way to set domain user account policy.

83
00:05:56,190 --> 00:05:57,570
In other words, password

84
00:05:57,570 --> 00:05:59,040
minimum length, password

85
00:05:59,100 --> 00:06:00,600
how long a password lasts,

86
00:06:00,600 --> 00:06:02,970
90 days, 30 days, whatever,

87
00:06:03,000 --> 00:06:07,080
whether an account is locked out after a certain number of unsuccessful attempts.

88
00:06:07,980 --> 00:06:13,980
All of that can be, or must be, defined at the domain level in order for it to affect a user's accounts,

89
00:06:14,130 --> 00:06:15,090
user accounts.

90
00:06:15,990 --> 00:06:21,120
Now, you can define account policies at lower levels in the hierarchy, but it's only going to affect

91
00:06:21,120 --> 00:06:24,810
local user accounts on those machines that process that policy.

92
00:06:25,740 --> 00:06:28,680
So it's not for domain accounts at that level.

93
00:06:29,550 --> 00:06:35,070
Now, Microsoft did introduce this thing called fine-grained password policy, which is completely outside

94
00:06:35,070 --> 00:06:40,590
of the realm of group policy, that lets you set more granular account policy on a per-OU or per-security

95
00:06:40,590 --> 00:06:41,160
group level.

96
00:06:42,030 --> 00:06:47,040
This has absolutely nothing to do with what I'm talking about here with domain account policy.

97
00:06:47,900 --> 00:06:50,270
There can be only, in the group policy world,
98
00:06:50,300 --> 00:06:55,940
there can be only one account policy defined for a given domain, and it has to be in a GPO linked at

99
00:06:55,940 --> 00:06:56,840
the domain level.

100
00:06:57,720 --> 00:07:02,820
And just for the sake of discussion, what I typically recommend is the Default Domain Policy, which

101
00:07:02,820 --> 00:07:08,430
is one of the two default policies that Microsoft ships, and is a good place to put account policy,

102
00:07:08,490 --> 00:07:10,950
password policy, lockout, etc.

103
00:07:11,850 --> 00:07:17,340
I would also say that you should consider applying a different security lockdown to servers than to desktops.

104
00:07:18,210 --> 00:07:20,760
The requirements are often very different.

105
00:07:21,650 --> 00:07:26,510
And I think it's important to keep them separate, so that you have dedicated GPOs setting security

106
00:07:26,510 --> 00:07:30,410
on desktops and dedicated GPOs setting security on servers.

107
00:07:31,280 --> 00:07:36,170
And then finally, kind of harkening back to my best practices for admin template deployment,

108
00:07:36,200 --> 00:07:39,050
I recommend layering security into GPOs.

109
00:07:39,950 --> 00:07:46,160
So you have a base OS hardening GPO, so to speak, that does the base OS hardening security for things

110
00:07:46,160 --> 00:07:50,120
like who can log on and what the basic permissions are on a particular system.

111
00:07:50,930 --> 00:07:58,010
And then you layer on additional security hardening for whatever workloads or applications are running

112
00:07:58,010 --> 00:07:59,000
on those systems.

113
00:07:59,930 --> 00:08:05,330
So if you have a server that's running IIS, it has additional hardening that you might want to do specific

114
00:08:05,330 --> 00:08:06,140
to IIS.

115
00:08:07,030 --> 00:08:12,610
And that would be implemented in an IIS hardening GPO that's applied separately from the base OS.
116
00:08:13,520 --> 00:08:18,830
And that way you can reuse the base OS security for many different servers and then layer on whatever

117
00:08:18,830 --> 00:08:20,180
role that server plays.