1
00:00:03,030 --> 00:00:08,700
Well, we covered a lot of ground in this section, in this module, talking about security policy.

2
00:00:08,790 --> 00:00:10,680
So let's recap what we talked about.

3
00:00:11,580 --> 00:00:18,090
So security policy supports a variety of security settings, from password policy to firewall configuration

4
00:00:18,090 --> 00:00:19,590
to group membership control.

5
00:00:20,470 --> 00:00:25,510
We talked about all of those and lots more beyond that: public key and audit.

6
00:00:25,510 --> 00:00:27,190
And the list is pretty long.

7
00:00:28,050 --> 00:00:33,090
But security policy can tattoo a system and in most cases will tattoo a system.

8
00:00:33,930 --> 00:00:38,880
The example I gave earlier was around security on a file system or registry.

9
00:00:39,760 --> 00:00:44,500
And once that's put in place, you know, there's no easy way to just remove the policy and have the

10
00:00:44,500 --> 00:00:47,080
permissions on those resources get reverted back.

11
00:00:47,930 --> 00:00:53,240
In fact, you must explicitly undo those permissions or set them back to the way you want them explicitly

12
00:00:53,240 --> 00:00:56,180
in a new group policy object in order to make that happen.

13
00:00:57,050 --> 00:01:03,380
Group membership is another area that we talked about and we talked about how you can either use restricted

14
00:01:03,380 --> 00:01:06,800
groups or group policy preferences, Local Users and Groups.

15
00:01:07,700 --> 00:01:13,370
And that's not the only example where preferences GP preferences has a sort of analogous function to

16
00:01:13,370 --> 00:01:15,080
something in security policy.

17
00:01:15,980 --> 00:01:21,260
Another example is in the system services area where you can configure Windows services, either the

18
00:01:21,260 --> 00:01:25,730
security settings policy or group policy preferences services area.

19
00:01:26,630 --> 00:01:30,890
So there are some capabilities that kind of overlap between the two areas.

20
00:01:31,760 --> 00:01:36,470
And I think it's just important to be aware of what each of the different features are for those two

21
00:01:36,470 --> 00:01:37,570
policy areas.

22
00:01:38,450 --> 00:01:41,780
And then Windows firewall policy is pretty flexible.

23
00:01:42,670 --> 00:01:47,800
It allows you to define both inbound and outbound rules, and you can define where those rules apply.

24
00:01:48,640 --> 00:01:52,480
You've got those three profiles, the domain, private or public.

25
00:01:53,330 --> 00:01:56,870
And you can set which of those are turned on for firewall versus not.

26
00:01:57,740 --> 00:02:01,640
And you can also define IPsec policy within this area.

27
00:02:02,510 --> 00:02:07,160
So again, a lot of flexibility when you create those inbound or outbound rules.

28
00:02:08,090 --> 00:02:09,980
You can use predefined rules.

29
00:02:10,910 --> 00:02:13,130
You can create your own custom rules.

30
00:02:14,060 --> 00:02:17,570
You can do it based on TCP port or protocol.

31
00:02:18,520 --> 00:02:20,170
So lots of options.

32
00:02:21,040 --> 00:02:26,140
And then finally, we talked about AppLocker, which is this application blacklisting and whitelisting

33
00:02:26,140 --> 00:02:31,420
capability that's built into the box and provides you the ability to either audit what applications

34
00:02:31,420 --> 00:02:35,800
are being executed or actually block what applications are being executed.

35
00:02:36,670 --> 00:02:42,130
And I talked about how blacklisting is a lot easier to implement because basically you allow everything

36
00:02:42,130 --> 00:02:45,670
and then just explicitly deny those things that you know about that are bad.

37
00:02:46,540 --> 00:02:51,970
But of course, it's not as easy or as secure to do that because you don't know the universe of bad

38
00:02:51,970 --> 00:02:52,420
stuff.

39
00:02:53,360 --> 00:02:58,730
The alternative to that, which is whitelisting takes a lot more work because you implicitly deny execution

40
00:02:58,730 --> 00:03:03,770
of everything and then specifically whitelist or allow those applications and processes to run.

41
00:03:04,610 --> 00:03:07,890
And that does imply that you know exactly what those things are.

42
00:03:08,830 --> 00:03:12,160
So that's kind of the summary of what we talked about in this module.

43
00:03:13,060 --> 00:03:18,010
We're going to kind of continue on in this theme of different deployment scenarios for different policy

44
00:03:18,010 --> 00:03:23,320
areas in the next module where we talk about using group policy to configure Internet Explorer.