

Group Policy Security Settings [en-US]


Introduction

One day you will start an IT infrastructure project. You go to meetings and, as the IT person, talk about the security flaws in the environment and present your plans. Most of the time these meetings go well as far as financial resources are concerned, until security is mentioned. When you want managers to allocate budget specifically for increasing security measures, they become a bit finicky on the subject and start looking for alternatives. At this point Group Policy design comes into play, and it has an important role in avoiding those costs.

Why? Because Group Policy does for free the same work that third-party software costing thousands of dollars does, provided, of course, that it is configured according to best practice. In this article we will talk about the Group Policy security settings using simple examples. The content of this article was prepared on the Windows Server 2012 / R2 architecture. Come on, let's start!

Group Policy Security Settings Hierarchy

Computer Configuration
    Windows Settings
        Security Settings
            Account Policies
                Password Policy
                Account Lockout Policy
                Kerberos Policy
            Local Policies
                Audit Policy
                User Rights Assignment
                Security Options
            Event Log
            Restricted Groups
            System Services
            Registry
            File System
            Wired Network Policies
            Windows Firewall with Advanced Security
            Network List Manager Policies
            Wireless Network Policies
            Public Key Policies
            Software Restriction Policies
            Network Access Protection
            Application Control Policies (AppLocker)
            IPSec on Active Directory
            Advanced Audit Policy Configuration

Hierarchy Details

Password Policy: Perhaps the most widely used; no policy model can do without it. It lets us define the characteristics of passwords and apply them to the computers. Those of us who also provide consulting services can explain the importance of password security with real-life examples. In fact, this policy is not only applied on the computer; I think it should become part of how people work. For example, each user should acknowledge the need to generate passwords for himself at http://www.newpasswordgenerator.com and use them.

http://www.alperyazgan.com/wp-content/uploads/gposec/resimler/1.JPG

Account Lockout Policy: Many computer users get up and leave their computer on the pretext of going to a meal, and in the meantime do not lock it. At that moment the computer can become the target of a malicious person. In one such event in the 1980s, "Sun" company data was leaked: someone got in and caused thousands of dollars of damage. See "The Art of Deception"; after the security vulnerabilities experienced in the 2000s, most companies took precautions on this issue. I know that companies cite this as the reason for such redundancy and that the story is somewhat exaggerated. On this screen we determine how long the lock remains in effect. At the same time, as a precaution against password guessing, the account lockout threshold item handles the other half: with it, GP decides after how many failed password attempts the user account is locked.

http://www.alperyazgan.com/wp-content/uploads/gposec/resimler/2.JPG
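As an added example, not from the original article: the Password Policy and Account Lockout Policy values set from PowerShell with the ActiveDirectory module, read back to confirm them, and a listing of accounts that the threshold has currently locked out. The domain name is a placeholder and the numeric values are illustrative choices, not recommendations taken from the article.

```powershell
# Added example, not part of the original article. Requires the ActiveDirectory
# module (RSAT or a domain controller) and Domain Admins rights.
Import-Module ActiveDirectory

$domain = 'corp.example'   # placeholder; (Get-ADDomain).DNSRoot gives the current domain

# Password Policy values (what every domain password must satisfy) and
# Account Lockout Policy values (what happens after repeated bad passwords).
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 14 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 365) `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15)
# Rules of thumb: the observation window (counter reset) must not be longer than the
# lockout duration, and a threshold of 0 disables lockout entirely. The Default Domain
# Policy GPO writes these same attributes, so keep the GPO in step or it will re-apply
# its own values at the next refresh.

# Read the effective default domain policy back to confirm what was written.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                  MaxPasswordAge, LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Operations view: which accounts the threshold has locked out right now.
Search-ADAccount -LockedOut | Select-Object Name, SamAccountName, LastLogonDate
```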

Kerberos Policy: We can say that this determines how the communication between the client's user account and the domain controller works. The client sends a logon request to the DC; through the "Enforce user logon restrictions" rule contained in this setting, the DC checks whether the client is valid in its own database. Let's say you hold an MCITP certification. The certificate has a start time and an end time, that is, a timeout. Once the certification has expired, it is worth nothing more than the paper. In the same way, the ticket a client computer obtains from the DC has a certain validity interval, and when that interval runs out the logon problems start. To avoid them, the settings here should be followed and the results written to the event log.

Audit Policy: Which company officials, IT managers included, would not want to know what is going on in the company's IT infrastructure? Who logged on, who tried to access which folder, who played with the permissions of a folder or deleted files, and who caused the event that suddenly brought the system down over the weekend. A server shut itself down, but we do not know why. When we want to know these things, this is where we play with the settings. With the Audit Policy settings enabled, everything I mentioned above can be monitored, and the system can report when an abnormal condition occurs.

http://www.alperyazgan.com/wp-content/uploads/gposec/resimler/3.JPG
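As an added example (not from the original article): enabling the Logon and Account Lockout audit subcategories locally with auditpol, then summarising failed logons (Security event 4625) from the last 24 hours by account and source address, which is the "who tried to log on" question the paragraph asks. Run it elevated; local auditpol settings are overridden by whatever the GPO Audit Policy pushes.

```powershell
# Added example, not part of the original article.
# 1) Turn on success and failure auditing for the two subcategories behind logon events.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable | Out-Null

# 2) Pull failed logons (4625) from the Security log for the last 24 hours.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# 3) Flatten the EventData fields we care about into objects.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Source    = $d['IpAddress']
        LogonType = $d['LogonType']    # 2 interactive, 3 network, 10 remote desktop
        SubStatus = $d['SubStatus']    # 0xC000006A bad password, 0xC0000064 unknown user,
                                       # 0xC0000234 account locked out, 0xC0000072 disabled
    }
}

# 4) Accounts with many failures from one source in a day deserve a closer look.
$rows | Group-Object Account, Source |
    Where-Object Count -ge 5 |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```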

User Rights Assignment: Who can connect via remote desktop? Who is allowed to change the system time? Who is allowed to log on as a service account? Which users are denied logon? Who can shut down the system? Who can synchronize data? Who can perform drive (volume) maintenance? Who is not authorized to start services? Which users are allowed to run files with the .bat extension? Who can restore from a backup (Windows System Backup)? The answers to such questions are here, and they are important. In fact, in every IT project these are the questions top management will ask the IT managers. For this reason this area must be approached with care and designed well.

http://www.alperyazgan.com/wp-content/uploads/gposec/resimler/5.JPG

Security Options: This node also contains a number of important setting items that differ from one another. Here we decide the answers to the questions below:

Is the local administrator account enabled or disabled?

Are Microsoft accounts enabled or disabled?

What is the status of the Guest account?

Which portable devices are permitted? (USB devices, for example)

Who has the authority to install printers?

Is the communication between the client and the DC signed with a public key?

For how long at most may a computer's record remain in ADUC?

Is CTRL + ALT + DEL required to be used? (This setting has attack potential.)

Will there be an interactive logon message? (Including phrases such as the company name and "Welcome".)

Is remote access to the registry allowed over the network? Who can access it?

UAC settings: are non-admin users allowed to run executables with elevated rights?

http://www.alperyazgan.com/wp-content/uploads/gposec/resimler/6.JPG

Registry: This is the area we use to send REG_KEY entries to remote computers. We can prepare them in advance as files with the .VBS extension. Alternatively, a key on the client side is abnormal and is causing a program error; we identify it and, by way of the GPO, fix the problem on the machine.

http://www.alperyazgan.com/wp-content/uploads/gposec/resimler/9.JPG

Central Access Policy: Dynamic objects are used for access; we can say it is a customized form of NTFS permissions. There is a very nice series of articles about this on the portal. Instead of explaining it in detail, we recommend reading:

http://social.technet.microsoft.com/wiki/contents/articles/20659.windows-server-2012-r2-dynamic-access-control-dac-tr-tr.aspx

Wired Network Policy: This is the area where we determine how communication with our company's wired network clients will take place: encrypted or unencrypted, authenticated or verified beforehand, and similar properties. For these settings to be applied, UAC on the client side must be disabled.

Windows Firewall with Advanced Security: Clients need certain ports that are closed by default to be opened, and this is where that setting is made. For example, we have set up a SQL server, and remote access to SQL is required. To do this, you must open port 1433 outbound. We can do it through this policy.
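The SQL Server case above as an added example, not from the original article: the outbound TCP 1433 rule written from PowerShell straight into a domain GPO via -PolicyStore, scoped to a single server address and the Domain profile only. The GPO name, domain and server address are placeholders.

```powershell
# Added example, not part of the original article. Requires the GroupPolicy RSAT tools
# and rights to edit the GPO; run from a domain-joined admin workstation.
$gpoStore  = 'corp.example\Client Firewall'   # "<domain>\<GPO display name>" placeholder
$sqlServer = '10.0.0.25'                      # placeholder address of the SQL Server
$ruleName  = 'Allow SQL Server client (TCP 1433)'

# Client side: allow outbound TCP 1433, but only to the one SQL Server and only while
# the client is on the Domain network profile, rather than to any host on any network.
New-NetFirewallRule -PolicyStore $gpoStore `
    -DisplayName $ruleName `
    -Direction Outbound -Action Allow -Enabled True `
    -Protocol TCP -RemotePort 1433 -RemoteAddress $sqlServer `
    -Profile Domain

# Read the rule back out of the GPO with its port and address filters to confirm the scope.
$rule = Get-NetFirewallRule -PolicyStore $gpoStore -DisplayName $ruleName
$rule | Get-NetFirewallPortFilter    | Select-Object Protocol, LocalPort, RemotePort
$rule | Get-NetFirewallAddressFilter | Select-Object LocalAddress, RemoteAddress

# The server needs the matching Inbound rule on LocalPort 1433; scope it to the
# client subnet in the same way instead of leaving RemoteAddress at Any.
```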

Network List Manager Policy: You have probably come across this. Why does my computer write "Unidentified" in the lower right corner? Sometimes computers seem to behave without any awareness, but there is a reason for everything. When you work in a domain environment, this is where we specify how the network icons on the client side should appear and which names they should carry.

http://www.alperyazgan.com/wp-content/uploads/gposec/resimler/12.JPG

Wireless Network Policies: We determine how the wireless network will behave.

Public Key Policies: Your company may publish a website over SSL, or send mail through a mail server with SSL encryption. There is an SSL certificate and you have to install it on all computers; I have been using this policy for that, provided, of course, that the correct class (certificate store) is chosen. What we have been doing for years on the client side through the MMC, importing the certificate, we do here in the same way: we import the certificate on the screen below and it is sent out to the client side.

http://www.alperyazgan.com/wp-content/uploads/gposec/resimler/13.JPG

Software Restriction Policy: We guess this is one of the most beloved areas of the obsessive manager. Which programs are forbidden to the client? The answer lies here. "I used to use MSN", you might say. It is widely used to prohibit peer-to-peer applications. It is done by entering a registry path or a local path (together with the "EXE") for the client side. Thus, when the client opens the program, he encounters a message such as "this program has been blocked, please contact your system administrator".

http://www.alperyazgan.com/wp-content/uploads/gposec/resimler/14.JPG

Application Control Policies: This is where AppLocker is hosted. It can be seen as a somewhat more sophisticated and elegant version of Software Restriction Policies, because here scripts, files with the appx extension, msi files, all executable files, whatever comes to mind, are available. The biggest difference is also that, beyond the OU the policy object sits in, AppLocker is applied at the level of the group.

http://www.alperyazgan.com/wp-content/uploads/gposec/resimler/15.JPG
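As an added example (not from the original article) covering both the Software Restriction Policy and AppLocker paragraphs: building an AppLocker policy from the programs already installed under C:\Program Files, putting every rule collection into AuditOnly mode so that launches are only logged, testing one file against the policy, publishing it to a GPO, and reading the audit events back. The GPO's LDAP path and the tested file are placeholders.

```powershell
# Added example, not part of the original article. Requires the AppLocker cmdlets
# (Windows Server 2012 or later); clients need the Application Identity (AppIDSvc)
# service running for AppLocker to take effect.
$files  = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse `
              -FileType Exe, Script, WindowsInstaller
$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
              -User Everyone -Optimize   # -Optimize merges rules sharing a publisher

# Switch every collection (Exe, Script, Msi, ...) to AuditOnly before rolling out:
# enforcing generated rules straight away tends to break unsigned in-house tools.
$xml = [xml]$policy.ToXml()
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) {
    $rc.SetAttribute('EnforcementMode', 'AuditOnly')
}
$xmlPath = Join-Path $env:TEMP 'applocker-audit.xml'
$xml.Save($xmlPath)

# Would this file be allowed for Everyone? Shows the decision and the rule that matched.
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path 'C:\Users\Public\tool.exe' -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Publish to the GPO; -Merge keeps the rules that are already in it.
$gpoLdap = 'LDAP://dc01.corp.example/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=corp,DC=example'
Set-AppLockerPolicy -XmlPolicy $xmlPath -Ldap $gpoLdap -Merge

# Review on a client: event 8003 = would have been blocked (Exe/DLL),
# 8006 = would have been blocked (Script/MSI). These drive the move to Enforce.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8003 |
    Select-Object TimeCreated, Message -First 20
```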

IPSec on the Active Directory: IPsec, as the name implies, is a technology developed so that TCP/IP packets cannot be decoded. It would be more accurate to say that it is a layer. Detailed information can be found here. With this policy object, the communication between client and server is encrypted across the whole IP field, and thus those outside our company cannot access our local resources; only the computers we want, to which we apply this policy, can be included in our network. This may be access to e-mail, an RDP session, or access to the web. For such private access all traffic can run over IPsec, but it takes a great deal of effort. There are companies that take security to crazy extremes.

Advanced Audit Policy Configuration: Auditing of all the details of events.

http://www.alperyazgan.com/wp-content/uploads/gposec/resimler/16.JPG

Even if you follow all the methods proposed above, a malicious or careless user can undo all these systems at once. How? It is simple: by sharing a password. So, coming to the end of the article, beyond the technical information, the one message we want to give is that every company should first ensure user awareness.

Wishing you a safe day,
Thank you very much.