Lesson 2: Creating a Client Baseline Configuration

■ List of Applications to Always Report Errors For (Computer only): Specifies the applications that should be included in WER error reporting
■ List of Applications to be Excluded (Both): Specifies the applications that WER should exclude from its error reporting
■ List of Applications to Never Report Errors For (Computer only): Specifies the applications that WER should never include in its error reporting
■ Report Operating System Errors (Computer only): Specifies whether WER should process operating system errors
■ Report Unplanned Shutdown Events (Computer only): Specifies whether WER should process unplanned shutdowns as errors
■ Configure Default Consent (Both): Specifies whether WER should prompt the user for consent before reporting errors
■ Customize Consent Settings (Both): Specifies whether WER should send the minimum error reporting data without consent and prompt the user for consent to send additional data
■ Ignore Custom Consent Settings (Both): Specifies whether the default consent settings should override the custom consent settings

Auditing is one of the most powerful ways for administrators to monitor ongoing events on their workstations. When you configure auditing in Group Policy, workstations track specific types of events and record them in the computer’s Security log for examination by administrators at a later time. For example, if you configure your workstations to audit account logon failures, the system will create an event log entry each time a user types an incorrect password. If you see a large number of failed logon attempts, you can assume that someone is trying to guess a user’s password and you can take appropriate measures to stop that person.

Windows has had auditing capabilities for a long time, but Windows 7 and Windows Server 2008 R2 have extended the operating system’s auditing function, enabling administrators to audit events on a much more granular level.
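The "large number of failed logon attempts" check described above can be automated once the audit entries are collected. The following PowerShell sketch is an added example, not part of the original text: it counts audit failures per account in a sliding time window and notes whether a success followed the burst. It assumes PowerShell 3.0 or later; the records, account names, threshold and window are constructed, and the event IDs are 4624 (logon succeeded), 4625 (logon failed) and 4776 (credential validation).

```powershell
# Constructed sample: records shaped like fields pulled from Security-log events.
# Account names and timestamps are invented for illustration.
$t0 = [datetime]'2011-03-01T09:00:00'
$sample = @(
    0, 40, 95, 130, 200, 260 | ForEach-Object {
        [pscustomobject]@{ TimeCreated = $t0.AddSeconds($_); Id = 4776; Outcome = 'Audit Failure'; Account = 'asmith' }
    }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(300); Id = 4776; Outcome = 'Audit Success'; Account = 'asmith' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(5);   Id = 4625; Outcome = 'Audit Failure'; Account = 'bjones' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(95);  Id = 4625; Outcome = 'Audit Failure'; Account = 'bjones' }
)

function Find-LogonFailureBurst {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Events,
        [int]      $Threshold = 5,              # failures that make a burst (assumed value)
        [timespan] $Window    = '00:10:00',     # time span they must fall into (assumed value)
        [int[]]    $EventIds  = @(4624, 4625, 4776)
    )
    $relevant = $Events | Where-Object { $EventIds -contains $_.Id }
    foreach ($group in ($relevant | Group-Object Account)) {
        $fail = @($group.Group | Where-Object { $_.Outcome -eq 'Audit Failure' } |
                  Sort-Object TimeCreated | ForEach-Object { $_.TimeCreated })
        $start = 0
        for ($end = 0; $end -lt $fail.Count; $end++) {
            # Advance the left edge until the window spans at most $Window.
            while (($fail[$end] - $fail[$start]) -gt $Window) { $start++ }
            if (($end - $start + 1) -ge $Threshold) {
                $last = $fail[$end]
                # A success after the burst suggests the guessing may have worked.
                $success = @($group.Group | Where-Object {
                    $_.Outcome -eq 'Audit Success' -and $_.TimeCreated -gt $last })
                [pscustomobject]@{
                    Account      = $group.Name
                    Failures     = $end - $start + 1
                    From         = $fail[$start]
                    To           = $last
                    SuccessAfter = ($success.Count -gt 0)
                }
                break   # one finding per account is enough
            }
        }
    }
}

Find-LogonFailureBurst -Events $sample | Format-Table -AutoSize
```

With the constructed records, only asmith is reported, with SuccessAfter set to True; the two failures for bjones are 90 minutes apart and stay below the threshold.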
The standard auditing policies, which you can apply to all Windows servers and workstations, are located in the Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy container of a GPO, as shown in Figure 4-34.

Configuring Clients

Figure 4-34 The contents of the Audit Policy container in a Group Policy object

For all auditing policies, you can specify whether to monitor successes, failures, or both. The settings available in the Audit Policy container are as follows:

■ Monitors attempts to authenticate to the local computer across the network
■ Monitors attempts to create, modify, or delete user accounts and groups, as well as attempts to change user passwords
■ Monitors attempts to access Active Directory objects
■ Monitors attempts to interactively log on to the local machine
■ Monitors attempts to access non–Active Directory objects, such as folders, files, or printers, for which you have enabled auditing
■ Monitors attempts to modify user rights assignments, audit policies, account policies, or trust policies
■ Monitors attempts to exercise user rights
■ Monitors process-related events, including process creation and process termination
■ Monitors a variety of events that can affect the security of the system

For Windows 7 workstations, you can use a more advanced set of audit policy subcategories, which enable you to monitor more specific events. To use these subcategories, you must first enable the Audit: Force Audit Policy Subcategory Settings (Windows Vista or Later) To Override Audit Policy Category Settings policy, found in the Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options container. After you enable this setting, you can use the settings found in the Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies container, as shown in Figure 4-35.
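Whether the subcategory settings actually took effect on a workstation can be checked from the CSV report that auditpol produces. The following PowerShell sketch is an added example, not part of the original text: it compares such a report with a desired baseline and lists every deviation. The baseline values, the machine name and the sample report are constructed; the subcategory names follow auditpol's own naming, and PowerShell 3.0 or later is assumed.

```powershell
# Constructed baseline: subcategory name as auditpol reports it -> required setting.
$baseline = @{
    'Credential Validation'           = 'Failure'
    'Kerberos Authentication Service' = 'Failure'
    'User Account Management'         = 'Success and Failure'
    'Security Group Management'       = 'Success and Failure'
    'File System'                     = 'Success and Failure'
}

# Constructed sample of the CSV that `auditpol /get /category:* /r` prints.
# GUID values are placeholders, not real subcategory GUIDs.
$sampleCsv = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
WKSTN-A,System,Credential Validation,{PLACEHOLDER-1},Failure,
WKSTN-A,System,Kerberos Authentication Service,{PLACEHOLDER-2},No Auditing,
WKSTN-A,System,User Account Management,{PLACEHOLDER-3},Success and Failure,
WKSTN-A,System,File System,{PLACEHOLDER-4},Success,
'@

function Compare-AuditBaseline {
    param(
        [Parameter(Mandatory = $true)] [string]    $CsvText,
        [Parameter(Mandatory = $true)] [hashtable] $Baseline
    )
    # Index the report by subcategory; skip blank rows.
    $actual = @{}
    $CsvText | ConvertFrom-Csv | Where-Object { $_.Subcategory } | ForEach-Object {
        $actual[$_.Subcategory] = $_.'Inclusion Setting'
    }
    # Emit one object per subcategory that is missing or set differently.
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $have = if ($actual.ContainsKey($name)) { $actual[$name] } else { 'Not reported' }
        if ($have -ne $Baseline[$name]) {
            [pscustomobject]@{ Subcategory = $name; Expected = $Baseline[$name]; Actual = $have }
        }
    }
}

Compare-AuditBaseline -CsvText $sampleCsv -Baseline $baseline | Format-Table -AutoSize
# On a live workstation (elevated): $csv = (auditpol /get /category:* /r) -join "`n"
```

For the constructed report this lists three deviations: File System audits only successes, Kerberos Authentication Service is not audited, and Security Group Management is missing from the report.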
Figure 4-35 The Advanced Audit Policy Configuration container

This container has 10 subcategories with a total of 55 auditing policies, which enable you to monitor highly specific events. For example, the Account Logon subcategory contains four policies, instead of the one available in standard auditing, enabling you to monitor individual stages of the logon process, including credential validation, Kerberos Authentication Service transactions, Kerberos Service ticket operations, and others.

Important

Folder Redirection is a set of policies that administrators can use to control where users store their personal data. Many administrators prefer users to store their data on server drives, rather than local ones. This enables the administrators to secure the data, as well as back it up and recover it more easily. Storing data on servers also makes it possible to have roaming users; individuals can access the files they need from any computer on the network.

To make this possible without reconfiguring each workstation individually, administrators can use these Folder Redirection policies, which cause workstations to redirect specific folders to shares on the network. The policies are located in the User Configuration\Policies\Windows Settings\Folder Redirection container, as shown in Figure 4-36.

Figure 4-36 The Folder Redirection container in a GPO

When you configure one of the Folder Redirection policies, you see a Properties sheet like the one shown in Figure 4-37.

Figure 4-37 A folder redirection policy’s Properties sheet

Each policy provides the following three options:

■ Redirects the folder to a specified location, to a folder named for the user at a specified location, to the home directory specified in the user’s account, or to the local user profile location.
■ Redirects the folder to different locations based on the user’s group memberships.
■ The folder is not redirected and remains in its original location.

Note

One of the most common configurations is for an administrator to create a folder called Users on a network share and use the Basic option with the Create A Folder For Each User Under The Root Path setting to redirect folders to that location. The policy then creates a separate subfolder for each user and stores the contents of the selected folder there.

A user profile is a collection of folders and registry settings that together provide the user environment on a Windows computer. By default, Windows 7 workstations create a separate profile in the C:\Users folder for each user that logs on to the computer. These are called local user profiles.

Many administrators prefer to store user profiles on servers, however, so that users can access them from any workstation. This makes it possible for users to maintain their own desktop environments, even in a workplace where they log on at a different computer each day. These are called roaming profiles. When a workstation is configured to use roaming profiles, it downloads the profile from the server each time the user logs on. Later, when the user logs off, the workstation copies any changes that the user made to the profile back to the copy on the server.

Some administrators also prefer to create a single server-based profile containing a standard desktop environment for all of their users and provide them with read-only access to it. The process is the same as for a roaming profile when the user logs on, but the workstation does not copy the changed profile back to the server at logoff. This enables the users to modify their environments during a session, but they lose those modifications when they log off. Each time they log on again, the workstation reloads the standard profile. This is called a mandatory profile.

One final variation, called a super-mandatory profile, requires users to access the server-based profile to log on.
If the workstation cannot access the profile on the network, the logon fails.

To create roaming profiles and configure workstations to use them with Group Policy, use the following procedure:

1. Create a folder on the server where you want to store the profiles and share it.
2. Configure the profile folder with the NTFS permissions shown in Table 4-2.

Table 4-2 NTFS Permissions for a Roaming Profiles Folder
■ Creator/Owner: Allow Full Control (Subfolders and files only)
■ Domain Users: Allow List Folder/Read Data, Allow Create Folders/Append Data (This folder only)
■ LocalSystem: Allow Full Control (This folder, subfolders, and files)
■ Administrator: No permissions
■ Everyone: No permissions

3. Configure the permissions for the profile share by granting the Allow Full Control permission to the Everyone special identity.

You can copy a default network profile to the NETLOGON share on a domain controller so that it will be replicated to all of the domain controllers for that domain. This causes users to start with the default network profile when they log on for the first time, instead of using the default profile on the local disk.

4. In the Computer Configuration\Policies\Administrative Templates\User Profiles container of a GPO, enable the Set Roaming Profile Path For All Users Logging On To This Computer policy, as shown in Figure 4-38, and specify the path to the profile share you created, using the following format: \\servername\sharename\%USERNAME%.

Figure 4-38 The Set Roaming Profile Path For All Users Logging On To This Computer Properties sheet

This causes the workstation to create a folder on the share, named for the user logging on, in which the workstation stores the user’s roaming profile.

You can configure workstations to use different roaming profile paths by creating multiple GPOs and applying them to different OUs or using filtering to apply them to different computers in a single OU.
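The folder and share permissions from the procedure above can be applied and then verified from an elevated PowerShell prompt on the file server. This is an added example, not part of the original text; the path D:\Profiles, the share name Profiles$ and the CONTOSO domain are assumed names. Because Domain Users may only create folders at the root and CREATOR OWNER receives Full Control on what is created there, each user ends up with access to their own profile folder only, even though the share itself grants Everyone Full Control.

```powershell
function Set-RoamingProfileRoot {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [string] $ShareName,
        [string] $UsersGroup = 'CONTOSO\Domain Users'   # hypothetical domain name
    )
    New-Item -ItemType Directory -Path $Path -Force | Out-Null

    # One explicit entry per row of Table 4-2 that grants anything.
    # (OI)(CI) = inherited by files and subfolders; (IO) = inherit only, not this folder.
    # No inheritance flags on the users group = "This folder only".
    icacls $Path /grant:r `
        'CREATOR OWNER:(OI)(CI)(IO)F' `
        'SYSTEM:(OI)(CI)F' `
        "${UsersGroup}:(RD,AD)" | Out-Null

    # Remove inherited entries so Administrators and Everyone keep no NTFS permissions.
    icacls $Path /inheritance:r | Out-Null

    # Share permission: Everyone Full Control; the NTFS entries do the restricting.
    net share "$ShareName=$Path" '/GRANT:Everyone,FULL' | Out-Null
}

function Get-UnexpectedProfileRootAce {
    # Returns every access entry whose identity is not in the expected list.
    param(
        [Parameter(Mandatory = $true)] [string]   $Path,
        [Parameter(Mandatory = $true)] [string[]] $Expected
    )
    (Get-Acl -Path $Path).Access |
        Where-Object { $Expected -notcontains $_.IdentityReference.Value } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Assumed names throughout; run elevated on the server that hosts the profiles.
Set-RoamingProfileRoot -Path 'D:\Profiles' -ShareName 'Profiles$'
Get-UnexpectedProfileRootAce -Path 'D:\Profiles' `
    -Expected 'CREATOR OWNER', 'NT AUTHORITY\SYSTEM', 'CONTOSO\Domain Users'
```

An empty result from Get-UnexpectedProfileRootAce means the folder carries only the three entries the table allows; any row it returns is an entry that was already set explicitly on the folder and should be reviewed.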
You can also configure profile paths for individual users by specifying a profile path on the Profile tab of a user’s Properties sheet, as shown in Figure 4-39.

Figure 4-39 The Profile tab of a user’s Properties sheet

Note

To create a baseline GPO, you configure the standard Group Policy settings that you want to apply to all of your workstations, which could include auditing policies. This practice assumes that you have already completed the Lesson 1 practice, in which you downloaded, installed, and enabled GPMC, and then created a GPO called Baseline.

After installing GPMC and creating a GPO, you can use Windows 7 to create a baseline workstation configuration.

1. Click Start, and then click Administrative Tools\Group Policy Management. The Group Policy Management console appears.
2. Expand the Forest and Domains containers. Then expand the container representing your domain and select Group Policy Objects.
3. Right-click the Baseline GPO you created earlier and, from the context menu, select Edit. The Group Policy Management Editor window appears.
4. Expand the Computer Configuration, Policies, Windows Settings, Security Settings, and Local Policies containers and select Audit Policy.
5. Double-click Audit Account Logon Events. The Audit Account Logon Events Properties sheet appears.
6. Select the Define These Policy Settings check box. The Audit These Attempts check boxes are activated.
7. Clear the Success check box and select the Failure check box. Then click OK.
8. Open the Audit Account Management Properties sheet. Select the Define These Policy Settings check box, and then select both the Success and Failure check boxes and click OK.
9. Leave Group Policy Management Editor open for the next exercise.

The Audit Object Access policy enables you to audit specific types of access to specific objects by specific users or groups. To do this, you must configure the policy and then configure auditing on the objects you want to monitor.
1. In the Group Policy Management Editor, in the Audit Policy container, double-click Audit Object Access. The Audit Object Access Properties sheet appears.
2. Select the Define These Policy Settings check box, and then choose both the Success and Failure check boxes and click OK.
3. Click Start. Then click All Programs\Accessories\Windows Explorer. The Windows Explorer window appears.
4. Expand Computer and Local Disk (C:). Create a new folder called Data on the C: drive.
5. Right-click the C:\Data folder you created and, from the context menu, select Properties. The Data Properties sheet appears.
6. Click Security, and then click Advanced. The Advanced Security Settings For Data dialog box appears.
7. Click the Auditing tab, and then click Edit. A new Advanced Security Settings For Data dialog box appears, containing only an Auditing tab, as shown in Figure 4-40.

Figure 4-40 The Advanced Security Settings For Data dialog box

8. Click Add. The Select User, Computer, Service Account, Or Group dialog box appears.
9. In the Enter The Object Name To Select text box, type and click OK. The Auditing Entry For Data dialog box appears, as shown in Figure 4-41.

Figure 4-41 The Auditing Entry For Data dialog box

[...]... Compliance Management Toolkit from http://www.microsoft.com/downloads/details.aspx?FamilyID=5534bee1-3cad-4bf0-b92b-a8e545573a3e&displaylang=en and install the GPO Accelerator program
■ Practice 2 Run the GPO Accelerator script with the following command: gpoaccelerator.wsf /win7 /sslf /lab
■ Practice 3 Examine the settings in the GPOs created by the GPO Accelerator program

...
allows administrators to deploy specific firewall rules to all or some computers within an organizational environment. The Windows Firewall With Advanced Security Group Policy node is located under the Computer Configuration\Windows Settings\Security Settings node, as shown in Figure 5-4.

Figure 5-4 Windows Firewall with Advanced Security node

Lesson 1: Configuring Client Security, CHAPTER 5

As...

this is fine-grained password policies, which are beyond the scope of the 70-686 exam. The same Group Policy items define account policies at both the domain and local level. Domain policies apply to domain accounts, and local policies apply to accounts stored locally on the computer running Windows 7. Password policies and account lockout policies are located within the Computer Configuration\Windows Settings\Security...

CHAPTER 5 Configuring Security and Internet Explorer

Figure 5-9 Configure AppLocker to Audit Only

More Info: AppLocker Step-By-Step Guide
For more information on how to best configure AppLocker for your organization, consult the AppLocker Step-By-Step Guide, which is available on TechNet at http://technet.microsoft.com/en-us/library/dd723686(WS.10).aspx

Configuring Removable Drive Policies

Removable...

TechNet: http://technet.microsoft.com/en-us/library/cc730808(WS.10).aspx

Modifying Network Security Settings

Windows 7 has introduced some changes to the way that the NTLM and Kerberos protocols function. These changes have been implemented to make Windows 7 more secure but may adversely affect the way that Windows 7 interacts with some network environments...
policy, as shown in Figure 5-11. If an encryption type is not explicitly allowed through this policy, it cannot be used for Kerberos authentication.

Figure 5-11 Allowed Kerberos encryption

NTLM authentication for computers running Windows 7 has also been strengthened with clients requiring 128-bit encryption when using the authentication protocol. In the event that 40-bit or 56-bit encryption is the maximum...

that apply only to Windows 7 and Windows Server 2008 R2
■ Folder redirection policies enable users to store their personal data on network servers so that administrators can secure and back up the data and users can access it from any workstation
■ A user profile is a collection of folders and registry settings that together provide the user environment on a Windows computer. Windows 7 workstations create...

use of secure desktop, secure desktop is still used. For highly secure environments you should configure UAC to prompt administrators for credentials on the secure desktop. This ensures that an administrator has given their full consent and avoids the problem of another person performing administrative tasks if the administrator leaves their computer unattended while logged on with an administrator account...

computer

Defining AppLocker Settings

AppLocker is available in Windows 7 Enterprise and Ultimate. AppLocker offers broadly similar functionality as the Software Restriction Policies that were available in earlier versions of Windows and that administrators can still use to restrict application execution in other editions of the Windows 7 operating system. AppLocker policies differ from Software Restriction...
security standards
■ Define Windows Internet Explorer settings

Lessons in this chapter:
■ Lesson 1: Configuring Client Security
■ Lesson 2: Configuring Windows Internet Explorer

Before You Begin

To complete the exercises in the practice sessions in this chapter, you need to have completed the following steps:
■ Installed the Windows 7 operating system on a stand-alone client PC named .

Download the Security Compliance Management Toolkit from http://www.microsoft.com/downloads/details.aspx?FamilyID=5534bee1-3cad-4bf0-b92b-a8e545573a3e&displaylang=en and install the GPO Accelerator.

or you can test yourself on all the 70-686 certification exam content. You can set up the test so that it closely simulates the experience of taking a certification exam, or you can set it up