Lecture 11 managing the network

  1. Lecture 11: Managing the network (Network Design & Administration)
  2. Group Policy Objects (GPO) [11]
     • A GPO applies rights or limitations to all the AD objects in a container (or set of containers)
     • A container may be a site, domain or organisational unit (OU) – GPOs are not directly applicable to groups!
     • The aim of GPOs is to simplify management of the network with reference to rules that apply to multiple users and/or machines
  3. GPO Applicability [1]
     • GPOs can control settings for software configuration, registry, security configuration, software installation and lots more!
     • Hierarchy of GPOs: higher levels overrule lower
     • Filtering (& delegation) can be applied to limit scope/customise
     • Some cases where GPOs fail to apply – can be tricky to debug
  4. Who is allowed to set them?
     • The relevant predefined Active Directory GLOBAL groups are:
       • Domain Admins
       • Enterprise Admins (only appears in the Forest root domain)
       • Group Policy Creator Owners (by default, the domain admin account is a member of this group)
     • However, by default, predefined AD groups only get rights/permissions when added to domain local groups
  5. Who is allowed to set them? (continued)
     • Every AD domain has a builtin container, where it creates security groups with domain local scope.
       • These have the relevant rights and permissions
     • The most important group here is Administrators – by default, the global Enterprise Admins and Domain Admins groups are added to this
     • Admins have a large set of RIGHTS by default, though these may be delegated to others
  6. Group Policy Management
     • There can be lots of GPOs within a domain!
     • The Group Policy Management console provides you with a way to manage these GPOs.
     • Provides access to the Group Policy Editor where individual policy objects can be created and edited.
     • Provides access to Administrative templates (.adm) which describe where registry-based group policy settings are stored, and are used to change settings on GPOs
  7. Group Policy Management Console
     (screenshot of the console) Callouts: this view is for checking effects; you cannot edit from here. Right-click the selected policy and the GP editor comes up.
  8. Administrative Templates
     • There are a number of built-in administrative templates:
       • system.adm
       • inetres.adm
       • wmplayer.adm
       • conf.adm
       • wuau.adm
     • Each of these files contains many individual policy descriptions, and where they are stored in the Registry
     • If an admin wants to add NEW policies, Microsoft recommends creating custom .adm files rather than modifying these
  9. Example Policies in .adm
     • System.adm
       • Enable disk quotas
       • Enforce disk quota limit
       • Default quota limit and warning level
       • Log event when quota limit exceeded
       • Log event when quota warning level exceeded
     • inetres.adm
       • Scripting of Java applets
       • Logon options
       • Run .NET Framework-reliant components signed with Authenticode
       • Run .NET Framework-reliant components not signed with Authenticode
       • Download signed ActiveX controls
       • Download unsigned ActiveX controls
     • wuau.adm
       • Configure Automatic Updates
       • Specify intranet Microsoft update service location
       • Enable client-side targeting
       • Reschedule Automatic Updates scheduled installations
       • No auto-restart for scheduled Automatic Updates installations
  10. Security Policies (secpol.msc)
     • Password policy
       • Enforce password history
       • Maximum password age
       • Minimum password age
       • Minimum password length
       • Password must meet complexity requirements
       • Store passwords using reversible encryption for all users in the domain !!
     • Account lockout policy
       • Account lockout duration
       • Account lockout threshold
       • Reset lockout counter after
     • Kerberos policy
       • Maximum lifetime for service ticket
       • Maximum lifetime for user ticket
       • Maximum lifetime for user ticket renewal
     • Audit policy
       • Audit account logon events
       • Audit account management
       • Audit logon events
       • Audit policy change
       • Audit system events
     • Security options
       • Interactive logon: Require smart card
       • Interactive logon: Smart card removal behavior
  11. Effect of not using GPO for accounts [4],[5],[6]
     • In January 2009, a hacker gained access to a Twitter employee’s administrative account and was able to use the admin tools to reset passwords on other users’ accounts. Then the passwords for the accounts of a number of celebrities (including Barack Obama) were published on a hackers’ forum. Subsequently posts were made on those accounts by unauthorized persons. Twitter did not use account lockout policies to prevent a hacker from utilizing dictionary attacks.
     • Miley Cyrus had her Twitter account suspended temporarily after it was hacked into and offensive messages posted. "It appears that Miley didn't learn the lesson last year and hasn't been taking enough care over her password security to avoid the same fate; other users should make sure they choose strong passwords that can't be easily cracked, and Twitter itself should play a key part in enforcing this."
     • In the case of the hacked Twitter employee, the combination of a weak password, "happiness," and Twitter's lax security regarding repeated login attempts made it fairly simple for the hacker to gain entry. Twitter has not indicated that it has fixed this vulnerability by limiting the number of password attempts.
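The account-lockout and password settings on slide 10 are the domain-level controls that the Twitter incident on slide 11 lacked. The following script is an added example, not part of the lecture, showing how an administrator would audit the Default Domain Policy values with the ActiveDirectory module, apply a stricter baseline, and then look for the repeated-failure pattern that a lockout threshold is meant to stop. It assumes the RSAT ActiveDirectory module is installed and the caller is a Domain Admin; the threshold, length and age values are assumptions to be replaced by the organisation's own policy.

```powershell
# Added example (not from the lecture): audit and harden the domain password and
# account-lockout policy discussed on slides 10 and 11. Requires the ActiveDirectory
# module (RSAT) and Domain Admin rights. The numeric values below are assumptions.
Import-Module ActiveDirectory

$domain  = (Get-ADDomain).DNSRoot
$current = Get-ADDefaultDomainPasswordPolicy -Identity $domain

# 1. Flag the settings the lecture warns about before changing anything.
$findings = @()
if ($current.LockoutThreshold -eq 0)      { $findings += 'Lockout threshold is 0: online dictionary attacks are not throttled' }
if ($current.ReversibleEncryptionEnabled) { $findings += 'Reversible encryption is on: plaintext-equivalent passwords are stored in AD' }
if (-not $current.ComplexityEnabled)      { $findings += 'Password complexity is not enforced' }
if ($current.MinPasswordLength -lt 12)    { $findings += "Minimum password length is only $($current.MinPasswordLength)" }
$findings | ForEach-Object { Write-Warning $_ }

# 2. Apply a stricter baseline (edit the values to match your organisation's policy).
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
    -MinPasswordLength 12 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -MinPasswordAge (New-TimeSpan -Days 1)

# 3. Re-read the policy and list accounts currently locked out, so the effect is visible.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow, MinPasswordLength
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate

# 4. With "Audit logon events" / "Audit account logon events" enabled, failed attempts show
#    up as event 4625 (failed logon) on the attacked machine and 4771 (Kerberos pre-auth
#    failed) on a domain controller. Group the last hour by target account: many failures
#    against one account inside the observation window is the pattern lockout interrupts.
$since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4771; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
    } |
    Group-Object |
    Where-Object { $_.Count -ge 10 } |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Account'; e = { $_.Name } }, Count
```

Step 4 only reports something if auditing is actually turned on in the audit policy section of slide 10; on a domain with no audit policy the Security log is silent and the query returns nothing, which is itself a finding.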
  12. And to follow on from this [7]
     “… I started wondering how vulnerable other sites might be to this type of attack. … I went looking at some of the sites that I frequent and found that many of them don’t have any restrictions on authentication attempts… And how hard would it really be to create such a script to attempt a brute force attack like the one that was used by the hacker? Well… How about four simple lines of code attached to a very large dictionary database:”

     ```vbscript
     Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
     WinHttpReq.Open "POST", "http://www.domain.com/login", false
     WinHttpReq.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
     WinHttpReq.Send("login=Chris&password=Pa$$w0rd")
     ```

     “I tested this script against a site that I frequent and it worked as expected. So, I guess it’s not that hard to perform such an attack. Now it seems the question isn’t how did this happen to Twitter, but why doesn’t this happen every day?”
  13. Example security issue helped by GPO [8]
     • A particular problem is the need to disable USB sticks and other removable media in secure installations
     • Can set up a custom .adm to include this, and apply via GPO to a group of workstations
     • Disables various drivers
     • A lot better than gluing up the USB ports!
     • Vista/7 includes extensions to GP to make this easier (Removable Storage Management) BUT also includes approx. 800 other new policy settings
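Slide 13 describes the removable-media problem and slide 3 warns that GPOs which fail to apply are hard to debug. The script below is an added example, not from the lecture or from KB 555324, that uses the GroupPolicy module (Windows Server 2008 R2 / RSAT) to create a GPO carrying the Vista/7 "All Removable Storage classes: Deny all access" setting, link it to the OU holding the workstations, and then verify on one client both the RSoP report and the registry value it actually received. The OU distinguished name, GPO name, group name and workstation name are assumptions.

```powershell
# Added example (not from the lecture or KB 555324): deny all removable-storage classes
# on the computers in one OU, then verify the result on a client.
# The OU, GPO name, group name and computer name are assumptions.
Import-Module GroupPolicy

$gpoName  = 'Workstations - Deny Removable Storage'
$targetOu = 'OU=Secure Workstations,DC=example,DC=local'   # assumed OU of the workstations
$polKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# 1. Create the GPO once; rerunning the script must not create duplicates.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'All Removable Storage classes: Deny all access' }

# 2. The Removable Storage Access policy is registry based: Deny_All = 1 under the
#    RemovableStorageDevices policy key is what the Administrative Template writes.
Set-GPRegistryValue -Name $gpoName -Key $polKey -ValueName 'Deny_All' -Type DWord -Value 1 | Out-Null

# 3. Link to the OU. A GPO applies to the computer objects in the container, not to groups
#    (slide 2), so the workstations must live in this OU. Enforced so that a link lower in
#    the hierarchy cannot override the setting.
$links = (Get-GPInheritance -Target $targetOu).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $gpoName })) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes -Enforced Yes | Out-Null
}

# 4. Optional security filtering (slide 3) if only some machines in the OU should get it:
#    grant Apply to a computer group instead of to Authenticated Users.
# Set-GPPermission -Name $gpoName -TargetName 'USB-Locked Workstations' -TargetType Group -PermissionLevel GpoApply
# Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead

# 5. Verify on one workstation after a refresh: both the RSoP report and the value the
#    client actually has in its registry. Requires PowerShell remoting to the client.
$pc = 'WS01'   # assumed workstation name
Invoke-Command -ComputerName $pc -ScriptBlock { gpupdate /target:computer /force | Out-Null }
Get-GPResultantSetOfPolicy -Computer $pc -ReportType Html -Path "$env:TEMP\$pc-rsop.html"
Invoke-Command -ComputerName $pc -ScriptBlock {
    (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' -ErrorAction SilentlyContinue).Deny_All
}
```

If the last command returns nothing, the usual causes are the ones slide 3 hints at: the computer object is not in the linked OU, security filtering excludes it, or the link is disabled; the HTML RSoP report shows which GPOs were considered and why each was or was not applied. When replacing Authenticated Users in the filter, keep that group's Read permission (step 4 leaves it as GpoRead), because the computer account must still be able to read the GPO for it to be processed.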
  14. Other Issues with GPOs
     • For Server 2003 and XP, they run in winlogon and then update on an irregular time basis
     • For Vista, they have their own “hardened” service which cannot be stopped
     • .adm files are added to sysvol every time a new GPO is created – this can lead to lots of copied files around the system, and replication traffic overhead
     • Some of the GPOs have to be considered as merely obscuration rather than security, since users may be able to use other programs to get around them, e.g. for editing Registry settings
  15. Managing Software on the Network [10],[11]
     • GPOs allow admins to specify which .msi packages are to be assigned or published
     • Assignment can be user or computer associated, whereas publishing is necessarily linked only to users (a user has to do something to install it)
     • GPO can also define how upgrade/removal is handled
  16. Assign vs. Publish
     • Published software is available in the Add/Remove Programs applet, but the user has to decide whether to install
     • Assigned to User means the icon for the app is on the desktop (“advertised”) – activation, or opening an associated document for the first time, will trigger the install
     • Assigned to Computer means the software is already installed before the user even logs on
  17. Why .msi?
     • Contains useful info about the structure of the program
     • So it can “self heal” if files are accidentally deleted
     • The installer creates a system restore point before installing – so it reverts automatically if the install goes wrong
     • Has sophisticated options for various methods of installation (especially for big programs and slow links) to install only some bits of large packages (e.g. Office) immediately
     • Can be constructed using Wix (Microsoft Installer Toolkit) – has a steep learning curve
  18. How to set up and use [12]
     • Create Software Distribution Points (SDP) – shared network folders with NTFS Read/Execute permissions for the users
     • Create a GPO for software deployment (and associate it with the chosen domain/site/OU)
     • Configure software deployment properties for the GPO – location of SDP, default handling of new packages etc.
     • Add the installation packages to the GPO (indicating whether they are to be published or assigned)
     • Configure each installation package's properties – e.g.
       • Auto-Install This Application By File Extension Activation
       • Uninstall This Application When It Falls Out Of The Scope Of Management
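The five steps on slide 18 can be scripted up to the point where the package is added to the GPO. The following is an added example, not from the lecture or from [12], covering the SDP with least-privilege permissions, a signature check on the package before it is offered, the deployment GPO and its link, and a check that the package was recorded. The server paths, share name, OU and GPO name are assumptions. Adding the .msi under Computer/User Configuration > Software Settings has no cmdlet in the GroupPolicy module, so that step is done in the Group Policy editor as the slide describes.

```powershell
# Added example (not from the lecture or [12]): build a Software Distribution Point,
# check the package, and create the deployment GPO. Paths, share, OU and GPO name are
# assumptions. The package itself is added in the GP editor (no cmdlet exists for it).
Import-Module GroupPolicy

$sdpPath   = 'D:\SDP'
$shareName = 'SDP$'
$gpoName   = 'Software - Assigned Baseline'
$targetOu  = 'OU=Workstations,DC=example,DC=local'
$msi       = Join-Path $sdpPath 'Contoso-App-1.0.msi'   # assumed package already copied here

# 1. SDP folder. Read/Execute only: packages assigned to the computer are fetched by the
#    machine account before anyone logs on, so 'Authenticated Users' (which includes
#    computer accounts) is the right principal, and only admins may replace a package.
New-Item -ItemType Directory -Path $sdpPath -Force | Out-Null
icacls $sdpPath /inheritance:r `
    /grant 'BUILTIN\Administrators:(OI)(CI)F' `
    /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    /grant 'NT AUTHORITY\Authenticated Users:(OI)(CI)RX' | Out-Null
# Share-level read; net share also works on Server 2003/2008, which lack the SMB cmdlets.
net share "$shareName=$sdpPath" "/grant:Authenticated Users,READ" | Out-Null

# 2. Only deploy packages whose Authenticode signature verifies: a tampered .msi assigned
#    to computers would run as SYSTEM on every machine in scope.
$sig = Get-AuthenticodeSignature -FilePath $msi
if ($sig.Status -ne 'Valid') {
    throw "Refusing to deploy $msi : signature status is $($sig.Status)"
}

# 3. Deployment GPO, linked to the OU that holds the target computers.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment 'Assigned software baseline' | Out-Null
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}

# 4. In the GP editor, add the package using its UNC path; clients cannot resolve D:\SDP.
$packageLeaf = Split-Path $msi -Leaf
"Package path to enter in the editor: \\$env:COMPUTERNAME\$shareName\$packageLeaf"

# 5. After the package has been added, confirm the GPO report references it.
$report = Get-GPOReport -Name $gpoName -ReportType Xml
if ($report -match [regex]::Escape($packageLeaf)) {
    "Package $packageLeaf is recorded in GPO '$gpoName'"
} else {
    Write-Warning "Package $packageLeaf not yet present in GPO '$gpoName'"
}
```

The NTFS and share permissions deliberately give users no write access: the "self heal" behaviour on slide 17 means clients will re-fetch files from the SDP later, so anyone who can overwrite a package there can change what gets reinstalled on every machine in scope.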
  19. Some snags…
     • No licence control is performed – so Published software had better be on a site licence!
     • Need to plan carefully how to structure the software, e.g. common packages to be assigned to computers, specific ones to be assigned to different user groups etc., otherwise you might have too many GPOs to manage
     • If users need admin privilege to install, risky! Can configure the installer to “always install elevated”, but this also poses a security risk.
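The last snag on slide 19 deserves a concrete check. The script below is an added example, not from the lecture, that searches every GPO in the domain for the "Always install with elevated privileges" setting, reports whether it is effective on the local machine, and removes it from the GPOs that set it. It reads GPO names from Active Directory, so nothing else is assumed beyond the GroupPolicy module being available.

```powershell
# Added example (not from the lecture): find every GPO that turns on "Always install with
# elevated privileges" (slide 19), check whether it is effective locally, and remove it.
Import-Module GroupPolicy

$key = 'SOFTWARE\Policies\Microsoft\Windows\Installer'

# 1. Domain-wide audit: the setting exists under both the machine and the user hive,
#    and Get-GPRegistryValue errors when a value is absent, hence SilentlyContinue.
$hits = foreach ($gpo in Get-GPO -All) {
    foreach ($hive in 'HKLM', 'HKCU') {
        $v = Get-GPRegistryValue -Guid $gpo.Id -Key "$hive\$key" -ValueName 'AlwaysInstallElevated' -ErrorAction SilentlyContinue
        if ($v -and $v.Value -eq 1) {
            [pscustomobject]@{ GPO = $gpo.DisplayName; Hive = $hive; Value = $v.Value }
        }
    }
}
$hits | Format-Table -AutoSize

# 2. Local check. Windows Installer honours the policy only when BOTH values are 1; then
#    any user can run any .msi as SYSTEM, which is the risk the slide refers to.
$hklm = (Get-ItemProperty "HKLM:\$key" -ErrorAction SilentlyContinue).AlwaysInstallElevated
$hkcu = (Get-ItemProperty "HKCU:\$key" -ErrorAction SilentlyContinue).AlwaysInstallElevated
if ($hklm -eq 1 -and $hkcu -eq 1) {
    Write-Warning 'AlwaysInstallElevated is effective on this machine'
}

# 3. Remediate: removing the value returns the policy to "Not configured", the default.
#    Assign the package through the GPO instead (slides 15-16): the install then runs under
#    the machine account without giving users elevation for every .msi.
foreach ($h in $hits) {
    Remove-GPRegistryValue -Name $h.GPO -Key "$($h.Hive)\$key" -ValueName 'AlwaysInstallElevated' | Out-Null
}
```

Run step 3 only after reviewing the table from step 1; a GPO that sets the value in just one hive is harmless on its own but becomes a problem the moment another GPO supplies the other half.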
  20. Microsoft Software Licensing
     • Needs care in Windows networks
     • Need to consider whether Per User or Per Device is the most cost-effective way.
     • (Also might need to buy additional Client Access Licences for Remote Desktop Services if remote users log in to a server)
     • Each Server 2008 computer runs a Licence Logging service, which keeps track.
       • The information is replicated to a Site Licence Server
     • Can maintain licence information for file, print services, IIS, RDS, Exchange, SQL Server etc.
  21. Process to maintain licences
     • Identify the Site Licence Server (normally the first domain controller in a site)
     • Administer licences using Licensing in Administrative Tools
     • To add new licences, select New License, and specify the number added
     • Alternatively, use a 3rd party tool that can also handle other licences, e.g. volume
     • Monitor licence status regularly
  22. Next time & References
     • Next time: PowerShell Scripting
     References
     [1] http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx
     [2] MOAC 70-290 Ch 7
     [3] http://www.windowsecurity.com/articles/Group-Policy-Management-Console.html
     [4] http://www.windowsecurity.com/articles/Social-Networking-Latest-Greatest-Business-Tool-Security-Nightmare.html
     [5] http://www.toptechnews.com/story.xhtml?story_id=030002OA8BWI
     [6] http://digital.asiaone.com/Digital/News/Story/A1Story20090218-122815.html
     [7] http://www.dscoduc.com/post/2009/01/08/Brute-Force-Password-Hacking.aspx
     [8] http://support.microsoft.com/kb/555324
     [10] MOAC 70-270 Ch 9
     [11] http://technet.microsoft.com/en-us/library/cc782152.aspx
     [12] http://www.tech-faq.com/deploying-software-through-group-policy.shtml