
Section A: Implementing Group Policy

1. Describe the components of Group Policy.

Group Policy settings are configuration settings that allow administrators to enforce settings by modifying the computer-specific and user-specific registry settings on domain-based computers. You group Group Policy settings together into GPOs, which you then deliver to security principals (users, groups or computers) by linking the GPO to the Active Directory containers that hold them.

GPOs
A GPO is an object that contains one or more policy settings that apply configuration settings for users, computers, or both. GPOs are stored in SYSVOL (and in Active Directory, see question 3), and can be managed by using the Group Policy Management Console (GPMC). Within the GPMC, you open and edit a GPO by using the Group Policy Management Editor. GPOs are logically linked to Active Directory containers to apply settings to the objects in those containers.

Group Policy Settings
A Group Policy setting is the most granular component of Group Policy. It defines a specific configuration change to apply to an object (a computer, a user, or both) within Active Directory Domain Services (AD DS). Group Policy has thousands of configurable settings, which can affect nearly every area of the computing environment. Not all settings apply to all versions of Windows Server and Windows client operating systems: each new version introduces settings and capabilities that only apply to that version or newer. If a computer receives a Group Policy setting that it cannot process, it simply ignores that setting.

Most policy settings have three states:
Not Configured. The GPO will not modify the existing configuration of the particular setting for the user or computer.
Enabled. The policy setting will be applied.
Disabled. The policy setting is specifically reversed.

By default, most settings are set to Not Configured.

The effect of the configuration change depends on the policy setting. For example, if you enable the Prohibit Access to Control Panel policy setting, users will be unable to open Control Panel. If you disable the policy setting, you ensure that users can open Control Panel, even if a GPO applied earlier in the processing order enabled the restriction. Notice the double negative in this policy setting: you disable a policy that prevents an action, thereby allowing the action.

Group Policy Settings Structure
There are two distinct areas of Group Policy settings:
User settings. These are settings that modify the HKEY_CURRENT_USER hive of the registry.
Computer settings. These are settings that modify the HKEY_LOCAL_MACHINE hive of the registry.
User and computer settings each have three areas of configuration: Software Settings (software installation), Windows Settings (scripts, security settings and similar), and Administrative Templates (registry-based policy settings described by .admx files).

Group Policy Management Editor

The Group Policy Management Editor displays the individual Group Policy settings that are available in a GPO. These are displayed in an organized hierarchy that begins with the division between computer settings and user settings, the Computer Configuration node and the User Configuration node, and then expands to show the Policies and Preferences folders under each. The Group Policy Management Editor is where all Group Policy settings and preferences are configured.
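Added PowerShell example, not part of the original notes. It shows how the three states of the Prohibit Access to Control Panel setting discussed above are actually stored in a GPO: as a single DWORD (NoControlPanel) under the user hive's Policies key, present with value 1 (Enabled), present with value 0 (Disabled), or absent (Not Configured). It assumes the RSAT GroupPolicy module and a GPO named "Desktop Lockdown" (an assumed name).

```powershell
# Added example, not part of the original notes. Maps the Enabled / Disabled /
# Not Configured states of "Prohibit access to Control Panel and PC settings"
# to the registry value the GPO carries. Assumes the RSAT GroupPolicy module
# and an existing GPO named "Desktop Lockdown" (assumed name).
Import-Module GroupPolicy

$gpoName = 'Desktop Lockdown'
$key     = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$value   = 'NoControlPanel'

function Set-ControlPanelPolicy {
    param(
        [Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled', 'NotConfigured')]
        [string]$State
    )
    switch ($State) {
        # Enabled: value present and 1 -> the client blocks Control Panel.
        'Enabled' {
            Set-GPRegistryValue -Name $gpoName -Key $key -ValueName $value -Type DWord -Value 1 | Out-Null
        }
        # Disabled: value present and 0 -> explicitly allowed; reverses an
        # earlier GPO that enabled the restriction (the "double negative").
        'Disabled' {
            Set-GPRegistryValue -Name $gpoName -Key $key -ValueName $value -Type DWord -Value 0 | Out-Null
        }
        # Not Configured: value absent from this GPO -> this GPO is silent and
        # whatever another GPO or the machine's current state says stays in force.
        'NotConfigured' {
            Remove-GPRegistryValue -Name $gpoName -Key $key -ValueName $value -ErrorAction SilentlyContinue | Out-Null
        }
    }
}

function Get-ControlPanelPolicy {
    # Report which of the three states the GPO currently carries for the setting.
    try {
        $v = Get-GPRegistryValue -Name $gpoName -Key $key -ValueName $value -ErrorAction Stop
        if ($v.Value -eq 1) { 'Enabled' } else { 'Disabled' }
    } catch {
        'NotConfigured'
    }
}

Set-ControlPanelPolicy -State Enabled
Get-ControlPanelPolicy
Set-ControlPanelPolicy -State Disabled
Get-ControlPanelPolicy
Set-ControlPanelPolicy -State NotConfigured
Get-ControlPanelPolicy

# On a client, after gpupdate, the applied value is visible in the user hive:
#   Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name NoControlPanel
```

The point of the Disabled branch is the one the notes make: writing 0 is not the same as writing nothing, because a 0 applied later in the processing order overrides a 1 applied earlier, whereas removing the value leaves the earlier GPO's 1 in place.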

2. Describe multiple local GPOs.

In Windows operating systems prior to Windows Vista, there was only one local GPO, and its single user configuration applied to all users who logged on at that computer. That local GPO still exists, but Windows Vista and newer Windows client operating systems, and Windows Server 2008 and newer Windows Server operating systems, add a feature called multiple local GPOs.
In Windows 8 and Windows Server 2012 you can therefore have different user settings for different local users, but this is available only for the user configuration part of local Group Policy. There is still only one set of computer configuration settings in Windows 8 and Windows Server 2012, and it affects all users of the computer. Windows 8 and Windows Server 2012 provide this ability with the following three layers of local GPOs:
Local Group Policy (the only layer that contains computer configuration settings; its user configuration applies to everyone who logs on)
Administrators and Non-Administrators Group Policy (user settings only, applied according to whether the user is a member of the local Administrators group)
User-specific Local Group Policy (user settings only, for one named local user account)

How the Layers Are Processed
The layers of local GPOs are processed in the following order, with later layers overriding conflicting settings from earlier ones:

1. Local Group Policy
2. Administrators and Non-Administrators Group Policy
3. User-specific Local Group Policy

With the exception of the Administrators and Non-Administrators categories, it is not possible to apply local GPOs to groups, only to individual local user accounts. Domain users are subject to the Local Group Policy and to the Administrators or Non-Administrators settings, as appropriate. Domain GPOs are processed after all local layers, so a domain setting always wins a conflict with a local one.

3. Describe storage options for domain GPOs.

Group Policy settings are presented as GPOs in the GPMC, but a GPO is actually two components: a Group Policy template (GPT) and a Group Policy container (GPC).

Group Policy Template
The Group Policy template is the collection of files that hold the settings you change: registry.pol files for Administrative Templates settings, security templates, scripts, and preference XML. It is a folder in SYSVOL on every domain controller (see below). The list of settings you can choose from in the Group Policy Management Editor is defined separately by administrative template files (.admx and .adml), which are read from the %SystemRoot%\PolicyDefinitions folder of the computer you edit from, or from a Central Store (question 6). Windows Server 2012 ships administrative templates with thousands of configurable settings. When you create a new GPO, both its Group Policy container and its Group Policy template folder are created; when you edit and save the GPO, the changed settings are written to the template and the version number in both components is incremented.

Group Policy Container
The Group Policy container is an Active Directory object stored in the Active Directory database, under CN=Policies,CN=System in the domain partition. Each Group Policy container is named by a globally unique identifier (GUID) that uniquely identifies the object within AD DS. The Group Policy container defines basic attributes of the GPO such as its version number, its status flags (user or computer side disabled), the path to its template (gPCFileSysPath), and which client-side extensions have settings in it, but it does not contain any of the settings. Instead, the settings are contained in the Group Policy template, which is a collection of files stored in the SYSVOL of each domain controller. Links are not stored in the GPO at all: the gPLink attribute of the site, domain or OU records which GPOs are linked to it.

The Group Policy template is located at %SystemRoot%\SYSVOL\sysvol\<DomainName>\Policies\{GPO GUID}, where GPO GUID is the GUID of the Group Policy container, and is reachable over the network as \\<DomainName>\SYSVOL\<DomainName>\Policies\{GPO GUID}. When you make changes to the settings of a GPO, the changes are saved to the Group Policy template of the domain controller from which the GPO was opened, and SYSVOL replication (FRS or DFS Replication) copies them to the other domain controllers. By default, when Group Policy refresh occurs, the Group Policy client-side extensions (CSEs) apply the settings in a GPO only if the GPO has been updated since the last refresh.
The Group Policy client identifies an updated GPO by its version number. Each GPO has a version number that is incremented each time a change is made; it is a single 32-bit value whose low 16 bits count changes to computer settings and whose high 16 bits count changes to user settings. The version number is stored as an attribute (versionNumber) of the Group Policy container, and in a text file, GPT.ini, in the Group Policy template folder. The Group Policy client records the version number of each GPO that it has previously applied. If, during Group Policy refresh, the client discovers that the version number of the Group Policy container has changed, the CSEs are informed that the GPO is updated and process it again. If the container and template versions differ, typically because SYSVOL replication lags behind AD replication or because files were edited directly in SYSVOL, the GPMC shows the mismatch as different AD and SYSVOL version numbers on the GPO's Details tab.
When editing a Group Policy, the version on the domain controller that holds the primary domain controller (PDC) emulator Flexible Single Master Operations (FSMO) role is the version being edited. It does not matter which computer you are using to perform the editing; the GPMC is focused on the PDC emulator by default so that two administrators cannot make conflicting edits on different domain controllers. It is possible to change the focus of the GPMC to edit the copy on a different domain controller.
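Added PowerShell example, not part of the original notes. It reads the version number from both halves of a GPO described above, the versionNumber attribute of the Group Policy container in AD and the Version= line of GPT.ini in the Group Policy template in SYSVOL, decodes the packed computer/user counters and reports whether the two are in sync. It assumes the RSAT GroupPolicy and ActiveDirectory modules and that the PDC emulator is reachable; the GPO name at the end is just the built-in Default Domain Policy.

```powershell
# Added example, not part of the original notes. Compares the GPC (AD) and GPT
# (SYSVOL) version numbers of one GPO and decodes them into computer and user
# counters. Assumes the RSAT GroupPolicy and ActiveDirectory modules.
Import-Module GroupPolicy, ActiveDirectory

function Get-GpoVersionState {
    param([Parameter(Mandatory)][string]$Name)

    # Read everything from the PDC emulator, which is where GPMC edits land first.
    $pdc = (Get-ADDomain).PDCEmulator
    $gpo = Get-GPO -Name $Name -Server $pdc

    # GPC side: Get-GPO's Path property is the DN of the container object.
    $gpc = Get-ADObject -Identity $gpo.Path -Server $pdc `
        -Properties versionNumber, gPCFileSysPath
    # versionNumber is a packed 32-bit counter: low 16 bits = computer settings,
    # high 16 bits = user settings. Go through int64 so a high user count
    # (stored as a negative int32 in AD) does not break the arithmetic.
    $adVersion = ([int64]$gpc.versionNumber) -band 0xFFFFFFFF

    # GPT side: the same packed value, written as text in GPT.ini next to the
    # registry.pol files.
    $gptIni = Join-Path $gpc.gPCFileSysPath 'GPT.ini'
    $ini = Get-Content -Path $gptIni -Raw
    if ($ini -notmatch '(?m)^Version=(\d+)') {
        throw "No Version= line found in $gptIni"
    }
    $sysvolVersion = [int64]$Matches[1]

    [pscustomobject]@{
        Gpo            = $gpo.DisplayName
        Guid           = $gpo.Id
        TemplatePath   = $gpc.gPCFileSysPath
        AdComputer     = $adVersion -band 0xFFFF
        AdUser         = $adVersion -shr 16
        SysvolComputer = $sysvolVersion -band 0xFFFF
        SysvolUser     = $sysvolVersion -shr 16
        # False means the halves are out of sync: SYSVOL replication lag, or a
        # file changed directly in SYSVOL without going through the editor.
        InSync         = ($adVersion -eq $sysvolVersion)
    }
}

Get-GpoVersionState -Name 'Default Domain Policy' | Format-List
```

Get-GPO already exposes these numbers pre-decoded as Computer.DSVersion, Computer.SysvolVersion, User.DSVersion and User.SysvolVersion; the value of doing it by hand is seeing where each one comes from, and a persistent InSync = False on a GPO nobody is editing is worth investigating, since the template files are what clients actually apply.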

4. Describe the Group Policy processing order.

GPOs are not applied simultaneously; rather, they are applied in a logical order. GPOs that are applied later in the process overwrite any conflicting policy settings that were applied earlier. GPOs are applied in the following order (often remembered as LSDOU):
1. Local GPOs. Each computer running Windows 2000 or newer potentially already has a local Group Policy configured.
2. Site GPOs. Policies that are linked to sites are processed next.
3. Domain GPOs. Policies that are linked to the domain are processed next. There are often multiple policies at the domain level. These are processed according to their link order: the GPO with the highest link order number is applied first and the GPO with link order 1 is applied last, so link order 1 has the highest precedence.
4. OU GPOs. Policies linked to OUs are processed next. These policies contain settings that are unique to the objects in that OU. For example, the Sales users might have special required settings. You can link a policy to the Sales OU to deliver those settings.
5. Child OU policies. Any policies that are linked to child OUs are processed last. Objects in the containers receive the cumulative effect of all policies in their processing order.

In the case of a conflict between settings, the last policy applied takes effect. For example, a domain-level policy might restrict access to registry editing tools, but you could configure an OU-level policy and link it to the IT OU to reverse that policy. Because the OU-level policy is applied later in the process, access to registry tools would be available. Two options alter this order: marking a link Enforced makes that GPO win over any GPO linked lower in the hierarchy, and Block Inheritance on an OU stops non-enforced GPOs from parent containers from being applied there.

5. Describe a GPO link.

Once you have created a GPO and defined all the settings that you want it to deliver, the next step is to link the policy to an Active Directory container. A GPO link is the logical connection of the policy to a container. You can link a single GPO to multiple containers by using the GPMC. You can link GPOs to the following types of containers:
Sites
Domains
OUs
Once a GPO is linked to a container, by default the policy is applied to all the objects in the container and, through inheritance, to all the child containers under that parent object. This is because the default permissions of the GPO grant Authenticated Users (which includes every domain computer as well as every domain user) the Read and Apply Group Policy permissions. You can narrow this scope (security filtering) by managing permissions on the GPO, or further with a WMI filter.
You can disable links to containers, which stops the GPO's settings from being applied there without changing the GPO itself. You can also delete links. Deleting a link does not delete the actual GPO, only the logical connection to the container. GPOs cannot be linked directly to users, groups, or computers. In addition, GPOs cannot be linked to the system containers in AD DS, including Builtin, Computers, Users, or Managed Service Accounts, because these are containers rather than OUs. Objects in the AD DS system containers receive Group Policy settings only from GPOs linked at the site and domain levels, which is one reason to move computers and users out of the default Computers and Users containers into OUs.
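Added PowerShell example, not part of the original notes. It carries out the steps from questions 4 and 5 in one run: create a GPO, link it to an OU, replace the default Authenticated Users scope with a specific group, and list the resulting precedence for objects in that OU. The GPO, OU and group names are assumptions; it requires the RSAT GroupPolicy module.

```powershell
# Added example, not part of the original notes. Links a GPO to an OU, applies
# security filtering, and shows the effective precedence for the OU. The names
# of the GPO, the OU and the group are assumptions.
Import-Module GroupPolicy

$gpoName = 'Sales Desktop Policy'
$ouDn    = 'OU=Sales,DC=adatum,DC=com'
$group   = 'Sales Desktop Users'

if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}

# Link the GPO to the OU. Order 1 is the top of the OU's link list, i.e. the
# highest precedence among the GPOs linked to this same OU (applied last).
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes -Order 1 `
    -ErrorAction SilentlyContinue | Out-Null

# Security filtering: grant the group Read + Apply Group Policy ...
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
# ... and remove Authenticated Users entirely, so only group members apply it.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None | Out-Null
# Caveat: since MS16-072 (June 2016) clients read user-side GPOs with the
# computer account, so the computer still needs Read on the GPO. Grant it back
# explicitly or the user settings in this GPO are silently skipped.
Set-GPPermission -Name $gpoName -TargetName 'Domain Computers' -TargetType Group `
    -PermissionLevel GpoRead | Out-Null

# Resulting precedence for objects in the OU. InheritedGpoLinks is ordered with
# the highest precedence first, so the first entry wins any setting conflict;
# Enforced links from parents appear above the OU's own links.
(Get-GPInheritance -Target $ouDn).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced, Target |
    Format-Table -AutoSize

# Current security filtering on the GPO, for review.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

If the OU is later set to Block Inheritance (Set-GPInheritance -Target $ouDn -IsBlocked Yes), rerunning the Get-GPInheritance call shows that only Enforced parent links and the OU's own links remain in the list.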

6. Describe the Central Store.

If your organization has multiple administration workstations, there could be potential issues when editing GPOs. If you do not have a Central Store in which to keep the template files, the workstation you are editing from will use the .admx (ADMX) and .adml (ADML) files that are stored in its local PolicyDefinitions folder. If different administration workstations have different operating systems or are at different service pack levels, there might be differences in the ADMX and ADML files. For example, the ADMX and ADML files stored on a Windows 7 workstation with no service pack installed will not be the same as the files stored on a Windows Server 2012 domain controller, so two administrators see different sets of settings for the same GPO.

The Central Store addresses this issue. It provides a single point from which administration workstations load the same ADMX and ADML files when editing a GPO. The Central Store is detected automatically by Windows Vista and newer client operating systems and by Windows Server 2008 and newer server operating systems. The workstation that the administrator uses always checks whether a Central Store exists before loading the local ADMX and ADML files into the Group Policy Management Editor. When the workstation detects a Central Store, it loads the template files from there instead, and the Administrative Templates node in the editor reports that the policy definitions were retrieved from the central store. In this way, there is a consistent administration experience across multiple workstations.
You must create and provision the Central Store manually. First, create a folder named PolicyDefinitions on a domain controller at C:\Windows\SYSVOL\sysvol\{DomainName}\Policies\. This folder is now your Central Store, and SYSVOL replication copies it to every other domain controller. Then copy all the contents of the C:\Windows\PolicyDefinitions folder of a reference machine (normally the newest operating system you administer) to the Central Store. The ADML files are in language-specific subfolders (such as en-US) and must be copied along with the ADMX files. The Central Store only changes which definitions the editor shows; the configured settings themselves remain in each GPO's registry.pol.
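Added PowerShell example, not part of the original notes. It performs the provisioning steps above: create the Central Store folder in SYSVOL on the PDC emulator, copy this machine's PolicyDefinitions folder (ADMX files plus language subfolders) into it, and check that every .admx has a matching .adml for the language in use. It is meant to run on the reference machine whose template set all administrators should see, and assumes the RSAT ActiveDirectory module.

```powershell
# Added example, not part of the original notes. Creates and populates the
# Central Store, then checks ADMX/ADML consistency. Run on the reference
# machine; assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$domainInfo = Get-ADDomain
$central = "\\$($domainInfo.PDCEmulator)\SYSVOL\$($domainInfo.DNSRoot)\Policies\PolicyDefinitions"
$source  = Join-Path $env:SystemRoot 'PolicyDefinitions'
$lang    = (Get-Culture).Name   # language folder to check, e.g. en-US

# Create the store folder. SYSVOL replication carries it to the other DCs.
if (-not (Test-Path -Path $central)) {
    New-Item -Path $central -ItemType Directory | Out-Null
}

# Copy the .admx files plus the language subfolders that hold the .adml files.
# -Force overwrites older definitions, so re-running after an OS upgrade
# refreshes the store in place.
Copy-Item -Path (Join-Path $source '*') -Destination $central -Recurse -Force

# Consistency check: an .admx without its .adml makes the editor report an
# error for that template's display strings instead of showing its settings.
$admx = Get-ChildItem -Path $central -Filter *.admx | ForEach-Object BaseName
$adml = Get-ChildItem -Path (Join-Path $central $lang) -Filter *.adml -ErrorAction SilentlyContinue |
    ForEach-Object BaseName
$missing = $admx | Where-Object { $_ -notin $adml }

if ($missing) {
    "ADMX files without a $lang ADML: $($missing -join ', ')"
} else {
    "Central Store at $central is consistent for $lang ($($admx.Count) templates)"
}
```

Because the store is written through the SYSVOL share, the account running this needs the same rights as for editing GPOs (Domain Admins or a delegated Group Policy Creator Owner), and the change replicates to every domain controller like any other SYSVOL content.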

Section B: Securing Windows Server 2012 with GPO
1. Describe best practices for increasing Windows Server 2012 security.

Consider the following best practices for increasing security:
Apply all available security updates as quickly as possible following their release. Microsoft publishes the details of a fixed vulnerability when the update is released, and attackers study the update itself, so the volume of malware attempting to exploit the vulnerability typically rises after release. However, you must still test updates adequately before applying them widely within your organization; a pilot group of servers is the usual compromise.
Follow the principle of least privilege. Give users and service accounts the lowest permission levels required to complete their necessary tasks. This limits the impact of any malware that runs with those credentials, and limits users' ability to accidentally delete data or modify critical operating system settings.
Restrict administrator console logon. Logging on locally at a console is a greater risk to a server than administering it remotely, because some malware can only infect a computer through an interactive user session at the desktop, and any credential typed at a server is exposed to whatever is already running there. If you allow administrators to use Remote Desktop Connection for server administration, ensure that enhanced security features such as User Account Control and Network Level Authentication are enabled.
Restrict physical access. If someone has physical access to your servers, that person has virtually unlimited access to the data on that server. An unauthorized person could use a wide variety of tools to quickly reset the password on local administrator accounts and gain local access, or use a USB drive to introduce malware. BitLocker Drive Encryption on server volumes limits what such offline attacks can reach.

2. Describe Security Compliance Manager (SCM).

The Security Compliance Manager (SCM) is a free tool from the Microsoft Solution Accelerators team that enables you to quickly configure and manage the computers in your environment and your private cloud using Group Policy and Microsoft System Center Configuration Manager.
SCM provides ready-to-deploy policies and Desired Configuration Management (DCM) configuration packs based on Microsoft security guide recommendations and industry best practices, allowing you to manage configuration drift and address compliance requirements for Windows operating systems, Office applications, and other Microsoft applications.
With SCM you can configure computers running Windows Server 2012, Windows 8, Microsoft Office applications, and Windows Internet Explorer 10 using Microsoft's published baselines and supported tools.

Features:
Baselines based on Microsoft security guide recommendations and industry best practices. These baselines are designed to help you manage configuration drift, address compliance requirements, and reduce security threats.
Centralized security baseline management features. These include a baseline portfolio, customization capabilities, and security baseline export flexibility (GPO backup, DCM pack, SCAP and Excel) to accelerate your organization's ability to manage the security and compliance process for the most widely used Microsoft technologies.
Gold master support. Import your existing Group Policy to take advantage of it, or create a snapshot of a reference machine to kick-start your project.
Standalone machine configuration. Deploy your configurations to non-domain-joined computers using the GPOPack feature.
Updated security guides. Take advantage of the deep security expertise and best practices in the updated security guides and the attack surface reference workbooks to help reduce the most important security risks for your organization.
Comparisons against industry best practices. Analyze your configurations against prebuilt baselines for the latest Windows client and server operating systems.

Note: Microsoft retired SCM in 2017. Current baselines are published in the Security Compliance Toolkit (SCT) as GPO backups, together with LGPO.exe for applying them to standalone machines and Policy Analyzer for comparing a machine's configuration against a baseline; the workflow above (start from a Microsoft baseline, customize, deploy by GPO, compare for drift) otherwise still applies.

3. Describe the purpose of AppLocker.

AppLocker, which was introduced in the Windows 7 operating system and Windows Server 2008 R2, is a security setting feature that controls which applications users are allowed to run. AppLocker provides administrators with a variety of methods (publisher, path and file hash rules) for determining quickly and concisely the identity of applications they want to restrict, or to which they want to permit access.
You apply AppLocker through Group Policy to computer objects within an OU. Individual AppLocker rules can additionally be scoped to specific AD DS users or groups, so one policy can allow a tool for one department and block it for everyone else. AppLocker also contains options for monitoring or auditing the application of rules (audit-only enforcement), so you can see what would have been blocked before you enforce. AppLocker can help organizations prevent unlicensed or malicious software from executing, and can selectively restrict ActiveX controls from being installed.
It can also reduce the total cost of ownership by ensuring that workstations are standardized across the enterprise, and that users are running only the software and applications that are approved by the enterprise. Using AppLocker technology, companies can reduce administrative overhead and help administrators control how users

You can use AppLocker to restrict software that:
Is not allowed to be used in the company. For example, software that can disrupt employees' business productivity, such as social networking software, or software that streams video files or pictures and can use large amounts of network bandwidth and disk space.
Is no longer used or has been replaced with a newer version. For example, software that is no longer maintained, or for which licenses have expired.
Is no longer supported in the company. Software that is not updated with security updates might pose a security risk.
Should be used only by specific departments.

You configure AppLocker settings by browsing in GPMC to: Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies. The rules are evaluated by the Application Identity service (AppIDSvc), which must be running on the client for AppLocker to have any effect.
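Added PowerShell example, not part of the original notes. It builds an AppLocker policy the way the notes describe: inventory the software on a reference machine, generate publisher and hash rules, switch the policy to audit-only so it reports rather than blocks, import it into a GPO, and dry-run a specific file for a specific user. The GPO name, the test file path and the test user are assumptions; it needs the RSAT GroupPolicy module and an elevated session.

```powershell
# Added example, not part of the original notes. Generates an audit-only
# AppLocker policy from a reference machine, imports it into a GPO and tests a
# file against it. GPO name, test path and test user are assumptions.
Import-Module AppLocker, GroupPolicy

$gpoName   = 'AppLocker - Workstations'
$policyXml = Join-Path $env:TEMP 'applocker-audit.xml'

# 1. Inventory executables and generate rules: publisher rules for signed
#    files, hash rules for the rest; -Optimize merges redundant rules.
#    Including C:\Windows matters: AppLocker denies anything that matches no
#    allow rule, so a policy without rules for OS binaries makes the machine
#    unusable once enforced.
Get-ChildItem 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)' `
        -Recurse -Include *.exe -ErrorAction SilentlyContinue |
    Get-AppLockerFileInformation -ErrorAction SilentlyContinue |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyXml -Encoding UTF8

# 2. Force every rule collection to audit-only. In this mode AppLocker logs
#    event 8003 ("would have been blocked") to the
#    Microsoft-Windows-AppLocker/EXE and DLL log instead of denying execution.
$xml = [xml](Get-Content -Path $policyXml -Raw)
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) {
    $rc.EnforcementMode = 'AuditOnly'
}
$xml.Save($policyXml)

# 3. Import the policy into the GPO (its Path is the DN of the GPC).
#    Clients also need the Application Identity service running.
$gpo = Get-GPO -Name $gpoName
Set-AppLockerPolicy -XmlPolicy $policyXml -Ldap "LDAP://$($gpo.DomainName)/$($gpo.Path)"

# 4. Dry-run: what would this policy decide for one binary and one user?
Test-AppLockerPolicy -XmlPolicy $policyXml -Path 'C:\Users\Public\tool.exe' -User 'ADATUM\jdoe' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

After a week or two of 8003 events from the pilot OUs, change EnforcementMode to Enabled for the Exe collection first; Script, Msi and Dll collections are normally tightened afterwards, since Dll enforcement has the largest performance and compatibility impact.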

4. Describe Firewall Profiles.
Windows Firewall with Advanced Security uses firewall profiles to provide a consistent configuration for networks of a specific type, and allows you to classify a network as either a domain network, a public network, or a private network. With Windows Firewall with Advanced Security, you can define a configuration set for each type of network; each configuration set is referred to as a firewall profile. Firewall rules are activated only for the profiles they are assigned to.

Windows Firewall with Advanced Security includes three profiles:
Domain. Applied to a network adapter when the computer can authenticate to a domain controller for the domain it is joined to.
Private. Applied to networks that an administrator or user has identified as private, such as a home or small office network behind a gateway.
Public. Applied to all other networks; this is the default for new, unidentified networks and should be the most restrictive profile.

Windows Server 2012 allows multiple firewall profiles to be active on a server simultaneously, one per network adapter. This means that a multihomed server that is connected to both the internal network and the perimeter network can apply the domain firewall profile to the internal network, and the public or private firewall profile to the perimeter network.

5. Describe connection security rules.
A connection security rule forces authentication between two peer computers before they can establish a connection and transmit information. The rule can also protect that traffic: IPsec always adds integrity protection to the authenticated traffic, and can optionally encrypt the data transmitted between the computers. Windows Firewall with Advanced Security uses IPsec to enforce these rules. The configurable connection security rule types are:
Isolation. An isolation rule isolates computers by restricting connections based on credentials such as domain membership or health status. Isolation rules allow you to implement an isolation strategy for servers or domains.
Authentication Exemption. You can use an authentication exemption to designate connections that do not require authentication. You can designate computers by a specific IP address, an IP address range, a subnet, or a predefined group such as the default gateway or DNS servers.
Server-to-Server. A server-to-server rule protects connections between specific computers. This type of rule usually protects connections between servers. When creating the rule, specify the network endpoints between which communications are protected, then designate the requirements and the authentication method that you want to use.
Tunnel. With a tunnel rule, you can protect connections between gateway computers. Typically, you would use a tunnel rule when connecting across the Internet between two security gateways.
Custom. Use a custom rule to authenticate connections between two endpoints when you cannot set up the authentication rules that you need by using the other rule types available in the New Connection Security Rule Wizard.

How Firewall Rules and Connection Security Rules Work Together
Firewall rules allow traffic through the firewall, but do not secure that traffic. To secure traffic with IPsec, you create connection security rules. However, connection security rules do not allow traffic through a firewall; you must create a firewall rule to do this. Connection security rules are not applied to programs and services; instead, they are applied between the computers that make up the two endpoints. A firewall rule can in turn require that the connection was authenticated by IPsec (the "Allow the connection if it is secure" option) and can restrict it to specific remote computers or users. This is how the two rule types combine into an access control that a spoofed source IP address cannot bypass, because the identity checked is the peer's Kerberos or certificate identity rather than its address.
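Added PowerShell example, not part of the original notes. It ties questions 4 and 5 together: harden all three firewall profiles, create an isolation-type connection security rule that requires Kerberos computer authentication on the domain profile, and then add the firewall rule that actually opens SMB, restricted to IPsec-authenticated peers. Rule names are assumptions; run it elevated on Windows Server 2012 or later, where the NetSecurity module is available.

```powershell
# Added example, not part of the original notes. Configures the three firewall
# profiles, an isolation connection security rule, and a firewall rule that only
# admits IPsec-authenticated connections. Rule names are assumptions.
Import-Module NetSecurity

# Profiles: enabled everywhere, block unsolicited inbound, allow outbound, and
# log dropped packets so blocked traffic can be investigated later.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogMaxSizeKilobytes 16384 `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Which profile each adapter currently has (a multihomed host shows several).
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

# Connection security rule (isolation type): authenticate peers with the
# computer's Kerberos identity. Inbound: required, so an unauthenticated peer
# cannot complete the connection. Outbound: requested, so this host can still
# reach systems that do not do IPsec. This rule opens no ports by itself.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Kerberos computer auth' -Proposal $proposal
New-NetIPsecRule -DisplayName 'Domain isolation' -Profile Domain `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name

# Firewall rule: allow SMB inbound on the domain profile, but only for
# connections the IPsec rule above has authenticated. Without this rule the
# default inbound action (Block) still drops TCP 445 even after authentication;
# without the IPsec rule, -Authentication Required would never be satisfied.
New-NetFirewallRule -DisplayName 'SMB in (IPsec-authenticated only)' `
    -Direction Inbound -Protocol TCP -LocalPort 445 -Profile Domain `
    -Action Allow -Authentication Required

# Verify: established main-mode security associations show which peers
# actually authenticated.
Get-NetIPsecMainModeSA | Format-List LocalEndpoint, RemoteEndpoint
```

Test from a domain member and from a non-domain machine on the same subnet: the first connects to the share after a main-mode SA appears, the second is dropped and shows up in pfirewall.log, which is the behaviour the notes describe as the two rule types working together.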
