
Configuring Security Policies Using Group Policy

Instructors should do the following:

Explain that Group Policy is used for centralized management of security settings.

Point out that security settings govern:

How users and computers are authenticated to the network

How resources are allocated

Group membership policies

How user and group activities are recorded in event logs

Point out that the security settings applied in the policies node include public key policies and software restriction policies.

Explain that account policies dictate how a user interacts with a computer or a domain.

Explain that fine-grained password policies (FGPP) can be used to override the domain-wide policy and can be applied to multiple users and computers or groups.

Point out that the three subcategories found within account policies for security settings are:

Password policies

Account lockout policies

Kerberos policies

Demonstrate how to define a domain-wide account policy using Group Policy Management Console.

Demonstrate how to configure a domain-wide account lock-out policy using Group Policy Management Console.

Point out that in order to enable FGPP, the Password Settings Object (PSO) must be configured.

Explain that one or more PSOs may be created within a domain.
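To make the PSO steps concrete for students, the following PowerShell script is an added example (not part of the lesson text): it creates one PSO, links it to a group, and then reads back the resultant policy for a user so the class can see that the PSO, not the domain default, now applies. It assumes the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 and later) and a domain functional level of Windows Server 2008; the names "PSO-PrivilegedUsers", "Domain Admins" and "jdoe" are placeholders.

```powershell
# Added example (not from the lesson): create a fine-grained password policy
# and verify which policy actually wins for a user.
# Assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 and
# later) and a Windows Server 2008 domain functional level.
# "PSO-PrivilegedUsers", "Domain Admins" and "jdoe" are placeholder names.
Import-Module ActiveDirectory

# Domain-wide baseline from the Default Domain Policy, shown for comparison.
Get-ADDefaultDomainPasswordPolicy

# A PSO with a stricter policy for privileged accounts. When a user falls
# under more than one PSO, the one with the LOWEST Precedence value wins.
New-ADFineGrainedPasswordPolicy -Name "PSO-PrivilegedUsers" `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge "1.00:00:00" `
    -MaxPasswordAge "42.00:00:00" `
    -LockoutThreshold 5 `
    -LockoutDuration "00:30:00" `
    -LockoutObservationWindow "00:30:00" `
    -ReversibleEncryptionEnabled $false

# Link the PSO to a global security group (users can also be linked directly).
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-PrivilegedUsers" -Subjects "Domain Admins"

# Check the resultant policy for one account. If no PSO applies to the user,
# this returns nothing and the domain default policy is in effect.
Get-ADUserResultantPasswordPolicy -Identity "jdoe"

# Accounts locked out under the new threshold can be listed for follow-up.
Search-ADAccount -LockedOut | Select-Object Name, LastLogonDate
```

A useful classroom check is to run Get-ADUserResultantPasswordPolicy for a member of the group and for a non-member: the first shows the PSO settings, the second shows nothing, which demonstrates that the PSO overrides the domain policy only for its subjects.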

Explain that in domain accounts, the Kerberos policy allows settings to be configured for Active Directory authentication functions.

Point out that Kerberos is the default mechanism for authenticating domain users in Windows Server 2008.

Demonstrate how to configure the Kerberos policy using Group Policy Management Console.

Planning and Configuring Other Policies

Instructors should do the following:

Explain that local policies allow administrators to set user privileges on the local computer that govern what users can do on that computer.

Explain that auditing allows administrators to track events that take place on a local computer and is an important part of monitoring and managing activities.

Point out that local policy settings in GPOs have three subcategories:

User rights assignment

Security options

Audit policy

Explain that user rights assignment is extensive and includes settings for items that pertain to rights needed by users to perform system-related tasks.

Explain that the security options category includes security settings related to interactive logon, digital signing of data, restrictions of access to some storage devices, unsigned driver installation behavior, and logon dialog box behavior.

Discuss that an audit policy allows administrators to log both successful and failed security events.

Explain that auditing is used to track user activities and system activities.

Point out the following guidelines to help in planning an audit policy:

Audit only pertinent items

Archive security logs to provide a documented history

Configure the size of your security logs carefully

Explain that security logs can be configured to monitor the following:

System errors

Policy change events

Account management events

Logon events

Account logon events

Point out that configuring objects for auditing is necessary when either Audit Directory Service Access or Audit Object Access has been configured.

Demonstrate how to configure an audit policy using Group Policy Management Console.

Demonstrate how to configure an Active Directory object for auditing using the Active Directory Users and Computers snap-in.

Demonstrate how to configure files and folders for auditing using Windows Explorer properties.
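The following PowerShell script is an added example (not part of the lesson text) that ties the audit steps above together: it checks that the Audit Object Access policy is in effect, adds an audit entry (SACL) to a folder, sizes the Security log deliberately, and reads back the resulting events. It assumes PowerShell 2.0 or later on Windows Server 2008 R2; the path C:\Shares\Finance is a placeholder.

```powershell
# Added example (not from the lesson): enable object-access auditing on a
# folder, confirm the audit policy is in effect, size the Security log, and
# read back the resulting events. Assumes PowerShell 2.0 or later on Windows
# Server 2008 R2; C:\Shares\Finance is a placeholder path.
$path = "C:\Shares\Finance"

# 1. The Audit Object Access policy (set through Group Policy) must be on;
#    otherwise SACLs on files and folders produce no events at all.
#    Read the effective setting, including its subcategories.
auditpol /get /category:"Object Access"

# 2. Add a SACL entry: log FAILED attempts to write or delete, inherited by
#    all subfolders and files. Writing audit rules with Set-Acl requires the
#    "Manage auditing and security log" user right.
$acl = Get-Acl -Path $path -Audit
$rights = [System.Security.AccessControl.FileSystemRights]"Write, Delete"
$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags = [System.Security.AccessControl.AuditFlags]::Failure
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    "Everyone", $rights, $inherit, $propagate, $flags)
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Show the SACL as written, so the class can compare it with the
# Auditing tab in the folder's Properties dialog.
(Get-Acl -Path $path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# 3. Size the Security log deliberately (the lesson's "configure the size of
#    your security logs carefully") so audit records are not silently lost.
Limit-EventLog -LogName Security -MaximumSize 512MB -OverflowAction OverwriteOlder -RetentionDays 30

# 4. Read back object-access events. Event ID 4663 is "An attempt was made
#    to access an object"; filter to the audited path.
Get-WinEvent -FilterHashtable @{LogName = "Security"; Id = 4663} -MaxEvents 50 |
    Where-Object { $_.Message -match [regex]::Escape($path) } |
    Select-Object TimeCreated, Id, Message
```

Auditing only failures on Everyone, as here, follows the "audit only pertinent items" guideline: success auditing on a busy share fills the log quickly, and a full log either overwrites older records or, with DoNotOverwrite, stops recording, which is why log size and retention are chosen together with the policy.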

Point out that customizing event log policies allows administrators to configure settings that control each log.

Demonstrate how to customize event log policies using the Administrative Tools Event Viewer window.

Explain that restricted group settings allow the administrator to specify the group membership list.

Explain that the system services category is used to configure the startup and security settings for services running on a computer.

Explain that folder redirection is applied to a group policy folder that is located within the User Configuration node of a Group Policy.

Demonstrate how to configure folder redirection by creating a Group Policy Object.

Explain that configuring offline files is a separate Group Policy category that can allow files to be available to users even when not connected to the Internet.

Explain that disk quotas are set to limit the amount of space available on a server for user data.

Demonstrate how to configure disk quotas through the local disk properties.

Demonstrate how to configure disk quotas using Group Policy.

Point out that the following are types of refresh policies:

Computer configuration Group Policy refresh interval

Domain controllers Group Policy refresh interval

User configuration Group Policy refresh interval

Explain that manually refreshing Group Policy is used when modified settings need to be applied immediately.

Demonstrate how to optimize Group Policy processing using the Group Policy Management Console.
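To show the difference between waiting for the background refresh interval and applying a change immediately, the following PowerShell session is an added example (not part of the lesson text). It assumes Windows Server 2008 or later with PowerShell 2.0 available for the last command; the built-in gpupdate and gpresult tools do the actual work.

```powershell
# Added example (not from the lesson): force an immediate Group Policy refresh
# after editing a GPO and confirm which GPOs and settings were applied.
# Assumes Windows Server 2008 or later; Get-WinEvent needs PowerShell 2.0.

# Refresh both computer and user settings now instead of waiting for the
# background interval. /force reapplies every setting even if the GPO has
# not changed, which is what you want after editing a security setting.
gpupdate /force

# Only the computer side, e.g. after changing an audit or account policy.
# Note: security settings are reapplied on their own 16-hour cycle even when
# the GPO version is unchanged; /force just does it right away.
gpupdate /target:computer /force

# Summary of applied (and denied) GPOs for this machine's computer scope.
gpresult /scope:computer /r

# Full Resultant Set of Policy report as HTML, for review or for comparison
# against a known-good baseline.
gpresult /scope:computer /h "$env:TEMP\rsop-computer.html"

# The Group Policy operational log records each refresh, its trigger and
# any errors, which is where to look when a change does not seem to apply.
Get-WinEvent -LogName "Microsoft-Windows-GroupPolicy/Operational" -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message
```

The refresh intervals themselves (computer, domain controller and user) remain Group Policy settings under Administrative Templates, System, Group Policy; the commands above do not change them, they only trigger one refresh and show its result.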

Lesson Quiz

True/False

1. In Windows Server 2008, only a single password policy can be set at the domain level.

2. Audit policies can be configured under local policies to control settings for the Event Log on a computer.

3. Restricted groups can be used to remove users from groups to which they were added using Active Directory Users and Computers.

4. Group Policy can be configured to make user files stored on a network share available when the network connection is down by configuring the File Caching Group Policy option.

5. Windows Server 2008 supports Disk Quota configuration on the NTFS and FAT file systems.

Multiple Choice

1. Which of the following are the three Account Policy subcategory configuration options?

a) Password policies

b) Account lockout policies

c) Kerberos policies

d) Account security policies

2. To monitor successful logon attempts to a domain controller, you should configure Group Policy to manage which type of events?

a) System events

b) Domain logon events

c) Account logon events

d) Logon events

3. System Services can be configured with all of the following startup options except:

a) Enabled

b) Automatic

c) Manual

d) Disabled

4. Folder redirection can be used to redirect the contents of a folder to a network location using group policy. What are the three configuration options for folder redirections?

a) Basic—Redirect Everyone’s folder to the same location

b) Advanced—Specify location for various users

c) Advanced—Specify location for various user groups

d) Not Configured

5. Domain Controller Group Policy settings will refresh by default every ________ minutes.

a) 90

b) 5

c) 2

d) 15

Quiz Answers

True/False

1. False. Windows Server 2008 supports fine-grained password policies, allowing multiple password policies in a single domain.

2. True.

3. True.

4. False. You would need to configure the Offline Files Group Policy settings.

5. False. Disk Quota configuration supports the NTFS file system only.

Multiple Choice

1. A, B, C

2. D

3. D

4. B, C, D

5. C

Class Projects

Lesson 8—Exercise 1

List and explain the options available for configuring disk quotas using Group Policy.

Lesson 8—Project 1

Explain what settings can be configured under the Account Policy Settings area. How do these options differ from the settings that were available in Windows Server 2003?

Microsoft Video Resources

Windows Server 2008 Read-Only Domain Controllers—Password Replication Policies

Read-only domain controllers (RODCs) are a new feature in Windows Server 2008, allowing domain controllers to be deployed in locations where security might otherwise be a concern (e.g., branch offices). This video takes a look at the password replication policies that are used to control credentials stored on RODCs.

Length: 4:58

Securing Branch Office User Accounts

Show the class the information in this video and explain that the video demonstrates how you can place a domain controller in a branch office, and take measures to make branch office accounts more secure. The demo uses a combination of BitLocker, RODC, fine-grained password policies using a tool from Special Operations Software, and admin role separation to achieve this goal.

Length: 12:08

Lesson 9: Software Installation