  • Windows Server® 2008 Security Guide Security Compliance Management Toolkit Version 1

    Recommended GPOs


    Implementing the OU design described above requires at least the following GPOs:

    • A policy for the domain.

    • A policy to provide the baseline security settings for all domain controllers.

    • A policy to provide the baseline security settings for all member servers.

    • A policy for each server role in your organization.

    • A policy for the Windows 7 Users OU.

    • A policy for the Desktop OU.

    • A policy for the Laptop OU.

    The following figure expands on the preliminary OU structure to show the linkage between these GPOs and the OU design.



    Figure 1.3 Example OU structure and GPO links for computers running Windows 7 and Windows Server 2008

    While the guide you are reading only covers a single product from Microsoft, the previous figure illustrates an environment that combines recommendations from the following security guides available in the Security Compliance Management Toolkit Series:



    • Windows Server 2008 Security Guide

    • Windows 7 Security Guide

    • 2007 Microsoft Office Security Guide

    • Internet Explorer 8.0 Security Guide

    Presumably your network is running multiple versions of the Windows operating system and perhaps 2007 Office or Internet Explorer 8. The combined example in the previous figure presents a notional AD DS design for OUs and Group Policy objects (GPOs). You will need to design your own OU hierarchy and Group Policy to fit the versions of Windows deployed in your environment, as well as settings for Microsoft Office or Internet Explorer as needed.

    In the example in the previous figure, laptop computers are members of the Laptop OU. The first policy that is applied is the local security policy on the laptop computers. Because there is only one site in this example, no GPO is applied at the site level, which leaves the Domain GPO as the next policy that is applied. Finally, the Laptop GPO is applied.

    Also in this figure, a File server is a member of the File Server OU. The first policy that is applied to the server is the local security policy. However, in general, little if any configuration of the servers is done by local policy. Security policies and settings should always be enforced by Group Policy.

    Because there is only one site in this example, no GPOs are applied at the site level, which leaves the Domain GPO as the next policy that is applied to the servers. The Windows Server 2008 EC Baseline Policy is then applied to the Member Servers OU. Finally, any specific policies for the Web servers in the environment are applied to the Web Server OU.

    As a precedence example, consider a scenario in which the policy setting for Allow logon through Terminal Services is set to apply to the following OUs and user groups:


    • Member Servers OU – Administrators group

    • Web Server OU – Remote Desktop Users and Administrators groups

    In this example, logon through Terminal Services has been restricted to the Administrators group for servers in the Member Servers OU. However, a user whose account is in the Remote Desktop Users group can log on to a File server through Terminal Services because the File Servers OU is a child of the Member Servers OU and the child policy takes precedence.

    If you enable the Enforced policy option in the GPO link for the Member Servers OU, only users with accounts in the Administrators group can log on to the File server computer through Terminal Services. This is because the Enforced option prevents the child OU policy from overriding the policy applied earlier in the process.
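    The precedence rule above can be checked rather than assumed. The following PowerShell is an added example, not part of the guide: it uses the GroupPolicy module (Get-GPInheritance, Set-GPLink; shipped with later Windows Server versions and RSAT, which this guide predates) to verify that the member-server baseline link is enforced and to list the GPOs a child OU actually inherits in precedence order. The OU distinguished names, the domain and the GPO display name are constructed placeholders.

```powershell
# Added example (not from the Windows Server 2008 Security Guide).
# Assumes the GroupPolicy module is available and the caller can read/modify GPO links.
Import-Module GroupPolicy

function Get-BaselineLinkState {
    param(
        [Parameter(Mandatory)][string]$ParentOu,      # e.g. 'OU=Member Servers,DC=contoso,DC=com' (placeholder)
        [Parameter(Mandatory)][string]$BaselineName   # display name of the baseline GPO (placeholder)
    )
    # GpoLinks holds only the links made directly on this OU.
    $link = (Get-GPInheritance -Target $ParentOu).GpoLinks |
        Where-Object { $_.DisplayName -eq $BaselineName }
    if (-not $link) { throw "GPO '$BaselineName' is not linked to $ParentOu" }
    [pscustomobject]@{
        DisplayName = $link.DisplayName
        Enabled     = $link.Enabled
        Enforced    = $link.Enforced   # $false means a child OU link can override these settings
        Order       = $link.Order
    }
}

function Show-EffectiveLinkOrder {
    param([Parameter(Mandatory)][string]$ChildOu)
    # InheritedGpoLinks lists every GPO that applies to the OU in precedence order
    # (Order 1 is processed last and therefore wins); enforced parent links sort
    # above links made on the child OU itself.
    (Get-GPInheritance -Target $ChildOu).InheritedGpoLinks |
        Select-Object Order, DisplayName, Enforced, Enabled, Target
}

# Usage with constructed names: enforce the baseline if it is not already, then
# show what the File Servers OU really inherits.
$parent   = 'OU=Member Servers,DC=contoso,DC=com'
$child    = 'OU=File Servers,OU=Member Servers,DC=contoso,DC=com'
$baseline = 'WS08 EC Member Server Baseline'

$state = Get-BaselineLinkState -ParentOu $parent -BaselineName $baseline
if (-not $state.Enforced) {
    Set-GPLink -Name $baseline -Target $parent -Enforced Yes
}
Show-EffectiveLinkOrder -ChildOu $child | Format-Table -AutoSize
```

    Running Show-EffectiveLinkOrder before and after the Set-GPLink call makes the effect of the Enforced option visible: the baseline link moves ahead of the child OU's own links, so a user right such as Allow logon through Terminal Services can no longer be widened at the File Servers level.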


    Using a GPO Created with the Security Compliance Manager Tool


    The specific setting recommendations presented in this guide are available as pre-built baselines in the SCM tool. You can use these baselines created by Microsoft "as is"; however, most organizations will require some customization. When a baseline reflects your organization’s requirements, use the SCM tool to generate a GPO backup file. For more information about using the SCM tool, review the information available in the Help Topics for the tool. You can then use the Group Policy Management Console (GPMC) to import the settings from the backed-up GPOs into your AD DS domain.

    To import policy settings from a backed-up GPO into a GPO

    1. In the GPMC console tree, expand Group Policy Objects in the forest and domain containing the GPO into which you want to import policy settings.

    2. Right-click the GPO into which you want to import policy settings, and then click Import Settings.

    3. When the Import Settings Wizard opens, follow the instructions in the wizard, and then click Finish.

    4. After the import operation completes, a summary will state whether the import succeeded. Click OK.

    Using migration tables


    Because some data in a GPO is domain-specific and might not be valid when copied directly to another domain, the GPMC provides migration tables. A migration table is a simple table that specifies a mapping between a source value and a destination value.

    A migration table converts, during the copy or import operation, the references in a GPO to new references that will work in the target domain. You can use migration tables to update security principals and UNC paths to new values as part of the import or copy operation. Migration tables are stored with the file name extension .migtable, and are actually XML files. You do not need to know XML to create or edit migration tables; the GPMC provides the Migration Table Editor (MTE) for manipulating migration tables.

    A migration table consists of one or more mapping entries. Each mapping entry consists of a source type, source reference, and destination reference. If you specify a migration table when performing an import or copy operation, each reference to the source entry is replaced with the destination entry when the policy settings are written into the destination GPO. Before you use a migration table, ensure that the destination references specified in the migration table already exist.
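    The import procedure above and the mapping entries just described can be combined in one script. The following PowerShell is an added example, not part of the guide or of the SCM tool: it parses a .migtable file, checks that every explicit destination (security principal or UNC path) already exists, as the preceding paragraph requires, and only then imports the backed-up GPO with Import-GPO, the scripted equivalent of the GPMC Import Settings Wizard. Assumptions: the GroupPolicy module is available; the XML element names (MigrationTable, Mapping, Type, Source, Destination, DestinationSameAsSource, DestinationNone, DestinationByRelativeName) and namespace are those written by the MTE; the embedded sample table, the domain names, group, server and backup names are constructed placeholders.

```powershell
# Added example (not from the Windows Server 2008 Security Guide).
Import-Module GroupPolicy

# Constructed sample of what the Migration Table Editor writes for three mappings.
# In practice, load an existing .migtable file instead of this string.
$sampleMigTable = @'
<MigrationTable xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">
  <Mapping>
    <Type>GlobalGroup</Type>
    <Source>SOURCEDOM\Web Admins</Source>
    <Destination>TARGETDOM\Web Admins</Destination>
  </Mapping>
  <Mapping>
    <Type>User</Type>
    <Source>SOURCEDOM\svc-backup</Source>
    <DestinationSameAsSource />
  </Mapping>
  <Mapping>
    <Type>UNCPath</Type>
    <Source>\\srcfs01\scripts</Source>
    <Destination>\\dstfs01\scripts</Destination>
  </Mapping>
</MigrationTable>
'@

function Test-MigrationTableDestinations {
    # Returns a list of problems; an empty list means every explicit destination resolves.
    param([Parameter(Mandatory)][xml]$Table)

    $problems = @()
    foreach ($m in $Table.MigrationTable.Mapping) {
        # Each mapping carries exactly one Destination* element; only an explicit
        # <Destination> needs checking (same-as-source, none and by-relative-name do not).
        $destNode = $m.ChildNodes | Where-Object { $_.LocalName -like 'Destination*' } | Select-Object -First 1
        if ($destNode.LocalName -ne 'Destination') { continue }
        $dest = $destNode.InnerText

        if ($m.Type -eq 'UNCPath') {
            # Servers in the source domain may be unreachable from here; the target share must exist.
            if (-not (Test-Path -LiteralPath $dest)) { $problems += "UNC path not reachable: $dest" }
        } else {
            # User, Computer, LocalGroup, GlobalGroup, UniversalGroup: resolve DOMAIN\name to a SID.
            try {
                $null = ([System.Security.Principal.NTAccount]$dest).Translate(
                    [System.Security.Principal.SecurityIdentifier])
            } catch {
                $problems += "Security principal not found: $dest ($($m.Type))"
            }
        }
    }
    return $problems
}

function Import-BaselineGpo {
    param(
        [Parameter(Mandatory)][string]$BackupPath,          # folder holding the SCM-generated GPO backup
        [Parameter(Mandatory)][string]$BackupGpoName,       # display name recorded in the backup
        [Parameter(Mandatory)][string]$TargetName,          # GPO in the destination domain to receive the settings
        [Parameter(Mandatory)][string]$MigrationTablePath   # .migtable to apply during the import
    )
    $table = [xml](Get-Content -LiteralPath $MigrationTablePath -Raw)
    $problems = Test-MigrationTableDestinations -Table $table
    if ($problems.Count -gt 0) {
        throw ("Migration table has unresolved destinations:`n" + ($problems -join "`n"))
    }
    # Scripted equivalent of the GPMC Import Settings Wizard. -CreateIfNeeded creates
    # the target GPO if it does not exist; the result object summarizes the import.
    Import-GPO -Path $BackupPath -BackupGpoName $BackupGpoName -TargetName $TargetName `
               -MigrationTable $MigrationTablePath -CreateIfNeeded
}

# Usage with constructed names: write the sample table, validate it, then import.
$migTablePath = Join-Path $env:TEMP 'ws08-ec-member-server.migtable'
$sampleMigTable | Set-Content -LiteralPath $migTablePath -Encoding Unicode
Import-BaselineGpo -BackupPath 'C:\SCM\GPOBackups' `
                   -BackupGpoName 'WS08 EC Member Server Baseline' `
                   -TargetName 'WS08 EC Member Server Baseline' `
                   -MigrationTablePath $migTablePath
```

    Failing closed when a destination does not resolve is the point of the check: Import-GPO would otherwise write a user rights assignment or restricted group entry that references an unresolvable principal, which is hard to spot in the imported GPO afterwards.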

    The following items can contain security principals and can be modified by using a migration table:



    • Security policy settings of the following types:

        • User rights assignments.

        • Restricted groups.

        • System services.

        • File system.

        • Registry.

    • Advanced folder redirection policy settings.

    • The GPO Discretionary Access Control List (DACL), if it is preserved during a copy operation.

    • The DACL on software installation objects, which is only preserved if the option to copy the GPO DACL is specified.

    Also, the following items can contain UNC paths, which might need to be updated to new values as part of the import or copy operation, because servers in the original domain might not be accessible from the domain to which the GPO is being migrated:

    • Folder redirection Group Policy settings.

    • Software installation Group Policy settings.

    • References to scripts, such as for logon and startup scripts, that are stored outside the source GPO. The script itself is not copied as part of the GPO copy or import operation, unless the script is stored inside the source GPO.

    For more information about using the GPMC to import settings, see the Group Policy Planning and Deployment Guide.

