Group Policy Management Console White Paper

COMP3371 SESSION 6: CONTROLLING WINDOWS DESKTOP SECURITY WITH LOCAL and GROUP POLICY TEMPLATES

Exercise 6(a): Registry

As you’ll have seen from previous lectures, the Windows registry is the key to local security.

The Registry is stored as a number of files that can be viewed using a simple software tool that is part of Windows, but only accessible via CLI

1. Log on to the network… you have to do this, of course, but it means that some of the memory will be overwritten. Take a look now by invoking the regedit.exe tool from the command prompt.

1. Note that the viewable registry is made up of five components, or hives.There are five hives.

HKEY_CLASSES_ROOT

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_USERS

HKEY_CURRENT_CONFIG

Click on any of the hives to open it up…

1. Most of these hives are generated from files within registry. Take a look now atC:\windows\system32\config. You may find that even read access is restricted by the university’s admin staff, but you will have access to the registry on your own device

In fact, there are sixregistry files (no file extensions) in this folder. They allcorrespond to subhives in the LOCAL_MACHINEregistry hive:

Try opening each of these subhives in turn. Note that two subhives (Sam, Security) cannot be viewed. SAM = security accounts manager, in case you had forgotten from week 1! Why do you think these files can’t be opened?

To remind you: revisit prac1, and download the relevant video files, as you did before. Run the video again…

1. Before a user logs on, the registry files will have already been copied into memory.

When you log on locally, it will overwrite settings using the local policy file.

When a user logs onto a Windows network, the copy of their computer’s registry in memory is partially overwritten by the policy files.

If you were able to log on locally, and separately logon on to the network you’d notice the differences.(PTO)

However, regedit is still very useful to identify differences between locally provided settings and settings that have been set through the various group policies.

1. Now… Double click on any key to get subkey values… notice this is hierarchical.

Find out the settings that run automatically as the logon completes – from LOCAL-MACHINE, go to software… Microsoft… Windows… Current Version… Run)

As a matter of interest, Windows networks themselves can be complex. The order of application of Windows network policies to the local registry area is:

• local policy (settings into copy of registry already residing in memory)
• site level policies (if they exist… if it is an enterprise network made up of a number of domains), added in the administratively specified order.
• domain level group policies, again in the specified order.
• group policies associated with the organizational units within a domain. If a single organizational unit contains multiple group policies, the policies are applied in an administratively specified order.

Exercise 6(b): Starting up MMC & Installing the “Security Configuration and Analysis” and “Security Templates” Snap-ins

Local policiescan be managed on an “end-point” computer using Microsoft Management Console (MMC)

MMC does not itself perform Windows network administrative functions, but it does host many “snap-in” tools that do, by means of what are called console files. It provides a wizard for accessing the various snap-ins which control Windows registry settings, including Security features. It also provides access to templates for configuring/controlling all aspects of machine security policy and group security policy. With Windows 8.1 and 10, version 3.0 was released.

Two modes of operation:

user mode - working with existing MMC consoles to administer a system

author mode - creating new consoles or modifying existing MMC consoles.

In the exercise that follows, as a local user you will be able to “author” a new user console on the local machine than can be saved as a policy file.

1. Download and (if the system allows you…) install the security administrative templates to work with MMC from:

1. If you can’t install the templates don’t worry… there are plenty of other templates buried within Windows 10 ( path C:\windows\INF )

1. Login.

1. MMC could be accessed from the desktop… however in this case, use the command line…

Type MMC and press ENTER. The MMC window will appear.

1. The main MMC window has a default name console1. On the console menu, click File, and thenAdd/Remove Snap-in. A new dialogue box should open.

1. Click on Security Configuration and Analysis, and click on Add.

1. Repeat to AddSecurity Templates. However, the security templates default folder path is wrong! Change it to the one where you downloaded the new templates to – or to the folder where the existing ones are buried. Delete the old path.

1. Click Finish, Close, and then OK, to remove any open dialogue boxes, but keep the main window open.

1. Now save your MMC console, by clicking File/Save As,noting the folder it will be saved toby default, and save it with a suitable name (the suffix will be added automatically).

1. Right click on the security configuration and analysis snap in, and use Open Database feature to create a database (give it a name… e.g. SecurityTools).

1. When it saves, the suffix will be .sdb but don’t try to save yet. Associate a policy templatewith it (choosedefltbse.inf for now…).

If the file will not import, there is again a permissions problem – try it all again on your own computer instead. When you do save successfully, the sdb suffix is added automatically.

1. Now right click on the security configuration and analysis snap in and click on “analyse computer now”, to get a full run down of the current settings in registry– which make up the “local policy” (i.e. settings for the local machine).

1. Select local policies look at the options in each of the three categories. Plenty of options available… are they all appropriately set?

1. Next, select security settings, and linger a little longer than on “local policies”. You should now be presented with a particularly large number of settings that control security aspects of local policy. Note that each setting can be set to enabled, disabled, or not configured.

The “local machine” settings (copied into registry and held there from boot up onwards) interact with group policy security settings after domain logon to provide a security profile that is appropriate for that group of users.

Exercise 6(c): Creating a Policy from a Template

A group policy is particularly useful when it is applied at domain level, to provide local control of settings whenever a user logs on based on the group(s) they belong to. Group policies don’t just stop at the domain level, but can apply right across a domain tree.

The Group Policy Object Editor is divided into two basic sections, Computer Configuration and User Configuration.

Computer configuration settings such as audit policy, (all) user rights assignments, and security options) are associated with the local policy object

User Configuration relates to the settings that relate directly to user desktop settings.

1. Open the MMC console file again that you saved in the last exercise.

1. Use File menu to access snap-ins, and this time try to add Group Policy Object Editor. Note that “Group Policy” is referring to the Local Computer. Nevertheless, what follows is a useful exercise… [Note: If the system refuses, it is because you don’t have administrator access, and you’ll need to use your own Windows 10 device.]

1. All three “snap ins” should now be visible in the add/remove snap in window. Now let’s take a look at that existing local policy…

For a start, do a bit of exploring to find out where the security settings you looked at in the last exercise through the analysis tool are actually stored.

Now double-click on the local policy itself: note the two types of settings, user configuration and computer configuration. This format is standard.

1. Double click on security templates… Now double click again to look again at the massive list of pre-prepared templates. Look at the contents of defltbse.inf. In particular, look at the three categories in “account policies” and “local policies”. Also, note that “system services” contains settings for all of the Windows programs offered as “services”, which may currently be “undefined”. Same format for presentation of results in fact as in the previous exercise.

1. As you can see, the template file is just a configuration file containing lots of settings, rather like a registry file. The settings are divided into a series of sub-groups (e.g. account policy, local policies, event log, restricted groups…), and provide the basis of a security policy for users and groups of users.

Double-click as necessary to look closely at all the settings.

1. Now repeat 3 with a different template file. Can you see how the template file name relates to its function?

1. Working with a partner, spend some time discussing the appropriateness of each of these settings for users on a typical medium-security network connected to the Internet. A print out of some settings is available, and might be helpful to you, but if a setting is not currently defined, it will not be displayed at all.

1. Make a note of the agreed settings you would wish to impose on users as a local policy. Be prepared to defend such changes in a discussion… Now change the settings on one of the templates, and resave it with a different name. You can save your template file to a USB stick if you wish. Notice that local policy is saved with settings in the same two sections: user configuration & computer configuration.

Exercise 6(d) Group Policy

Templates (policy files) can also be applied via the network when the user logs on.

An easy-to-use tool is available to manage group policy, and the combined effect of multiple group policy files. This is called gpmc. It is downloadable. If interested google the name and take a look. However, group policies are only applied to domain controllers, not end-point devices.

1 RCH1