Project On Group Policy Satpal

  • November 2019
HCL CAREER DEVELOPMENT CENTRE

PROJECT ON GROUP POLICIES

Under The Guidance Of: Md. Mohsinul Malik
Submitted By: Satpal (MCSE01) HCNA

ACKNOWLEDGEMENT

I would sincerely like to thank my instructor, Md. Mohsinul Malik, who has always been there to help me in carrying out this project, acting as the guiding spirit behind the compiling of this project and putting in a tremendous effort from his side to assist me as much as possible.

Satpal MCSA (HCNE01)

CONTENTS

1. Introduction of Group Policy
2. Creating An Effective Local Security Policy
3. How Group Policies Work
  • How To Use The Templates
  • Auditing The Computer
  • Building A Custom Template
  • Applying The Template
4. Password Policy

DESCRIPTION

Introduction of Group Policy

Every organization uses site, domain, or organizational unit (OU) Group Policies. In addition, we can use the Windows XP Security Configuration and Analysis snap-in to configure and enforce local group policies to make our XP workstations more secure.

We need to understand a few things about the way that group policies work. Group policies are hierarchical in nature. They are applied at various levels and are combined to form what’s known as the resultant set of policy. The hierarchy comes into play when a workstation connects to a network that utilizes Active Directory. When a user logs on, the local Windows XP group policy is applied. After that, additional group policies are applied at various levels of Active Directory. Group policies can be applied at the site, domain, and organizational unit level.

Each group policy contains identical group policy elements (settings). Most of the time, a group policy won’t even come close to using every available policy element. Even so, the potential exists for contradictory settings to occur. Windows resolves conflicts by using a “most recent policy wins” algorithm. For example, the final group policy to be applied in the hierarchy is the OU level policy. So if a policy element in the OU level group policy contradicts a policy element implemented at a lower level, the previous policy element will be overwritten by the policy element in the higher level group policy.

The local group policy is the first one applied at login, so elements within the local group policy are very likely to get overwritten by higher level group policy elements. Even so, it’s important to make sure your local group policies are strong, because there are situations in which higher level group policies may not be available. In these situations, the local group policy becomes the machine’s only line of defense. This situation would occur if a user logged in using a local user account rather than a domain account. It might also occur if a user attempted to log into a domain, but the domain controller could not be contacted. In either case, any group policies contained within Active Directory are unavailable and the local security policy forms the machine’s entire resultant set of policy.
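The following PowerShell is an added example, not part of the original project. It applies the "most recent policy wins" rule exactly as the text states it, first for a domain logon and then for the case where only the local policy is available; the layer contents are constructed for illustration.

```powershell
# Added example: resultant set of policy under the page's "most recent policy wins" rule.
# Layer names follow the text; the setting values are constructed.
function Get-ResultantPolicy {
    param([object[]]$Layers)   # ordered from first applied to last applied
    $result = @{}
    foreach ($layer in $Layers) {
        foreach ($name in $layer.Settings.Keys) {
            # A later layer overwrites whatever an earlier layer defined.
            $result[$name] = @{ Value = $layer.Settings[$name]; Source = $layer.Name }
        }
    }
    # Show each element with the layer that supplied its final value.
    foreach ($name in ($result.Keys | Sort-Object)) {
        '{0,-22} = {1,-3} (from {2})' -f $name, $result[$name].Value, $result[$name].Source
    }
}

$local  = @{ Name = 'Local';  Settings = @{ MinimumPasswordLength = 7; LockoutBadCount = 5; PasswordHistorySize = 24 } }
$site   = @{ Name = 'Site';   Settings = @{} }
$domain = @{ Name = 'Domain'; Settings = @{ MinimumPasswordLength = 8; MaximumPasswordAge = 42 } }
$ou     = @{ Name = 'OU';     Settings = @{ LockoutBadCount = 3 } }

'Domain logon (local, then site, domain, OU):'
Get-ResultantPolicy -Layers $local, $site, $domain, $ou

'Local account logon, or domain controller unreachable (local policy only):'
Get-ResultantPolicy -Layers @($local)
```

In the second run every value comes from the local layer, which is why the text insists on a strong local policy.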

Creating An Effective Local Security Policy

Although Windows XP’s local security policy doesn’t have a single policy element set by default, Windows XP includes a number of templates that we can use to configure precisely the policy elements needed to secure Windows XP within our particular environment. These templates have two different purposes. First, they can be used to activate the necessary group policy elements within the local security policy. Second, they can be used to audit the local security policy. Remember that security isn't a "set it and forget it" operation. We need to make sure that the security policy elements that we set are still properly set. The templates can assist with this by comparing the existing security settings with the desired security settings to make sure that everything still matches.

How Group Policy Works

How to use the templates

We must begin by opening an empty Microsoft Management Console (MMC) session. To do so, enter the MMC command at the Run prompt. Next, select the Add/Remove Snap-Ins command from the console’s File menu. You'll see the Add/Remove Snap-In properties sheet. Click the Add button on the properties sheet’s Standalone tab and you'll see a dialog box containing all of the available snap-ins. Scroll toward the bottom of the list, select the Security Configuration And Analysis option, and click the Add button. Then click Close and OK.

If this is the first time you've used the Security Configuration And Analysis tool on this machine, you'll need to create a new database. Right-click on the console’s Security Configuration And Analysis container and select the Open Database command from the shortcut menu. Windows will launch the Open Database dialog box. Since no databases presently exist, just type a name that you would like to call your database and then click Open.

Windows will display the Import Template dialog box. This dialog box allows you to select which template to use to secure or to audit the workstation. Technically, you aren’t limited to using a single template. You can import multiple templates into the database. If you do import multiple templates, the group policy elements within those templates will be combined. In the event of contradictory group policy elements within the templates, the template that was the most recently imported takes precedence.

In case you are wondering, a template is really nothing more than an .INF file that’s located in the \WINDOWS\SECURITY\TEMPLATES folder. The template basically tells Windows which registry keys to modify or check. You can see a small portion of a template file’s contents in Figure A.

Figure A: A template file in text form.

Windows XP gives you seven templates to choose from or you can create your own. Each of these templates gives you a different level of security. But not all of these templates are appropriate for Windows XP. Microsoft actually ported the Security Configuration And Analysis Snap-in and all of the templates directly from Windows 2000. So some of the templates are intended to be used on servers and are inappropriate for a Windows XP workstation.

Auditing the computer

While it might be tempting to jump right in and apply the security template, I recommend auditing the system first, because an audit will compare the computer’s current settings against the settings within the template and notify you of any differences. This provides a great opportunity to study the group policy element settings within the template and to check for any undesirable settings. We can change the settings or make a custom template.

To perform an audit of the current security settings, select the Analyze Computer Now option. Windows will prompt you to enter the error log file path. The default location is the \My Documents\Security\Logs folder. Make your selection and click OK to begin the audit.

When the audit completes, Windows will display the group policy tree within the console window. As you navigate through the tree, select any branch that you would like to examine. When you do, the pane on the right will display all of the group policy elements within that branch. Alongside these elements, you'll see the database setting for that group policy element and the computer’s current setting. This allows you to look for discrepancies.

Building a custom template

We may want to create a custom template any time none of the built-in templates meets our needs. Creating a custom template is easy if you've had to import multiple templates into the database. Even if you haven’t changed anything after importing multiple templates, creating a custom template will save work in the long run, because when we next audit the system, we don’t have to import a bunch of templates. Instead we can use a single template that contains the resultant set of policy from the multiple templates that we originally assembled.

Suppose we have only imported a single template and need to make some changes to it. Making the change is easy. Simply right-click on the group policy element you want to modify, and then select the Properties command from the shortcut menu. You'll see a properties sheet for the policy element, similar to the one.

The value displayed within this screen is the computer’s current value, not the template’s value. If we want to modify the template, we select the Define This Policy within the Database check box. We may also modify the policy element’s value if necessary. For example, in the figure, the computer is configured to keep a single password in the password history. When modifying the database, we could keep this value or we could change it to remember 24 passwords. Just remember that changing the value doesn’t have any direct effect on the computer. It only modifies the database. Click OK to make the modification within the database.

Applying the template

When you're ready to apply the policy elements within the database to the computer, right-click on the Security Configuration And Analysis container and select the Configure Computer Now command. When you do, Windows will prompt you for the path to the error log file. Make your selection, and then click OK to apply the template.
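The audit step has a command-line counterpart in secedit.exe, the command-line version of the Security Configuration And Analysis tool. The script below is an added example, not part of the original project: it exports the policy currently in effect and compares its [System Access] section with a baseline. The baseline values and the export file name are constructed.

```powershell
# Added example: audit the local account policy from the command line.
# The baseline values are constructed for illustration.
$baselineInf = @'
[System Access]
MinimumPasswordAge = 2
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
'@

# Collect the name = value pairs of the [System Access] section.
function ConvertFrom-SystemAccess {
    param([string[]]$Lines)
    $settings = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'System Access')
        }
        elseif ($inSection -and $line -match '^([^;=]+)=(.*)$') {
            $settings[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    $settings
}

# Export the policy now in effect (run from an administrator prompt).
$exportPath = Join-Path $env:TEMP 'current-policy.inf'   # assumed file name
secedit /export /cfg $exportPath /areas SECURITYPOLICY /quiet | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'secedit /export failed.' }

$baseline = ConvertFrom-SystemAccess -Lines ($baselineInf -split "`r?`n")
$current  = ConvertFrom-SystemAccess -Lines (Get-Content -Path $exportPath)

# Report each baseline setting next to the machine's current value.
foreach ($name in ($baseline.Keys | Sort-Object)) {
    if ($current.ContainsKey($name)) { $have = $current[$name] } else { $have = '<not defined>' }
    if ($have -eq $baseline[$name]) { $state = 'OK' } else { $state = 'MISMATCH' }
    '{0,-8} {1,-22} baseline={2} current={3}' -f $state, $name, $baseline[$name], $have
}
```

The script only reads the policy; nothing on the machine changes until a template is applied.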

PASSWORD POLICY

Purpose: The purpose of this article is to teach you how to configure password policies and account policies in Windows XP.

Password Policy: A collection of policy settings that define the password requirements for users.

Account Lockout Policy: Account lockout policy options disable accounts after a set number of failed logon attempts. Using these options can help you detect and block attempts to break passwords.

To configure password policies

Follow these steps in order to accomplish the task:

1. Click Start → Programs → Administrative Tools → Local Security Policy.

2. Expand Account Policies and you will see Password Policy and Account Lockout Policy. Click on Password Policy.

  • Enforce password history. The number of unique, new passwords that must be associated with a user account before an old password can be reused. When used in conjunction with Minimum password age, this setting prevents reuse of the same password over and over. Most IT departments set a value greater than 10.
  • Maximum password age. The number of days a password can be used before the user must change it. Changing passwords regularly is one way to prevent passwords from being compromised. Typically, the default varies from 30 to 42 days.
  • Minimum password age. The number of days a password must be used before the user can change it. The default value is zero, but it is recommended that this be reset to a few days. When used in conjunction with similarly short settings in Enforce password history, this restriction prevents reuse of the same password over and over.
  • Minimum password length. The minimum number of characters a user's password can contain. The default value is zero. Seven characters is a recommended and widely used minimum.
  • Passwords must meet complexity requirements. The default password filter (Passfilt.dll) included with Windows 2000 Server and Windows XP Professional requires that a password have the following characteristics:
      • Does not contain your name or user name.
      • Contains at least six characters.
      • Contains characters from each of the following three groups:
          1. Uppercase and lowercase letters (A, a, B, b, C, c, and so on)
          2. Numerals
          3. Symbols (characters that are not defined as letters or numerals, such as !, @, #, and so on)

3. Double click the policy that you want to set and define the policy.

To configure account lockout policies

1. Click on Account Lockout Policy.

  • Account lockout duration. The number of minutes (from 1 to 99999) an account remains locked out before it unlocks. By setting the value to 0, you can specify that the account remains locked out until an administrator unlocks it.
  • Account lockout threshold. The number of failed logon attempts before a user account is locked out. A locked out account cannot be used until an administrator resets it, or until the account lockout duration expires.
  • Reset account lockout counter after. Determines how many minutes (1 to 99999) must elapse after a failed logon attempt before the counter resets to 0 bad logon attempts. This value must be less than or equal to the account lockout duration.

2. Double click the policy that you want to set and define the policy.

Summary: You have successfully configured your computer to use the password and account lockout policies that you have defined. Account policies affect Windows XP Professional computers in two ways. When applied to a local computer, account policies apply to the local account database that is stored on that computer. When applied to domain controllers, the account policies affect domain accounts for users logging on from Windows XP Professional computers that are joined to that domain.

ACCOUNT LOCKOUT POLICY

Sometimes you, or other users of a server or workstation, have a hard time remembering the correct username and password. It may be from a simple typo while entering the information or it may be a result of having too many different usernames and passwords to remember. Whatever the reason, there are times when incorrect authentication information will be entered when someone is trying to log in. You don't need to be alarmed by a single failed attempt. You probably don't even need to be concerned about two or three attempts. At some point, though, you have to figure that it is no longer an honest mistake and is either a program or an individual systematically trying to guess different username or password combinations to gain unauthorized access to the machine.

Windows offers a way to protect the machine from such attempts through the Account Lockout Policies. By configuring the operating system to lock the account and bar access after a certain number of failed login attempts, you allow the system to proactively block such attempts. You can open the Local Security Settings console with the following steps:

1. Click on Start
2. Click on Control Panel
3. Click on Administrative Tools
4. Click on Local Security Policy

You can also get to the same place by typing "secpol.msc" at a command prompt. Once you have the Local Security Settings interface open you should click on Account Policies and then click on Account Lockout Policy. You will see three policies in the right pane along with the current status of each. The three policies are the Account Lockout Threshold, Reset Account Lockout Counter After and Account Lockout Duration. Here is a brief synopsis of each.

  • Account Lockout Threshold: The Account Lockout Threshold policy specifies the number of failed login attempts allowed before the account is locked out. If the threshold is set at 3, the account will be locked out after a user enters incorrect login information 3 times within a specified timeframe.
  • Reset Account Lockout Counter After: This policy defines a timeframe for counting the incorrect login attempts. If the policy is set for 1 hour and the Account Lockout Threshold is set for 3 attempts, a user can enter the incorrect login information 3 times within 1 hour. If they enter the incorrect information twice, but get it correct the third time, the counter will reset after 1 hour has elapsed (from the first incorrect entry) so that future failed attempts will again start counting at 1.
  • Account Lockout Duration: The Account Lockout Duration policy allows you to specify a timeframe after which the account will automatically unlock and resume normal operation. If you specify 0, the account will be locked out indefinitely until an administrator manually unlocks it.

Again, users may at times enter incorrect information for innocent reasons such as a typo or simply forgetting what the password is. For a typical server or workstation you don't want to configure the policy settings so tight that users are locked out frequently for honest mistakes. For most computers I would recommend using settings within the following parameters:

  • Account Lockout Threshold: A number between 3 and 5 should suffice to account for honest mistakes and typographical errors.
  • Reset Account Lockout Counter After: Using a timeframe between 30 and 60 minutes is sufficient to deter automated attacks as well as manual attempts by an attacker to guess a password.
  • Account Lockout Duration: Once the threshold is triggered and the account is locked out, you want to leave it locked long enough to block or deter any potential attacks, but short enough not to interfere with the productivity of legitimate users. A lockout duration of 1 hour to 90 minutes should work well.
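The password and lockout settings above map to the [System Access] section of a security template. This added PowerShell example (not part of the original project) checks a set of values against the constraints and ranges given in the text and writes them out as a template. The file names and the 2-day minimum age are assumptions, and the rule that minimum age must be below maximum age is a Windows constraint not stated on the page.

```powershell
# Added example: build a security template for the account policies discussed above.
# Values follow the text; MinimumPasswordAge = 2 is an assumed "few days".
$policy = @{
    PasswordHistorySize   = 24   # Enforce password history
    MaximumPasswordAge    = 42   # days
    MinimumPasswordAge    = 2    # days (assumed value)
    MinimumPasswordLength = 7
    PasswordComplexity    = 1    # 1 = enabled
    LockoutBadCount       = 5    # Account lockout threshold
    ResetLockoutCount     = 30   # minutes
    LockoutDuration       = 60   # minutes
}

function Test-AccountPolicy {
    param([hashtable]$P)
    $problems = @()
    if ($P.ResetLockoutCount -gt $P.LockoutDuration) {
        $problems += 'Reset counter must be less than or equal to the lockout duration.'
    }
    if ($P.MinimumPasswordAge -ge $P.MaximumPasswordAge) {
        $problems += 'Minimum password age must be shorter than maximum password age.'
    }
    if ($P.MinimumPasswordAge -eq 0 -and $P.PasswordHistorySize -gt 0) {
        $problems += 'With a minimum age of 0, password history does not prevent quick reuse.'
    }
    if ($P.LockoutBadCount -lt 3 -or $P.LockoutBadCount -gt 5) {
        $problems += 'Lockout threshold is outside the 3 to 5 range suggested in the text.'
    }
    $problems
}

$problems = @(Test-AccountPolicy -P $policy)
if ($problems.Count -gt 0) { $problems; throw 'Fix the policy before writing a template.' }

# Write the template in the .INF layout secedit expects.
$lines = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[System Access]')
$lines += $policy.Keys | Sort-Object | ForEach-Object { '{0} = {1}' -f $_, $policy[$_] }
$templatePath = Join-Path $env:TEMP 'account-policy.inf'   # hypothetical file name
$dbPath       = Join-Path $env:TEMP 'account-policy.sdb'   # hypothetical database name
$lines | Set-Content -Path $templatePath -Encoding Unicode

# Review the file, then run the printed command from an administrator prompt to apply it.
"secedit /configure /db `"$dbPath`" /cfg `"$templatePath`" /overwrite /areas SECURITYPOLICY"
```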
