donna-warren.com
Download
Report
Transcript donna-warren.com
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
UNIT 11
Windows Server 2008
Security
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
What is Group Policy?
• A group of policies applied directly to
Active Directory Objects
• Policies can be linked to:
– Sites
– Domains
– OUs
• Policies are applied by assigning them
to the objecta do they apply to specific
users or groups
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Group Policy Functions
• Control the user environment.
– Manipulate Start menu options, wallpaper, colors,
and so on.
– Prevent users from using the Control Panel.
• Control the computer settings.
– Configure DNS client settings.
– Configure the time server client computers use.
• Distribute software.
– Force software installation.
– Allow for easy optional software installation
through Add/Remove Programs.
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Group Policy Settings
• Registry-based – control the user environment
that are stored in HKEY_CURRENT_USER
and HKEY_LOCAL_MACHINE
• Software installations and repairs – to keep
patches up to date and fix broken apps
• Folder redirection and offline storage – force
use of network drive for backup
• Disk quotas – can enforce quotas
• Offline file storage works with folder
redirection to provide the ability to cache files
locally. This allows files to be available evenDPW
DPW
when the network is inaccessible
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Group Policy
• Run Scripts – Including logon, logoff, startup,
and shutdown scripts
• Windows Deployment Services (WDS) –
rebuilding or deploying workstations quickly
and efficiently
• Microsoft Internet Explorer settings
– Provide quick links and bookmarks for user
accessibility
– Enforce browser options such as proxy use,
acceptance of cookies, and caching options
• Security settings – Protect resources on
computers in the enterprise.
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Group Policy Benefits
• Company benefits
– Reduce Total Cost of Ownership (TOC)
– Improve Return on Investment (ROI)
• User benefits
– Access to files either offline or online.
– Consistent environment.
– Files are centrally backed up.
• Administrator benefits
– Centralized management of computer and
user settings.
– Centralized application distribution.
– Centralized backup.
– Centralized security enforcement.
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Default Group Policies
• Two Default group policies are created
when active directory is installed
• Default Domain Policy - affects all users
and computers in the domain
• Default Domain Controllers Policy affects all domain controllers within this
object
• As domain controllers are added to the
domain, they are automatically placed in
this OU and are affected by any settings
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Group Policy Objects (GPOs)
• Contain all of the Group Policy settings
that you wish to implement to user and
computer objects within a site, domain,
or OU
• Must be associated (linking) with the
container to which it is applied
• There are three types of GPOs:
– Local GPOs
– Domain GPOs
– Starter GPOs
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Group Policy Objects (GPOs)
• Local GPO
– Gpedit.msc (Local Computer Policy)
– Local Security Policy
• Non-Local Group Policy Objects
– Not inherited from the domain
– Stored in Sysvol
– Linked to sites, domains, or OUs
– Applied to all users and computers in the
container
– If conflict with local AD based group
policies, non-local take precedence
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Group Policies in Active Directory
• Linked to site—Affects all users and
computers in the site to which the
policy is linked, regardless of domain
membership
• Linked to domain—Affects all users
and computers in the domain to which
the policy is linked
• Linked to OU—Affects all users and
computers in the OU to which the
DPW
policy is linked
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Group Policy
• Group Policies can be linked to sites,
domains, or OUs (not groups) to apply
those settings to all users and
computers within these Active Directory
containers
• You can use security group filtering,
which allows you to apply GPO settings
to specific users or groups within a
container by selectively granting the
“Apply Group Policy” permission to one
or more users or security groups
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Local GPO
• The local GPO settings are stored on the
local computer in the
%systemroot%/System32/GroupPolicy folder
• Local GPOs contain fewer options
– They do not support folder redirection or
Group Policy software installation
– Fewer security settings are available
• When a local and a nonlocal (Active
Directory–based) GPO have conflicting
settings, the local GPO is overwritten by the
nonlocal GPO
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Nonlocal GPOs
• Nonlocal GPOs are created in Active Directory
• They are linked to sites, domains, or OUs.
– Once linked to a container, the GPO is applied to
all users and computers within that container by
default
• GPOs are stored in two places:
– Group Policy container (GPC) — An Active
Directory object that stores the properties of the
GPO
– Group Policy template (GPT) — Located in the
Policies subfolder of the SYSVOL share, the GPT
is a folder that stores policy settings, such as DPW
DPW
security settings and script files
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Starter GPOs
• A new feature in Windows Server 2008
• Used as GPO templates within Active
Directory
• Allow you to configure a standard set of
items that will be configured by default
in any GPO that is derived from a
starter GPO
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Creating & Managing Group Policies
• The Group Policy Management Console
(GPMC) is the Microsoft Management
Console (MMC) snap-in that is used to
create and modify Group Policies and
their settings
• When you configure a GPO, you will use
the Group Policy Management Editor,
which can be accessed through the
GPMC or through Active Directory Users
and Computers
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Group Policy Settings
• Configuring Group Policy settings
enables you to customize the
configuration of a user’s desktop,
environment, and security settings.
• The actual settings are divided into two
subcategories:
– Computer Configuration
– User Configuration
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Group Policy Settings
• The Computer Configuration and the User
Configuration nodes contain three subnodes
– Software Settings
• Used to install software
– Windows Settings
• Used for define security settings and
scripts
– Administrative Templates
• Includes thousands of Administrative
Template policies, which contain all
registry-based policy settings
• They are used to generate the user
interface for the Group Policy setting
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
GPO Inheritance
• You link a GPO to a domain, site, or
OU or create and link a GPO to one of
these containers in a single step
• The settings within that GPO apply to
all child objects within the object
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
How Group Policies are Used
• During computer startup, a list of GPOs for the computer
is obtained.
• Computer settings are applied during startup.
• Startup scripts are run.
• Windows Logon prompt appears when step 3
completes.
• Upon successful validation of user, the user profile
loads.
• A list of GPOs for the user is obtained.
• Logon scripts are run.
• The user interface appears.
• At log off and shutdown any log off and shutdown scripts
DPW
DPW
are run
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Processing Group Policy
•
Processing Order
1.
2.
3.
4.
Local Policies
Site Policies
Domain Policies
OU Policies
•
Multiple policies at the same level applied
bottom up
•
If there is a conflict on a particular setting
–
–
By default, the last policy applied wins
Exceptions: No Override, Block Policy
Inheritance, and User Group Policy
loopback processing mode
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
No Override
• Ensures policy is applied, regardless of
priority, hierarchy, inheritance blocking,
or conflicting settings
• Configured on a per-policy basis
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Block Policy Inheritance
• Prevents policies from being inherited
from higher levels in the Active
Directory hierarchy
• Can be used at the Domain or OU level
only—not per policy
• Cannot stop a policy marked as No
Override
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Security Settings
• Account – password and account lock out
and user authentication) for the domain
• Local – audit, user rights and security for the
local Machine
• Event Log Policy – size, history and
accessibility
• Restricted Groups – control the “members”
and “members of” properties in security
groups (used to populate local machines
groups with the domain values)
• System Services – control service startup
DPW
mode and access permissions
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Security Settings
• Registry & File System – access permissions and
audit setting per key or per file system object
•
Wireless network – preferred networks,
authentication types, etc.
•
Public Key - Encrypted File System, automatic
request certificate request, trusted root certificates,
and an enterprise trust list
• Software Restriction – allow or disallow application
redirection for specific applications, folder
redirection, offline files control and disk quotas
• IPSec for AD – assign policies based on IP
address
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Account Policies
• Account policies influence how a user
interacts with a computer or a domain
• By default, they are linked to the Default
Domain Policy
• This account policy is applied to all accounts
throughout the domain by default, unless you
create one or more Fine-Grained Password
Policies (FGPP) that override the domainwide policy.
• These Fine-Grained Password Policies can
be applied
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Fine-Grained Password Policy
• Prior to Windows Server 2008 Active Directory
domain you were only able to configure a
single
– Password Policy
– Account Lockout Policy
• The only choice was configuring a separate
domain or forcing all users within the domain
to conform to a single password policy
• Beginning in Windows Server 2008, you can
configure Fine-Grained Password Policies,
which allow you to define multiple password
DPW
policies within a single domain
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Kerberos Policy
• Kerberos is the default mechanism for
authenticating domain users in Windows Server
2008, Windows Server 2003, and Microsoft
Windows 2000
• Kerberos is a ticket-based system that allows
domain access by using a Key Distribution Center
(KDC)
– These tickets have a finite lifetime and are based in
part on system time clocks
– Note that Kerberos has a 5-minute clock skew
tolerance between the client and the domain
controller
– If the clocks are off by more than 5 minutes, theDPW
DPW
client will not be able to log on
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Kerberos Policy
• Enforce User Logon Restrictions tells
Windows Server 2008 to validate each
request for a session ticket against the
rights associated with the user account
• Although this process can slow the
response time for user access to
resources, it is an important security
feature that should not be overlooked or
disabled
• Enforce User Logon Restrictions is
enabled by default
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Local Policies
• Allow administrators to set user
privileges on the local computer that
govern what users can do on the
computer and determine if these
actions are tracked within an event log
(auditing):
– User Rights Assignment.
– Security Options.
– Audit Policy.
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Audit Policy
• System events — Events that trigger a log
entry include
– system startups and shutdowns
– system time changes
– system event resources exhaustion, such
as when an event log is filled and can no
longer append entries
– security log cleaning
– any event that affects system security or
the security log
• In the Default Domain Controllers GPO, this
DPW
setting is set to log successes by default DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Policy Change Events
• By default, this policy is set to audit
successes in the Default Domain
Controllers GPO.
• Policy change audit log entries are
triggered by
– user rights assignment changes
– establishment or removal of trust
relationships
– IPSec policy agent changes
– grants or removals of system access
privileges
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Account Management Events
• This policy setting is set to audit
successes in the Default Domain
Controllers GPO
• This setting triggers an event based on
changes to account and group
properties
– user or group account creation
– Deletion
– Renaming
– Enabling
– Disabling
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Logon Events
• This setting logs events related to
successful user log-ons on a computer
– The event is logged on the computer that
processes the request
– The default setting is to log successes in
the Default Domain Controllers GPO.
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Audit Policy
• Audit Directory Service Access —logs
user access to Active Directory objects,
such as other user objects or OUs
• Audit Object Access —logs user
access to files, folders, registry keys,
and printers, etc.
• You MUST enable Audit Object Access
• Then specify what objects you want to
audit
• Audit results are written to the Event
DPW
DPW
Viewer security log
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Configuring Object Access Auditing
• Right-click the file or folder you want to
audit.
• Select Properties
• On the Security tab, click Advanced
• In the Advanced Security Settings
dialog box, select the Auditing tab
• Select the appropriate user or group
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Restricted Groups Policy
• Allows an administrator to specify
group membership lists
• You can control membership in
important groups, such as the local
Administrators
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Folder Redirection Policy
• Folder redirection redirects the contents of
certain folders to a network location or to
another location on the user’s local computer
• Contents of folders on a local computer
located in the Documents and Settings folder
can be redirected
– Basic – Redirects Everyone's Folder To The
Same Location and you must specify the Target
folder location in the Settings dialog box
– Advanced – can Specify Locations For Various
User Groups and you must specify the target
folder location for each group that you add in the
DPW
DPW
Settings dialog box
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Offline Files Policy
• Can allow files to be available to users, even when
the users are disconnected from the network.
– The Offline Files feature works well with Folder
Redirection
– When Offline Files is enabled, users can access
necessary files as if they were connected to the network
– When the network connection is restored, changes made
to any documents are automatically updated to the server
– Folders can be configured so that either all files or only
selected files within the folder are available for offline use
– When it is combined with Folder Redirection, users have
the benefits of being able to redirect files to a network
location and still have access to the files when the network
connection is not present
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Disk Quotas
• Limit the amount
of space available
on the server for
user data
• Can be enforce
on all users
domain wide
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Group Policy Refresh
• Computer configuration group policies
are refreshed every 90 minutes (+/- 30
minutes) by default
• Domain controller group policies are
refreshed every 2 minutes
• You can force group policies by using
the gpupdate command:
gpupdate /force
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
GPUpdate Command
• If you make changes to a group policy,
users may not see changes take effect
until
– They log off or log back in
– They Reboot the computer
– They wait 90 minutes (+/- 30 minutes) for
stand-alone servers/workstations and 2
minutes for domain controllers
• To manually push group policies, you
need to use the gpupdate command
Gpupdate /force
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
AD Rights Management
• A new feature that allows users to
provide better security for Microsoft
applications
• Basically a second level of protection
beyond the normal access list
permission restrictions
• It chief advantage is the ability to block
document forwarding and printing
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Feature
AD RMS
Secure/Multipurp
ose Internet Mail
Extension
(S/MIME)
Signing
S/MIME
Encryption
Access control
lists (ACLs)
Encrypting
File Systems
(EFS)
Attests to the identity of the
publisher
Differentiates permissions
by a user
Prevents unauthorized
viewing
Encrypts protected content
Offers content expiration
Controls content reading
Modifying, or printing by
user
Extends protection beyond
initial publication
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
Software Lifecycle
S
E
R
V
E
R
2
0
0
8
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Group Policy Software Management
• Group Policy can be used to
– Install
– Upgrade
– Patch
– remove software applications
• Under the following conditions
– when a computer is started
– when a user logs on to the network
– when a user accesses a file associated with a
program that is not currently on the user’s computer
• Group Policy can be used to fix problems
associated with applications
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Windows Installer Service .MSI File
• Is a relational database file that is copied to the
target computer system with the program files it
deploys
• Assists in the self-healing process for damaged
applications and clean application removal
• Consists of external source files that may be
required for the installation or removal of software
• Includes summary information about the software
and the package
• Includes reference point to the path where the
installation files are located
• is responsible for automating the installation andDPW
DPW
configuration of the designated software
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
.MST File
• You may need to modify Windows
Installer files to better suit the needs of
your corporate network.
• Modifications to .msi files require
transform files, which have an .mst
extension
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Patch file (.msp)
• Patch files are used to apply service packs
and hot fixes to installed software
• Instead, it contains, at minimum, a database
transform procedure that adds patching
information to the target installation package
database
• .msp files should be located in the same
folder as the original .msi file when you want
the patch to be applied as part of the Group
Policy software installation
• This allows the patch file to be applied to the
DPW
DPW
original package or .msi file
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Software Distribution Point
• Before deploying software using Group
Policy, you must create a distribution
share/Software distribution point
• Users who are affected by the Group
Policy assignment should be assigned
NTFS Read permission to the folder
containing the application and package
files
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Assigning and Publishing Software
• Assigning Software
– If you assign the program to a user, it is installed
when the user logs on to the computer
– If you assign the program to a computer, it is
installed when the computer starts, and it is
available to all users who log on to the computer
– When a user first runs the program, the
installation is finalized.
• Publishing Software
– You can publish a program distribution to users.
– When the user logs on to the computer, the
published program is displayed in the Add or
Remove Programs dialog box, and it can be
installed from there
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Software Restrictions Policies
• Provides methods to control the use of
software applications through Group Policy
• Strategy
– Unrestricted - Allow all except explicitly
denied (default)
– Disallowed - Deny all except explicitly
allowed
– Basic User – block applications that require
administrative rights, but allows programs
that are accessible by normal users
• Default Software Restriction Policy Unrestricted
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Software Restrictions Policies
• Four types of software restriction exist
– Hash rule - attaches hash that
governs whether it can run
– Certificate rule – allows execution to
specific file types
– Path rule - can bypass default
security setting for specific files
– Network zone rule – determine if the
application is allowed to be installed
(.msi only)
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
EFS
• Encrypting File System (EFS) sets up a
unique, private encryption key
associated with the user account that
encrypted the folder or file
• When you move an encrypted fi le to
another folder on the same computer,
that file remains encrypted, even if you
rename it
• The cipher command line utility can
encrypt or decrypt folders and files DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
BitLocker
• Trusted Platform Module (TPM) must
be available (chip or controller on
motherboard) – transparent to user
• Can also use a USB drive with the
necessary identification info to access
hard disks
• You must create an operating system
partition no less than 1.5 GB in size
• A second primary partition for bitlocker
• Bit locker has it own control panel
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Network Access Protection
• Ipsec - can prevent non-co,pliant computers
from communication with complient computers
using a network policy server
• NAT – prevents outsiders from knowing a
computer’s IP address
• VPN – secure encrypted network access through
the internet
• DHCP – configured through the network policy
server
• Terminal Services Gateway – uses a network
policy server
• 802.1x – verifies client and provides a secure
DPW
port
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Case Study
• You are a computer consultant
• The Park Publishing network consists of a
single Active Directory domain with four
domain controllers running Windows Server
2008, three file servers, and 300 clients that
are evenly divided between Windows XP
Professional and Windows 7
• Recently, data was lost when an employee's
laptop was stolen and other data was lost
during a fire sprinkler system incident in
which the employee's computer was
DPW
DPW
destroyed
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
• Employees typically store documents in their
My Documents folder
S
E
R
V
E
R
• Editors frequently work on sensitive
documents that should not be accessible to
anyone else
2
0
0
8
Case Study (cont)
• All client computers have P drive mappings
that are supposed to be used for storing files
• Given Park Publishing's concerns, answer
the following questions:
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Case Study (cont)
1. How would you assure that employees
store their data on the server in the
future?
2. How can you address the situation
concerning the sensitive data editors use?
3. How would you address the users with
mobile computers so that they could work
on their files while traveling while keeping
the files safe on the server?
4. What could you do about the existing data
in employees My Documents folder? DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Summary
• Microsoft provides several security
options to protect both protect data nad
monitor who is accessing it
• Group Policies can be assigned to
sites, domains, and Ous
• By default, there is one local policy per
computer and a Default Domain Policy
and a Default Domain Controller Policy
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Summary
• Group Policy processing order
– Local
– Site
– Domain
– OU
• Group Policies applied to parent
containers are inherited by all child
containers and objects
• Inheritance Exceptions No Overide,
Block Policy Inheritance, or Loopback
DPW
DPW
settings
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Summary
• Auditing object access and user rights
• Account policies
• Object auditing
• Bit Locker
• AD Rights management (AD RMS)
• Offline file protection
• Disk quotas
• Network Access Protection
DPW
DPW
© Donna Warren
© 2005-2010
W
I
N
D
O
W
S
S
E
R
V
E
R
2
0
0
8
Lab 11
• Do all the activities in chapter 13 of the
text book
• Take a screen shot of the results of
each activity and paste it into a word
document titles Lab 11
• Email you completed lab 11 document
to [email protected]
DPW
DPW
© Donna Warren
© 2005-2010