OUHSC Group Policy Objects


OUHSC Information Security Update
IT, Information Security Services
Randy Moore
Nathan Gibson
Greg Bostic
Security Project Update
– Active Directory Cleanup Project
• “Cleaning the house” -- getting rid of old computer accounts
– Active Directory GPO project
• Establishing a security baseline
– E-Policy Orchestrator Project
• Mirroring ePO with AD
• Centrally Managing
• Using the tools we have available
Active Directory Cleanup
Purpose
• GPOs cannot be applied on the Computers container
• ePO Sync would be inaccurate
• Hard to manage with erroneous accounts present
Current Status
• 1200 inactive computer accounts disabled and moved into the disabled.comps OU
• Computer Accounts have been moved from the Computers container into the UnAssigned.Comps OU
• GPO w/ login script applied to UnAssigned.Comps OU
New Procedures
• All new computers should have account created prior to joining domain.
• Computer Account Lifecycle procedure
– 30 days UnAssigned.Comps – Active
– 30 days disabled.comps – Inactive
– On the 60th day Computer Account deleted
• New Computer Checklist
Cleaning Your OU
• Weed out old Computer Accounts
– Use Active Directory Users and Computers
– Go to “View” in the MMC
– Check “Advanced Features”
– Go to “View” and choose “Add/Remove Columns”
– In the left hand “Available columns” table choose “Modified” and click “Add ->”
– Hit OK
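The lifecycle windows from New Procedures, applied to the “Modified” value exposed by the steps above, as an added example that is not from the original slides. It assumes the ActiveDirectory PowerShell module, placeholder distinguished names for the two OUs, and that each 30-day stage is counted from the account's last modification; it only writes a report.

```powershell
# Added example, report-only: nothing is disabled, moved or deleted.
Import-Module ActiveDirectory

# Placeholder distinguished names (assumed); substitute the real domain path.
$Stages = @(
    @{ Ou = 'OU=UnAssigned.Comps,DC=example,DC=edu'; Due = 'Disable and move to disabled.comps' },
    @{ Ou = 'OU=disabled.comps,DC=example,DC=edu';   Due = 'Delete (60th day)' }
)
$WindowDays = 30   # each stage of the lifecycle lasts 30 days

function Get-ComputerLifecycleReport {
    param([hashtable[]] $Stages, [int] $WindowDays)
    $now = Get-Date
    foreach ($stage in $Stages) {
        # whenChanged is what ADUC shows as "Modified". It is not replicated,
        # so query the same domain controller on every run.
        Get-ADComputer -Filter * -SearchBase $stage.Ou -SearchScope Subtree `
                -Properties whenChanged, LastLogonDate, Enabled |
            ForEach-Object {
                $age = [math]::Floor(($now - $_.whenChanged).TotalDays)
                [pscustomobject]@{
                    Name          = $_.Name
                    Container     = $stage.Ou
                    Enabled       = $_.Enabled
                    Modified      = $_.whenChanged
                    LastLogonDate = $_.LastLogonDate   # cross-check before acting
                    AgeDays       = $age
                    Action        = if ($age -ge $WindowDays) { $stage.Due } else { 'None yet' }
                }
            }
    }
}

Get-ComputerLifecycleReport -Stages $Stages -WindowDays $WindowDays |
    Sort-Object AgeDays -Descending |
    Export-Csv -Path .\computer-lifecycle-report.csv -NoTypeInformation
```

Review the CSV before acting on any row: a recent LastLogonDate on an account flagged by age means the machine is still in use.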
McAfee E-Policy Orchestrator Project (ePO)
ePO
McAfee E Policy Orchestrator
• Provides a way to centrally manage Anti Virus protection on all managed devices
• Syncs with Active Directory
• Automatically installs/uninstalls AV
• Automatic DAT updates
• Customizable policies
• Notification Capabilities
• Report Generation
Training
Greg Bostic
2nd Annual Cyber Security Day
October 24, 2007
10:00 am
Cyber Security Day
• Tier 1 Training
• Business Manager Briefings
• End User Briefings
Security Baseline
Active Directory GPO Project
GPO Review
• Group Policy Objects:
1. Allow you to configure baseline settings to ensure all resources have the same settings
2. Ease the administrative overhead in applying and modifying settings on end-user devices and servers.
3. “One-Stop-Shop” for demonstrating policy compliance
AD GPO Project
• Round 2 Settings
Setting 1: HSC-IT-Automatic Updates (Workstation Only)
– Enable Windows Updates Power management to automatically wake up the system: Enabled
– 4 - Auto Download and Schedule the Install
– Schedule Install Day: 0 - Everyday
– Scheduled Install Time: 0300
Setting 2: HSC-IT-No Display Last User Login
– Interactive logon: do not display last user name: Enabled
No Last User Name Impact
• 6,387 computers that will be affected by “No Last Username GPO”
• 3,419 computers with “No Last Username” already set
Screen Saver Impact
• 3,419 computers that have screensavers
• 7,132 computers with no screensaver
House Cleaning Help
• Standardize GPO naming scheme
– Dept-XXXX
– Delete Old GPOs
– Combine GPOs if possible
– Remove GPOs with settings applied at higher level
FUTURE GPO Settings
• Event Logging
– Account Management: Success
– Account Logon/Logoff: Success/Failure
– Policy Change: Success
– System Events: Success/Failure
• Screen Saver
– Hide Screen Saver Tab: Enabled
– Screen Saver: Enabled
– Password protect the Screen Saver: Enabled
– Screen Saver Timeout: 600 (900?)
Let’s Talk
Questions & Concerns
???
http://it.ouhsc.edu/services/infosecurity/Projects.asp