The Best Damn Windows Server 2003 Book Period- P63

Chia sẻ: Cong Thanh | Ngày: | Loại File: PDF | Số trang:10

Thêm vào BST

Báo xấu

47
lượt xem 2
download

Download Vui lòng tải xuống để xem tài liệu đầy đủ

The Best Damn Windows Server 2003 Book Period- P63:The latest incarnation of Microsoft’s server product,Windows Server 2003, brings many new features and improvements that make the network administrator’s job easier.This chapter will briefly summarize what’s new in 2003 and introduce you to the four members of the Windows Server 2003 family: the Web Edition, the Standard Edition, the Enterprise Edition, and the Datacenter Edition.

Chủ đề:

Bình luận(0) Đăng nhập để gửi bình luận!

Lưu

Nội dung Text: The Best Damn Windows Server 2003 Book Period- P63

586 Chapter 17 • Working with Group Policy in an Active Directory Environment Folder redirection can be seen as a subset of roaming proﬁles. By specifying an alternate location for these folders on a network share, the user has access to these folders no matter which computer he or she uses to log on. Of the four folders that can be redirected, setting the My Documents folder for redirection is probably the most advantageous. Not only will the user have his or her data available at any com- puter, but storing this data on the server allows the data to be easily backed up to tape or other ofﬂine storage media. As an administrator, you can also set quotas on server storage, helping to keep the size of the My Documents folder in check.You can also take advantage of the ofﬂine folders feature of Windows 2000 and Windows XP to keep the data available to users when they are not on the network. When setting up folder redirection, you should allow the system to create the folders in the location where the data will be directed. A number of permissions must be set correctly to maintain security on the redirected folders.Your best bet is to let the system handle this part of the process. Folder redirection settings are located in the User Conﬁguration area of the GPO under Windows Settings.To enable redirection of one of the four folders, follow these steps: 1. Right-click the folder name and select Properties. 2. In the Target tab of the window, you can select the setting to use for redirection, as shown in Figure 17.18.You can select between two options for the location of the redi- rected folder.The basic option redirects the folder to the same folder path for all users. For the Application Data and Desktop folders, there are three options for the folder location: I Creating a directory for each user in the path speciﬁed I Redirecting all users to the same location I Pointing the folder to the local user proﬁle location Figure 17.18 Selecting Options for Redirecting My Documents
Working with Group Policy in an Active Directory Environment • Chapter 17 587 If you choose to point the folder to the path in the user proﬁle, the folder will point to the default location as if no redirection had been applied. Redirecting the folder to a speciﬁc location will create that location either on the network or on a local path, and all users who have this policy applied will point to the same folder. For the Start Menu and Desktop folders, this might be a bene- ﬁcial setting, as you can centrally control the appearance and contents of those folders in one loca- tion, but you need to be aware of the security settings on the folder. The primary choice for this setting will probably be to create a folder for each user in a loca- tion speciﬁed, as shown in Figure 17.19. As you can see, when the root path is speciﬁed, the dialog box gives you an example of what the folder path will be. Figure 17.19 Setting the Folder Location for Redirection The Start Menu and My Documents folders have slightly different options for redirection. When redirecting the Start Menu, you do not have the option of specifying a unique path for each individual user. Whether setting up basic or advanced redirection of the Start Menu, you can only specify one common location for all users or redirect the folder back to the local user proﬁle. The Start Menu options are simpler than the Application Data and Desktop folder settings, but the My Documents options are more complex. When redirecting the My Documents folder, there are four location options for storing the folder. As with the Application Data and Desktop folders, you can store the My Documents folder in the local user proﬁle, a common directory for all users, or have the system create a folder for each user in a common location.There is a fourth option, however, for My Documents.That option allows you to redirect the My Documents folder to the user’s home folder on the network.This option will not create a My Documents folder in the user’s home folder. It will simply point the My Documents folder to the user’s home directory on the network. There are a few items you should pay attention to if you consider implementing this option. First, you must have implemented the home folder settings for all users, and you must have created those folders prior to implementing this option. Second, the security settings on the home folder are not changed by the folder redirection policy, so you need to be aware of the settings applied to the user home folder on the network. Finally, you have the choice of including the My Pictures folder
588 Chapter 17 • Working with Group Policy in an Active Directory Environment with the redirected My Documents folder, or having the My Pictures folder stored in a different location.This might be advisable if server disk storage is a concern. If you choose this option, the My Pictures item in the My Documents folder will be a shortcut pointing to the correct location for the actual folder. The advanced option allows you to select the folder location based on security group.This is one way to specify a different target location for the folder for different groups of users.You can set multiple security groups to have different target locations within a single GPO in the domain. Another way to accomplish this, especially if you only have a small set of users whose folders should be redirected, is to set folder redirection GPOs at other locations within the directory and ﬁlter access to those GPOs based on security. When selecting the advanced redirection option, you can add the individual security groups for redirection, and have the same choices for folder location as with the basic option. Setting advanced folder redirection is functionally equivalent to setting up multiple GPOs with basic redirection settings and security ﬁltering.The difference is that there is only one GPO to manage instead of several. Conﬁguring User and Computer Security Settings When browsing through the Group Policy Object Editor, you might have noticed that there are security settings for both the user conﬁguration and computer conﬁguration. Some of these settings are the same for both conﬁgurations, such as the Autoenrollment Settings for certiﬁcates discussed earlier.There are many differences between the two options, however, and we cover some of those differences in this section. Computer Conﬁguration With these security settings, you can provide additional control and management over objects in the directory.The settings contained in this area can govern how users authenticate to computers and other resources on the network, can provide additional permissions or restrictions for resources in the directory, can control audit settings, and can alter group membership.The settings in this area of group policy are primarily used to specify alternate settings for speciﬁc computers on the network. Table 17.2 lists the main option groups under Security Settings in the Computer Conﬁguration in the Group Policy Object Editor, along with a description of the security setting. Table 17.2 Security Settings for Computer Conﬁguration Security Setting Collection Description Account Policies Contains setting groups for password policy settings, account lockout settings, and Kerberos policy settings. Local Policies Contains setting groups for auditing policy settings, user rights assignment settings, and security options settings. Event Log Contains settings for application, system, and security event logs. Restricted Groups Contains groups for speciﬁc security restrictions. Continued
Working with Group Policy in an Active Directory Environment • Chapter 17 589 Table 17.2 Security Settings for Computer Conﬁguration Security Setting Collection Description System Services Contains settings for controlling startup and permissions for system services. Registry Keys Contains Registry keys and permissions to add. File System Contains ﬁles or folders and permissions to add. Wireless Network Contains policies governing speciﬁc wireless network connections. Policies Public Key Policies Contains setting groups for Encrypted File System policy settings, Automatic Certiﬁcate Request settings, Trusted Root Certiﬁcation Authorities settings, and Enterprise Trust settings. Software Restriction Contains settings, when enabled, for restricting access to certain Policies software, such as 16-bit applications. User Conﬁguration There are fewer options for conﬁguring security settings in the User Conﬁguration area of group policy.The two groups of policies in this area are listed in Table 17.3. Table 17.3 Security Settings for User Conﬁguration Security Setting Collection Description Public Key Policies Contains settings for certiﬁcate autoenrollment and Enterprise Trust. Software Restriction Contains settings that identify, through various means, Policies applications that are authorized to run on a system. Redirect the My Documents Folder In this example, we walk through the process of redirecting the My Documents folder for a speciﬁc group of users in the directory. We will take the Information Technology group and redirect their folders to a shared location on the network, and use advanced redirection to limit folder redirection only to members of that group. We will point the My Documents directory to a common location and use the network’s home directory path as the root folder for the redirected folder. 1. Open Active Directory Users and Computers. 2. Right-click the domain container and select Properties. 3. Click the Group Policy tab and click New. 4. Name the policy Folder Redirection Policy and click Edit.
590 Chapter 17 • Working with Group Policy in an Active Directory Environment 5. Under User Conﬁguration, expand Windows Settings. 6. Expand Folder Redirection. 7. Right-click My Documents and select Properties. 8. In the Setting drop-down menu, select Advanced – Specify locations for various user groups. 9. In the Security Group Membership pane, click Add. 10. In the Security Group Membership pane, enter the name of the security group, or click Browse and ﬁnd the group in the directory.This example uses the Information Technology group. 11. In the Target Folder Location pane, select Create a folder for each user under the root path from the drop-down menu. 12. Enter the UNC path to the desired folder in the Root Path ﬁeld, or click Browse to ﬁnd the desired path.This example uses the path \\CORPADFP1\Home for the root path. 13. Click OK. 14. The My Documents Properties window should now appear as shown in Figure 17.20. Click the Settings tab. Figure 17.20 Viewing the Redirection Settings for My Documents 15. Make sure the check boxes for Grant the user exclusive rights to My Documents and Move the contents of My Documents to the new location are enabled. 16. Click the Redirect the folder back to the local user proﬁle location when policy is removed option button. 17. The Settings tab should appear as shown in Figure 17.21. Click OK.
Working with Group Policy in an Active Directory Environment • Chapter 17 591 Figure 17.21 Conﬁguring the Settings for My Documents Folder Redirection Now when members of the Information Technology group log on, their My Documents folders will be created in the network share, and the data from their existing folders will be moved into the new folders. Using Software Restriction Policies One of the relatively new challenges facing system administrators today is the signiﬁcant increase of malicious code. Not only are more and more individuals writing malicious code, such as viruses, but with the ever-increasing use of e-mail and the Internet, these programs are being spread faster and faster. Some organizations are struggling with the proliferation of other programs, not speciﬁcally mali- cious in nature, but productivity killers nonetheless. Or users might download and install programs that cause conﬂicts with existing programs, generating additional support calls to your help desk. Making use of software restriction policies will allow you to place controls on “untrusted” code within your organization.Through a combination of rules, you can identify speciﬁc applications or types of applications that are either allowed to run or prevented from running.These rules are pow- erful and complex, but by themselves cannot provide full protection against malicious code. Use of software restriction policies will augment the protections you might already have in place, but you should not plan to rely solely on these policies to completely protect your environment. Setting Up Software Restriction Policies The settings for Software Restriction are located in the Security Settings area of Group Policy.You might have to enable software restriction policies before you can make changes, as most systems do not have these policies enabled by default. When software restriction policies are enabled, you will ﬁnd a number of settings in the area.The Enforcement policy determines if the software policies will apply to all ﬁles or exclude library (.dll) ﬁles.This policy also identiﬁes whether the policies apply to all users of the system or just to non-administrators. If you want to exclude administrators from soft- ware restriction policies, this is where you would set that option.
592 Chapter 17 • Working with Group Policy in an Active Directory Environment Another policy you will ﬁnd here is the Designated ﬁle types policy.You can specify which ﬁle types, based on ﬁle extension, to which software restriction policies should apply.You can add addi- tional ﬁle types by adding the ﬁle extension to the list in this policy window. The third policy you will ﬁnd here is the Trusted Publishers policy. In this policy setting, you can specify what user level is allowed to enable trust for software publishers, and how to check for expired certiﬁcates for those publishers. The other area located here is the Additional Rules folder, where the speciﬁc rules you will create for your system will be located. Software Policy Rules There are four types of rules that you can use to identify applications to which policy should apply: the hash rule, certiﬁcate rule, path rule, and Internet zone rule. Each rule identiﬁes a different way to identify ﬁles that should have rules applied. Within the rule, you can set the security setting for the resulting ﬁle or ﬁles to either Disallowed or Unrestricted. A Disallowed setting in a rule will prevent the user from accessing the ﬁle or ﬁles. An Unrestricted setting will allow the user to access the ﬁle or ﬁles. Hash Rule When you create a hash rule, you identify a speciﬁc ﬁle to which you want the rule to apply, and the system generates a hash on the ﬁle, including attributes such as date and time of creation and ﬁle size. After the policy is in place, the system performs a hash on each ﬁle accessed, and if the hash matches the hash in the rule, the rule is applied. Certiﬁcate Rule When you create a certiﬁcate rule, you identify a set of ﬁles that are signed by a speciﬁc certiﬁcate. In creating the rule, you select the speciﬁc certiﬁcate for the rule. When the system processes a ﬁle request, it will check the certiﬁcate settings on the ﬁle to check for a match against the certiﬁcate in the rule, and will process the rule if there is a match. Certiﬁcate rules to not apply to .exe and .dll ﬁles, but will apply to all other ﬁle types listed in the Designated File Types policy. Path Rule When you create a path rule, you identify a ﬁle or set of ﬁles based on their location on disk.The path can identify the path to a folder, a speciﬁc ﬁle, or a set of ﬁles based on a wildcard. When the system processes a ﬁle request when path rules are in place, it will compare the ﬁle requested to the path rules, and process the rule if there is a match. Internet Zone Rule When you create an Internet zone rule, you specify settings based on the Internet zones identiﬁed in Internet Explorer: Internet, Local Computer, Local Intranet, Restricted Sites, and Trusted Sites. Internet zone rules only apply to Windows installer packages. If a user downloads an installer package from a site in one of the zones, the zone settings will determine if the user will be able to execute the installer.
Working with Group Policy in an Active Directory Environment • Chapter 17 593 Precedence of Policies Since several rules can be applied to the same program, there is an established order of precedence that is applied. A rule based on a higher precedence will override a conﬂicting rule applied with a lower precedence. 1. Hash rule 2. Certiﬁcate rule 3. Path rule 4. Internet zone rule Based on this order, if a program is unrestricted based on a hash rule but disallowed based on a path rule, the program will run, as the hash rule has precedence over the path rule. For path rules, there is an additional order of precedence based on the path speciﬁed. If there are conﬂicting path rules, the more restrictive path rule will apply.The following list identiﬁes the precedence of paths from most restrictive to least restrictive. 1. Drive:\Folder1\Folder2\ﬁlename.extension 2. Drive:\Folder1\Folder2\*.extension 3. *.extension 4. Drive:\Folder1\Folder2\ 5. Drive:\Folder1\ When similar rules are applied, such as multiple path rules, the more restrictive rule applies. For example, if a program is set to Disallow in one path rule and set to Unrestricted in another, access to the program will be denied, as Disallow is the more restrictive setting. Best Practices The following items include some of the recommendations for implementing software restriction policies. I Test, test, test Never implement software restrictions without testing, especially when applying a Disallow setting. Placing restrictions on certain types of ﬁles can negatively impact the operation of your computer and/or the network environment. I Couple software restriction policies with access control restrictions Using access control in conjunction with software restriction makes a more complete restriction solu- tion. I Use anti-virus software Software restriction policies are not a sufﬁcient substitute for a solid anti-virus package.The tools used in conjunction can increase the security of the system, but do not plan on using software restriction in place of anti-virus tools. I Use Disallow as default with great caution If you take the approach of using Disallow as the default and identifying speciﬁc applications to allow, be sure you test the
594 Chapter 17 • Working with Group Policy in an Active Directory Environment system thoroughly. Some applications can launch other applications in normal course of operation. As stated in the ﬁrst item, test your implementation thoroughly before unleashing it on an unsuspecting audience. Applying Group Policy Best Practices If you have been reading straight through this chapter, you’ve seen that there are a vast number of ways that group policy can be implemented in an Active Directory environment. How should you approach a group policy implementation in your environment? This section covers some of the best practices related to implementing group policy. I The fewer, the better Keep the number of policies deﬁned as small as possible. Since each user policy the user encounters must be processed at logon, you can keep user logon delays to a minimum by reducing the number of user policies. In addition, a smaller number of policy objects means fewer places for you to look for problems or conﬂicts when troubleshooting group policy issues. Computer policies are processed at boot time, so reducing the number of these will speed the boot process of the computer. I Avoid conﬂicting policies whenever possible Although you can set up a lower-level policy to override a higher-level one, you should avoid doing this unless necessary. Again, simplicity should be the rule. I Filter out unnecessary settings If you set up a policy object that only contains user policy settings, set the properties on the object so that only the user conﬁguration portion is processed.This will help cut down on unnecessary processing time. I Avoid nonstandard group policy processing whenever possible Even though you can use Block Policy Inheritance, No Override, and loopback processing options, you should only do so for special cases. Because each of these options alters the standard way in which policy is applied, they can cause confusion when attempting to troubleshoot policy problems. I Keep policy objects contained within the domain It is possible to link a container to a GPO that resides in another domain, but it is unwise to do so. Pulling a GPO from a different domain slows the processing of policy settings at logon time. I Use WMI ﬁlters sparingly This suggestion relates to processing time.The more WMI ﬁlters there are to process, the longer it takes to apply policy at logon. I Keep policy object names unique If you name each policy object to describe its function, this should not be a difﬁcult practice to adopt. Even though the directory can support multiple GPOs with the same name, it could get very, very confusing for you when trying to troubleshoot a policy problem. I Link policies to a container only once You can link the same GPO to a container more than once, but you shouldn’t.The system will attempt to process each policy linked to a container, and even if there are different options set on each instance of the policy link, it can still yield unexpected results.
Working with Group Policy in an Active Directory Environment • Chapter 17 595 Troubleshooting Group Policy Even the most experienced system administrator is going to encounter times when he or she has misapplied policy or inadvertently created a policy conﬂict where it was not expected. Fear not, however, because our good friend Resultant Set of Policy and its sidekick, gpresult.exe, can help us out of these jams. Along with a few guidelines, these tools can help you resolve even the stickiest policy problems. The ﬁrst step in troubleshooting policy problems is mapping. Ideally, when you ﬁrst start devel- oping a plan for group policy, you will map out policy settings as they apply to your Active Directory environment. Not only will a policy map help you to understand how policy settings will impact the network during planning, but an up-to-date map can help you know where to go looking for problems when they occur. If you do not have a policy map, you should draw one up before you get too far into your troubleshooting process. It might take some extra time up front, but it can save you time and headaches later. Figure 17.22 shows a sample policy map drawn up based on information used in the examples in this chapter.The diagram was created in Visio, but you can use any diagramming tool (including a pencil and paper) that will help you understand the layout of your policy settings. In the diagram, solid lines indicate a logical connection of Active Directory containers, speciﬁcally a domain and its associated OUs.The dashed lines indicate links between containers and GPOs.The policy object is located on the level where it is deﬁned. In Figure 17.22, the Manager Tools policy was created at the domain level, but because the policy was disabled at that level, it is not linked in the diagram. Figure 17.22 Viewing a Sample Policy Map Corporate Folder Redirection Policy Default Domain Manager Tools Policy Policy Accounting IT Marketing Sales Marketing Policy Accounting IT Manager IT Managers Marketing Sales Managers Policy Managers Managers Let’s walk through a couple of quick scenarios. A user whose user object is in the Marketing container will have group policy applied in the following order upon logon: Local Computer policy, Default Domain policy, Folder Redirection policy, and Marketing policy.