Lecture 11: Managing the network
Network Design & Administration

Group Policy Objects (GPO) [11]
• A GPO applies rights or limitations to all the AD objects in a container (or set of containers)
• A container may be a site, domain or organisation unit (OU) – GPOs are not directly applicable to groups!
• The aim of GPOs is to simplify management of the network by defining rules that apply to multiple users and/or machines

GPO Applicability [1]
• GPOs can control settings for software configuration, registry, security configuration, software installation and lots more!
• Hierarchy of GPOs: higher levels overrule lower
• Filtering (& delegation) can be applied to limit scope / customise
  • There are some cases where GPOs fail to apply – these can be tricky to debug
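Because the "tricky to debug" cases almost always come down to precedence, here is an added Python simulation of how conflicting settings are resolved; it is not Microsoft's code, and the site, domain, OU and GPO names in it are constructed. It implements the documented processing order (Local, Site, Domain, OU): a link on a lower container is applied later and so normally wins a conflict; a higher-level link overrules the lower ones only when it is marked Enforced; Block Inheritance on an OU drops the non-enforced links from above; and security filtering (the "filtering" on this slide, which is how groups come into play even though a GPO cannot be linked to a group) is modelled as a set of groups the GPO is filtered to.

```python
"""Simulate how Group Policy precedence resolves conflicting settings.

Added example (not Microsoft code).  Containers are processed in the
documented Local, Site, Domain, OU order; a link applied later overwrites
an earlier one, so a lower container normally wins.  A higher container
overrules a lower one only through an Enforced link, and Block
Inheritance on an OU discards every non-enforced link from above.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Gpo:
    name: str
    settings: Dict[str, str]
    filter_groups: Optional[Set[str]] = None  # None: applies to Authenticated Users


@dataclass
class Link:
    gpo: Gpo
    enforced: bool = False


@dataclass
class Container:
    name: str
    links: List[Link] = field(default_factory=list)  # link order 1 first (highest precedence)
    block_inheritance: bool = False


def resolve(chain: List[Container], groups: Set[str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (effective settings, winning GPO per setting) for one principal.

    `chain` runs from the outermost container (site) down to the OU holding
    the principal; `groups` are the principal's groups for security filtering.
    """
    normal: List[Link] = []
    enforced: List[Link] = []
    for container in chain:
        if container.block_inheritance:
            normal = []  # inherited non-enforced links are dropped; enforced links survive
        # Lowest-precedence link first, so link order 1 is applied last within the container.
        for link in reversed(container.links):
            (enforced if link.enforced else normal).append(link)
    # Non-enforced links apply top-down, then enforced links bottom-up, so an
    # Enforced link on the domain beats an Enforced link on a child OU.
    order = normal + list(reversed(enforced))
    effective: Dict[str, str] = {}
    winner: Dict[str, str] = {}
    for link in order:
        gpo = link.gpo
        if gpo.filter_groups is not None and not (gpo.filter_groups & groups):
            continue  # filtered out: the principal is in none of the permitted groups
        for key, value in gpo.settings.items():
            effective[key] = value
            winner[key] = gpo.name
    return effective, winner


def build_sample() -> List[Container]:
    """Constructed site -> domain -> OU -> sub-OU chain (names and settings are made up)."""
    site = Container("Site: Campus", [Link(Gpo("Site Baseline", {"ScreenSaverTimeout": "900"}))])
    domain = Container("Domain: corp.example", [
        Link(Gpo("Domain Password Policy", {"MinimumPasswordLength": "12"}), enforced=True),
        Link(Gpo("Domain Default", {"ScreenSaverTimeout": "600", "DisableUsbStor": "no"})),
    ])
    workstations = Container("OU: Workstations", [
        Link(Gpo("Workstation Lockdown", {"DisableUsbStor": "yes", "ScreenSaverTimeout": "300"})),
    ], block_inheritance=True)
    lab = Container("OU: Lab", [
        Link(Gpo("Lab Override", {"ScreenSaverTimeout": "1200"}), enforced=True),
        Link(Gpo("Kiosk Shell", {"Shell": "kiosk.exe"}, filter_groups={"Kiosk Users"})),
    ])
    return [site, domain, workstations, lab]


if __name__ == "__main__":
    settings, winners = resolve(build_sample(), {"Domain Users"})
    for key in sorted(settings):
        print(f"{key} = {settings[key]}   (from {winners[key]})")
```

Running it shows the three reasons a setting "fails to apply": the site's screensaver timeout never arrives because the Workstations OU blocks inheritance, the Domain Default USB setting loses to the OU link below it, and the Kiosk Shell setting is absent for a user who is not in the filtered group. The only way a higher container wins here is the Enforced domain password policy.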

Who is allowed to set them?
• The relevant predefined Active Directory GLOBAL groups are:
  • Domain Admins
  • Enterprise Admins (only appear in the Forest root domain)
  • Group Policy Creator Owners (by default, the domain admin account is a member of this group)
• However, by default, predefined AD groups only get rights/permissions when added to domain local groups

Who is allowed to set them?
• Every AD domain has a Builtin container, where it creates security groups with domain local scope.
  • These have the relevant rights and permissions
• The most important group here is Administrators – by default, the global Enterprise Admins and Domain Admins groups are added to it
• Administrators have a large set of RIGHTS by default, though these may be delegated to others

Group Policy Management
• There can be lots of GPOs within a domain!
• The Group Policy Management console provides you with a way to manage these GPOs.
• Provides access to the Group Policy Editor, where individual policy objects can be created and edited.
• Provides access to Administrative Templates (.adm), which describe where registry-based group policy settings are stored, and are used to change settings on GPOs

Group Policy Management Console
[Screenshot of the Group Policy Management Console, with two callouts:]
• "This is for checking effects"
• "Cannot edit from here. Just right-click the selected policy, and the GP editor comes up"

Administrative Templates
• There are a number of built-in administrative templates:
  • system.adm
  • inetres.adm
  • wmplayer.adm
  • conf.adm
  • wuau.adm
• Each of these files contains many individual policy descriptions, and where they are stored in the Registry
• If an admin wants to add NEW policies, Microsoft recommends creating custom .adm files rather than modifying these

Example Policies in .adm
System.adm:
  Enable disk quotas
  Enforce disk quota limit
  Default quota limit and warning level
  Log event when quota limit exceeded
  Log event when quota warning level exceeded
inetres.adm:
  Scripting of Java applets
  Logon options
  Run .NET Framework-reliant components signed with Authenticode
  Run .NET Framework-reliant components not signed with Authenticode
  Download signed ActiveX controls
  Download unsigned ActiveX controls
wuau.adm:
  Configure Automatic Updates
  Specify intranet Microsoft update service location
  Enable client-side targeting
  Reschedule Automatic Updates scheduled installations
  No auto-restart for scheduled Automatic Updates installations

Security Policies (secpol.msc)
Password policy:
  Enforce password history
  Maximum password age
  Minimum password age
  Minimum password length
  Password must meet complexity requirements
  Store passwords using reversible encryption for all users in the domain !!
Account lockout policy:
  Account lockout duration
  Account lockout threshold
  Reset lockout counter after
Kerberos policy:
  Maximum lifetime for service ticket
  Maximum lifetime for user ticket
  Maximum lifetime for user ticket renewal
Audit policy:
  Audit account logon events
  Audit account management
  Audit logon events
  Audit policy change
  Audit system events
Security options:
  Interactive logon: Require smart card
  Interactive logon: Smart card removal behavior
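The password and lockout settings above can be checked from a workstation or DC without opening secpol.msc: `secedit /export /cfg <file>` writes them to an INI-style file whose [System Access] section carries them under fixed names (MinimumPasswordLength, PasswordComplexity, ClearTextPassword for the reversible-encryption setting, LockoutBadCount for the lockout threshold, and so on). The following Python checker is an added example, not Microsoft's code or part of this lecture: the export text it parses is constructed to look like such a file, and the thresholds it applies are the author's own choices rather than a Microsoft baseline.

```python
"""Audit the password and lockout settings in a secedit export.

Added example (not Microsoft code).  `secedit /export /cfg policy.inf`
writes the Account Policies into a [System Access] section; this script
parses that section and flags weak values.  SAMPLE_EXPORT is constructed
to resemble such an export and the thresholds are the author's choices.
"""
import configparser
from typing import Dict, List, Tuple, Union

Value = Union[int, str]

SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 3
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ClearTextPassword = 1
NewAdministratorName = "Administrator"
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Thresholds used by audit(); chosen for this example, not a Microsoft baseline.
MIN_LENGTH = 8
MIN_HISTORY = 10
MAX_LOCKOUT_THRESHOLD = 10


def _value(raw: str) -> Value:
    raw = raw.strip()
    try:
        return int(raw)
    except ValueError:
        return raw.strip('"')  # names such as NewAdministratorName are quoted strings


def parse_export(text: str) -> Dict[str, Value]:
    """Return the [System Access] settings of an export as a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case of the setting names
    cp.read_string(text)
    return {name: _value(raw) for name, raw in cp["System Access"].items()}


def load_export(path: str) -> Dict[str, Value]:
    """secedit writes its export as UTF-16; decode it before parsing."""
    with open(path, encoding="utf-16") as fh:
        return parse_export(fh.read())


def audit(policy: Dict[str, Value]) -> List[Tuple[str, str]]:
    """Return (setting, finding) pairs for weak Account Policies values."""
    findings: List[Tuple[str, str]] = []
    length = policy.get("MinimumPasswordLength", 0)
    if length < MIN_LENGTH:
        findings.append(("MinimumPasswordLength", f"{length} is below {MIN_LENGTH}"))
    if policy.get("PasswordComplexity", 0) != 1:
        findings.append(("PasswordComplexity", "complexity requirement is off"))
    history = policy.get("PasswordHistorySize", 0)
    if history < MIN_HISTORY:
        findings.append(("PasswordHistorySize", f"only {history} old passwords remembered"))
    if policy.get("MaximumPasswordAge", 0) == -1:
        findings.append(("MaximumPasswordAge", "passwords never expire"))
    if policy.get("ClearTextPassword", 0) == 1:
        findings.append(("ClearTextPassword", "passwords stored with reversible encryption"))
    lockout = policy.get("LockoutBadCount", 0)
    if lockout == 0:
        findings.append(("LockoutBadCount", "no account lockout: unlimited password guesses"))
    elif lockout > MAX_LOCKOUT_THRESHOLD:
        findings.append(("LockoutBadCount", f"threshold {lockout} allows many guesses per window"))
    return findings


if __name__ == "__main__":
    for setting, finding in audit(parse_export(SAMPLE_EXPORT)):
        print(f"{setting}: {finding}")
```

The two findings worth the most attention are the ones this slide marks out: ClearTextPassword = 1 is the "reversible encryption" setting flagged with "!!", and LockoutBadCount = 0 means no lockout at all, which is the condition the Twitter case on the next slides turns on.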

Effect of not using GPO for accounts [4],[5],[6]
• In January 2009, a hacker gained access to a Twitter employee’s administrative account and was able to use the admin tools to reset passwords on other users’ accounts. Then these passwords for the accounts of a number of celebrities (including Barack Obama) were published on a hackers’ forum. Subsequently posts were made on those accounts by unauthorized persons. Twitter did not use account lockout policies to prevent a hacker from utilizing dictionary attacks.
• Miley Cyrus had her Twitter account suspended temporarily after it was hacked into and offensive messages posted.

"It appears that Miley didn't learn the lesson last year and hasn't been taking enough care over her password security to avoid the same fate, other users should make sure they choose strong passwords that can't be easily cracked, and Twitter itself should play a key part in enforcing this."

In the case of the hacked Twitter employee, the combination of a weak password, "happiness," and Twitter's lax security regarding repeated login attempts made it fairly simple for the hacker to gain entry. Twitter has not indicated that it has fixed this vulnerability by limiting the number of password attempts.

And to follow on from this [7]
“… I started wondering how vulnerable other sites might be to this type of attack. … I went looking at some of the sites that I frequent and found that many of them don’t have any restrictions on authentication attempts…
And how hard would it really be to create such a script to attempt a brute force attack like the one that was used by the hacker? Well… How about four simple lines of code attached to a very large dictionary database:”

Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
WinHttpReq.Open "POST", "http://www.domain.com/login", false
WinHttpReq.SetRequestHeader "Content-Type","application/x-www-form-urlencoded"
WinHttpReq.Send("login=Chris&password=Pa$$w0rd")

“I tested this script against a site that I frequent and it worked as expected. So, I guess it’s not that hard to perform such an attack. Now it seems the question isn’t how did this happen to Twitter, but why doesn’t this happen every day?”
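The defensive side of these two slides is the Account lockout policy from secpol.msc: threshold, duration and the counter reset interval. The Python below is an added example, not Twitter's or Microsoft's code and not from the quoted blog; it replays a constructed stream of logon attempts (a legitimate user who mistypes twice, and a dictionary run that reaches the right password on its ninth guess) against a policy with no lockout and against a threshold of five, and adds the alerting rule an administrator would put on the failed-logon audit events the slide before lists. Account names and times are made up.

```python
"""Replay authentication attempts against an account lockout policy.

Added example, not Twitter's or Microsoft's code.  The three settings are
the Account lockout policy entries: lockout threshold, lockout duration
and the interval after which the bad-password counter resets.  The
attempt stream is constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    threshold: int          # Account lockout threshold (0 = accounts never lock out)
    duration: timedelta     # Account lockout duration
    reset_after: timedelta  # Reset account lockout counter after


@dataclass
class Attempt:
    when: datetime
    user: str
    correct: bool           # whether the submitted password was the right one


@dataclass
class AccountState:
    bad_count: int = 0
    first_bad: Optional[datetime] = None
    locked_until: Optional[datetime] = None
    evaluated: int = 0      # attempts whose password was actually checked
    blocked: int = 0        # attempts refused while locked, password never checked
    succeeded: bool = False


def simulate(policy: LockoutPolicy, attempts: List[Attempt]) -> Dict[str, AccountState]:
    """Apply the lockout policy to every attempt, in time order, per account."""
    accounts: Dict[str, AccountState] = {}
    for a in sorted(attempts, key=lambda x: x.when):
        st = accounts.setdefault(a.user, AccountState())
        if st.locked_until is not None and a.when < st.locked_until:
            st.blocked += 1  # locked: refuse without evaluating the password
            continue
        st.evaluated += 1
        if a.correct:
            st.succeeded = True
            st.bad_count, st.first_bad = 0, None
            continue
        # Wrong password: the counter restarts once reset_after has passed since the first failure.
        if st.first_bad is None or a.when - st.first_bad > policy.reset_after:
            st.bad_count, st.first_bad = 0, a.when
        st.bad_count += 1
        if policy.threshold and st.bad_count >= policy.threshold:
            st.locked_until = a.when + policy.duration
            st.bad_count, st.first_bad = 0, None
    return accounts


def failed_logon_bursts(attempts: List[Attempt], window_seconds: int = 60, limit: int = 5) -> Dict[str, int]:
    """Detection rule: users with at least `limit` failures inside any `window_seconds` span."""
    failures: Dict[str, List[datetime]] = {}
    for a in sorted(attempts, key=lambda x: x.when):
        if not a.correct:
            failures.setdefault(a.user, []).append(a.when)
    window = timedelta(seconds=window_seconds)
    flagged: Dict[str, int] = {}
    for user, times in failures.items():
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= limit:
            flagged[user] = peak
    return flagged


def no_lockout_policy() -> LockoutPolicy:
    """Threshold 0: every guess is evaluated and nothing ever locks."""
    return LockoutPolicy(0, timedelta(minutes=30), timedelta(minutes=30))


def strict_policy() -> LockoutPolicy:
    """Constructed policy: 5 bad passwords inside 30 minutes lock the account for 30 minutes."""
    return LockoutPolicy(5, timedelta(minutes=30), timedelta(minutes=30))


def build_attempts() -> List[Attempt]:
    """Constructed event stream (names and times are made up)."""
    t0 = datetime(2009, 1, 5, 9, 0, 0)
    stream = [Attempt(t0 + timedelta(minutes=m), "alice", ok)
              for m, ok in ((0, False), (1, False), (2, True))]
    # Dictionary run against a constructed admin account: eight misses one second apart, then a hit.
    stream += [Attempt(t0 + timedelta(seconds=i), "svc-admin", i == 8) for i in range(9)]
    return stream


if __name__ == "__main__":
    for label, policy in (("no lockout", no_lockout_policy()), ("threshold 5", strict_policy())):
        for user, st in simulate(policy, build_attempts()).items():
            print(f"{label:12} {user:10} evaluated={st.evaluated} blocked={st.blocked} succeeded={st.succeeded}")
    print("burst alerts:", failed_logon_bursts(build_attempts()))
```

With threshold 0 the dictionary run is evaluated to completion and succeeds on the ninth guess; with threshold 5 only five passwords are ever checked and the correct one is refused unseen, while the legitimate user's two typos stay well under the threshold. One simplification: in Windows a lockout duration of 0 means "until an administrator unlocks the account", which this model does not represent.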

Example security issue helped by GPO [8]
• A particular problem is the need to disable USB sticks and other removable media in secure installations
• Can set up a custom .adm to include this, and apply it via GPO to a group of workstations
• Disables various drivers
• A lot better than gluing up the USB ports!
• Vista/7 include extensions to Group Policy to make this easier (Removable Storage Management) BUT also include approx. 800 other new policy settings
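To make concrete what an Administrative Template actually describes (the registry key, value name and Enabled/Disabled data behind each policy, as on the Administrative Templates slide) and how a custom .adm of the kind this slide mentions is laid out, here is an added Python parser for the classic .adm syntax. It is not Microsoft's code and not the template from reference [8]; the template text is constructed for this example and assumes the commonly documented approach of setting the UsbStor service's Start value to 4 (disabled), which is the "disables various drivers" effect described above.

```python
"""Parse a classic .adm administrative template and show what a policy writes.

Added example: not Microsoft's code and not the template from reference [8].
It covers the .adm subset used by simple registry policies (CLASS, CATEGORY,
POLICY, KEYNAME, VALUENAME, VALUEON/VALUEOFF, EXPLAIN and the [strings]
table); SAMPLE_ADM is constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

Value = Union[int, str]

SAMPLE_ADM = r"""
; Constructed custom template. Assumption: UsbStor Start=4 disables the USB storage driver.
CLASS MACHINE
CATEGORY !!RemovableStorage
  POLICY !!DisableUsbStor
    KEYNAME "SYSTEM\CurrentControlSet\Services\UsbStor"
    EXPLAIN !!DisableUsbStor_Explain
    VALUENAME "Start"
    VALUEON NUMERIC 4
    VALUEOFF NUMERIC 3
  END POLICY
END CATEGORY

[strings]
RemovableStorage="Removable Storage (custom)"
DisableUsbStor="Disable USB storage driver"
DisableUsbStor_Explain="Sets the UsbStor service start type to 4 (disabled)."
"""


@dataclass
class AdmPolicy:
    name: str
    hive: str          # CLASS MACHINE -> HKEY_LOCAL_MACHINE, CLASS USER -> HKEY_CURRENT_USER
    category: str
    key: str = ""
    value_name: str = ""
    value_on: Optional[Value] = None
    value_off: Optional[Value] = None
    explain: str = ""


def _unquote(text: str) -> str:
    text = text.strip()
    return text[1:-1] if len(text) >= 2 and text[0] == text[-1] == '"' else text


def _parse_data(rest: str) -> Value:
    kind, _, data = rest.partition(" ")  # 'NUMERIC 4' -> 4; a quoted string stays a string
    return int(data) if kind.upper() == "NUMERIC" else _unquote(rest)


def parse_adm(text: str) -> List[AdmPolicy]:
    """Return every POLICY in the template with its !!string references resolved."""
    strings: Dict[str, str] = {}
    body: List[str] = []
    in_strings = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.lower() == "[strings]":
            in_strings = True
        elif in_strings:
            name, _, value = line.partition("=")
            strings[name.strip()] = _unquote(value)
        else:
            body.append(line)

    def resolve(token: str) -> str:  # "!!Name" is a lookup in the [strings] table
        token = _unquote(token)
        return strings.get(token[2:], token[2:]) if token.startswith("!!") else token

    policies: List[AdmPolicy] = []
    categories: List[str] = []
    hive, current = "", None
    for line in body:
        parts = line.split(None, 1)
        keyword, rest = parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")
        if keyword == "CLASS":
            hive = "HKEY_LOCAL_MACHINE" if rest.upper() == "MACHINE" else "HKEY_CURRENT_USER"
        elif keyword == "CATEGORY":
            categories.append(resolve(rest))
        elif keyword == "POLICY":
            current = AdmPolicy(resolve(rest), hive, "/".join(categories))
        elif keyword == "END" and rest.upper() == "CATEGORY":
            categories.pop()
        elif keyword == "END" and rest.upper() == "POLICY" and current is not None:
            policies.append(current)
            current = None
        elif current is not None and keyword in ("KEYNAME", "VALUENAME"):
            setattr(current, "key" if keyword == "KEYNAME" else "value_name", _unquote(rest))
        elif current is not None and keyword == "EXPLAIN":
            current.explain = resolve(rest)
        elif current is not None and keyword in ("VALUEON", "VALUEOFF"):
            setattr(current, "value_on" if keyword == "VALUEON" else "value_off", _parse_data(rest))
    return policies


def registry_effect(policy: AdmPolicy, enabled: bool) -> Tuple[str, str, Optional[Value]]:
    """(full key path, value name, data) that Enabling or Disabling the policy writes."""
    return (policy.hive + "\\" + policy.key, policy.value_name,
            policy.value_on if enabled else policy.value_off)
```

Running `parse_adm(SAMPLE_ADM)` and `registry_effect(policy, True)` on the result gives the key path, value name and data the policy writes when Enabled, which is exactly the mapping an .adm exists to describe; the same parser reads the built-in system.adm, inetres.adm and wuau.adm entries listed earlier, apart from directives outside the subset named in the docstring.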

Other Issues with GPOs
• For Server 2003 and XP, they run in winlogon and then update on an irregular time basis
• For Vista, they have their own “hardened” service which cannot be stopped
• .adm files are added to sysvol every time a new GPO is created – this can lead to lots of copied files around the system, and replication traffic overhead
• Some of the GPOs have to be considered as merely obscuration rather than security, since users may be able to use other programs to get around them, e.g. for editing Registry settings

Managing Software on the Network [10],[11]
• GPOs allow admins to specify which .msi packages are to be assigned or published
• Assignment can be user or computer associated, whereas publishing is necessarily linked only to users (a user has to do something to install it)
• A GPO can also define how upgrade/removal is handled

Assign vs. Publish
• Published software is available in the Add/Remove Programs applet, but the user has to decide whether to install it
• Assigned to User means the icon for the app is on the desktop (“advertised”) – activation, or opening an associated document for the 1st time, will trigger the install
• Assigned to Computer means the software is already installed before the user even logs on

Why .msi?
• Contains useful info about the structure of the program
• So it can “self heal” if files are accidentally deleted
• The installer creates a system restore point before installing – so it reverts automatically if the install goes wrong
• Has sophisticated options for various methods of installation (especially for big programs and slow links) to install only some bits of large packages (e.g. Office) immediately
• Can be constructed using WiX (Microsoft Installer Toolkit) – has a large learning curve

How to set up and use [12]
• Create Software Distribution Points (SDP) – shared network folders with NTFS Read/Execute permissions for the users
• Create a GPO for software deployment (and associate it with the chosen domain/site/OU)
• Configure software deployment properties for the GPO – location of the SDP, default handling of new packages etc.
• Add the installation packages to the GPO (indicating whether each is to be published or assigned)
• Configure each installation package’s properties – e.g.
  • Auto-Install This Application By File Extension Activation
  • Uninstall This Application When It Falls Out Of The Scope Of Management

Some snags…
• No licence control is performed – so Published software had better be on a site licence!
• Need to plan carefully how to structure the software, e.g. common packages to be assigned to computers, specific ones to be assigned to different user groups etc., otherwise you might have too many GPOs to manage
• If users need admin privilege to install, that is risky! Can configure the installer to “always install elevated”, but this also poses a security risk.

Microsoft Software Licensing
• Needs care in Windows networks
• Need to consider whether Per User or Per Device is the most cost-effective way.
• (Also might need to buy additional Client Access Licences for Remote Desktop Services if remote users log in to a server)
• Each Server 2008 computer runs a Licence Logging service, which keeps track.
  • The information is replicated to a Site Licence Server
• Can maintain licence information for file, print services, IIS, RDS, Exchange, SQL Server etc.

Process to maintain licences
• Identify the Site Licence Server (normally the first domain controller in a site)
• Administer licences using Licensing in Administrative Tools
• To add new licences, select New License, and specify the number added
• Alternatively, use a 3rd-party tool that can also handle other licences, e.g. volume
• Monitor licence status regularly

Next time & References
• Next time: PowerShell Scripting

References
[1] http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx
[2] MOAC 70-290 Ch 7
[3] http://www.windowsecurity.com/articles/Group-Policy-Management-Console.html
[4] http://www.windowsecurity.com/articles/Social-Networking-Latest-Greatest-Business-Tool-Security-Nightmare.html
[5] http://www.toptechnews.com/story.xhtml?story_id=030002OA8BWI
[6] http://digital.asiaone.com/Digital/News/Story/A1Story20090218-122815.html
[7] http://www.dscoduc.com/post/2009/01/08/Brute-Force-Password-Hacking.aspx
[8] http://support.microsoft.com/kb/555324
[10] MOAC 70-270 Ch 9
[11] http://technet.microsoft.com/en-us/library/cc782152.aspx
[12] http://www.tech-faq.com/deploying-software-through-group-policy.shtml

Mais conteúdo relacionado

Mais procurados

Cloud Computing Conf 1209
Cloud Computing Conf 1209Cloud Computing Conf 1209
Cloud Computing Conf 1209mandeepdhami
 
SUSE Linux Enterprise Server for System z SP1
SUSE Linux Enterprise Server  for System z SP1 SUSE Linux Enterprise Server  for System z SP1
SUSE Linux Enterprise Server for System z SP1 Novell
 
Nov 2014 2 blu pointe continuity cloudrar-master
Nov 2014 2 blu pointe continuity cloudrar-master Nov 2014 2 blu pointe continuity cloudrar-master
Nov 2014 2 blu pointe continuity cloudrar-master Ron_Roberts
 
Microsoft Days 09 Windows 2008 Security
Microsoft Days 09 Windows 2008 SecurityMicrosoft Days 09 Windows 2008 Security
Microsoft Days 09 Windows 2008 Securitydkaya
 
Deploying Windows Vista Service Pack 1
Deploying Windows Vista Service Pack 1Deploying Windows Vista Service Pack 1
Deploying Windows Vista Service Pack 1Microsoft TechNet
 
All About Virtualization
All About VirtualizationAll About Virtualization
All About VirtualizationEMC
 
Imran Zahid Hussain Dalvi
Imran Zahid Hussain DalviImran Zahid Hussain Dalvi
Imran Zahid Hussain DalviImran Dalvi
 
Got Problems? Let's Do a Health Check
Got Problems? Let's Do a Health CheckGot Problems? Let's Do a Health Check
Got Problems? Let's Do a Health CheckLuis Guirigay
 
BP103 - Got Problems? Let's Do a Health Check
BP103 - Got Problems? Let's Do a Health CheckBP103 - Got Problems? Let's Do a Health Check
BP103 - Got Problems? Let's Do a Health CheckLuis Guirigay
 
Run Book Automation with PlateSpin Orchestrate
Run Book Automation with PlateSpin OrchestrateRun Book Automation with PlateSpin Orchestrate
Run Book Automation with PlateSpin OrchestrateNovell
 
Implementing and Proving Compliance Tactics with Novell Compliance Management...
Implementing and Proving Compliance Tactics with Novell Compliance Management...Implementing and Proving Compliance Tactics with Novell Compliance Management...
Implementing and Proving Compliance Tactics with Novell Compliance Management...Novell
 
SolarWinds IPAM vs MS Win Server 2012
SolarWinds IPAM vs MS Win Server 2012SolarWinds IPAM vs MS Win Server 2012
SolarWinds IPAM vs MS Win Server 2012SolarWinds
 

Mais procurados (16)

Cloud Computing Conf 1209
Cloud Computing Conf 1209Cloud Computing Conf 1209
Cloud Computing Conf 1209
 
SUSE Linux Enterprise Server for System z SP1
SUSE Linux Enterprise Server  for System z SP1 SUSE Linux Enterprise Server  for System z SP1
SUSE Linux Enterprise Server for System z SP1
 
Manage your enterprise with System Center
Manage your enterprise with System CenterManage your enterprise with System Center
Manage your enterprise with System Center
 
Best of Microsoft Management Summit 2012
Best of Microsoft Management Summit 2012Best of Microsoft Management Summit 2012
Best of Microsoft Management Summit 2012
 
Should You Consider Virtual Desktops
Should You Consider Virtual DesktopsShould You Consider Virtual Desktops
Should You Consider Virtual Desktops
 
Nov 2014 2 blu pointe continuity cloudrar-master
Nov 2014 2 blu pointe continuity cloudrar-master Nov 2014 2 blu pointe continuity cloudrar-master
Nov 2014 2 blu pointe continuity cloudrar-master
 
Microsoft Days 09 Windows 2008 Security
Microsoft Days 09 Windows 2008 SecurityMicrosoft Days 09 Windows 2008 Security
Microsoft Days 09 Windows 2008 Security
 
Deploying Windows Vista Service Pack 1
Deploying Windows Vista Service Pack 1Deploying Windows Vista Service Pack 1
Deploying Windows Vista Service Pack 1
 
All About Virtualization
All About VirtualizationAll About Virtualization
All About Virtualization
 
Imran Zahid Hussain Dalvi
Imran Zahid Hussain DalviImran Zahid Hussain Dalvi
Imran Zahid Hussain Dalvi
 
Got Problems? Let's Do a Health Check
Got Problems? Let's Do a Health CheckGot Problems? Let's Do a Health Check
Got Problems? Let's Do a Health Check
 
BP103 - Got Problems? Let's Do a Health Check
BP103 - Got Problems? Let's Do a Health CheckBP103 - Got Problems? Let's Do a Health Check
BP103 - Got Problems? Let's Do a Health Check
 
Run Book Automation with PlateSpin Orchestrate
Run Book Automation with PlateSpin OrchestrateRun Book Automation with PlateSpin Orchestrate
Run Book Automation with PlateSpin Orchestrate
 
Implementing and Proving Compliance Tactics with Novell Compliance Management...
Implementing and Proving Compliance Tactics with Novell Compliance Management...Implementing and Proving Compliance Tactics with Novell Compliance Management...
Implementing and Proving Compliance Tactics with Novell Compliance Management...
 
Lecture 4 client workstations
Lecture 4   client workstationsLecture 4   client workstations
Lecture 4 client workstations
 
SolarWinds IPAM vs MS Win Server 2012
SolarWinds IPAM vs MS Win Server 2012SolarWinds IPAM vs MS Win Server 2012
SolarWinds IPAM vs MS Win Server 2012
 

Semelhante a Lecture 11 managing the network

Microsoft Offical Course 20410C_12
Microsoft Offical Course 20410C_12Microsoft Offical Course 20410C_12
Microsoft Offical Course 20410C_12gameaxt
 
Lecture 7 naming and structuring objects
Lecture 7   naming and structuring objectsLecture 7   naming and structuring objects
Lecture 7 naming and structuring objectsWiliam Ferraciolli
 
Digital Rights Management One For Sharepoint
Digital Rights Management One For SharepointDigital Rights Management One For Sharepoint
Digital Rights Management One For Sharepointpabatan
 
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQLKangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQLKangaroot
 
Webinar: Best Practices for Securing and Protecting MongoDB Data
Webinar: Best Practices for Securing and Protecting MongoDB DataWebinar: Best Practices for Securing and Protecting MongoDB Data
Webinar: Best Practices for Securing and Protecting MongoDB DataMongoDB
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB DeploymentMongoDB
 
Application hardening, Secure Socket Layer(SSL) & Secure Electronic Transacti...
Application hardening, Secure Socket Layer(SSL) & Secure Electronic Transacti...Application hardening, Secure Socket Layer(SSL) & Secure Electronic Transacti...
Application hardening, Secure Socket Layer(SSL) & Secure Electronic Transacti...Jayesh Naik
 
Application hardening
Application hardeningApplication hardening
Application hardeningJayesh Naik
 
Environment Manager Policy
Environment Manager PolicyEnvironment Manager Policy
Environment Manager PolicyIvanti
 
Deployment Download and Policy Workstream Update - Gábor Pécsy, Nokia
Deployment Download and Policy Workstream Update - Gábor Pécsy, NokiaDeployment Download and Policy Workstream Update - Gábor Pécsy, Nokia
Deployment Download and Policy Workstream Update - Gábor Pécsy, Nokiamfrancis
 
Arcelor Mittal intern
Arcelor Mittal internArcelor Mittal intern
Arcelor Mittal internAnshul Jain
 
Securing the Data Hub--Protecting your Customer IP (Technical Workshop)
Securing the Data Hub--Protecting your Customer IP (Technical Workshop)Securing the Data Hub--Protecting your Customer IP (Technical Workshop)
Securing the Data Hub--Protecting your Customer IP (Technical Workshop)Cloudera, Inc.
 
Admin Features Upgraded in Cognos 11.1
Admin Features Upgraded in Cognos 11.1Admin Features Upgraded in Cognos 11.1
Admin Features Upgraded in Cognos 11.1Senturus
 
Introduction to the IBM Java Tools
Introduction to the IBM Java ToolsIntroduction to the IBM Java Tools
Introduction to the IBM Java ToolsChris Bailey
 
Lecture 10 the user experience
Lecture 10   the user experienceLecture 10   the user experience
Lecture 10 the user experienceWiliam Ferraciolli
 
Lecture 10 the user experience (1)
Lecture 10   the user experience (1)Lecture 10   the user experience (1)
Lecture 10 the user experience (1)Wiliam Ferraciolli
 
Say Goodbye to Legacy Network File Shares with Amazon WorkDocs Drive (BAP208)...
Say Goodbye to Legacy Network File Shares with Amazon WorkDocs Drive (BAP208)...Say Goodbye to Legacy Network File Shares with Amazon WorkDocs Drive (BAP208)...
Say Goodbye to Legacy Network File Shares with Amazon WorkDocs Drive (BAP208)...Amazon Web Services
 

Semelhante a Lecture 11 managing the network (20)

Microsoft Offical Course 20410C_12
Microsoft Offical Course 20410C_12Microsoft Offical Course 20410C_12
Microsoft Offical Course 20410C_12
 
Lecture 7 naming and structuring objects
Lecture 7   naming and structuring objectsLecture 7   naming and structuring objects
Lecture 7 naming and structuring objects
 
Digital Rights Management One For Sharepoint
Digital Rights Management One For SharepointDigital Rights Management One For Sharepoint
Digital Rights Management One For Sharepoint
 
Unit-II-part 3.pdf
Unit-II-part 3.pdfUnit-II-part 3.pdf
Unit-II-part 3.pdf
 
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQLKangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
 
Webinar: Best Practices for Securing and Protecting MongoDB Data
Webinar: Best Practices for Securing and Protecting MongoDB DataWebinar: Best Practices for Securing and Protecting MongoDB Data
Webinar: Best Practices for Securing and Protecting MongoDB Data
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB Deployment
 
Application hardening, Secure Socket Layer(SSL) & Secure Electronic Transacti...
Application hardening, Secure Socket Layer(SSL) & Secure Electronic Transacti...Application hardening, Secure Socket Layer(SSL) & Secure Electronic Transacti...
Application hardening, Secure Socket Layer(SSL) & Secure Electronic Transacti...
 
Application hardening
Application hardeningApplication hardening
Application hardening
 
Internet Explorer 8
Internet Explorer 8Internet Explorer 8
Internet Explorer 8
 
Environment Manager Policy
Environment Manager PolicyEnvironment Manager Policy
Environment Manager Policy
 
Deployment Download and Policy Workstream Update - Gábor Pécsy, Nokia
Deployment Download and Policy Workstream Update - Gábor Pécsy, NokiaDeployment Download and Policy Workstream Update - Gábor Pécsy, Nokia
Deployment Download and Policy Workstream Update - Gábor Pécsy, Nokia
 
Arcelor Mittal intern
Arcelor Mittal internArcelor Mittal intern
Arcelor Mittal intern
 
Securing the Data Hub--Protecting your Customer IP (Technical Workshop)
Securing the Data Hub--Protecting your Customer IP (Technical Workshop)Securing the Data Hub--Protecting your Customer IP (Technical Workshop)
Securing the Data Hub--Protecting your Customer IP (Technical Workshop)
 
Admin Features Upgraded in Cognos 11.1
Admin Features Upgraded in Cognos 11.1Admin Features Upgraded in Cognos 11.1
Admin Features Upgraded in Cognos 11.1
 
Introduction to the IBM Java Tools
Introduction to the IBM Java ToolsIntroduction to the IBM Java Tools
Introduction to the IBM Java Tools
 
Domain wide organisation policy
Domain wide organisation policyDomain wide organisation policy
Domain wide organisation policy
 
Lecture 10 the user experience
Lecture 10   the user experienceLecture 10   the user experience
Lecture 10 the user experience
 
Lecture 10 the user experience (1)
Lecture 10   the user experience (1)Lecture 10   the user experience (1)
Lecture 10 the user experience (1)
 
Say Goodbye to Legacy Network File Shares with Amazon WorkDocs Drive (BAP208)...
Say Goodbye to Legacy Network File Shares with Amazon WorkDocs Drive (BAP208)...Say Goodbye to Legacy Network File Shares with Amazon WorkDocs Drive (BAP208)...
Say Goodbye to Legacy Network File Shares with Amazon WorkDocs Drive (BAP208)...
 

Mais de Wiliam Ferraciolli (19)

Lecture 8 permissions
Lecture 8   permissionsLecture 8   permissions
Lecture 8 permissions
 
Lecture 5&6 corporate architecture
Lecture 5&6   corporate architectureLecture 5&6   corporate architecture
Lecture 5&6 corporate architecture
 
Lecture 2 servers and services
Lecture 2   servers and servicesLecture 2   servers and services
Lecture 2 servers and services
 
Lecture 1 introduction
Lecture 1   introductionLecture 1   introduction
Lecture 1 introduction
 
Lecture 13, 14 & 15 c# cmd let programming and scripting
Lecture 13, 14 & 15   c# cmd let programming and scriptingLecture 13, 14 & 15   c# cmd let programming and scripting
Lecture 13, 14 & 15 c# cmd let programming and scripting
 
Isys20261 lecture 14
Isys20261 lecture 14Isys20261 lecture 14
Isys20261 lecture 14
 
Isys20261 lecture 12
Isys20261 lecture 12Isys20261 lecture 12
Isys20261 lecture 12
 
Isys20261 lecture 11
Isys20261 lecture 11Isys20261 lecture 11
Isys20261 lecture 11
 
Isys20261 lecture 10
Isys20261 lecture 10Isys20261 lecture 10
Isys20261 lecture 10
 
Isys20261 lecture 09
Isys20261 lecture 09Isys20261 lecture 09
Isys20261 lecture 09
 
Isys20261 lecture 08
Isys20261 lecture 08Isys20261 lecture 08
Isys20261 lecture 08
 
Isys20261 lecture 07
Isys20261 lecture 07Isys20261 lecture 07
Isys20261 lecture 07
 
Isys20261 lecture 06
Isys20261 lecture 06Isys20261 lecture 06
Isys20261 lecture 06
 
Isys20261 lecture 05
Isys20261 lecture 05Isys20261 lecture 05
Isys20261 lecture 05
 
Isys20261 lecture 04
Isys20261 lecture 04Isys20261 lecture 04
Isys20261 lecture 04
 
Isys20261 lecture 03
Isys20261 lecture 03Isys20261 lecture 03
Isys20261 lecture 03
 
Isys20261 lecture 02
Isys20261 lecture 02Isys20261 lecture 02
Isys20261 lecture 02
 
Isys20261 lecture 01
Isys20261 lecture 01Isys20261 lecture 01
Isys20261 lecture 01
 
Isys20261 lecture 13
Isys20261 lecture 13Isys20261 lecture 13
Isys20261 lecture 13
 

Lecture 11 managing the network

  • 2. Group Policy Objects (GPO) [11] • A GPO applies rights or limitations to all the AD objects in a container (or set of containers) • A container may be a site, domain or organisation unit (OU) – GPO’s are not directly applicable to groups! • Aim of GPO’s is to simplify management of network with reference to rules that apply to multiple users and/or machines Network Design & Administration 2
  • 3. GPO Applicability[1] • GPO’s can control settings for software configuration, registry, security configuration, software installation and lots more! • Hierarchy of GPO’s: higher levels overrule lower Network Design & Administration • Filtering (& delegation) can be applied to limit scope/customise • Some cases where GPO’s fail to apply – can be tricky to debug 3
  • 4. Who is allowed to set them? • The relevant predefined Active Directory GLOBAL groups are: • Domain Admins • Enterprise Admins (only appear in Forest root Network Design & Administration domain) • Group Policy Creator Owners (by default, domain admin acct is member of this group) • However, by default, predefined AD groups only get rights/permissions when added to domain local groups 4
  • 5. Who is allowed to set them? • Every AD domain has a builtin container, where it creates security groups with domain local scope. • These have the relevant rights and permissions • Most important group here is Administrators – Network Design & Administration by default, the global Enterprise and Domain Admin groups are added to this • Admin have large set of RIGHTS by default, though these may be delegated to others 5
  • 6. Group Policy Management • There can be lots of GPO’s within a domain! • The Group Policy Management console provides you with a way to manage these GPO’s. • Provides access to the Group Policy Editor where Network Design & Administration individual policy objects can be created and edited. • Provides access to Administrative templates (.adm) which describe where registry-based group policy settings are stored, and are used to 6 change settings on GPO’s
  • 7. Group Policy Management Console Network Design & Administration This is for checking Cannot edit from effects here. Just right click selected 7 policy, and GP editor comes up
  • 8. Administrative Templates • There are a number of built-in administrative templates: • system.adm • inetres.adm • wmplayer.adm Network Design & Administration • conf.adm • wuau.adm • Each of these files contains many individual policy descriptions, and where they are stored in Registry • If an admin wants to add NEW policies, Microsoft recommend to create custom .adm files rather than 8 modify these
  • 9. Example Policies in .adm Enable disk quotas System.adm Enforce disk quota limit Default quota limit and warning level Log event when quota limit exceeded Log event when quota warning level exceeded inetres.adm Scripting of Java applets Network Design & Administration Logon options Run .NET Framework-reliant components signed with Authenticode Run .NET Framework-reliant components not signed with Authenticode Download signed ActiveX controls Download unsigned ActiveX controls Configure Automatic Updates wuau.adm Specify intranet Microsoft update service location Enable client-side targeting Reschedule Automatic Updates scheduled installations 9 No auto-restart for scheduled Automatic Updates installations
  • 10. Security Policies (secpol.msc) Enforce password history Maximum password age Minimum password age Minimum password length Password must meet complexity requirement Store passwords using reversible encryption for all users in the domain !! Account lockout duration Network Design & Administration Account lockout threshold Reset lockout counter after Maximum lifetime for service ticket Password policy Maximum lifetime for user ticket Kerberos policy Maximum lifetime for user ticket renewal Audit policy Security options Audit account logon events Audit account management Audit logon events 10 Interactive logon: Require smart card Audit policy change Interactive logon: Smart card removal behavior Audit system events
• 11. Effect of not using GPO for accounts [4],[5],[6]
  • In January 2009, a hacker gained access to a Twitter employee's administrative account and was able to use the admin tools to reset passwords on other users' accounts. Then these passwords for the accounts of a number of celebrities (including Barack Obama) were published on a hackers' forum. Subsequently posts were made on those accounts by unauthorized persons. Twitter did not use account lockout policies to prevent a hacker from utilizing dictionary attacks.
  • Miley Cyrus had her Twitter account suspended temporarily after it was hacked into and offensive messages posted. "It appears that Miley didn't learn the lesson last year and hasn't been taking enough care over her password security to avoid the same fate; other users should make sure they choose strong passwords that can't be easily cracked, and Twitter itself should play a key part in enforcing this."
  • In the case of the hacked Twitter employee, the combination of a weak password, "happiness," and Twitter's lax security regarding repeated login attempts made it fairly simple for the hacker to gain entry. Twitter has not indicated that it has fixed this vulnerability by limiting the number of password attempts.
• 12. And to follow on from this [7]
  • "… I started wondering how vulnerable other sites might be to this type of attack. … I went looking at some of the sites that I frequent and found that many of them don't have any restrictions on authentication attempts… And how hard would it really be to create such a script to attempt a brute force attack like the one that was used by the hacker? Well… How about four simple lines of code attached to a very large dictionary database:"

```vbscript
Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
WinHttpReq.Open "POST", "http://www.domain.com/login", false
WinHttpReq.SetRequestHeader "Content-Type","application/x-www-form-urlencoded"
WinHttpReq.Send("login=Chris&password=Pa$$w0rd")
```

  • "I tested this script against a site that I frequent and it worked as expected. So, I guess it's not that hard to perform such an attack. Now it seems the question isn't how did this happen to Twitter, but why doesn't this happen every day?"
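The lockout gap that slides 10 to 12 describe is a domain-level GPO setting, so it can be audited from the administrator's side. This is an added example, not from the lecture: the PowerShell script reads the default domain password and lockout policy with Get-ADDefaultDomainPasswordPolicy (ActiveDirectory RSAT module, domain-joined session) and reports every setting below an assumed baseline; the baseline numbers and the function name are my assumptions.

```powershell
# Added example: audit the Default Domain Policy's account settings against a baseline.
# Requires the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

function Test-DomainAccountPolicy {
    param(
        [Parameter(Mandatory)] $Policy,       # object returned by Get-ADDefaultDomainPasswordPolicy
        [int]$MinLength         = 12,         # baseline values below are assumptions for illustration
        [int]$MinHistory        = 24,
        [int]$MaxLockoutCount   = 10,
        [int]$MinLockoutMinutes = 15
    )
    $findings = @()
    if ($Policy.MinPasswordLength -lt $MinLength) {
        $findings += "Minimum password length is $($Policy.MinPasswordLength), want at least $MinLength"
    }
    if (-not $Policy.ComplexityEnabled) {
        $findings += 'Password complexity requirement is not enforced'
    }
    if ($Policy.PasswordHistoryCount -lt $MinHistory) {
        $findings += "Password history keeps $($Policy.PasswordHistoryCount) passwords, want at least $MinHistory"
    }
    if ($Policy.ReversibleEncryptionEnabled) {
        $findings += 'Reversible encryption is enabled: stored passwords can be recovered in clear text'
    }
    # Threshold 0 means "never lock out", i.e. unlimited guesses per account: the Twitter failure mode.
    if ($Policy.LockoutThreshold -eq 0 -or $Policy.LockoutThreshold -gt $MaxLockoutCount) {
        $findings += "Account lockout threshold is $($Policy.LockoutThreshold), want 1 to $MaxLockoutCount"
    }
    elseif ($Policy.LockoutDuration -ne [TimeSpan]::Zero -and $Policy.LockoutDuration.TotalMinutes -lt $MinLockoutMinutes) {
        # Duration 0 means "locked until an administrator unlocks", which is stricter than the baseline,
        # so only a short non-zero duration is reported.
        $findings += "Account lockout duration is $($Policy.LockoutDuration), want at least $MinLockoutMinutes minutes"
    }
    return $findings
}

$policy   = Get-ADDefaultDomainPasswordPolicy
$findings = @(Test-DomainAccountPolicy -Policy $policy)   # @() keeps "no findings" as an empty array
if ($findings.Count -eq 0) {
    Write-Output "Default domain policy for $($policy.DistinguishedName) meets the baseline"
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Fine-grained password policies on individual groups are not covered by this cmdlet, so the check describes the domain default only.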
• 13. Example security issue helped by GPO [8]
  • A particular problem is the need to disable USB sticks and other removable media in secure installations
  • Can set up a custom adm to include this, and apply via GPO to a group of workstations
    • Disables various drivers
  • A lot better than gluing up the USB ports!
  • Vista/7 includes extensions to GP to make this easier (Removable Storage Management) BUT also includes approx. 800 other new policy settings
• 14. Other Issues with GPO's
  • For Server 2003 and XP, they run in winlogon and then update at irregular intervals
  • For Vista, they have their own "hardened" service which cannot be stopped
  • .adm files are added to sysvol every time a new GPO is created – this can lead to lots of copied files around the system, and replication traffic overhead
  • Some of the GPO's have to be considered as merely obscuration rather than security, since users may be able to use other programs to get around them, e.g. for editing Registry settings
• 15. Managing Software on the Network [10],[11]
  • GPO's allow admins to specify which .msi packages are to be assigned or published
  • Assignment can be user or computer associated, whereas publishing is necessarily linked only to users (a user has to do something to install it)
  • GPO can also define how upgrade/removal is handled
• 16. Assign vs. Publish
  • Published software is available in the Add/Remove Programs applet, but the user has to decide whether to install
  • Assigned to User means the icon for the app is on the desktop ("advertised") – activation, or opening an associated document for the 1st time, will trigger the install
  • Assigned to Computer means the software is already installed before the user even logs on
• 17. Why .msi?
  • Contains useful info about the structure of the program
    • So can "self heal" if files are accidentally deleted
  • Installer creates a system restore point before installing – so reverts automatically if the install goes wrong
  • Has sophisticated options for various methods of installation (especially for big programs and slow links) to install only some bits of large packages (e.g. Office) immediately
  • Can be constructed using Wix (Microsoft Installer Toolkit) – has a large learning curve
• 18. How to setup and use [12]
  • Create Software Distribution Points (SDP) – shared network folders with NTFS Read/Execute permissions for the users
  • Create GPO for software deployment (and associate with chosen domain/site/OU)
  • Configure software deployment properties for the GPO – location of SDP, default handling of new packages etc.
  • Add the installation packages to the GPO (indicating whether to be published or assigned)
  • Configure each installation package's properties – e.g.
    • Auto-Install This Application By File Extension Activation
    • Uninstall This Application When It Falls Out Of The Scope Of Management
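The first two steps of this procedure, scripted. This is an added example, not from the lecture or from Microsoft: the share path, share name, GPO name and OU are assumptions, it needs the GroupPolicy RSAT module on a domain-joined admin machine, and adding the .msi packages to the GPO (steps 3 to 5) is still done in the Group Policy editor. The security-relevant part is the NTFS ACL: users (and computer accounts) get Read/Execute only, because whoever can write to the SDP controls what gets installed, as SYSTEM, on every machine the GPO reaches.

```powershell
# Added example: create a Software Distribution Point with least-privilege NTFS/share
# permissions, then create and link the deployment GPO. All names below are assumptions.
Import-Module GroupPolicy

$SdpPath   = 'D:\SDP\Apps'                         # assumed local folder on the file server
$ShareName = 'Apps$'                               # assumed hidden share name
$Readers   = 'NT AUTHORITY\Authenticated Users'    # includes domain computer accounts, needed for computer assignment
$GpoName   = 'Deploy - Line of Business Apps'      # assumed GPO name
$TargetOU  = 'OU=Workstations,DC=corp,DC=example'  # assumed OU to link the GPO to

# Step 1: SDP folder, explicit NTFS ACL (no inheritance), Read & Execute only for users.
New-Item -ItemType Directory -Path $SdpPath -Force | Out-Null
$acl = Get-Acl -Path $SdpPath
$acl.SetAccessRuleProtection($true, $false)        # stop inheriting and start from a clean ACL
$rules = @(
    @('NT AUTHORITY\SYSTEM',    'FullControl'),
    @('BUILTIN\Administrators', 'FullControl'),    # only admins may place or replace packages
    @($Readers,                 'ReadAndExecute')  # users must never be able to write here
)
foreach ($r in $rules) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r[0], $r[1], 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
}
Set-Acl -Path $SdpPath -AclObject $acl
New-SmbShare -Name $ShareName -Path $SdpPath -ReadAccess $Readers -FullAccess 'BUILTIN\Administrators' | Out-Null

# Step 2: GPO for software deployment, linked to the chosen OU (idempotent re-runs).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment "Assigned .msi packages from \\$env:COMPUTERNAME\$ShareName"
}
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Sanity check: packages must be readable over the UNC path the GPO will reference.
Get-ChildItem -Path "\\$env:COMPUTERNAME\$ShareName" -Filter *.msi | Select-Object Name, Length
```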
• 19. Some snags…
  • No licence control is performed – so Published software had better be on a site licence!
  • Need to plan carefully how to structure the software, e.g. common packages to be assigned to computers, specific ones to be assigned to different user groups etc., otherwise might have too many GPOs to manage
  • If users need admin privilege to install, risky! Can configure the installer to "always install elevated", but this also poses a security risk.
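Slide 13's removable-storage lockdown and the "always install elevated" risk above both come down to registry values on the workstation, so a defender can confirm on each machine whether the intended state is in place. This is an added example, not from the lecture: the PowerShell function reads the USBSTOR driver start type and the AlwaysInstallElevated policy value in both hives (standard Windows paths) and reports the result; the function name is mine.

```powershell
# Added example: report whether the GPO-driven secure state is present on this workstation.
# Run locally (or wrap in Invoke-Command for a set of machines; remoting is not assumed here).
function Get-WorkstationPolicyState {
    # USBSTOR driver start type: 3 = manual (USB disks mount), 4 = disabled.
    $usb = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -ErrorAction SilentlyContinue
    $usbStart = if ($usb) { [int]$usb.Start } else { $null }

    # AlwaysInstallElevated only takes effect when it is 1 in BOTH the machine and the
    # user policy hive; 0 or a missing value in either hive is the safe state.
    $installerKeys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    )
    $elevated = foreach ($key in $installerKeys) {
        $v = Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        if ($v) { [int]$v.AlwaysInstallElevated } else { 0 }
    }

    [pscustomobject]@{
        Computer                = $env:COMPUTERNAME
        UsbStorageStart         = $usbStart
        UsbStorageDisabled      = [bool]($usbStart -eq 4)
        AlwaysInstallElevatedOn = [bool]($elevated[0] -eq 1 -and $elevated[1] -eq 1)
    }
}

$state = Get-WorkstationPolicyState
$state | Format-List
if (-not $state.UsbStorageDisabled) {
    Write-Warning 'Removable storage policy has not taken effect: USBSTOR is not disabled'
}
if ($state.AlwaysInstallElevatedOn) {
    Write-Warning 'AlwaysInstallElevated is on: any user can install an .msi with SYSTEM privileges'
}
# As slide 14 notes, these are plain registry values; a local administrator can set them back,
# so a clean report confirms the GPO applied, not that it cannot be worked around.
```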
• 20. Microsoft Software Licensing
  • Needs care in Windows networks
  • Need to consider whether Per User or Per Device is the most cost-effective way.
    • (Also might need to buy additional Client Access Licences for Remote Desktop Services if remote users log in to a server)
  • Each Server 2008 computer runs a Licence Logging service, which keeps track.
    • The information is replicated to a Site Licence Server
  • Can maintain licence information for file, print services, IIS, RDS, Exchange, SQL Server etc.
• 21. Process to maintain licences
  • Identify Site Licence Server (normally the first domain controller in a site)
  • Administer licences using Licensing in Administrative Tools
  • To add new licences, select New License, and specify the number added
  • Alternatively, use a third-party tool that can also handle other licences, e.g. volume
  • Monitor licence status regularly
• 22. Next time & References
  • Next time: Powershell Scripting
  • References
    • [1] http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx
    • [2] MOAC 70-290 Ch 7
    • [3] http://www.windowsecurity.com/articles/Group-Policy-Management-Console.html
    • [4] http://www.windowsecurity.com/articles/Social-Networking-Latest-Greatest-Business-Tool-Security-Nightmare.html
    • [5] http://www.toptechnews.com/story.xhtml?story_id=030002OA8BWI
    • [6] http://digital.asiaone.com/Digital/News/Story/A1Story20090218-122815.html
    • [7] http://www.dscoduc.com/post/2009/01/08/Brute-Force-Password-Hacking.aspx
    • [8] http://support.microsoft.com/kb/555324
    • [10] MOAC 70-270 Ch 9
    • [11] http://technet.microsoft.com/en-us/library/cc782152.aspx
    • [12] http://www.tech-faq.com/deploying-software-through-group-policy.shtml