
THE UNIVERSITY OF SCIENCE, VNU-HCM
FACULTY OF ELECTRONICS AND TELECOMMUNICATIONS
DEPARTMENT OF TELECOMMUNICATIONS AND NETWORKS

COURSE
NETWORK TECHNOLOGY

Chapter 04
SECURING WINDOWS NETWORKS

October 4, 2022

Nguyen Viet Ha, Ph.D. Email: nvha@hcmus.edu.vn

1 Group Policy

Group Policy
❖Making settings changes on one or two systems?
❖How about 100 systems,
❖or 2,000 systems
→ impossible task.

Group Policy
❖Group Policy
➢Allows you to:
o Create a policy
o Target that policy to users or systems within organizational units (OUs), security groups, or even on an individual basis.
➢Offers hundreds of configuration items that allow you to centrally manage the configuration and security of all your domain-joined systems.
➢Can be applied to thousands of users and computers in an organization to reduce the time and effort that it takes to administer a large domain.
Group Policy
❖Group Policy Object (GPO) is a collection of settings.
➢Must be linked to a site, domain, or OU object.
➢GPOs do not apply to Active Directory groups.
❖GPO settings are strictly enforced.
➢Users cannot configure or override settings applied by GPOs.
❖Group Policy settings are stored in two different sections in a GPO:
➢Computer Configuration
➢User Configuration

Group Policy
❖At boot time, the Computer Configuration from all GPOs is applied.
➢Affects settings on the computer regardless of who logs into the system.
❖When a user logs in, the User Configuration from all GPOs is applied.
➢Used to make changes that would impact the user.
➢User GPOs follow the user regardless of which system the user logs in from.
❖Last applied wins.
➢A later GPO may be overwriting the behavior of an earlier GPO.

Group Policy
❖By default, Group Policy refreshes every 90 minutes, although there may be a randomized delay of up to 30 minutes.
➢If you apply a change, it may take up to 120 minutes for that change to be applied to all systems/users.
❖Some settings do not refresh in this way and require the user to log out and log back in, or require a restart of the system.
➢E.g., folder redirection, drive mappings, and some file preferences.

Group Policy
❖There are two default GPOs in each Active Directory domain that provide default security configuration for computers:
➢The Default Domain Policy GPO is linked to the domain object and applies to all user and computer accounts in the domain.
➢The Default Domain Controllers Policy GPO is linked to the Domain Controllers OU and applies to domain controller computer accounts.
Inheritance
❖A single user or computer account may receive the settings from several GPOs.
❖To prevent conflicts in the event that two or more of these GPOs contain different values for the same setting, GPOs are applied in the following order:
1. Local policies (set by gpedit.msc)
2. Site policies
3. Domain policies
4. Parent OU policies
5. Child OU policies

Inheritance
❖A common issue that occurs is when a system administrator makes a change to a domain-level policy, but the change doesn't seem to be applying.
➢The most common culprit is an OU-level policy that is overwriting the setting from the domain policy.

Blocking GPOs
❖Configure the Block Inheritance setting on an OU to prevent user and computer accounts in the OU from applying GPOs that are linked to parent OUs, domains, or sites.
❖Configure the Block Inheritance setting on a domain to prevent domain user and computer accounts from applying GPOs that are linked to sites.

Blocking GPOs
[Figure: indicates that the Block Inheritance setting has been configured]
Enforcing GPOs
❖If you configure the Enforced setting, the associated GPO will be applied to user and computer accounts in domains and OUs that have Block Inheritance configured, and will be applied after other GPOs to ensure that its settings override the same settings in other GPOs.

Enforcing GPOs
[Figure: indicates that the Default Domain Policy GPO is Enforced to ensure that it applies to all OUs, including the R&D OU]

Filtering GPOs
❖The Default Domain Policy applies to all user and computer accounts in the domain because the Authenticated Users group (which contains all authenticated user and computer accounts in the domain) is listed in the Security Filtering.
❖To apply the Default Domain Policy GPO to specific users and computers, you can remove the Authenticated Users group from the Security Filtering section and add specific user and computer groups, or specific user and computer accounts.

Linking GPOs
❖You can link a GPO to one or more site, domain, or OU objects.
➢After a GPO is linked to a site, domain, or OU object, a link object for the GPO is displayed underneath.
❖If you link multiple GPOs to the same site, domain, or OU, you can modify the link order for the GPOs.
Group Policy
❖All settings are automatically saved to the GPO object in the Active Directory database as well as copied to the associated file in the SYSVOL share, where they can be accessed by domain computers.
❖The local GPO is stored in the hidden C:\Windows\system32\grouppolicy folder and contains no configured settings by default.
➢However, if settings are configured in the local GPO, they will be applied before the settings in any GPOs that are linked to site, domain, and OU objects.

2 GPO Settings
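The precedence rules on the Group Policy slides above (Local, Site, Domain, Parent OU, Child OU; last applied wins; Block Inheritance; Enforced; link order; Security Filtering), as an added Python simulation that is not part of the lecture. GPO, OU, group and setting names are constructed; two details the slides do not spell out are assumed from GPMC behaviour: link 1 is applied last within a container, and an Enforced GPO linked to a parent beats an Enforced GPO linked to a child.

```python
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                      # setting name -> value
    enforced: bool = False
    # Security Filtering: the GPO applies only to members of these groups.
    security_filter: frozenset = frozenset({"Authenticated Users"})


@dataclass
class Container:
    """A site, domain or OU. `links` is kept in GPMC link order, link 1 first.
    Assumption (GPMC behaviour): link 1 has the highest precedence within the
    container, so it is applied last."""
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def resultant_settings(local, chain, account_groups):
    """Return {setting: (value, winning GPO name)} for an account located in the
    last container of `chain` (site, domain, parent OUs, ..., child OU).
    `local` is the local GPO (or None); `account_groups` drives Security Filtering."""
    # The lowest container with Block Inheritance hides every non-enforced GPO
    # linked to the containers above it; Enforced GPOs ignore the block.
    block_from = max((i for i, c in enumerate(chain) if c.block_inheritance),
                     default=-1)
    normal, enforced = [], []
    for depth, container in enumerate(chain):
        for gpo in reversed(container.links):            # link 1 applied last
            if not (gpo.security_filter & account_groups):
                continue                                  # filtered out
            if gpo.enforced:
                enforced.append(gpo)
            elif depth >= block_from:
                normal.append(gpo)
    # Application order: local GPO, normal GPOs from site down to child OU,
    # then Enforced GPOs. Assumption (GPMC behaviour): an Enforced GPO from a
    # parent beats one from a child, so the enforced list is applied reversed.
    order = ([local] if local else []) + normal + enforced[::-1]
    result = {}
    for gpo in order:                                     # last applied wins
        for setting, value in gpo.settings.items():
            result[setting] = (value, gpo.name)
    return result


def demo(enforce_default_domain_policy, account_groups):
    """The slides' troubleshooting case: a domain-level password setting that
    does not seem to apply because the R&D OU blocks inheritance and links its
    own GPO. Enforcing the Default Domain Policy makes it win again."""
    local = GPO("Local GPO", {"Wallpaper": "corp.jpg"})          # constructed
    site_proxy = GPO("Site Proxy", {"ProxyServer": "proxy.site.local"})
    ddp = GPO("Default Domain Policy",
              {"MinPasswordLength": 12, "LockoutThreshold": 5},
              enforced=enforce_default_domain_policy)
    rd_relaxed = GPO("R&D Relaxed Policy", {"MinPasswordLength": 6},
                     security_filter=frozenset({"R&D Users"}))
    chain = [
        Container("Default-First-Site-Name", links=[site_proxy]),
        Container("domainx.com", links=[ddp]),
        Container("R&D", links=[rd_relaxed], block_inheritance=True),
    ]
    return resultant_settings(local, chain, frozenset(account_groups))


if __name__ == "__main__":
    for enforce in (False, True):
        print("Default Domain Policy enforced:", enforce)
        for setting, (value, winner) in demo(enforce, {"Authenticated Users", "R&D Users"}).items():
            print(f"  {setting} = {value!r}  (from {winner})")
```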

GPO Settings
❖The Computer Configuration and User Configuration sections of each GPO contain two folders:
➢Policies contains Group Policy settings:
o Software Settings
▪ specifies software packages that are deployed to computers.
o Windows Settings
▪ provides operating system configuration.
o Administrative Templates
▪ provides configuration for desktop and operating system components.

GPO Settings
❖The Computer Configuration and User Configuration sections of each GPO contain two folders:
➢Preferences contains Group Policy preferences:
o Provide configuration for Windows features.
o Unlike Group Policy settings, Group Policy preference configuration is not strictly enforced and can be modified by users afterward.
Software Settings
❖Allows you to deploy software to computers.
❖This software is typically hosted in a shared folder on a file server and packaged as a Windows Installer file (.msi).
❖Moreover, there are three software deployment methods that you can choose from:
➢Software that is Published under Software Settings in the User Configuration of a GPO can be optionally installed by users.
o To install published software, users can click Install a program from the network in the Programs and Features section of Control Panel, select the software package, and click Install.

Software Settings
❖Allows you to deploy software to computers.
❖This software is typically hosted in a shared folder on a file server and packaged as a Windows Installer file (.msi).
❖Moreover, there are three software deployment methods that you can choose from:
➢Software that is Assigned under Software Settings in the User Configuration of a GPO is made available as a program icon on the Start menu, as well as a file association.
o This software is automatically installed the first time that a user clicks the program icon on the Start menu, or opens a file that is associated with the program.

Software Settings
❖Allows you to deploy software to computers.
❖This software is typically hosted in a shared folder on a file server and packaged as a Windows Installer file (.msi).
❖Moreover, there are three software deployment methods that you can choose from:
➢Software that is Assigned under Software Settings in the Computer Configuration of a GPO is automatically installed the next time the computer is booted.

Software Settings
❖For example, the Mozilla Firefox software package is published under the Software Settings in the User Configuration of the Default Domain Policy GPO.
❖If users in the domain choose to install this package in the Programs and Features section of Control Panel, the associated Firefox Setup 72.0.2.msi file will be downloaded and installed from the software share on server.domainx.com.
Software Settings
❖Group Policy can also be configured to automatically uninstall software when the GPO no longer applies to the user or computer account to which the software was deployed.
❖A GPO will no longer apply to a user or computer account in the following situations:
➢The server administrator removes the software package from the GPO configuration and chooses the Immediately uninstall the software from users and computers option when prompted.
➢The server administrator removes the GPO.
➢The server administrator removes the GPO link to the object that contains the user or computer account.
➢The user or computer account is moved to another OU that does not receive the settings from the GPO.

Windows Settings
❖Name Resolution Policy under Computer Configuration allows you to configure DNS settings for use with DNSSEC (Domain Name System Security Extensions) and DirectAccess.
❖Scripts (Startup/Shutdown) under Computer Configuration allows you to specify scripts (e.g., PowerShell scripts) that should be executed when a computer boots or is shut down.
❖Scripts (Logon/Logoff) under User Configuration allows you to specify scripts (e.g., PowerShell scripts) that should be executed when a user logs into or out of their Windows system.
❖Deployed Printers allows you to deploy shared printers.

Windows Settings
❖Security Settings allows you to configure most Windows security-related settings, such as password and account lockout policies, Kerberos settings, auditing, operating system rights, security options, event log settings, group membership that is enforced by Group Policy, system service configuration, registry keys, files and folders, wireless LAN configuration, Windows Defender Firewall configuration, certificate configuration, IPSec configuration, as well as policies that can be used to restrict the applications that are allowed to run on a system.
➢Most available security settings are located under Computer Configuration only.

Windows Settings
❖Folder Redirection under User Configuration allows you to store the contents of user folders (e.g., Desktop, Documents, Pictures) in a private shared folder for each user account on a file server.
➢When users access these folders on their PC, they are automatically redirected to the associated folder on the file server.
➢This configuration ensures that user files are only kept on a file server, where they are centrally backed up and protected using fault-tolerant storage.
❖Policy-based QoS allows you to limit the bandwidth used by TCP, UDP, or HTTP traffic.
Windows Settings
❖Security Settings
➢Account Policies
o Password Policy
o Account Lockout Policy
o Kerberos Policy
➢Local Policies
➢Event Log
➢etc.

Administrative Templates
❖Most configuration settings in a GPO are stored under the Administrative Templates.

Administrative Templates
❖Most configuration settings in a GPO are stored under the Administrative Templates.
➢Control Panel allows you to control access to Control Panel or specific tools and configuration areas in Control Panel, as well as automatically configure Control Panel settings, such as region and language options.
➢Desktop under User Configuration allows you to provide desktop configuration (e.g., a standard desktop wallpaper), as well as restrict access to desktop features and functionality.
➢Network allows you to configure network-related settings (e.g., DNS), as well as the functionality of network-related technologies (e.g., Offline Files).

Administrative Templates
❖Most configuration settings in a GPO are stored under the Administrative Templates.
➢Printers under Computer Configuration allows you to configure printing and Print Spooler service features.
➢Server under Computer Configuration allows you to configure system backup features.
➢Shared Folders under User Configuration allows you to configure the ability to publish shared folders.
➢Start Menu and Taskbar allows you to configure or restrict access to Start menu and taskbar features.
Administrative Templates
❖Most configuration settings in a GPO are stored under the Administrative Templates.
➢System allows you to configure operating system features and functionality, such as power management, shutdown options, and access to removable storage.
➢Windows Components allows you to configure settings for operating system components and programs, such as Windows Update and File Explorer.
➢All Settings displays the individual Administrative Templates configuration settings available in the User or Computer Configuration section in alphabetical order.

❖Many third-party software manufacturers allow you to download and install administrative template files that can be imported into a GPO and used to configure settings for their software.

3 Deploying Public Key Certificates

Ex: Accessing a website using HTTPS
[Figure]
Weakness of the key transfer process
❖Man-in-the-middle attack
➢A hacker could intercept the public key as it is sent from the Web server to the Web browser and substitute their own public key.
o The Web browser doesn't know whether the received public key came from the Web server or the hacker.
▪ The hacker could intercept the communication and decrypt the symmetric encryption key using their private key.
▪ The hacker can redirect HTTPS traffic to a malicious website for the purposes of stealing information.

Certification Authority (CA)
❖Public keys are sent to a trusted third-party computer called a Certification Authority (CA) for endorsement before they are used for secure technologies (e.g., HTTPS).

Certification Authority (CA)
❖After the CA verifies the identity of the user or computer that generated the public key, it creates a public key certificate (often shortened to certificate) that includes:
➢A serial number.
➢A certificate name.
➢Intended certificate uses and technologies (e.g., EFS, HTTPS, IPSec, L2TP, IKEv2, email encryption, secure authentication, etc.).
➢A public key.
➢A digital signature of the public key.
➢A time period for which the certificate is valid (typically 1 year).
➢The location of the Certificate Revocation List (CRL).
➢The location of the CA's public key (called the trusted root).

Certification Authority (CA)
❖Digital signature:
➢A hash of the public key that is encrypted using the private key of the CA.
➢To decrypt data that is encrypted using a private key, you must use the associated public key of the CA.
o If a digital signature can be decrypted by using the CA's public key, it proves:
▪ The CA's private key must have been used to create the digital signature.
▪ The CA verified the identity of the computer or user that generated the public key.
Certification Authority (CA)
❖After a CA creates a certificate, the CA returns it to the computer that generated the public key.
➢The CA does not directly participate in the encryption process.
➢The CA maintains a list of any issued certificate serial numbers that should not be used in the Certificate Revocation List (CRL).
❖A CRL is a list of digital certificates that have been revoked by the CA before their actual or assigned expiration date.
➢Client computers should check the CRL before using the public key in the certificate.

Certification Authority (CA)
[Figure]
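The client-side checks described on these CA slides (decrypt the CA's signature with the trusted root, compare it with a fresh hash of the public key, check the validity period, check the CRL by serial number), as an added Python example that is not part of the lecture. Textbook RSA on two fixed Mersenne primes stands in for the CA's real signing algorithm (no padding, tiny key, illustration only), and all names, serials and URLs are constructed.

```python
import hashlib
from dataclasses import dataclass, replace
from datetime import date

# Constructed CA key pair. Textbook RSA on two well-known Mersenne primes stands
# in for the CA's real (much larger, padded) signing key; illustration only.
_P, _Q = 2**61 - 1, 2**89 - 1
CA_N, CA_E = _P * _Q, 65537                   # CA public key = the trusted root
_CA_D = pow(CA_E, -1, (_P - 1) * (_Q - 1))    # CA private key, never leaves the CA


def digest(public_key: bytes, modulus: int) -> int:
    """Hash of the subject's public key, reduced to fit under the RSA modulus."""
    return int.from_bytes(hashlib.sha256(public_key).digest(), "big") % modulus


@dataclass(frozen=True)
class Certificate:
    """The certificate fields listed on the slides."""
    serial: int
    name: str
    uses: tuple                  # intended uses, e.g. ("HTTPS",)
    public_key: bytes
    signature: int               # hash of public_key "encrypted" with CA private key
    not_before: date
    not_after: date
    crl_location: str
    trusted_root_location: str


def ca_issue(serial, name, uses, public_key, not_before, not_after):
    """Done by the CA after it has verified the requester's identity."""
    signature = pow(digest(public_key, CA_N), _CA_D, CA_N)
    return Certificate(serial, name, uses, public_key, signature, not_before,
                       not_after, "http://ca.example.invalid/crl",     # constructed
                       "http://ca.example.invalid/root")


def validate(cert, root_n, root_e, crl, today, required_use):
    """Client-side checks. Returns the reasons NOT to trust the certificate
    (an empty list means the public key in it may be used)."""
    problems = []
    # "Decrypt" the signature with the trusted root's public key; it must equal
    # our own hash of the public key carried in the certificate.
    if pow(cert.signature, root_e, root_n) != digest(cert.public_key, root_n):
        problems.append("signature was not made with the trusted root's private key")
    if not (cert.not_before <= today <= cert.not_after):
        problems.append("outside validity period")
    if cert.serial in crl:                    # CRL fetched from cert.crl_location
        problems.append("serial number is on the CRL")
    if required_use not in cert.uses:
        problems.append("certificate not issued for " + required_use)
    return problems


def demo():
    """Genuine certificate, man-in-the-middle key substitution, and revocation."""
    today = date(2022, 10, 4)
    good = ca_issue(1001, "www.domainx.com", ("HTTPS",), b"server-public-key",
                    date(2022, 1, 1), date(2023, 1, 1))
    # An attacker who swaps the public key in transit cannot recompute the
    # signature without the CA's private key, so the browser detects the swap.
    swapped = replace(good, public_key=b"attacker-public-key")
    return (validate(good, CA_N, CA_E, set(), today, "HTTPS"),
            validate(swapped, CA_N, CA_E, set(), today, "HTTPS"),
            validate(good, CA_N, CA_E, {1001}, today, "HTTPS"))


if __name__ == "__main__":
    for label, problems in zip(("genuine", "swapped key", "revoked"), demo()):
        print(f"{label}: {'trusted' if not problems else problems}")
```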

Public CAs
❖There are many public CAs (also called commercial CAs) on the Internet that issue certificates for a fee (e.g., Viettel, VNPT, and FPT), as well as some that issue certificates for free (e.g., LetsEncrypt).

Enterprise CAs
❖Because obtaining certificates from a public CA for each user and computer in your organization is impractical:
➢Configure a Windows Server 2019 system as an enterprise CA in your organization that can be used to issue certificates automatically to users and computers using certificate templates and Group Policy (this process is called auto-enrollment).
➢Because the trusted root of an enterprise CA is normally provided to organization computers only, only users and computers in your organization can validate certificates that were issued by an enterprise CA.
Enterprise CAs
❖When auto-enrollment is configured, the trusted root of an enterprise CA is automatically distributed to each domain computer using Group Policy.
❖Organizations that use an enterprise CA to issue certificates to their users and computers are said to have a public key infrastructure (PKI).
❖Large organizations can have several CAs configured in a CA hierarchy.
➢The first CA deployed in a hierarchy is called the root CA and other CAs that participate in the hierarchy are called subordinate CAs.
o In most organizations, only a single enterprise root CA is necessary.

Installing an Enterprise CA
[Figure]

4 802.1X Wireless

802.1X Wireless
❖Many users today use mobile devices, such as smartphones and laptops, to access organization resources by connecting to a wireless LAN (WLAN) that relays traffic to a physical LAN in the organization.
❖Each WLAN consists of one or more wireless access points (WAPs) that allow mobile devices to connect using Wi-Fi.
802.1X Wireless
❖To keep data confidential, most WAPs are configured to encrypt traffic between the mobile device and the WAP using Wi-Fi Protected Access (WPA), which uses symmetric encryption exclusively.
➢Wi-Fi Protected Access II (WPA2) is the most common version.
➢You must specify the Wi-Fi password for the WLAN (also called the pre-shared key, or PSK).
o This Wi-Fi password is then used to generate a symmetric encryption key for the Wi-Fi connection between the mobile device and the WAP.

802.1X Wireless
❖Because all WLAN users use the same Wi-Fi password, there are many wireless cracking tools available that can decrypt WPA2 WLAN traffic by comparing it to hash tables of known wireless patterns.
❖To prevent this, some WAPs allow you to configure a VPN connection for each mobile device.
➢However, most organizations instead use a RADIUS server to randomly generate symmetric encryption keys for each mobile client.
o This technology is called 802.1X Wireless and prevents wireless cracking tools from decrypting WLAN traffic.

802.1X Wireless
Step 1: When a mobile device user connects to a WAP, their mobile device automatically downloads a certificate from a RADIUS server.
❖ This certificate is used to create a secure tunnel between the mobile device, WAP, and RADIUS server.
Step 2: The user is prompted to log into the RADIUS server using Active Directory domain credentials that are passed to the RADIUS server across the secure tunnel.

802.1X Wireless
Step 3: The user is authenticated to a domain controller.
Step 4: If the credentials match those in a user account, the RADIUS server randomly generates a symmetric encryption key for use with WPA2.
Step 5: The RADIUS server sends the key to both the mobile device and WAP for use when encrypting traffic.
802.1X Wireless
❖To provide additional security against wireless cracking tools, the RADIUS server periodically generates a new symmetric encryption key and repeats steps 4 and 5.
❖Moreover, each mobile device that connects to the WAP using 802.1X Wireless receives a different symmetric encryption key that it uses to encrypt traffic.

802.1X Wireless
❖Wi-Fi Protected Access III (WPA3) is a recent technology that is supported by some WAPs.
➢While WPA3 does not use a Wi-Fi password in the same way that WPA2 does, it can still be compromised by wireless cracking tools.
➢As a result, organizations also use 802.1X Wireless to protect WPA3 WLANs.

802.1X Wireless
❖Most organizations implement a separate WLAN for guest access that does not use 802.1X Wireless.
➢This WLAN is configured to allow access to Internet resources only, and not organization resources.
❖While less common, 802.1X can also be used to protect access to Ethernet network switches that support it.
➢This technology is called 802.1X Wired.

5 Windows Server Update Services
Windows Server Update Services
❖When flaws and security weaknesses are discovered in operating systems and other software products, the software vendor releases an associated software update to solve the issue.
➢You should ensure that the software products in your organization are regularly updated to provide stability and security.

Windows Server Update Services
❖Microsoft update servers on the Internet provide the latest updates for Microsoft software products, and Windows users can use the Windows Update section of Control Panel or Settings (Windows 10, Windows Server 2016, and later) to search for and install these updates, or schedule automatic update installation.

Windows Server Update Services
❖If several computers in an organization obtain updates from Microsoft Update at the same time, the bandwidth on the organization's Internet connection could become saturated, preventing access to Microsoft Update and other Internet resources.
❖Moreover, by allowing computers in the domain to obtain updates from Microsoft Update directly, you cannot easily identify computers that have installed a particular update, or prevent the installation of updates that cause problems with other software applications.

Windows Server Update Services
❖To solve these problems, you can implement a Windows Server Update Services (WSUS) server in your organization.
➢This WSUS server can be configured to regularly download updates from Microsoft Update for each software product that you have in your organization (a process called synchronization), as well as distribute them to the computers in your organization.
➢To ensure that computers obtain updates from the WSUS server instead of Microsoft Update, you must configure a GPO that provides the appropriate settings.
Windows Server Update Services
❖In large organizations, you can implement multiple WSUS servers to balance the load of update requests.
➢These WSUS servers can be configured to obtain updates from a central WSUS server that synchronizes with Microsoft Update.

Installing WSUS
[Figure]

6 Windows Defender

Windows Defender
❖In Windows Server 2019, Windows Defender is started by default and provides many different operating system security features, including malware protection, as well as firewall and IPSec functionality.
❖Windows Defender has been renamed to Microsoft Defender starting with Windows 10 build 1909.
Windows Defender
❖ Four main features provided by Windows Defender:
1. Virus & threat protection allows you to perform a malware scan on your system, schedule periodic malware scans, as well as enable real-time and cloud-delivered malware protection. You can also enable controlled folder access to prevent ransomware from modifying files, folders, and memory on your system.

Windows Defender
❖ Four main features provided by Windows Defender:
2. Firewall & network protection allows you to enable or disable the firewall for your computer when connected to a domain, public, or private network.
▪ Computers that can contact a domain controller on the network are automatically part of a domain network.
▪ When connecting to a new network outside of your organization, it is classified as a public network (e.g., a WLAN at a coffee shop) or a private network (e.g., a home network).

Windows Defender
❖ Four main features provided by Windows Defender:
3. App & browser control allows you to configure the action taken when new apps are accessed from the Internet (the default action is to warn the user), as well as configure app exploit protection features.

Windows Defender
❖ Four main features provided by Windows Defender:
4. Device security
o Secure boot is a security standard developed by members of the PC industry to help make sure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM).
o When the PC starts, the firmware checks the signature of each piece of boot software, including UEFI firmware drivers (also known as Option ROMs), EFI applications, and the operating system.
▪ If the signatures are valid, the PC boots, and the firmware gives control to the operating system.
Windows Defender
❖ Four main features provided by Windows Defender:
4. Device security
o Secure boot
▪ Secure boot prevents a sophisticated and dangerous type of malware, a rootkit, from loading when you start your device.
- Rootkits use the same permissions as the operating system and start before it, which means they can completely hide themselves.
- Rootkits are often part of an entire suite of malware that can bypass local logins, record passwords and keystrokes, transfer private files, and capture cryptographic data.

Windows Defender
❖ Four main features provided by Windows Defender:
4. Device security
o Core isolation provides added protection against malware and other attacks by isolating computer processes from your operating system and device.
▪ It does this by running those core processes in a virtualized environment.

Windows Defender
❖ Four main features provided by Windows Defender:
4. Device security
o Memory integrity (also known as Hypervisor-protected Code Integrity, HVCI) is a feature of core isolation.
▪ It can help prevent malicious programs from using low-level drivers to hijack your computer.
▪ Memory integrity works by creating an isolated environment using hardware virtualization.
- A driver is a piece of software that lets the operating system (Windows in this case) and a device (like a keyboard or a webcam, for two examples) talk to each other. When the device wants Windows to do something, it uses the driver to send that request.

Windows Defender
❖ Four main features provided by Windows Defender:
4. Device security displays whether your computer uses UEFI secure boot and supports the core isolation feature provided by processor virtualization extensions.
▪ If core isolation is supported, you can enable the memory integrity setting to prevent malware and network attacks from accessing high-security processes.
Windows Defender
❖To configure firewall rules or connection security rules on multiple computers, you can use Group Policy.
❖After editing a GPO, you can navigate to Computer Configuration, Policies, Windows Settings, Security Settings, Windows Defender Firewall with Advanced Security, Windows Defender Firewall with Advanced Security to access the Inbound Rules, Outbound Rules, and Connection Security Rules sections.

THANK YOU FOR YOUR ATTENTION

Nguyen Viet Ha, Ph.D.
Department of Telecommunications and Networks
Faculty of Electronics and Communications
The University of Science, Vietnam National University, Ho Chi Minh City
Email: nvha@hcmus.edu.vn
