Chapter4 - Securing Windows Networks (Full) - 2
COURSE: NETWORK TECHNOLOGY
Chapter 04: SECURING WINDOWS NETWORKS
October 4, 2022
1 Group Policy
❖How about 100 systems?
➢Group Policy offers hundreds of configuration items that allow you to centrally manage the configuration and security of all your domain-joined systems.
❖GPO settings are strictly enforced.
➢Users cannot configure or override settings applied by GPOs.
❖Group Policy settings are stored in two different sections in a GPO:
➢Computer Configuration
➢User Configuration
❖When a user logs in, the User Configuration from all applicable GPOs is applied.
➢Used to make changes that would impact the user.
➢User GPOs follow the user regardless of which system the user logs in from.
❖Last applied wins.
➢A later GPO may overwrite the behavior of an earlier GPO.
❖Some settings do not refresh in this way and require the user to log out and log back in, or require a restart of the system.
➢E.g., folder redirection, drive mappings, and some file preferences.
❖The Default Domain Controllers Policy GPO is linked to the Domain Controllers OU and applies to domain controller computer accounts.
Inheritance
❖A single user or computer account may receive the settings from several GPOs.
❖To prevent conflicts in the event that two or more of these GPOs contain different values for the same setting, GPOs are applied in the following order:
1. Local policies (set by gpedit.msc)
2. Site policies
3. Domain policies
4. Parent OU policies
5. Child OU policies
❖A common issue occurs when a system administrator makes a change to a domain-level policy, but the change doesn't seem to be applying.
➢The most common culprit is an OU-level policy that is overwriting the setting from the domain policy.
Enforcing GPOs
❖When you configure the Enforced setting, the associated GPO is applied to user and computer accounts in domains and OUs that have Block Inheritance configured, and it is applied after the other GPOs to ensure that its settings override the same settings in other GPOs.
➢In the figure, the Enforced icon indicates that the Default Domain Policy GPO is enforced so that it applies to all OUs, including the R&D OU.
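The following PowerShell model is an added example, not code from the course slides or from Microsoft. It reproduces the processing order from the Inheritance slide (Local, Site, Domain, parent OU, child OU) together with Block Inheritance and Enforced, so you can see which GPO wins a given setting. The GPO names, OU names and setting values are constructed for the illustration.

```powershell
# Added example: a model of Group Policy precedence (not the course's or Microsoft's code).
# Scopes are listed in processing order: Local, Site, Domain, parent OU, child OU.
# Each scope is a hashtable: Name, BlockInheritance, Links (each link: Gpo, Enforced, Settings).
function Resolve-GpoSetting {
    param(
        [Parameter(Mandatory)] [string]   $Setting,
        [Parameter(Mandatory)] [object[]] $Scopes
    )
    $normal   = [System.Collections.Generic.List[object]]::new()  # non-enforced links, outer to inner
    $enforced = [System.Collections.Generic.List[object]]::new()  # enforced links, outer to inner

    foreach ($scope in $Scopes) {
        if ($scope.BlockInheritance) {
            # Block Inheritance drops the non-enforced GPOs of all higher scopes;
            # enforced GPOs survive it, which is exactly what Enforced is for.
            $normal.Clear()
        }
        foreach ($link in $scope.Links) {
            if ($link.Enforced) { $enforced.Add($link) } else { $normal.Add($link) }
        }
    }

    # "Last applied wins": normal links apply outer to inner, then enforced links apply
    # last. Among enforced links the higher (outer) one must win, so they are applied
    # inner to outer.
    $applyOrder = [System.Collections.Generic.List[object]]::new()
    foreach ($link in $normal) { $applyOrder.Add($link) }
    for ($i = $enforced.Count - 1; $i -ge 0; $i--) { $applyOrder.Add($enforced[$i]) }

    $result = [PSCustomObject]@{ Setting = $Setting; Value = $null; WinningGpo = $null; Trace = @() }
    foreach ($link in $applyOrder) {
        if ($link.Settings.ContainsKey($Setting)) {
            $result.Value      = $link.Settings[$Setting]
            $result.WinningGpo = $link.Gpo
            $result.Trace     += "$($link.Gpo) sets $Setting = $($link.Settings[$Setting])"
        }
    }
    return $result
}

# Constructed scenario matching the slide: the Default Domain Policy is Enforced and the
# R&D OU has Block Inheritance configured.
$scopes = @(
    @{ Name = 'Local';  BlockInheritance = $false
       Links = @(@{ Gpo = 'Local Policy'; Enforced = $false; Settings = @{ MinPasswordLength = 6 } }) }
    @{ Name = 'Site';   BlockInheritance = $false; Links = @() }
    @{ Name = 'Domain'; BlockInheritance = $false
       Links = @(@{ Gpo = 'Default Domain Policy'; Enforced = $true
                    Settings = @{ MinPasswordLength = 14; ScreenSaverTimeout = 900 } }) }
    @{ Name = 'OU=R&D'; BlockInheritance = $true
       Links = @(@{ Gpo = 'R&D Policy'; Enforced = $false
                    Settings = @{ MinPasswordLength = 8; ScreenSaverTimeout = 1800 } }) }
)

Resolve-GpoSetting -Setting 'MinPasswordLength' -Scopes $scopes | Format-List

# Same OU without Enforced on the domain GPO: Block Inheritance now discards it.
$scopes[2].Links[0].Enforced = $false
Resolve-GpoSetting -Setting 'MinPasswordLength' -Scopes $scopes | Format-List
```

In the first run the trace shows the R&D Policy being applied and then overridden by the enforced Default Domain Policy; in the second run the domain GPO never reaches the OU and the R&D value stands. On a real domain the GroupPolicy module's `Get-GPInheritance -Target 'OU=R&D,DC=example,DC=com'` (a constructed distinguished name) lists the same link order, including inherited links and the Enforced flag, and `gpresult /r` on a client shows which GPOs were actually applied; both are the first thing to check when a domain-level change "doesn't seem to apply".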
Group Policy
❖All settings are automatically saved to the GPO object in the Active Directory database, as well as copied to the associated files in the SYSVOL share, where they can be accessed by domain computers.
Software Settings
❖Allows you to deploy software to computers.
❖This software is typically hosted in a shared folder on a file server and packaged as a Windows Installer file (.msi).
❖Moreover, there are three software deployment methods that you can choose from:
➢Software that is Published under Software Settings in the User Configuration of a GPO can be optionally installed by users.
o To install published software, users can click Install a program from the network in the Programs and Features section of Control Panel, select the software package, and click Install.
➢Software that is Assigned under Software Settings in the User Configuration of a GPO is made available as a program icon on the Start menu, as well as a file association.
o This software is automatically installed the first time that a user clicks the program icon on the Start menu, or opens a file that is associated with the program.
Software Settings
❖Group Policy can also be configured to automatically uninstall software when the GPO no longer applies to the user or computer account to which the software was deployed.
❖A GPO will no longer apply to a user or computer account in the following situations:
➢The server administrator removes the software package from the GPO configuration and chooses the Immediately uninstall the software from users and computers option when prompted.
➢The server administrator removes the GPO.
➢The server administrator removes the GPO link to the object that contains the user or computer account.
➢The user or computer account is moved to another OU that does not receive the settings from the GPO.
Windows Settings
❖Name Resolution Policy under Computer Configuration allows you to configure DNS settings for use with DNSSEC (Domain Name System Security Extensions) and DirectAccess.
❖Scripts (Startup/Shutdown) under Computer Configuration allows you to specify scripts (e.g., PowerShell scripts) that should be executed when a computer boots or is shut down.
❖Scripts (Logon/Logoff) under User Configuration allows you to specify scripts (e.g., PowerShell scripts) that should be executed when a user logs into or out of their Windows system.
❖Deployed Printers allows you to deploy shared printers.
Windows Settings
❖Security Settings
➢Account Policies
o Password Policy
o Account Lockout Policy
o Kerberos Policy
➢Local Policies
➢Event Log
➢etc.
Administrative Templates
❖Most configuration settings in a GPO are stored under Administrative Templates.
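As an added example (not code from the course), the check below audits the Account Policies listed above, password policy and account lockout policy, against a baseline. The baseline numbers are this example's own choices rather than any Microsoft standard, and the sample policy object is constructed so the check runs without a domain; its property names follow the output of the ActiveDirectory module's `Get-ADDefaultDomainPasswordPolicy`.

```powershell
# Added example (not the course's code): check a domain password/lockout policy against a
# baseline. The baseline values are this example's own choices.
function Test-AccountPolicyBaseline {
    param([Parameter(Mandatory)] $Policy)   # shaped like Get-ADDefaultDomainPasswordPolicy output
    $findings = [System.Collections.Generic.List[string]]::new()

    if ($Policy.MinPasswordLength -lt 14) {
        $findings.Add("MinPasswordLength is $($Policy.MinPasswordLength); baseline requires 14")
    }
    if (-not $Policy.ComplexityEnabled) {
        $findings.Add('Password complexity is disabled')
    }
    if ($Policy.ReversibleEncryptionEnabled) {
        $findings.Add('Reversible encryption is enabled: passwords are recoverable from the directory')
    }
    if ($Policy.PasswordHistoryCount -lt 24) {
        $findings.Add("PasswordHistoryCount is $($Policy.PasswordHistoryCount); baseline requires 24")
    }
    if ($Policy.LockoutThreshold -eq 0) {
        $findings.Add('Account lockout is disabled (LockoutThreshold = 0): online guessing is unlimited')
    } elseif ($Policy.LockoutThreshold -gt 10) {
        $findings.Add("LockoutThreshold is $($Policy.LockoutThreshold); baseline allows at most 10")
    } elseif ($Policy.LockoutDuration -lt [TimeSpan]::FromMinutes(15)) {
        $findings.Add("LockoutDuration is $($Policy.LockoutDuration); baseline requires 15 minutes")
    }

    [PSCustomObject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

# Constructed sample policy so the check runs offline.
$samplePolicy = [PSCustomObject]@{
    MinPasswordLength           = 7
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    PasswordHistoryCount        = 24
    LockoutThreshold            = 0
    LockoutDuration             = [TimeSpan]::FromMinutes(30)
    MaxPasswordAge              = [TimeSpan]::FromDays(42)
}
Test-AccountPolicyBaseline -Policy $samplePolicy | Format-List

# On a domain-joined machine with RSAT installed:
# Test-AccountPolicyBaseline -Policy (Get-ADDefaultDomainPasswordPolicy)
```

The sample policy produces two findings (a short minimum length and lockout disabled) and is reported as not compliant. The lockout branch is ordered deliberately: a threshold of zero means lockout is off, so the duration is not worth reporting until a threshold exists.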
Weakness of the key transfer process
❖Man-in-the-middle attack
➢A hacker could intercept the public key as it is sent from the Web server to the Web browser and substitute their own public key.
o The Web browser cannot tell whether the received public key came from the Web server or from the hacker.
▪ The hacker could then intercept the communication and decrypt the symmetric encryption key using their private key.
▪ The hacker can also redirect HTTPS traffic to a malicious website for the purpose of stealing information.
Certification Authority (CA)
❖Public keys are sent to a trusted third-party computer called a Certification Authority (CA) for endorsement before they are used for secure technologies (e.g., HTTPS).
Certification Authority (CA)
❖After a CA creates a certificate, the CA returns it to the computer that generated the public key.
➢The CA does not directly participate in the encryption process.
➢The CA maintains a list of any issued certificate serial numbers that should no longer be used, called the Certificate Revocation List (CRL).
Enterprise CAs
❖When auto-enrollment is configured, the trusted root of an enterprise CA is automatically distributed to each domain computer using Group Policy.
Installing an Enterprise CA
4 802.1X Wireless
❖Many users today use mobile devices, such as smartphones and laptops, to access organization resources by connecting to a wireless LAN (WLAN) that relays traffic to a physical LAN in the organization.
❖Each WLAN consists of one or more wireless access points (WAPs) that allow mobile devices to connect using Wi-Fi.
802.1X Wireless
❖To keep data confidential, most WAPs are configured to encrypt traffic between the mobile device and the WAP using Wi-Fi Protected Access (WPA), which uses symmetric encryption exclusively.
➢Wi-Fi Protected Access II (WPA2) is the most common version.
➢You must specify the Wi-Fi password for the WLAN (also called the pre-shared key, or PSK).
o This Wi-Fi password is then used to generate a symmetric encryption key for the Wi-Fi connection between the mobile device and the WAP.
❖Because all WLAN users use the same Wi-Fi password, there are many wireless cracking tools available that can decrypt WPA2 WLAN traffic by comparing it to hash tables of known wireless patterns.
❖To prevent this, some WAPs allow you to configure a VPN connection for each mobile device.
➢However, most organizations instead use a RADIUS server to randomly generate symmetric encryption keys for each mobile client.
o This technology is called 802.1X Wireless and prevents wireless cracking tools from decrypting WLAN traffic.
802.1X Wireless
❖To provide additional security against wireless cracking tools, the RADIUS server periodically generates a new symmetric encryption key and repeats steps 4 and 5.
❖Wi-Fi Protected Access III (WPA3) is a recent technology that is supported by some WAPs.
➢While WPA3 does not use a Wi-Fi password in the same way that WPA2 does, it can still be compromised by wireless cracking tools.
➢As a result, organizations also use 802.1X Wireless to protect WPA3 WLANs.
802.1X Wireless
❖Most organizations implement a separate WLAN for guest access that
does not use 802.1X Wireless.
➢This WLAN is configured to allow access to Internet resources only,
and not organization resources.
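As an added example (not code from the course), the parser below reads the profile listing a Windows client prints with `netsh wlan show profile name="<profile>"` and sorts each saved WLAN into 802.1X (per-client keys from RADIUS, as the slides describe), shared-PSK or open. The three profiles in the sample text are constructed, with names made up for the illustration, so the function runs offline; the label format follows the `Authentication`, `Cipher` and `Security key` lines that netsh prints.

```powershell
# Added example (not the course's code): classify saved Wi-Fi profiles by how keys are derived.
function Get-WlanProfileAuthSummary {
    param([Parameter(Mandatory)] [string[]] $NetshOutput)
    $profiles = [System.Collections.Generic.List[object]]::new()
    $current  = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*Name\s*:\s*(.+?)\s*$') {
            # each profile block starts with its Name line
            $current = [PSCustomObject]@{ Name = $Matches[1]; Authentication = $null; Cipher = $null; Risk = $null }
            $profiles.Add($current)
        } elseif ($null -ne $current -and $null -eq $current.Authentication -and
                  $line -match '^\s*Authentication\s*:\s*(.+?)\s*$') {
            $current.Authentication = $Matches[1]
        } elseif ($null -ne $current -and $null -eq $current.Cipher -and
                  $line -match '^\s*Cipher\s*:\s*(.+?)\s*$') {
            $current.Cipher = $Matches[1]
        }
    }
    foreach ($p in $profiles) {
        # the distinction the slides draw: shared password versus per-client 802.1X keys
        $p.Risk = switch -Regex ([string]$p.Authentication) {
            'Enterprise'       { 'OK: 802.1X, per-client keys issued by RADIUS'; break }
            '^Open$'           { 'HIGH: no encryption at all'; break }
            'WPA3-Personal'    { 'MEDIUM: shared credential, still not per-client 802.1X'; break }
            'Personal|WPA|WEP' { 'HIGH: one shared pre-shared key for every client'; break }
            default            { 'UNKNOWN: review manually' }
        }
    }
    return $profiles.ToArray()
}

# Constructed sample in the layout netsh uses (profile names are made up).
$sample = @'
Profile NetSec-Corp on interface Wi-Fi:
=======================================================================

Profile information
-------------------
    Name                   : NetSec-Corp
    Type                   : Wireless LAN

Security settings
-----------------
    Authentication         : WPA2-Enterprise
    Cipher                 : CCMP
    Security key           : Absent

Profile NetSec-Guest on interface Wi-Fi:
=======================================================================

Profile information
-------------------
    Name                   : NetSec-Guest
    Type                   : Wireless LAN

Security settings
-----------------
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
    Security key           : Present

Profile Cafe-Free on interface Wi-Fi:
=======================================================================

Profile information
-------------------
    Name                   : Cafe-Free
    Type                   : Wireless LAN

Security settings
-----------------
    Authentication         : Open
    Cipher                 : None
    Security key           : Absent
'@

$summary = Get-WlanProfileAuthSummary -NetshOutput ($sample -split "`r?`n")
$summary | Format-Table Name, Authentication, Cipher, Risk -AutoSize
$summary | Where-Object { $_.Risk -like 'HIGH*' } | ForEach-Object { "Review profile: $($_.Name)" }
```

On a real client, list the saved profile names with `netsh wlan show profiles`, run `netsh wlan show profile name="<name>"` for each, and pass the combined lines to the function. A corporate profile that shows up as `WPA2-Personal` is the case the slides warn about: every client derives its traffic key from the same PSK, whereas an `Enterprise` profile indicates 802.1X with keys issued per client.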
Windows Server Update Services
❖When flaws and security weaknesses are discovered in operating systems and other software products, the software vendor releases an associated software update to solve the issue.
➢You should ensure that the software products in your organization are regularly updated to provide stability and security.
❖Microsoft update servers on the Internet provide the latest updates for Microsoft software products, and Windows users can use the Windows Update section of Control Panel or Settings (Windows 10, Windows Server 2016, and later) to search for and install these updates, or schedule automatic update installation.
6 Windows Defender
❖In Windows Server 2019, Windows Defender is started by default and provides many different operating system security features, including malware protection, as well as firewall and IPSec functionality.
➢Windows Defender has been renamed to Microsoft Defender starting with Windows 10 build 1909.
Windows Defender
❖ Four main features provided by Windows Defender:
1. Virus & threat protection allows you to perform a malware scan on your system, schedule periodic malware scans, as well as enable real-time and cloud-delivered malware protection. You can also enable controlled folder access to prevent ransomware from modifying files, folders, and memory on your system.
2. Firewall & network protection allows you to enable or disable the firewall for your computer when connected to a domain, public, or private network.
▪ Computers that can contact a domain controller on the network are automatically part of a domain network.
Windows Defender
❖ Four main features provided by Windows Defender:
4. Device security
o Secure boot
▪ Secure boot prevents a sophisticated and dangerous type of malware—a rootkit—from loading when you start your device.
- Rootkits use the same permissions as the operating system and start before it, which means they can completely hide themselves.
- Rootkits are often part of an entire suite of malware that can bypass local logins, record passwords and keystrokes, transfer private files, and capture cryptographic data.
o Core isolation provides added protection against malware and other attacks by isolating computer processes from your operating system and device.
▪ It does this by running those core processes in a virtualized environment.
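The snapshot below is an added example, not code from the course or from Microsoft, that reads the state of the Defender features described on the preceding slides (virus & threat protection including controlled folder access, firewall & network protection per network type, and device security: Secure Boot and core isolation) into one object and lists whatever is not switched on. It uses the built-in Defender, NetSecurity, SecureBoot and CIM cmdlets, so it needs an elevated PowerShell on Windows 10 / Server 2016 or later; the `Win32_DeviceGuard` class reports running virtualization-based services, where value 2 is memory integrity (HVCI), the component behind the core isolation page.

```powershell
# Added example (not the course's code): one-object snapshot of the Defender posture.
function Get-DefenderPosture {
    $mp   = Get-MpComputerStatus                       # Defender engine state
    $pref = Get-MpPreference                           # Defender configuration
    $fw   = Get-NetFirewallProfile                     # Domain / Private / Public profiles
    $dg   = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

    $secureBoot = 'Unavailable'                        # legacy BIOS machines throw here
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }

    [PSCustomObject]@{
        AntivirusEnabled             = $mp.AntivirusEnabled
        RealTimeProtection           = $mp.RealTimeProtectionEnabled
        CloudDelivered               = ($pref.MAPSReporting -ne 0)                # 0 = off, 1 = basic, 2 = advanced
        ControlledFolderAccess       = ($pref.EnableControlledFolderAccess -eq 1) # 0 = off, 1 = on, 2 = audit
        FirewallDomain               = ($fw | Where-Object Name -eq 'Domain').Enabled
        FirewallPrivate              = ($fw | Where-Object Name -eq 'Private').Enabled
        FirewallPublic               = ($fw | Where-Object Name -eq 'Public').Enabled
        SecureBoot                   = $secureBoot
        CoreIsolationMemoryIntegrity = (2 -in $dg.SecurityServicesRunning)        # 2 = HVCI running
    }
}

# Turn the snapshot into findings: every feature that should be on but is not.
function Get-DefenderFindings {
    param([Parameter(Mandatory)] $Posture)
    $expected = 'AntivirusEnabled', 'RealTimeProtection', 'CloudDelivered', 'ControlledFolderAccess',
                'FirewallDomain', 'FirewallPrivate', 'FirewallPublic', 'SecureBoot', 'CoreIsolationMemoryIntegrity'
    foreach ($name in $expected) {
        $value = $Posture.$name
        if ("$value" -ne 'True') { "$name is $value" }
    }
}

$posture = Get-DefenderPosture
$posture | Format-List
Get-DefenderFindings -Posture $posture
```

The firewall `Enabled` values come back as Defender's GpoBoolean type rather than plain booleans, which is why the findings function compares the string form. Controlled folder access is reported as on only in enforcing mode (1); audit mode (2) logs what ransomware-like behaviour would have been blocked without blocking it, which is worth a finding of its own during a rollout.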