2.1 Configuring Security Policies
Hello there. I am [brief intro] and today I am going to show you how to configure security policy in Group Policy Management Console or Environment (GPMC). Now if you are not aware of what a GPM is, you can catch up on the previous videos before proceeding with this one, so that this one makes sense to you. In the previous videos, we discussed what a GPM is, how to install it, what a group policy object is and how it works, as well as creating them in GPMC. Today I am going to talk about working with security policies and how to configure them. So first off, let’s discuss a bit of what a security policy is. A security policy is concerned with the norms you set up in your network: the limitations, the security protocols and the rules by which the system works. Think of employees not being able to access administrative features or social media websites. It is considered good practice in the IT industry because it serves as a code of conduct to work along. It is continually updated as technology advances. So the purpose of this video is to teach you how to configure these security policies, basic as well as additional ones.
So here we have our Server Manager; click on it to open. I have pinned it over here for easy access; you can find it in the Start menu. This opens up our dashboard. Now in the top right corner, you will find the Tools menu. Click on it to open the Group Policy Management Console (GPMC). Now here in our forest tetranoodle.com (well, for you it’ll appear differently, based on the host name of your PC), you can see under our domain, tetranoodle.com, there is a folder of Group Policy Objects (GPOs); select it. If you don’t know what a Group Policy Object is or can’t find the GPMC in the Tools menu, you can watch the previous videos in the series before moving on with this one.
Now as you can see here, there are already some GPOs created over here, but the top two are here by default. These are the Default Domain Policy and the Default Domain Controller Policy. Now one of these, i.e. the Default Domain Policy, is in fact the parent policy that is directly linked to the domain. This policy is inherited automatically by all child organizational units or sub OUs, whereas the Default Domain Controller Policy is only linked to the OU of Domain Controller. So let’s discuss these two terms first. A domain controller is basically a centerpiece of an Active Directory, which controls what hosts have access to the network. While a default domain policy is something. Now let’s check what objects our domain controller has. Switching to the Server Manager window, in the Tools menu, open Active Directory Users and Computers (ADUC). Now in the Domain Controller OU, when you click on it, you can see we have here only one GPO, which is the global catalogue server of our domain. A Global Catalogue Server works like a backup depository for the concerned forest and domain, storing all the full copies of the GPOs in that domain as well as partial copies of GPOs from other domains. So the domain controller policies affect the GPOs in here, that is, the GPOs of the Domain Controller OU.
Now let’s assign a security policy to this domain. Note that we will assign it to the default domain so it gets inherited by all the sub OUs in the directory. We start off by creating a GPO. Select the Group Policy Object from the folder. Right click on it and this dialogue box opens. You can name the GPO; let’s call it Security_Policy. Click on OK. And we have our GPO, as you can see in the main console window. Right click on this newly created GPO here, and click on Edit. This opens up the GPM Editor Console. On the left pane, go to Computer Configuration and then to Policies, under which you will find Windows Settings. Here expand Security Settings and then Local Policies, then select Security Options. Now from the list that appears in the main console screen, from the devices select Allowed to Format and eject removable media, this one right here. Double click on it to open its settings. In the dialogue box that opens up, check out the Explain tab for more information on it, like I am doing. So here it says this security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to 1. Administrators, 2. Administrators and Interactive Users. Okay, so by default this policy is not defined and only administrators have this ability. Now in the Security Policy tab you can choose and define which users this policy is applicable to. Currently it is set to administrators only. Click on the drop-down; let’s change it to administrators and interactive users. Now click on Apply and then OK. Now here you can see it shows not just that this policy has been defined but also for whom it has been defined. Okay, now let’s set another policy from devices: Restrict CD ROM access to locally logged on users only. So devices here refers to the fact that these policies are device oriented, that is, related to hardware devices of a PC.
Anyway, getting back to our policy, in the same way, double click on it, then from the dialogue box in the security policy settings tab, check Define and switch it to Enabled. Now let’s see in the Explain tab what this policy does. This policy is enabled. It allows only interactively logged in users to access removable CD ROM media. If the policy is enabled and no one is logged on interactively, then the CD ROM can be accessed from over the network. So by default this policy is not defined and CD ROM access is not restricted to locally logged on users. Now this policy is required in a production environment, hence let’s enable it. Apply and then OK.
Okay, so let’s check out another policy now, related to network security. Scroll down a bit. Let’s enable this one: Force log out when login hours expire. This is a more common sort of policy which we usually come across. Enabling this policy means that if a user is logged on to a computer, and that computer has been idle for a while (a certain threshold amount of hours), then in order to combat security vulnerabilities, this policy forces the user to log out so no one else can attempt to access that PC. Alright, so we have configured three security policies over here. Let’s close the editor. And here we have our GPO, Security_Policy. Now it is time we link it to the domain. In order to do that, let’s select the default domain we have, which for me is tetranoodle.com. Right click on it and select Link an Existing GPO; from the dialogue box that appears select the GPO we created, which is Security_Policy, and then click on OK.
Now as you can see here, under the domain we have two policies now: the Default Domain Policy and our added policy, Security_Policy. Now to verify whether the policy got inherited by all the sub OUs because of it being linked directly to the default domain, let’s select one of the OUs; let’s go for Tetra. Select it, and in the Group Policy Inheritance tab you can see there are now two policies which were inherited by this OU: the Default Domain Policy and Security_Policy. Similarly you can check the group policy inheritance of the other OUs to verify that. Let’s check Tetra2; yes, here we have the two inherited policies and one local one of its own. And in the domain controller as well, the two inherited policies are here. So today we have learned how to create a security policy and link it so the inter-domain structure inherits this policy. It is considered very good practice in the industry.
Thank you for watching this video! For more in the series, do subscribe!
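
The create, link and verify steps from the walkthrough can also be scripted and audited. The following PowerShell is an added example, not part of the video: it assumes the GroupPolicy RSAT module, a domain administrator session, and that Tetra and Tetra2 are top-level OUs (their distinguished names are assumptions). The three Security Options are still set in the editor as shown above; the script only reads back what the editor wrote to the GPO's security template in SYSVOL.

```powershell
# Added example (not from the video). OU distinguished names are assumptions.
Import-Module GroupPolicy

$domain  = 'tetranoodle.com'
$gpoName = 'Security_Policy'
$ouDns   = 'OU=Tetra,DC=tetranoodle,DC=com', 'OU=Tetra2,DC=tetranoodle,DC=com'
$rootDn  = 'DC=' + (($domain -split '\.') -join ',DC=')

# Create the GPO only if it is missing, then link it at the domain root once.
$gpo = Get-GPO -Name $gpoName -Domain $domain -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Domain $domain }

$link = (Get-GPInheritance -Target $rootDn -Domain $domain).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $link) { New-GPLink -Name $gpoName -Target $rootDn -Domain $domain | Out-Null }

# Security Options are stored in GptTmpl.inf, not in registry.pol.
# Expected values: AllocateDASD "2" = Administrators and Interactive Users,
# AllocateCDRoms "1" = enabled, ForceLogoffWhenHourExpire 1 = enabled.
$expected = [ordered]@{
    'AllocateDASD'              = '1,"2"'
    'AllocateCDRoms'            = '1,"1"'
    'ForceLogoffWhenHourExpire' = '1'
}
$inf = "\\$domain\SYSVOL\$domain\Policies\{$($gpo.Id)}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"

if (Test-Path -LiteralPath $inf) {
    $lines = Get-Content -LiteralPath $inf
    foreach ($key in $expected.Keys) {
        $found  = $lines | Select-String -Pattern "(^|\\)$key\s*=\s*(.+)$" | Select-Object -First 1
        $actual = if ($found) { $found.Matches[0].Groups[2].Value.Trim() } else { '<not defined>' }
        [pscustomobject]@{ Setting = $key; Expected = $expected[$key]; Actual = $actual
                           Match = ($actual -eq $expected[$key]) }
    }
} else {
    Write-Warning "No security template yet: no security setting has been defined in $gpoName."
}

# Confirm each OU inherits the GPO and flag OUs that block inheritance.
foreach ($ou in $ouDns) {
    $som = Get-GPInheritance -Target $ou -Domain $domain
    [pscustomobject]@{
        OU                 = $ou
        InheritsPolicy     = @($som.InheritedGpoLinks.DisplayName) -contains $gpoName
        InheritanceBlocked = $som.GpoInheritanceBlocked
    }
}
```

An OU that reports `InheritanceBlocked = True` will not receive the domain-linked GPO unless the link is enforced, which the Group Policy Inheritance tab alone does not make obvious.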