SlideShare a Scribd company logo

Lecture 11 managing the network

Download as pptx, pdf
Wiliam Ferraciolli
Wiliam Ferraciolli

Group Policy Objects (GPOs) allow administrators to apply settings and restrictions to users and computers in Active Directory. GPOs can configure software, security, and other settings. Administrators use the Group Policy Management console to create and edit GPOs. Administrative templates define where specific policy settings are stored in the registry and are used to configure GPO settings. GPOs help administrators centrally manage network configurations and security policies.

1 of 22
Downloaded 12 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
Lecture 11: Managing the network Network Design & Administration
Group Policy Objects (GPO) [11] • A GPO applies rights or limitations to all the AD objects in a container (or set of containers) • A container may be a site, domain or organisation unit (OU) – GPO’s are not directly applicable to groups! • Aim of GPO’s is to simplify management of network with reference to rules that apply to multiple users and/or machines Network Design & Administration 2
GPO Applicability[1] • GPO’s can control settings for software configuration, registry, security configuration, software installation and lots more! • Hierarchy of GPO’s: higher levels overrule lower Network Design & Administration • Filtering (& delegation) can be applied to limit scope/customise • Some cases where GPO’s fail to apply – can be tricky to debug 3
Who is allowed to set them? • The relevant predefined Active Directory GLOBAL groups are: • Domain Admins • Enterprise Admins (only appear in Forest root Network Design & Administration domain) • Group Policy Creator Owners (by default, domain admin acct is member of this group) • However, by default, predefined AD groups only get rights/permissions when added to domain local groups 4
Who is allowed to set them? • Every AD domain has a builtin container, where it creates security groups with domain local scope. • These have the relevant rights and permissions • Most important group here is Administrators – Network Design & Administration by default, the global Enterprise and Domain Admin groups are added to this • Admin have large set of RIGHTS by default, though these may be delegated to others 5
Group Policy Management • There can be lots of GPO’s within a domain! • The Group Policy Management console provides you with a way to manage these GPO’s. • Provides access to the Group Policy Editor where Network Design & Administration individual policy objects can be created and edited. • Provides access to Administrative templates (.adm) which describe where registry-based group policy settings are stored, and are used to 6 change settings on GPO’s
Group Policy Management Console Network Design & Administration This is for checking Cannot edit from effects here. Just right click selected 7 policy, and GP editor comes up
Administrative Templates • There are a number of built-in administrative templates: • system.adm • inetres.adm • wmplayer.adm Network Design & Administration • conf.adm • wuau.adm • Each of these files contains many individual policy descriptions, and where they are stored in Registry • If an admin wants to add NEW policies, Microsoft recommend to create custom .adm files rather than 8 modify these
Example Policies in .adm Enable disk quotas System.adm Enforce disk quota limit Default quota limit and warning level Log event when quota limit exceeded Log event when quota warning level exceeded inetres.adm Scripting of Java applets Network Design & Administration Logon options Run .NET Framework-reliant components signed with Authenticode Run .NET Framework-reliant components not signed with Authenticode Download signed ActiveX controls Download unsigned ActiveX controls Configure Automatic Updates wuau.adm Specify intranet Microsoft update service location Enable client-side targeting Reschedule Automatic Updates scheduled installations 9 No auto-restart for scheduled Automatic Updates installations
Security Policies (secpol.msc) Enforce password history Maximum password age Minimum password age Minimum password length Password must meet complexity requirement Store passwords using reversible encryption for all users in the domain !! Account lockout duration Network Design & Administration Account lockout threshold Reset lockout counter after Maximum lifetime for service ticket Password policy Maximum lifetime for user ticket Kerberos policy Maximum lifetime for user ticket renewal Audit policy Security options Audit account logon events Audit account management Audit logon events 10 Interactive logon: Require smart card Audit policy change Interactive logon: Smart card removal behavior Audit system events
Effect of not using GPO for accounts[4],[5],[6] • In January 2009, a hacker gained access to a Twitter employee’s administrative account and was able to use the admin tools to reset passwords on other users’ accounts. Then these passwords for the accounts of a number of celebrities (including Barack Obama) were published on a hackers’ forum. Subsequently posts were made on those accounts by unauthorized persons. Twitter did not use account lockout policies to prevent a hacker from utilizing dictionary attacks. Network Design & Administration • Miley Cyrus had her Twitter account suspended temporarily after it was hacked into and offensive messages posted. "It appears that Miley didn't learn the lesson last year and hasn't been taking enough care over her password security to avoid the same fate, other users should make sure they choose strong passwords that can't be easily cracked, and Twitter itself should play a key part in enforcing this." In the case of the hacked Twitter employee, the combination of a weak password, "happiness," and Twitter's lax security regarding repeated login attempts made it fairly simple for the 11 hacker to gain entry. Twitter has not indicated that it has fixed this vulnerability by limiting the number of password attempts.
And to follow on from this[7] “… I started wondering how vulnerable other sites might be to this type of attack. … I went looking at some of the sites that I frequent and found that many of them don’t have any restrictions on authentication attempts… And how hard would it really be to create such a script to attempt a brute force attack like the one that was used by the hacker? Well… How about four simple lines of code attached to a Network Design & Administration very large dictionary database:” Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1") WinHttpReq.Open "POST", "http://www.domain.com/login", false WinHttpReq.SetRequestHeader "Content-Type","application/x-www-form-urlencoded" WinHttpReq.Send("login=Chris&password=Pa$$w0rd") “I tested this script against a site that I frequent and it worked as expected. So, I guess it’s not that hard to perform such an attack. Now it seems the question isn’t how did this happen to 12 Twitter, but why doesn’t this happen every day?”
Example security issue helped by GPO[8] • A particular problem is the need to disable USB sticks and other removable media in secure installations • Can set up custom adm to include this, and apply Network Design & Administration via GPO to a group of workstations • Disables various drivers • A lot better than gluing up the USB ports! • Vista/7 includes extensions to GP to make this easier (Removable Storage Management) BUT 13 also includes approx. 800 other new policy settings
Other Issues with GPO’s • For Server 2003 and XP, they run in winlogon and then update on irregular time basis • For Vista, they have their own “hardened” service which cannot be stopped Network Design & Administration • .adm files are added to sysvol every time a new GPO is created – this can lead to lots of copied files around the system, and replication traffic overhead • Some of the GPO’s have to be considered as merely obscuration rather than security, since users may be able to use other programs to get around them e.g. for editing Registry settings 14
Managing Software on the Network[10],[11] • GPO’s allow admins to specify which .msi packages are to be assigned or published • Assignment can be user or computer associated, whereas publishing is necessarily linked only to users (a user has to do something to install it) Network Design & Administration • GPO can also define how upgrade/removal handled 15
Assign vs. Publish • Published software is available in the Add/Remove Programs applet, but user has to decide whether to install • Assigned to User means icon for app is on Network Design & Administration desktop (“advertised”) - activation or opening associated document for 1st time will trigger install • Assigned to Computer means software already installed before user even logs on 16
Why .msi? • Contains useful info about structure of program • So can “self heal” if files accidentally deleted • Installer creates system restore point before Network Design & Administration installing – so reverts automatically if install goes wrong • Has sophisticated options for various methods of installation (especially for big programs and slow links) to install only some bits of large packages (e.g. Office) immediately 17 • Can be constructed using Wix (Microsoft Installer Toolkit) – has a large learning curve
How to setup and use[12] • Create Software Distribution Points (SDP) – shared network folders with NTFS Read/Execute permissions for the users • Create GPO for software deployment (and associate with chosen domain/site/OU) • Configure software deployment properties for the GPO – Network Design & Administration location of SDP, default handling of new packages etc. • Add the installation packages to the GPO (indicating whether to be published or assigned) • Configure each installation package properties – e.g. • Auto-Install This Application By File Extension Activation • Uninstall This Application When It Falls Out Of The Scope Of Management 18
Some snags… • No licence control is performed – so Published software had better be on a site licence! • Need to plan carefully how to structure the software e.g. common packages to be assigned Network Design & Administration to computers, specific ones to be assigned to different user groups etc., otherwise might have too many GPOs to manage • If users need admin privilege to install, risky! Can configure installer to “always install elevated”, but this also poses a security risk. 19
Microsoft Software Licensing • Needs care in Windows networks • Need to consider whether Per User or Per Device is most cost-effective way. • (Also might need to buy additional Client Access Licences Network Design & Administration for Remote Desktop Services if remote users log in to a server) • Each Server 2008 computer runs a Licence Logging service, which keeps track. • The information is replicated to a Site Licence Server • Can maintain licence information for file, print services, IIS, RDS , Exchange, SQL Server etc. 20
Process to maintain licences • Identify Site Licence Server (normally first domain controller in a site) • Administer licences using Licensing in Administrative Tools Network Design & Administration • To add new licences, select New License, and specify number added • Alternatively, use 3rd party tool that can also handle other licences e.g. volume • Monitor licence status regularly 21
Next time & References • Powershell Scripting References [1] http://technet.microsoft.com/en- us/windowsserver/grouppolicy/default.aspx [2] MOAC 70-290 Ch 7 Network Design & Administration [3] http://www.windowsecurity.com/articles/Group-Policy-Management-Console.html [4] http://www.windowsecurity.com/articles/Social-Networking-Latest-Greatest-Business- Tool-Security-Nightmare.html [5] http://www.toptechnews.com/story.xhtml?story_id=030002OA8BWI [6] http://digital.asiaone.com/Digital/News/Story/A1Story20090218-122815.html [7] http://www.dscoduc.com/post/2009/01/08/Brute-Force-Password-Hacking.aspx [8] http://support.microsoft.com/kb/555324 [10] MOAC 70-270 Ch 9 [11] http://technet.microsoft.com/en-us/library/cc782152.aspx [12] http://www.tech-faq.com/deploying-software-through-group-policy.shtml 22

More Related Content

What's hot (16)

PDF
Cloud Computing Conf 1209
mandeepdhami
 
PDF
SUSE Linux Enterprise Server for System z SP1
Novell
 
PPTX
Manage your enterprise with System Center
C/D/H Technology Consultants
 
PDF
Best of Microsoft Management Summit 2012
C/D/H Technology Consultants
 
PDF
Should You Consider Virtual Desktops
C/D/H Technology Consultants
 
PPT
Nov 2014 2 blu pointe continuity cloudrar-master
Ron_Roberts
 
PPTX
Microsoft Days 09 Windows 2008 Security
dkaya
 
PPTX
Deploying Windows Vista Service Pack 1
Microsoft TechNet
 
PDF
All About Virtualization
EMC
 
PPTX
Imran Zahid Hussain Dalvi
Imran Dalvi
 
PDF
Got Problems? Let's Do a Health Check
Luis Guirigay
 
PDF
BP103 - Got Problems? Let's Do a Health Check
Luis Guirigay
 
PDF
Run Book Automation with PlateSpin Orchestrate
Novell
 
PDF
Implementing and Proving Compliance Tactics with Novell Compliance Management...
Novell
 
PPTX
Lecture 4 client workstations
Wiliam Ferraciolli
 
PPT
SolarWinds IPAM vs MS Win Server 2012
SolarWinds
 
Cloud Computing Conf 1209
mandeepdhami
 
SUSE Linux Enterprise Server for System z SP1
Novell
 
Manage your enterprise with System Center
C/D/H Technology Consultants
 
Best of Microsoft Management Summit 2012
C/D/H Technology Consultants
 
Should You Consider Virtual Desktops
C/D/H Technology Consultants
 
Nov 2014 2 blu pointe continuity cloudrar-master
Ron_Roberts
 
Microsoft Days 09 Windows 2008 Security
dkaya
 
Deploying Windows Vista Service Pack 1
Microsoft TechNet
 
All About Virtualization
EMC
 
Imran Zahid Hussain Dalvi
Imran Dalvi
 
Got Problems? Let's Do a Health Check
Luis Guirigay
 
BP103 - Got Problems? Let's Do a Health Check
Luis Guirigay
 
Run Book Automation with PlateSpin Orchestrate
Novell
 
Implementing and Proving Compliance Tactics with Novell Compliance Management...
Novell
 
Lecture 4 client workstations
Wiliam Ferraciolli
 
SolarWinds IPAM vs MS Win Server 2012
SolarWinds
 

Similar to Lecture 11 managing the network (20)

PDF
Presentation gggffggggg.pdf
MulunehBardadeYegeta
 
PPTX
Unit4 NMA working with user accounts WINDOWS SERVER 2008
Sangeetha Rangarajan
 
PPTX
Securing Windows with Group Policy
Josh Rickard
 
PPT
Ch07 Access Control Fundamentals
Information Technology
 
PPTX
Lecture 7 naming and structuring objects
Wiliam Ferraciolli
 
PPTX
Best Practices for Securing Active Directory v2.0
Danny Wong
 
PPTX
Domain wide organisation policy
Emmanuel Oshogwe Akpeokhai
 
PPT
Ad group policy1
denogx
 
PPTX
Security Management | System Administration
Lisa Dowdell, MSISTM
 
PPT
Active directory - an introduction
pepoluan
 
PPT
User account policy
Muuluu
 
DOCX
M05-Protect Application or System software.docx
endeshman
 
PDF
Apple Logic Pro X Crack for macOS 2025 Free Download
umnazadiwe
 
PDF
Pazu Netflix Video Downloader Download
blouch53kp
 
PDF
Internet Download Manager (IDM) Free key
alihamzakpa039
 
PDF
Skype free Download (Latest version 2025)
mohsinrazakpa69
 
PDF
3D Escape crack 2025 Free key Download
mohsinrazakpa86
 
PDF
Wondershare Recoverit 13.5.11.3 Free Download
alihamzakpa061
 
PDF
Revo Uninstaller Pro Download (Latest 2025)
alihamzakpa085
 
PPTX
Group Policy Preferences, Templates, And Scripting
Microsoft TechNet
 
Presentation gggffggggg.pdf
MulunehBardadeYegeta
 
Unit4 NMA working with user accounts WINDOWS SERVER 2008
Sangeetha Rangarajan
 
Securing Windows with Group Policy
Josh Rickard
 
Ch07 Access Control Fundamentals
Information Technology
 
Lecture 7 naming and structuring objects
Wiliam Ferraciolli
 
Best Practices for Securing Active Directory v2.0
Danny Wong
 
Domain wide organisation policy
Emmanuel Oshogwe Akpeokhai
 
Ad group policy1
denogx
 
Security Management | System Administration
Lisa Dowdell, MSISTM
 
Active directory - an introduction
pepoluan
 
User account policy
Muuluu
 
M05-Protect Application or System software.docx
endeshman
 
Apple Logic Pro X Crack for macOS 2025 Free Download
umnazadiwe
 
Pazu Netflix Video Downloader Download
blouch53kp
 
Internet Download Manager (IDM) Free key
alihamzakpa039
 
Skype free Download (Latest version 2025)
mohsinrazakpa69
 
3D Escape crack 2025 Free key Download
mohsinrazakpa86
 
Wondershare Recoverit 13.5.11.3 Free Download
alihamzakpa061
 
Revo Uninstaller Pro Download (Latest 2025)
alihamzakpa085
 
Group Policy Preferences, Templates, And Scripting
Microsoft TechNet
 
Ad

More from Wiliam Ferraciolli (20)

PPTX
Lecture 10 the user experience
Wiliam Ferraciolli
 
PPTX
Lecture 10 the user experience (1)
Wiliam Ferraciolli
 
PPTX
Lecture 8 permissions
Wiliam Ferraciolli
 
PPTX
Lecture 5&6 corporate architecture
Wiliam Ferraciolli
 
PPTX
Lecture 2 servers and services
Wiliam Ferraciolli
 
PPTX
Lecture 1 introduction
Wiliam Ferraciolli
 
PPTX
Lecture 13, 14 & 15 c# cmd let programming and scripting
Wiliam Ferraciolli
 
PPT
Isys20261 lecture 14
Wiliam Ferraciolli
 
PPT
Isys20261 lecture 12
Wiliam Ferraciolli
 
PPT
Isys20261 lecture 11
Wiliam Ferraciolli
 
PPT
Isys20261 lecture 10
Wiliam Ferraciolli
 
PPT
Isys20261 lecture 09
Wiliam Ferraciolli
 
PPT
Isys20261 lecture 08
Wiliam Ferraciolli
 
PPT
Isys20261 lecture 07
Wiliam Ferraciolli
 
PPT
Isys20261 lecture 06
Wiliam Ferraciolli
 
PPT
Isys20261 lecture 05
Wiliam Ferraciolli
 
PPT
Isys20261 lecture 04
Wiliam Ferraciolli
 
PPT
Isys20261 lecture 03
Wiliam Ferraciolli
 
PPT
Isys20261 lecture 02
Wiliam Ferraciolli
 
PPT
Isys20261 lecture 01
Wiliam Ferraciolli
 
Lecture 10 the user experience
Wiliam Ferraciolli
 
Lecture 10 the user experience (1)
Wiliam Ferraciolli
 
Lecture 8 permissions
Wiliam Ferraciolli
 
Lecture 5&6 corporate architecture
Wiliam Ferraciolli
 
Lecture 2 servers and services
Wiliam Ferraciolli
 
Lecture 1 introduction
Wiliam Ferraciolli
 
Lecture 13, 14 & 15 c# cmd let programming and scripting
Wiliam Ferraciolli
 
Isys20261 lecture 14
Wiliam Ferraciolli
 
Isys20261 lecture 12
Wiliam Ferraciolli
 
Isys20261 lecture 11
Wiliam Ferraciolli
 
Isys20261 lecture 10
Wiliam Ferraciolli
 
Isys20261 lecture 09
Wiliam Ferraciolli
 
Isys20261 lecture 08
Wiliam Ferraciolli
 
Isys20261 lecture 07
Wiliam Ferraciolli
 
Isys20261 lecture 06
Wiliam Ferraciolli
 
Isys20261 lecture 05
Wiliam Ferraciolli
 
Isys20261 lecture 04
Wiliam Ferraciolli
 
Isys20261 lecture 03
Wiliam Ferraciolli
 
Isys20261 lecture 02
Wiliam Ferraciolli
 
Isys20261 lecture 01
Wiliam Ferraciolli
 
Ad

Lecture 11 managing the network

  • 2. Group Policy Objects (GPO) [11] • A GPO applies rights or limitations to all the AD objects in a container (or set of containers) • A container may be a site, domain or organisation unit (OU) – GPO’s are not directly applicable to groups! • Aim of GPO’s is to simplify management of network with reference to rules that apply to multiple users and/or machines Network Design & Administration 2
  • 3. GPO Applicability[1] • GPO’s can control settings for software configuration, registry, security configuration, software installation and lots more! • Hierarchy of GPO’s: higher levels overrule lower Network Design & Administration • Filtering (& delegation) can be applied to limit scope/customise • Some cases where GPO’s fail to apply – can be tricky to debug 3
  • 4. Who is allowed to set them? • The relevant predefined Active Directory GLOBAL groups are: • Domain Admins • Enterprise Admins (only appear in Forest root Network Design & Administration domain) • Group Policy Creator Owners (by default, domain admin acct is member of this group) • However, by default, predefined AD groups only get rights/permissions when added to domain local groups 4
  • 5. Who is allowed to set them? • Every AD domain has a builtin container, where it creates security groups with domain local scope. • These have the relevant rights and permissions • Most important group here is Administrators – Network Design & Administration by default, the global Enterprise and Domain Admin groups are added to this • Admin have large set of RIGHTS by default, though these may be delegated to others 5
  • 6. Group Policy Management • There can be lots of GPO’s within a domain! • The Group Policy Management console provides you with a way to manage these GPO’s. • Provides access to the Group Policy Editor where Network Design & Administration individual policy objects can be created and edited. • Provides access to Administrative templates (.adm) which describe where registry-based group policy settings are stored, and are used to 6 change settings on GPO’s
  • 7. Group Policy Management Console Network Design & Administration This is for checking Cannot edit from effects here. Just right click selected 7 policy, and GP editor comes up
  • 8. Administrative Templates • There are a number of built-in administrative templates: • system.adm • inetres.adm • wmplayer.adm Network Design & Administration • conf.adm • wuau.adm • Each of these files contains many individual policy descriptions, and where they are stored in Registry • If an admin wants to add NEW policies, Microsoft recommend to create custom .adm files rather than 8 modify these
  • 9. Example Policies in .adm Enable disk quotas System.adm Enforce disk quota limit Default quota limit and warning level Log event when quota limit exceeded Log event when quota warning level exceeded inetres.adm Scripting of Java applets Network Design & Administration Logon options Run .NET Framework-reliant components signed with Authenticode Run .NET Framework-reliant components not signed with Authenticode Download signed ActiveX controls Download unsigned ActiveX controls Configure Automatic Updates wuau.adm Specify intranet Microsoft update service location Enable client-side targeting Reschedule Automatic Updates scheduled installations 9 No auto-restart for scheduled Automatic Updates installations
  • 10. Security Policies (secpol.msc) Enforce password history Maximum password age Minimum password age Minimum password length Password must meet complexity requirement Store passwords using reversible encryption for all users in the domain !! Account lockout duration Network Design & Administration Account lockout threshold Reset lockout counter after Maximum lifetime for service ticket Password policy Maximum lifetime for user ticket Kerberos policy Maximum lifetime for user ticket renewal Audit policy Security options Audit account logon events Audit account management Audit logon events 10 Interactive logon: Require smart card Audit policy change Interactive logon: Smart card removal behavior Audit system events
  • 11. Effect of not using GPO for accounts[4],[5],[6] • In January 2009, a hacker gained access to a Twitter employee’s administrative account and was able to use the admin tools to reset passwords on other users’ accounts. Then these passwords for the accounts of a number of celebrities (including Barack Obama) were published on a hackers’ forum. Subsequently posts were made on those accounts by unauthorized persons. Twitter did not use account lockout policies to prevent a hacker from utilizing dictionary attacks. Network Design & Administration • Miley Cyrus had her Twitter account suspended temporarily after it was hacked into and offensive messages posted. "It appears that Miley didn't learn the lesson last year and hasn't been taking enough care over her password security to avoid the same fate, other users should make sure they choose strong passwords that can't be easily cracked, and Twitter itself should play a key part in enforcing this." In the case of the hacked Twitter employee, the combination of a weak password, "happiness," and Twitter's lax security regarding repeated login attempts made it fairly simple for the 11 hacker to gain entry. Twitter has not indicated that it has fixed this vulnerability by limiting the number of password attempts.
  • 12. And to follow on from this[7] “… I started wondering how vulnerable other sites might be to this type of attack. … I went looking at some of the sites that I frequent and found that many of them don’t have any restrictions on authentication attempts… And how hard would it really be to create such a script to attempt a brute force attack like the one that was used by the hacker? Well… How about four simple lines of code attached to a Network Design & Administration very large dictionary database:” Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1") WinHttpReq.Open "POST", "http://www.domain.com/login", false WinHttpReq.SetRequestHeader "Content-Type","application/x-www-form-urlencoded" WinHttpReq.Send("login=Chris&password=Pa$$w0rd") “I tested this script against a site that I frequent and it worked as expected. So, I guess it’s not that hard to perform such an attack. Now it seems the question isn’t how did this happen to 12 Twitter, but why doesn’t this happen every day?”
  • 13. Example security issue helped by GPO[8] • A particular problem is the need to disable USB sticks and other removable media in secure installations • Can set up custom adm to include this, and apply Network Design & Administration via GPO to a group of workstations • Disables various drivers • A lot better than gluing up the USB ports! • Vista/7 includes extensions to GP to make this easier (Removable Storage Management) BUT 13 also includes approx. 800 other new policy settings
  • 14. Other Issues with GPO’s • For Server 2003 and XP, they run in winlogon and then update on irregular time basis • For Vista, they have their own “hardened” service which cannot be stopped Network Design & Administration • .adm files are added to sysvol every time a new GPO is created – this can lead to lots of copied files around the system, and replication traffic overhead • Some of the GPO’s have to be considered as merely obscuration rather than security, since users may be able to use other programs to get around them e.g. for editing Registry settings 14
  • 15. Managing Software on the Network[10],[11] • GPO’s allow admins to specify which .msi packages are to be assigned or published • Assignment can be user or computer associated, whereas publishing is necessarily linked only to users (a user has to do something to install it) Network Design & Administration • GPO can also define how upgrade/removal handled 15
  • 16. Assign vs. Publish • Published software is available in the Add/Remove Programs applet, but user has to decide whether to install • Assigned to User means icon for app is on Network Design & Administration desktop (“advertised”) - activation or opening associated document for 1st time will trigger install • Assigned to Computer means software already installed before user even logs on 16
  • 17. Why .msi? • Contains useful info about structure of program • So can “self heal” if files accidentally deleted • Installer creates system restore point before Network Design & Administration installing – so reverts automatically if install goes wrong • Has sophisticated options for various methods of installation (especially for big programs and slow links) to install only some bits of large packages (e.g. Office) immediately 17 • Can be constructed using Wix (Microsoft Installer Toolkit) – has a large learning curve
  • 18. How to setup and use[12] • Create Software Distribution Points (SDP) – shared network folders with NTFS Read/Execute permissions for the users • Create GPO for software deployment (and associate with chosen domain/site/OU) • Configure software deployment properties for the GPO – Network Design & Administration location of SDP, default handling of new packages etc. • Add the installation packages to the GPO (indicating whether to be published or assigned) • Configure each installation package properties – e.g. • Auto-Install This Application By File Extension Activation • Uninstall This Application When It Falls Out Of The Scope Of Management 18
  • 19. Some snags… • No licence control is performed – so Published software had better be on a site licence! • Need to plan carefully how to structure the software e.g. common packages to be assigned Network Design & Administration to computers, specific ones to be assigned to different user groups etc., otherwise might have too many GPOs to manage • If users need admin privilege to install, risky! Can configure installer to “always install elevated”, but this also poses a security risk. 19
  • 20. Microsoft Software Licensing • Needs care in Windows networks • Need to consider whether Per User or Per Device is most cost-effective way. • (Also might need to buy additional Client Access Licences Network Design & Administration for Remote Desktop Services if remote users log in to a server) • Each Server 2008 computer runs a Licence Logging service, which keeps track. • The information is replicated to a Site Licence Server • Can maintain licence information for file, print services, IIS, RDS , Exchange, SQL Server etc. 20
  • 21. Process to maintain licences • Identify Site Licence Server (normally first domain controller in a site) • Administer licences using Licensing in Administrative Tools Network Design & Administration • To add new licences, select New License, and specify number added • Alternatively, use 3rd party tool that can also handle other licences e.g. volume • Monitor licence status regularly 21
  • 22. Next time & References • Powershell Scripting References [1] http://technet.microsoft.com/en- us/windowsserver/grouppolicy/default.aspx [2] MOAC 70-290 Ch 7 Network Design & Administration [3] http://www.windowsecurity.com/articles/Group-Policy-Management-Console.html [4] http://www.windowsecurity.com/articles/Social-Networking-Latest-Greatest-Business- Tool-Security-Nightmare.html [5] http://www.toptechnews.com/story.xhtml?story_id=030002OA8BWI [6] http://digital.asiaone.com/Digital/News/Story/A1Story20090218-122815.html [7] http://www.dscoduc.com/post/2009/01/08/Brute-Force-Password-Hacking.aspx [8] http://support.microsoft.com/kb/555324 [10] MOAC 70-270 Ch 9 [11] http://technet.microsoft.com/en-us/library/cc782152.aspx [12] http://www.tech-faq.com/deploying-software-through-group-policy.shtml 22