Active Directory domain infrastructure configuration 2

Subsequent articlesActive Directory domainAfter infrastructure configuration 1, the Active Directory domain infrastructure configuration in this article is described as follows:

Support Security ManagementGPO Design

Use GPO to ensure that specific settings, user permissions, and actions are applied to all workstations or users in the OU. UseGroup PolicyInstead of using manual steps), you can easily update a large number of workstations or users that need additional changes in the future. An alternative to using GPO to apply these settings is to send a technician to manually configure these settings on each client.

　

Figure 2.2 GPO application sequence

Displays the order in which GPO is applied to computers that are sub-OU members. First, apply the Group Policy from the local policy of each Windows XP workstation. After applying the local policy, apply any GPO at the site level and domain level in sequence.

For several Windows XP clients nested in the OU layer, apply GPO in the hierarchy in sequence from the highest OU level to the lowest level. Apply the final GPO from the OU that contains the client computer. This GPO processes sequential local policies, sites, domains, parent OU, and sub-OU), because later GPO will replace the GPO of the previous application. The application method of GPO is the same. The only difference is that the user account does not have a Local Security Policy.

Note the following when designing a group policy.

The Administrator must set the order in which multiple GPO entries are linked to one OU. Otherwise, policies are applied in the order previously linked to this OU by default. If the same sequence is specified in multiple policies, the highest policy in the Policy List of the container has the highest priority.

You can use the "prohibit substitution" option to configure GPO. After this option is selected, other GPO cannot replace the settings configured for this policy.

You can use the block policy inheritance option to configure Active Directory, site, domain, or OU. This option blocks GPO settings from higher GPO in the Active Directory hierarchy, unless they have selected the "prohibit substitution" option.

Group Policy settings are applied to users and computers based on the location of users or computer objects in Active Directory. In some cases, you may need to apply a policy to a user object based on the location of the computer object rather than the location of the user object. The Group Policy loopback function allows administrators to set user group policies based on the computer applications on which users log on. For more information, see the Group Policy whitepaper in the "Other Information" section of this module.

Expand the basic OU structure to show how to apply GPO to clients running Windows XP that are a portable computer OU and a desktop computer OU.

　

Figure 2.3 expanded OU structure, including secure GPO for desktop and portable computers running Windows XP

In the preceding example, a portable computer is a member of the portable computer OU. The first policy of the application is the Local Security Policy on the portable computer running Windows XP. Because there is only one site in this example, GPO is not applied at the site level, and the domain GPO is used as the next policy to be applied. Finally, the application of portable computer GPO.

Note: The desktop computer policy is not applied to any portable computer because it is not linked to any OU in the hierarchy containing the portable computer OU. In addition, the secure XP user OU does not have the corresponding security module. inf file), because it only includes settings from the management module.

As an example of how the priority between GPO instances works, assume that the Windows xp ou policy setting "Allow logon through Terminal Services" is set to the "Administrators" group. The GPO settings of the portable computer that allows logon through terminal services are set to the "Power Users" and "Administrators" groups. In this case, Users in the "Power Users" group can log on to the portable computer using Terminal Services. This is because the portable computer OU is a child of Windows xp ou. If the "prohibit substitution" policy option is enabled in Windows xp gpo, only users in the "Administrators" group of accounts are allowed to log on to the client using Terminal Services.

Security Template

A Group Policy template is a text-based file. You can use the security template management unit of MMC or use a text editor such as NotePad to change these files. Some sections of the template file contain specific access control lists (ACLs) defined by the Security Descriptor Definition Language (SDDL ). For more information about editing Security templates and SDDL, see "Additional Information" in this module.

Security template Management

It is important to store the Security templates used in the production environment in the security location of the infrastructure. The access to the security template should only be granted to the administrator responsible for implementing the Group Policy. By default, security templates are stored in the % SystemRoot % \ security \ templates folder of all computers running Windows XP and Windows Server 2003.

This folder is not copied across multiple domain controllers. Therefore, you need to select a domain controller to save the master copy of the security template to avoid template-related version control problems. This best operation ensures that you always modify the same copy of the template.

Import Security templates

Use the following procedure to import a security template.

Import the security template to GPO:

1. navigate to the "Windows Settings" folder in the Group Policy object editor.

2. Expand the "Windows Settings" folder and select "Security Settings ".

3. Right-click the "Security Settings" folder and click "Import Policy ...".

4. Select the security template to be imported and click open ". The settings in the file will be imported to GPO.

Manage templates

In a Unicode-based file called a management template, you can obtain other security settings. A management template is a file that affects the registry settings of Windows XP, its components, and other applications such as Microsoft Office XP. Management Templates can include computer settings and user settings. The computer settings are stored in the HKEY_LOCAL_MACHINE registry Configuration unit. User settings are stored in the HKEY_CURRENT_USER registry Configuration unit.

Manage templates

Like the best operation for storing Security templates above, it is very important to store the management templates used in the production environment in the security location of the infrastructure. Only the administrator responsible for implementing the Group Policy can have access to this location. The Management Templates attached to Windows XP and Windows 2003 Server are stored in the % systemroot % \ inf directory. "Office XP Resource Kit" comes with Other templates for Office XP. These templates are changed when the Service Pack is released, so they cannot be edited.

Add a management template to a policy

In addition to the Management Templates attached to Windows XP, you also need to apply the Office XP template to the GPO in which you want to configure the Office XP settings. Use the following procedure to add other templates to GPO.

Add a management template to GPO:

1. navigate to the "manage templates" folder in the Group Policy object editor.

2. Right-click the "manage templates" folder and click "Add/delete template ".

3. In the "Add/delete template" dialog box, click "add ".

4. navigate to the folder that contains the management template file.

5. Select the template to be added, click open, and then click Close ".

Domain-Level Group Policy

Domain-level group policies include settings for all computers and user applications in the domain. Located in http://go.microsoft.com/fwlink? LinkId = 14845 in "Windows Server 2003 Security Guide" module 2 "locking the Domain Infrastructure" (English.

Frequently changed complex passwords reduce the possibility of successful password attacks. Password Policy setting controls the complexity and validity of passwords. This section describes how to set password policies for enterprise clients and high security environments.

Configure the following values in the domain group policy at the following position in the Group Policy object Editor:

Computer Configuration \ Windows Settings \ Security Settings \ Account Policy \ Password Policy

The following table describes the recommended password policies for the two security environments defined in this Guide.

Force password history

Table 2.2: settings

　

The "force password history" setting determines the number of unique new passwords that must be associated with the user account before the old password is reused. The value must be between 0 and 24 remembered passwords. The default value of Windows XP is 0, but the default value of the domain is 24. To maintain the validity of the password history, use the "minimum password life" setting to prevent users from constantly changing the password to avoid the "force password history" setting.

For the two security environments defined in this Guide, set "force password history" to "24 remembered passwords ". By ensuring that the user cannot easily reuse the password, whether accidentally or intentionally), the maximum setting value enhances the security of the password. It can also help to ensure that the password stolen by attackers fails before it can be used to unbind the user account. Setting this value to the maximum number does not cause known issues.

Maximum Password Validity Period

Table 2.3: settings

　

The value range of this setting is 1 to 999 days. To specify a password that never expires, you can set this value to 0. This setting defines the period for an attacker to use the password to access a computer on the network before the password expires. The default value is 42 days.

For the two security environments defined in this Guide, set "Maximum Password Use Period" to "42 days ". Most passwords can be unlocked. Therefore, the more frequently the password is changed, the less chance the attacker will be able to unlock the password. However, the lower the value, the more likely the number of calls supported by the help station increases. Setting the "Maximum Password Validity Period" to a value of 42 can ensure the periodic cycle of the password, thus increasing the password security.

Minimum Password Validity Period

Table 2.4: settings

　

The "Minimum Password Use Period" setting determines the number of days before a user can change the password. The value range of this setting is 1 to 998 days. You can also set the value to 0 to allow immediate password change. The default value is 0 days.

The value set for "Minimum Password Use Period" must be less than the value set for "Maximum Password Use Period, unless the value set to "Maximum Password life" is 0, the password will never expire ). If the value of "Maximum Password life" is set to 0, the value of "Minimum Password life" can be set to any value ranging from 0 to 999.

For more information, click Active Directory domain infrastructure configuration 3.