Week 6: October 15

Exam 1: 10/22 or 10/29??

Offline Folders: brief description

Boot.ini contents
    editing with msconfig
    editing any other way

==============================================
==============================================

Approaches:
    file permissions
    disk-reset systems
    software restriction policies

Disk-reset systems: keep system safe at beginning of each reboot
Software Restriction Policies: keep systems safe(r) after reboot
    for how long??

"safe" means "without modifications undesired by the administration"

Disk-reset systems also enforce CONSISTENT USER VIEW, at least if system is rebooted.

User program writing: *maybe* no problem if machine code isn't involved:
    One can allow Python scripts but not .exe files

How do disk-reset systems protect more than careful denial of write access?
    * allows software to MAKE modifications; read-only status sometimes breaks applications
    * easier to implement
    * simpler to audit

========================================

Software-trust problem

What Java applets do to address this problem:
    Run in a sandbox

What Microsoft controls do to address this problem:
    * control must be "signed".

========================================

Future goals (for MS):
    * clearer notion of what is an executable
    * back off from "embedded" executables in doc files, Excel, images, etc
    * intermediate strategies between allow & deny (eg notification)
    * sandboxes

==================================================================================

Windows Server 200x Group Policy:

Active Directory: a database of users and machines. Can have additional attributes; can be organized into groups.

Entries:
    user accounts
    computer accounts
    Organizational Units
    security groups
    group policy objects (GPOs) = set of settings for USERs and COMPUTERs

Organizational Unit: a container in the Active Directory for grouping similar accounts/machines/groups.
    Smallest unit that can be assigned a Group Policy or delegated authority.
    Hierarchical.
    Sometimes used to reduce the number of DOMAINS (eg to 1)
    You can delegate authority over a (single) OU to a user/group.

Tree: a group of Domains with mutual trust (mutual authentication) and DNS contiguousness:
    it.luc.edu, cs.luc.edu
    but NOT it.luc.edu, ramblers.com

Forest: bunch of trees

Organizational Units: very important
    Icon: folder with little tablet in it
    Policies are best implemented by creating an OU to contain them, rather than by editing the domain policy.

Group Policy Object: little scroll
Link to a GPO: scroll with a link arrow in lower left corner

Several GPOs can be applied to a given OU. The application order is spelled out.

GPOs contain a bunch of system policy settings. They do NOT contain file permissions, or disk-reset options, or IPsec options, or even User Profile Location.
Definitely not non-MS software settings, either (I'm not sure where IE or Office settings go....)

===========================================================

Browsing the Active Directory:

To browse the directory
1. Double-click My Network Places on the desktop.
2. Double-click Entire Network, and then click Entire contents of the network.
3. Double-click the Directory.
4. Double-click the domain name, Reskit, and then double-click Engineering.
5. To view the files in the volume, either right-click the Engineering Specs volume, and click Open, or double-click Engineering Specs.

User Profile Location *can* be set with the Users & Computers MMC

OUs v Groups:
    OUs are strictly hierarchical
    Groups are NOT: can be overlapping

================================================================================
================================================================================

Demo with winserver1

Examples

1. "Default Domain Policy". Look at details:
    where is it actually enabled for the domain?
    link (just below domain) versus original (in GPO folder)
    Look at settings
    Look at GPO Report
    Try to figure out how to save it!?!

    NOTE: password policies are DOMAIN-WIDE.
    You CANNOT have different password policies for different OUs.
    This is because login is always through your domain controller.

2. Try adding a machine to our domain
    note lab001 is already in!

3. Demo: reset password (eg to "")
    then change security settings to require password min length
    then reset password again to something too short

3a. Try adding users, ....
3b. Creating users in the wrong place and then moving them

4. Linking a user to a GPO
    link GPO to OU
    add user to OU

5. Publishing a shared folder under AD

Loopback policy: USER policy depends on which computer they're logged into. Defer.

6. Delegation of control
    * for everything to LabAdmins group
    * for password resets to LabTutors group

===================================================

Microsoft __Common Scenarios__ document. First look.

=========================================================

Demo on machine 4

Configuring DNS: turn it on
    files in d:\winser2003\i386 (or e:)
    static IP: 10.20.0.2N, N=1...7
    root hints only

Local AD: new forest
    new domain
    domain name: csedN.cs.luc.edu
    WINS/netbios name
    database folder
    SYSVOL
    "I will correct the problem later by configuring DNS manually. Go away."

=====================================================

Lab:

1. Boot as XP, connect to the server

2. Boot as Windows 2003 Standard Edition.
    Install DNS
    Install Active Directory
    Start "Active Directory Users and Computers", DiNicolo 3-1, p 57
    Create an OU or two, DiNicolo 3-2, p 61
    Create some users
    Put users into an OU
    Create some Computer objects (accounts), DiNicolo 3-5, p 68
    Create some Group objects, DiNicolo 3-7, p 72
    DiNicolo 3-12: NTFS permissions. Be familiar with this in theory.
    DiNicolo 3-13: AD object permissions, p 81
    Install the Group Policy MMC, if necessary

==========================================================================
==========================================================================
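As an added illustration of the Group Policy points above (several GPOs linked to nested OUs, applied in a stated order, and password policy being domain-wide), here is a small Python model; it is not code from the course or from Microsoft. The OU paths, GPO names and setting keys are constructed, and Local/Site GPOs, Enforced links, Block Inheritance, security filtering and loopback processing are deliberately left out of the model.

```python
"""Model of GPO precedence across a domain and nested OUs (added illustration).

Assumptions: GPOs are applied from the domain down to the object's own OU, so
the GPO linked closest to the object is applied last and wins on conflicts.
Within one container, link order 1 is applied last (highest precedence).
Password-policy settings for domain accounts take effect only from GPOs linked
at the domain, because domain logons are validated by the domain controller.
"""
from dataclasses import dataclass

# Setting names are constructed for the model, not real policy registry keys.
PASSWORD_POLICY_KEYS = {"MinimumPasswordLength", "PasswordComplexity"}


@dataclass
class GPO:
    name: str
    settings: dict


@dataclass
class Link:
    gpo: GPO
    order: int  # 1 = applied last = wins within this container


def resolve(links_by_container: dict, ou_path: str) -> dict:
    """Return the effective settings for an object located at ou_path.

    ou_path is 'domain/OU/SubOU'; links_by_container maps each container
    path to the list of GPO links on it.
    """
    effective = {}
    parts = ou_path.split("/")
    for depth in range(1, len(parts) + 1):          # domain first, then each OU
        container = "/".join(parts[:depth])
        is_domain = depth == 1
        # Higher link-order numbers are applied first, so order 1 overrides them.
        for link in sorted(links_by_container.get(container, []), key=lambda l: -l.order):
            for key, value in link.gpo.settings.items():
                if key in PASSWORD_POLICY_KEYS and not is_domain:
                    continue  # silently ignored: password policy is domain-wide
                effective[key] = value
    return effective


# Constructed sample: domain csed1 with an OU "Lab" and a child OU "Lab/Tutors".
LINKS = {
    "csed1": [Link(GPO("Default Domain Policy",
                       {"MinimumPasswordLength": 7, "RemoveRunMenu": False}), 1)],
    "csed1/Lab": [Link(GPO("Lab Lockdown", {"RemoveRunMenu": True, "DisableCmd": True}), 1),
                  Link(GPO("Lab Weak Passwords", {"MinimumPasswordLength": 0}), 2)],
    "csed1/Lab/Tutors": [Link(GPO("Tutor Tools", {"DisableCmd": False}), 1)],
}

if __name__ == "__main__":
    print(resolve(LINKS, "csed1/Lab/Tutors"))
```

The Tutors OU ends up with the domain's minimum password length of 7 despite the OU-linked "Lab Weak Passwords" GPO, while the ordinary settings from the closest OU override those of its parents.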