Week 9: Mon, Nov 5

Exam issues: Often you're still not thinking in terms of specific Windows features; you're thinking generically in terms of "allow"/"deny".
Example: 3(a), allow downloads but don't allow execution of them. Solution: make all writeable parts of the disk subject to a strict Software Restriction Policy that doesn't allow any execution.
Problem 1(b)
Problem 2

=============================================

Goals & Policies assignment

Goals should be general. They probably shouldn't mention Windows at all; certainly not specific features. Not all goals may be implementable.

Goal 1: to ensure that no viruses or other malicious software is installed on a computer
Goal 2: to ensure that no unauthorized executables can be run on the computer (stricter than Goal 1)

=============

How to let taylor log on to the domain controller itself (to let us try out domain user settings without adding a client machine).

1. Create a group, DC LOGON, in folder "Users" in AD Users and Computers.
2. Edit the local domain policy in Group Policy Management: Computer Configuration => Windows Settings => Security Settings => Local Policies => User Rights Assignment => Allow log on locally. Add "Administrators" and "DC LOGON".
3. Make sure your prospective user is in group DC LOGON.

Now you can log on to your server to do stuff.

winserver01 account: taylor the teacher

========================

What's wrong with winserver02??

============================================================

Virus example

Malicious Software Removal kit

==========================================================

Folder shares

How to create
To view, use command NET SHARE
Shares ending in $ are not visible when browsing
How to CONNECT
Shares can be published in Active Directory. This means that you don't have to know the server name.

Share permissions v NTFS folder/file permissions

1. On the CommonServer computer, create a folder called redirected.
2. Share this folder as redirected$ (the full share name would therefore be \\CommonServer\redirected$).
3. Set share permissions for the redirected$ share to Full Control for the Everyone group (security will be enforced by NTFS permissions when the user profile folders are created).
4. For both the Lightly Managed (User) and Highly Managed (User) GPOs, carry out the following steps:
   a. In GPMC, right-click the GPO, and then select Edit.
   b. Within the Group Policy Object Editor, navigate to User Configuration/Windows Settings/Folder Redirection.
   c. Right-click the My Documents node and select Properties.
   d. In the Properties dialog box, change the Setting dropdown box to Basic - Redirect everyone's folder to the same location.
   e. Leave the Target Folder Location dropdown box set to Create a folder for each user under the root path.
   f. Set the Root Path field to \\CommonServer\redirected$, and then click OK. Folder Redirection automatically appends %username% to the path specified.
   g. Right-click the Desktop node and select Properties.
   h. In the Properties dialog box, change the Setting dropdown box to Basic - Redirect everyone's folder to the same location.
   i. Leave the Target Folder Location dropdown box set to Create a folder for each user under the root path.
   j. Set the Root Path field to \\CommonServer\redirected$\, and then click OK. Folder Redirection automatically appends %username% to the path specified.
   k. Close the GPO.

Quote from MS explaining why users weren't getting the redirected folder until the SECOND logon:

With the fast logon enhancement in Windows XP when users change from a local to a roaming profile, it will take two logons on each machine for profile changes to be registered. This is because the user always logs on with cached credentials; therefore it takes one logon for the network to notice that the user has become roaming and the second logon to apply these settings.
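Going back to the DC LOGON steps earlier in these notes: the group creation and membership check (steps 1 and 3) can be scripted, and the result of the "Allow log on locally" edit (step 2, still done in the Group Policy Management console) can be verified from the server instead of trusting the console. This is an added PowerShell example, not part of the course notes; it assumes the ActiveDirectory module is present on the domain controller, that the user is taylor, and that the group goes in the default Users container.

```powershell
# Added example (not from the course notes). Run in an elevated PowerShell on the DC.
# Assumptions: user 'taylor', group 'DC LOGON' in the default Users container.
Import-Module ActiveDirectory

$Group = 'DC LOGON'
$User  = 'taylor'

# Step 1: create the group if it does not exist yet (global security group in CN=Users).
if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
    New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security `
        -Path ("CN=Users," + (Get-ADDomain).DistinguishedName)
}

# Step 3: make sure the prospective user is a member, then list members to confirm.
Add-ADGroupMember -Identity $Group -Members $User
Get-ADGroupMember -Identity $Group | Select-Object SamAccountName

# Step 2 check: after the GPO edit, refresh computer policy and export the user
# rights actually in effect. "Allow log on locally" is SeInteractiveLogonRight;
# secedit lists principals as SIDs, so print the group's SID to match it up.
gpupdate /target:computer /force | Out-Null
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
Select-String -Path $inf -Pattern '^SeInteractiveLogonRight'
(Get-ADGroup -Identity $Group).SID.Value
Remove-Item $inf
```

If the SID of DC LOGON (and S-1-5-32-544, the built-in Administrators group) is not on the SeInteractiveLogonRight line, the policy has not applied yet or was edited in the wrong GPO; gpresult (see below in these notes) will show which GPO won.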
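The share steps 1 to 3 above deliberately leave the share permissions wide open and rely on NTFS for security, so the interesting part is the NTFS ACL on the root folder: each user must be able to create their own subfolder under redirected$ but not read anyone else's. The following PowerShell is an added example, not the course's or Microsoft's own script; it assumes the root folder is D:\redirected on CommonServer (the notes give no drive letter) and uses the usual folder-redirection root permissions (CREATOR OWNER gets full control of what they create, everyone else only gets to list the root and create a folder in it).

```powershell
# Added example (not from the course notes). Run as an administrator on CommonServer.
# Assumption: the redirection root lives at D:\redirected.
$Root  = 'D:\redirected'
$Share = 'redirected$'   # trailing $ hides the share from browsing; NET SHARE still lists it

New-Item -ItemType Directory -Path $Root -Force | Out-Null

# Step 3 of the notes: share permissions Full Control for Everyone; NTFS does the real work.
if (-not (Get-SmbShare -Name $Share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $Share -Path $Root -FullAccess 'Everyone' | Out-Null
}

# Build a non-inherited NTFS ACL on the root folder from scratch.
$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $false)          # stop inheriting, drop inherited entries
foreach ($ace in @($acl.Access)) { $acl.RemoveAccessRule($ace) | Out-Null }

function New-FolderAce($Identity, $Rights, $Inherit, $Propagate) {
    # Helper (added here): one Allow ACE for the given identity and scope.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, $Propagate, 'Allow')
}

# SYSTEM: full control on the root and everything below it.
$acl.AddAccessRule((New-FolderAce 'NT AUTHORITY\SYSTEM' 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
# CREATOR OWNER: full control of subfolders and files only (inherit-only), so the
# user who creates <root>\<username> owns it and nobody else gets in.
$acl.AddAccessRule((New-FolderAce 'CREATOR OWNER' 'FullControl' 'ContainerInherit, ObjectInherit' 'InheritOnly'))
# Authenticated Users: this folder only; enough to see the root and create their own folder.
$acl.AddAccessRule((New-FolderAce 'NT AUTHORITY\Authenticated Users' 'ListDirectory, CreateDirectories, ReadAttributes, Traverse' 'None' 'None'))

Set-Acl -Path $Root -AclObject $acl

# Show what ended up on the folder so it can be checked against the intent above.
(Get-Acl -Path $Root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

Over the network the effective permission is the more restrictive of the share ACL and the NTFS ACL, so Full Control for Everyone on the share adds nothing beyond what NTFS grants; a user browsing \\CommonServer\redirected$ sees the list of user folders but can only open their own. If the client lists the root and then fails with "access denied" creating the folder, the Authenticated Users entry is what to recheck.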
==========================================

gpresult: figures out effective GPO settings on a client machine; pairs with gpupdate

=====================

Comment from Tom Ptacek, security expert: MS *is* doing the right things re security. Nobody else is, at least not commercially.

===============================================

Logging on to our accounts
Creating
Setting specific sets of control panels
Trying it on each machine as a local user

==========================================================

Profile folders

Redirectable:
  Application Data
  Desktop
  My Documents
  Start Menu

NTUSER.DAT
Plus, lots of SETTINGS are stored in the registry, the "hive" for which is NTUSER.DAT.

Also:
  Cookies
  Favorites
  Local Settings
  Temp
  Internet Cache

Classic profiles:
  Local
  Roaming: on server, PLUS cached copy on any local machine you use.
  Mandatory: can be changed, but resets on logoff. Group Policy makes Mandatory profiles obsolete.

Redirected folders: NOT automatically cached on local machine.

==============================================