Group Policy is a characteristic of the Microsoft Windows environment. It is responsible for controlling the working conditions of user accounts and machine accounts. Group Policy gives centralized administration and configuration of operating systems, apps, and users' environments in an Active Directory environment. With the help of Group policy, system administrators can use software, patches, and other important updates. It also makes sure that users are following critical company files on a centralized and controlled storage system.
If you wish to work as a System administrator, then you need to understand group policies because Group policy is a peculiarity of Microsoft Windows Active Directory that gives extra controls to user and computer accounts. It also provides systems configurations of the user's computing ecosystems and helps system administrators to defend user's computers from infiltration and data breaches. In this hands-on virtual lab, as a Windows system administrator you will learn how to configure security settings using various Microsoft group policies. Other Challenges in this series are "Configure Linux Firewall ACL Rules" and "Can You Secure Network Access?"
Understand the Scenario
In this challenge, you are a system administrator for a company that uses Microsoft Active Directory. To ensure that domain-joined computers adhere to organizational security policies, you need to configure a variety of security settings in Group Policy. First, you will configure computer and user settings in the Default Domain Policy Group Policy Object (GPO), and then you will refresh Group Policy to ensure that the settings are valid. To accomplish this task, learners will use a virtual machine named DC1-CA that runs Microsoft Windows Server 2016. DC1-CA is configured as a domain controller for an Active Directory domain named Contoso. You will connect to the virtual machine console directly in the lab environment.
Configure account policy settings
All account policy settings implemented by utilizing Group Policy are applied at the domain level. For example, the Default values are already in the built-in default domain controller policy. These default values are for Password Policy settings, Account Lockout Policy settings, and Kerberos Policy settings. Therefore it is necessary to configure the account policy settings first. In this section of the virtual lab, learners will use DC1-CA as an Administrator and use the Default Domain Policy to configure the Password Policy. They will learn how to expand Policies and use Windows Settings, Security Settings, Account Policies, and finally, Password Policy.
After this, they will learn how to configure the following values:
- Enforce password history
- Maximum password age
- Minimum password age
- Minimum password length
- Password must meet complexity requirements
- Store passwords using reversible encryption
Password policy settings must be configured in a domain-level GPO. In other words, a GPO linked to an Active Directory Organizational Unit (OU) will allow you to set password policy settings. Still, the policy settings will not be valid for computers in and under that OU. Finally, you will confirm that you configured the password policy settings in the default domain policy.
Configure file system auditing settings
After configuring the account policy, the next crucial step is the configuration of the file system auditing settings. In this step, learners will use the default domain policy to configure the Audit File System option to audit Success and Failure events. For this, they will create a folder containing a .txt file. After this, they will learn how to configure the security properties for the .txt file to generate an audit event. Finally, they will learn how to use the Event Viewer to confirm that the Windows Event Viewer Security log contains an Audit Success event for a txt file. The Windows Event Viewer displays a log of apps and system information such as errors and warnings. It's a valuable tool for troubleshooting all sorts of various Windows problems.
Configure security option settings
After configuring the file system auditing settings, the final step is to configure the security options. In this last step, you will learn how to use the default domain policy to enable Interactive logon "Do not display last user name" and refresh the group policy. Group Policy is implicitly refreshed when you reboot the domain member.
Lab Summary Conclusion
After completing the "Configure Security Settings Using Microsoft Group Policy" virtual lab, you will have accomplished the following:
- Configured password policy settings.
- Configured file system auditing settings.
- Configured general security settings.
- Refreshed Group Policy to force the new settings to take effect.