mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-29 13:47:23 +00:00
Update security-policy-settings.md
Corrected markdown for Notes. General tidying up. Updated all lists to standard format (all 1.).
This commit is contained in:
parent
5d664f00d1
commit
30c91dc3bf
@ -20,6 +20,7 @@ ms.date: 04/19/2017
# Security policy settings

**Applies to**

- Windows 10

This reference topic describes the common scenarios, architecture, and processes for security settings.
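Review bot: the one added line in this hunk is whitespace only (seven rows are shown, none of them an old/new pair, and the header goes from 6 to 7 lines), so this is a blank-line insertion that the commit message does not mention. It is harmless; keep it if it is what makes the **Applies to** block render as its own paragraph, otherwise drop it to keep the diff to the stated scope.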
@ -30,7 +31,7 @@ Security settings can control:

- User authentication to a network or device.
- The resources that users are permitted to access.
- Whether to record a user’s or group’s actions in the event log.
- Whether to record a user's or group's actions in the event log.
- Membership in a group.

To manage security configurations for multiple devices, you can use one of the following options:
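Review bot: the only change here is the two typographic apostrophes in "user's or group's" becoming ASCII ones, which matches the same replacement made later in the file ("template's", "domain's", "tattooing"). Nothing else to flag in this hunk.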
@ -52,7 +53,8 @@ The Security Settings extension of the Local Group Policy Editor includes the fo

- **Audit Policy.** Specify security settings that control the logging of security events into the Security log on the computer, and specifies what types of security events to log (success, failure, or both).

>**Note:** For devices running Windows 7 and later, we recommend to use the settings under Advanced Audit Policy Configuration rather than the Audit Policy settings under Local Policies.
> [!NOTE]
> For devices running Windows 7 and later, we recommend to use the settings under Advanced Audit Policy Configuration rather than the Audit Policy settings under Local Policies.

- **User Rights Assignment.** Specify the users or groups that have logon rights or privileges on a device
- **Security Options.** Specify security settings for the computer, such as Administrator and Guest Account names; access to floppy disk drives and CD-ROM drives; installation of drivers; logon prompts; and so on.
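Review bot: the note line is being rewritten anyway, so fix its grammar while you are here: "we recommend to use the settings" should read "we recommend using the settings". Two smaller points in the same region: the **Audit Policy.** bullet mixes "Specify ... and specifies" (make both "Specify"), and an unindented `>` block between two list items ends the Markdown list, so the **User Rights Assignment.** bullet starts a second list; if the admonition is meant to hang off the Audit Policy item, indent the `>` lines to the item's content column. The **User Rights Assignment.** bullet is also missing its terminating period.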
@ -63,8 +65,7 @@ The Security Settings extension of the Local Group Policy Editor includes the fo
- **Software Restriction Policies.** Specify settings to identify software and to control its ability to run on your local device, organizational unit, domain, or site.
- **Application Control Policies.** Specify settings to control which users or groups can run particular applications in your organization based on unique identities of files.
- **IP Security Policies on Local Computer.** Specify settings to ensure private, secure communications over IP networks through the use of cryptographic security services. IPsec establishes trust and security from a source IP address to a destination IP address.
- **Advanced Audit Policy Configuration.** Specify settings that control the logging of security events into the security log on the device. The settings under Advanced Audit Policy Configuration provide finer control over which activities to monitor as opposed to the Audit Policy settings under
Local Policies.
- **Advanced Audit Policy Configuration.** Specify settings that control the logging of security events into the security log on the device. The settings under Advanced Audit Policy Configuration provide finer control over which activities to monitor as opposed to the Audit Policy settings under Local Policies.

## Policy-based security settings management

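Review bot: joining the hard-wrapped "under" / "Local Policies." lines is the right fix; the old form depended on lazy continuation inside a list item and was easy to break. One consistency point visible in this hunk: the rejoined bullet says "security log" while the **Audit Policy.** bullet earlier in the file capitalizes it as "Security log"; pick one spelling for the event log name.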
@ -80,10 +81,10 @@ As part of your security strategy, you can create GPOs with security settings po

You can create an organizational unit (OU) structure that groups devices according to their roles. Using OUs is the best method for separating specific security requirements for the different roles in your network. This approach also allows you to apply customized security templates to each class of server or computer. After creating the security templates, you create a new GPO for each of the OUs, and then import the security template (.inf file) into the new GPO.

Importing a security template to a GPO ensures that any accounts to which the GPO is applied automatically receive the template’s security settings when the Group Policy settings are refreshed. On a workstation or server, the security settings are refreshed at regular intervals (with a random
offset of at most 30 minutes), and, on a domain controller, this process occurs every few minutes if changes have occurred in any of the GPO settings that apply. The settings are also refreshed every 16 hours, whether or not any changes have occurred.
Importing a security template to a GPO ensures that any accounts to which the GPO is applied automatically receive the template's security settings when the Group Policy settings are refreshed. On a workstation or server, the security settings are refreshed at regular intervals (with a random offset of at most 30 minutes), and, on a domain controller, this process occurs every few minutes if changes have occurred in any of the GPO settings that apply. The settings are also refreshed every 16 hours, whether or not any changes have occurred.

>**Note:** These refresh settings vary between versions of the operating system and can be configured.
> [!NOTE]
> These refresh settings vary between versions of the operating system and can be configured.

By using Group Policy−based security configurations in conjunction with the delegation of administration, you can ensure that specific security settings, rights, and behavior are applied to all servers and computers within an OU. This approach makes it simple to update a number of servers with any additional changes required in the future.

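Review bot: the rejoined sentence still says "any accounts to which the GPO is applied", but the filtering section later in this file states that security settings policies are computer-based; since the line is being edited, "any computers to which the GPO is applied" would match the rest of the document. Also, "Group Policy−based" in the last paragraph uses a Unicode minus sign (U+2212) rather than a hyphen; the same character appears in "Group Policy−based logon scripts" further down, and both should become an ASCII hyphen in the same spirit as the apostrophe changes.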
@ -153,7 +154,7 @@ The Security Settings extension of the Local Group Policy Editor is part of the

The following diagram shows Security Settings and related features.

**Security Settings Policies and Related Features**
#### Security Settings Policies and Related Features



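Review bot: promoting the bold figure title to an `####` heading changes the document outline: it now appears as a heading in the page structure, duplicates the image's alt text, and should be checked against the surrounding `##`/`###` levels so it does not skip a level. The later figure title in this same file, **Security Settings Policy Processing**, is left as bold text by this commit, so the two figure captions are now styled differently; either promote both or keep both as bold captions.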
@ -234,8 +235,7 @@ The following list describes these primary features of the security configuratio

- **.Inf Templates**

These are text files that contain declarative security settings. They are loaded into a database before configuration or analysis. Group Policy security policies are stored in .inf files on the SYSVOL folder of domain controllers, where they are downloaded (by using file copy) and merged into
the system database during policy propagation.
These are text files that contain declarative security settings. They are loaded into a database before configuration or analysis. Group Policy security policies are stored in .inf files on the SYSVOL folder of domain controllers, where they are downloaded (by using file copy) and merged into the system database during policy propagation.

## <a href="" id="w2k3tr-gpssp-how-hjxe"></a>Security settings policy processes and interactions

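Review bot: the line join is correct. While tidying, the unchanged heading `## <a href="" id="w2k3tr-gpssp-how-hjxe"></a>Security settings policy processes and interactions` carries an anchor with an empty `href=""`, which renders as an empty link; `<a id="w2k3tr-gpssp-how-hjxe"></a>` alone preserves the legacy anchor without the link. In the rejoined paragraph, "stored in .inf files on the SYSVOL folder" reads better as "in the SYSVOL folder".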
@ -246,26 +246,26 @@ For a domain-joined device, where Group Policy is administered, security setting
When a computer starts and a user logs on, computer policy and user policy are applied according to the following sequence:

1. The network starts. Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming Convention Provider (MUP) start.
2. An ordered list of Group Policy Objects is obtained for the device. The list might depend on these factors:
1. An ordered list of Group Policy Objects is obtained for the device. The list might depend on these factors:

- Whether the device is part of a domain and, therefore, subject to Group Policy through Active Directory.
- The location of the device in Active Directory.
- Whether the list of Group Policy Objects has changed. If the list of Group Policy Objects has not changed, no processing is done.

3. Computer policy is applied. These are the settings under Computer Configuration from the gathered list. This is a synchronous process by default and occurs in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while computer policies are processed.
4. Startup scripts run. This is hidden and synchronous by default; each script must complete or time out before the next one starts. The default time-out is 600 seconds. You can use several policy settings to modify this behavior.
5. The user presses CTRL+ALT+DEL to log on.
6. After the user is validated, the user profile loads; it is governed by the policy settings that are in effect.
7. An ordered list of Group Policy Objects is obtained for the user. The list might depend on these factors:
1. Computer policy is applied. These are the settings under Computer Configuration from the gathered list. This is a synchronous process by default and occurs in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while computer policies are processed.
1. Startup scripts run. This is hidden and synchronous by default; each script must complete or time out before the next one starts. The default time-out is 600 seconds. You can use several policy settings to modify this behavior.
1. The user presses CTRL+ALT+DEL to log on.
1. After the user is validated, the user profile loads; it is governed by the policy settings that are in effect.
1. An ordered list of Group Policy Objects is obtained for the user. The list might depend on these factors:

- Whether the user is part of a domain and, therefore, subject to Group Policy through Active Directory.
- Whether loopback policy processing is enabled, and if so, the state (Merge or Replace) of the loopback policy setting.
- The location of the user in Active Directory.
- Whether the list of Group Policy Objects has changed. If the list of Group Policy Objects has not changed, no processing is done.

8. User policy is applied. These are the settings under User Configuration from the gathered list. This is synchronous by default and in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while user policies are processed.
9. Logon scripts run. Group Policy−based logon scripts are hidden and asynchronous by default. The user object script runs last.
10. The operating system user interface that is prescribed by Group Policy appears.
1. User policy is applied. These are the settings under User Configuration from the gathered list. This is synchronous by default and in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while user policies are processed.
1. Logon scripts run. Group Policy−based logon scripts are hidden and asynchronous by default. The user object script runs last.
1. The operating system user interface that is prescribed by Group Policy appears.

### Group Policy Objects storage

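Review bot: switching this ten-step procedure to all-`1.` numbering only renders as 1 through 10 if the list is never broken, and it is interrupted twice by nested `-` bullets (after the "ordered list of Group Policy Objects" steps). If those bullets and the blank lines around them are not indented to the ordered item's content column, Markdown closes the list and the steps after each interruption restart at 1, so "Computer policy is applied" would render as step 1 instead of step 3; the explicit `3.`, `4.`, ... in the old text masked this. Please confirm the nested bullets are indented in the source and check the rendered numbering. Separately, "Group Policy−based logon scripts" still contains a Unicode minus sign; replace it with a hyphen as part of this tidy-up.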
@ -275,9 +275,9 @@ A Group Policy Object (GPO) is a virtual object that is identified by a Globally

The Group Policy container is an Active Directory container that contains GPO properties, such as version information, GPO status, plus a list of other component settings.

- **Group Policy templates in a domain’s system volume folder (SYSVOL).**
- **Group Policy templates in a domain's system volume folder (SYSVOL).**

The Group Policy template is a file system folder that includes policy data specified by .admx files, security settings, script files, and information about applications that are available for installation. The Group Policy template is located in the SYSVOL folder in the domain\\Policies subfolder.
The Group Policy template is a file system folder that includes policy data specified by .admx files, security settings, script files, and information about applications that are available for installation. The Group Policy template is located in the SYSVOL folder in the \<domain\>\\Policies subfolder.

The **GROUP\_POLICY\_OBJECT** structure provides information about a GPO in a GPO list, including the version number of the GPO, a pointer to a string that indicates the Active Directory portion of the GPO, and a pointer to a string that specifies the path to the file system portion of the GPO.

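Review bot: making the domain name an explicit placeholder is an improvement, but `\<domain\>\\Policies` stacks three backslash escapes inside prose; a code span such as `<domain>\Policies` needs no escaping, cannot be mistaken for an HTML tag by the renderer, and makes it clear the text is a path. The apostrophe change in the bold item heading is fine.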
@ -289,15 +289,15 @@ Group Policy settings are processed in the following order:

Each device running a Windows operating system beginning with Windows XP has exactly one Group Policy Object that is stored locally.

2. **Site.**
1. **Site.**

Any Group Policy Objects that have been linked to the site are processed next. Processing is synchronous and in an order that you specify.

3. **Domain.**
1. **Domain.**

Processing of multiple domain-linked Group Policy Objects is synchronous and in an order you speciy.

4. **Organizational units.**
1. **Organizational units.**

Group Policy Objects that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then Group Policy Objects that are linked to its child organizational unit, and so on. Finally, the Group Policy Objects that are linked to the organizational unit that contains the user or device are processed.

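Review bot: the unchanged description under the renumbered **Domain.** item has a typo, "in an order you speciy"; fix it to "specify" in this commit since the adjacent line is already being touched. The same numbering caveat applies here as in the logon sequence: each `1.` item is followed by an unindented paragraph, so unless those paragraphs are indented under their items the list is closed after each one and Site, Domain and Organizational units will all render as item 1; the old explicit `2.`, `3.`, `4.` at least rendered the intended numbers.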
@ -312,9 +312,9 @@ This is the default processing order and administrators can specify exceptions t
In the context of Group Policy processing, security settings policy is processed in the following order.

1. During Group Policy processing, the Group Policy engine determines which security settings policies to apply.
2. If security settings policies exist in a GPO, Group Policy invokes the Security Settings client-side extension.
3. The Security Settings extension downloads the policy from the appropriate location such as a specific domain controller.
4. The Security Settings extension merges all security settings policies according to precedence rules. The processing is according to the Group Policy processing order of local, site, domain, and organizational unit (OU), as described earlier in the “Group Policy processing order” section. If multiple GPOs are in effect for a given device and there are no conflicting policies, then the policies are cumulative and are merged.
1. If security settings policies exist in a GPO, Group Policy invokes the Security Settings client-side extension.
1. The Security Settings extension downloads the policy from the appropriate location such as a specific domain controller.
1. The Security Settings extension merges all security settings policies according to precedence rules. The processing is according to the Group Policy processing order of local, site, domain, and organizational unit (OU), as described earlier in the "Group Policy processing order" section. If multiple GPOs are in effect for a given device and there are no conflicting policies, then the policies are cumulative and are merged.

This example uses the Active Directory structure shown in the following figure. A given computer is a member of OU2, to which the **GroupMembershipPolGPO** GPO is linked. This computer is also subject to the **UserRightsPolGPO** GPO, which is linked to OU1, higher in the hierarchy. In this case, no conflicting policies exist so the device receives all of the policies contained in both the **UserRightsPolGPO** and the **GroupMembershipPolGPO** GPOs.

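Review bot: step 4 refers the reader to the "Group Policy processing order" section in plain quoted text; since that section is a heading in this same file, an in-page link to it would be more useful than the quotation marks that this hunk is normalizing. The "This example uses ..." paragraph that follows is part of step 4's explanation, yet it sits at column 0 between step 4 and steps 5 and 6; see the note on the next hunk for the numbering consequence.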
@ -322,13 +322,13 @@ In the context of Group Policy processing, security settings policy is processed



5. The resultant security policies are stored in secedit.sdb, the security settings database. The security engine gets the security template files and imports them to secedit.sdb.
6. The security settings policies are applied to devices.
1. The resultant security policies are stored in secedit.sdb, the security settings database. The security engine gets the security template files and imports them to secedit.sdb.
1. The security settings policies are applied to devices.
The following figure illustrates the security settings policy processing.

**Security Settings Policy Processing**




### Merging of security policies on domain controllers

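Review bot: steps 5 and 6 are separated from steps 1 through 4 by a paragraph and an image, so they form a new list. With the old explicit `5.` and `6.` CommonMark renderers start the list at 5 and the reader sees the intended numbers; with `1.` the new list starts at 1 and the procedure reads 1, 2, 3, 4, 1, 2. Either restore explicit numbers for this tail or indent the intervening paragraph and image under step 4 so the list is continuous. Also, the `` row appears as an old/new pair with identical visible text, which means an invisible change (most likely trailing whitespace or a line ending); that is fine but worth confirming it is intentional. Finally, "The following figure illustrates ..." now directly follows the last list item with no blank line, so it may be absorbed into that item as lazy continuation.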
@ -365,7 +365,7 @@ Security settings might persist in the following cases:
- The settings are for a file system security object.

All settings applied through local policy or through a Group Policy Object are stored in a local database on your computer. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the computer. If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value does not exist in the database then the setting does not revert to anything and remains defined as is.
This behavior is sometimes referred to as “tattooing.”
This behavior is sometimes referred to as "tattooing".

Registry and file security settings will maintain the values applied through Group Policy until that setting is set to other values.

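Review bot: replacing the curly quotes is fine, but this line also moves the period outside the closing quotation mark; the Microsoft Writing Style Guide puts periods and commas inside closing quotation marks, so keep `"tattooing."` and only change the quote characters. The "tattooing" sentence is also a one-line paragraph glued to the long paragraph above it with no blank line, so it renders as part of that paragraph; that is probably intended, but if it should stand alone add the blank line.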
@ -377,7 +377,8 @@ Both Apply Group Policy and Read permissions are required to have the settings f

By default, all GPOs have Read and Apply Group Policy both Allowed for the Authenticated Users group. The Authenticated Users group includes both users and computers. Security settings policies are computer-based. To specify which client computers will or will not have a Group Policy Object applied to them, you can deny them either the Apply Group Policy or Read permission on that Group Policy Object. Changing these permissions allows you to limit the scope of the GPO to a specific set of computers within a site, domain, or OU.

**Note:** Do not use security policy filtering on a domain controller as this would prevent security policy from applying to it.
> [!NOTE]
> Do not use security policy filtering on a domain controller as this would prevent security policy from applying to it.

### Migration of GPOs containing security settings

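Review bot: the old line had no `>` at all, so it rendered as an ordinary bold paragraph rather than a note; converting it to an admonition is the right fix. Given that the text is a prohibition whose consequence is a domain controller no longer receiving its security policy, `[!IMPORTANT]` (or `[!CAUTION]`) conveys the severity better than `[!NOTE]`, and "as this would prevent" reads more cleanly as "because this would prevent".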