Manage, Extend, and Simplify Group Policy using Quest Group Policy Solutions
Technical Brief, written by Darren Mar-Elia, Chief Technology Officer, Windows Management, Quest Software, Inc.
Copyright Quest Software, Inc. 2005. All rights reserved. This guide contains proprietary information, which is protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc. WARRANTY The information contained in this document is subject to change without notice. Quest Software makes no warranty of any kind with respect to this information. QUEST SOFTWARE SPECIFICALLY DISCLAIMS THE IMPLIED WARRANTY OF THE MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Quest Software shall not be liable for any direct, indirect, incidental, consequential, or other damage alleged in connection with the furnishing or use of this information. TRADEMARKS All trademarks and registered trademarks used in this guide are property of their respective owners. World Headquarters 5 Polaris Way Aliso Viejo, CA 92656 www.quest.com e-mail: info@quest.com U.S. and Canada: 949.754.8000 Please refer to our Web site for regional and international office information. Updated August 30, 2005
CONTENTS
ABOUT QUEST INFRASTRUCTURE MANAGEMENT
ABOUT QUEST SOFTWARE, INC.
CONTACTING QUEST SOFTWARE
CONTACTING CUSTOMER SUPPORT
INTRODUCTION
THE DOWNSIDE OF POWER: COMPLEXITY
  GROUP POLICY PROCESSING PRECEDENCE
  MAINTAINING SECURITY USING GROUP POLICY
  MANAGE THE USER EXPERIENCE WITH GROUP POLICY
  ADDRESS CROSS-PLATFORM POLICY MANAGEMENT
QUEST GROUP POLICY SOLUTIONS FOR GREATER SECURITY AND CONTROL
  QUEST GROUP POLICY MANAGER
  QUEST GROUP POLICY EXTENSIONS
  VINTELA AUTHENTICATION SERVICES
SUMMARY
CALL TO ACTION
ABOUT THE AUTHOR
ABOUT QUEST INFRASTRUCTURE MANAGEMENT
Quest Software, Microsoft's 2004 Global Independent Software Vendor Partner of the Year, provides solutions that simplify, automate, and secure Active Directory, Exchange, and Windows, as well as integrate Linux and Unix into the managed environment. Quest's Infrastructure Management products deliver comprehensive capabilities for secure management, migration, and integration of the heterogeneous enterprise.

ABOUT QUEST SOFTWARE, INC.
Quest Software, Inc. delivers innovative products that help organizations get more performance and productivity from their applications, databases and infrastructure. Through a deep expertise in IT operations and a continued focus on what works best, Quest helps more than 18,000 customers worldwide meet higher expectations for enterprise IT. Quest Software can be found in offices around the globe and at www.quest.com.

Contacting Quest Software
Phone: 949.754.8000 (United States and Canada)
Email: info@quest.com
Mail: Quest Software, Inc., World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656, USA
Web site: www.quest.com
Please refer to our Web site for regional and international office information.
Contacting Customer Support
Quest Software's world-class support team is dedicated to ensuring successful product installation and use for all Quest Software solutions.
SupportLink: www.quest.com/support
Email: support@quest.com
You can use SupportLink to do the following:
- Create, update, or view support requests
- Search the knowledge base
- Access FAQs
- Download patches
INTRODUCTION
What is the one piece of management technology within Windows that allows you to centrally manage such diverse elements as security configuration, desktop lockdown, and software deployment? Active Directory-based Group Policy is that technology. Group Policy gives you powerful centralized control over these and many other aspects of your Windows server and desktop configurations. However, Group Policy on its own is complex, providing literally thousands of settings that you need to manage. Add to that the inherent need to support different policies for different groups of desktops and servers, and you have a real challenge on your hands. In this technical brief, I will discuss some of the pitfalls of poor Group Policy management and the risks they introduce. I'll then talk about some best practices for managing Group Policy in your environment, including how Quest's tools for Group Policy can help you gain and keep control of your Windows (and non-Windows) infrastructure.
THE DOWNSIDE OF POWER: COMPLEXITY
Managing your Windows systems using Group Policy is an exercise in trading off power against complexity. Group Policy provides the power to centrally manage literally thousands of settings on a typical Windows server or desktop. However, the challenge of managing those settings in any reasonably sized environment, and of ensuring that the right users and servers get the right settings, must not be underestimated. A brief look at how Group Policy is applied shows how complex managing its application can become.

Group Policy Processing Precedence
In an Active Directory (AD) environment, Group Policy Objects (GPOs) can be linked to AD containers, specifically sites, domains, or organizational units (OUs). Additionally, each computer has a local GPO that can contain settings whether or not the machine is a member of an AD domain. A given user or computer processes Group Policy in this order:
1. Local GPO
2. Site-linked GPOs
3. Domain-linked GPOs
4. OU-linked GPOs, parent OU first and then each child OU down to the one that contains the user or computer object
Later wins: where two GPOs configure the same setting, the one processed later overrides the one processed earlier, so by default an OU-linked GPO overrides a domain-linked GPO, which in turn overrides the local GPO. At each of the three AD levels (site, domain, OU) you can have multiple GPOs linked, and the order in which they are processed is determined by the link order set on that container: the link with link order 1 has the highest precedence and is processed last. In addition, you can affect whether a GPO applies at all by using security group filters or Windows Management Instrumentation (WMI) filters, which grant or deny application of the GPO based on group membership or on system configuration criteria. If you wish to change the default processing order that a given computer or user follows, you can use the options Block Inheritance, Enforced, and Loopback, described below:
Block Inheritance: A flag placed on an OU or domain that causes GPOs linked higher up in the processing order (at parent containers) to be ignored, unless those links are Enforced.
For example, if you set Block Inheritance on a domain container, all site-linked GPOs are ignored by users and computers in that domain.
Enforced: A flag placed on a GPO link (it is a property of the link, not of the GPO itself) that ensures all downstream users and computers process that GPO even if a downstream container uses Block Inheritance. Enforced overrides the Block Inheritance flag, and an Enforced GPO's settings also override conflicting settings in GPOs linked lower in the hierarchy, which would otherwise win by being processed later.
Loopback: Loopback is a special processing mode, enabled on a computer, in which every user who logs on to that computer receives user settings from the GPOs that apply to the computer's location in AD rather than from the GPOs that apply to the user's own account. In Replace mode the user's own GPOs are ignored entirely; in Merge mode both sets apply, with the computer-side GPOs processed last and therefore winning conflicts. This mode is mostly used on kiosk-type machines, but its use changes the way Group Policy is processed and is easy to overlook when troubleshooting.
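The rules above are easier to trust when you can reproduce them against a real OU. The following script is an added example, not code from this brief or from Quest: it walks the container chain from the domain root to a target OU, reads each container's links with the Microsoft GroupPolicy module (RSAT, Windows Server 2008 R2 or later, which postdates this brief), and emits the GPOs in processing order, applying link order, Block Inheritance and Enforced exactly as described. The OU distinguished name is a placeholder. Site-linked GPOs, the local GPO, security group and WMI filters, and disabled GPOs are not considered, so treat it as a reading aid for the precedence rules rather than a replacement for gpresult or Resultant Set of Policy.

```powershell
# Added example (not from the Quest brief). Assumes the GroupPolicy module and a DN
# without escaped commas. Lists the GPOs a user or computer in $TargetDN will process,
# in order, honouring link order, Block Inheritance and Enforced.
Import-Module GroupPolicy

function Get-EffectiveGpoOrder {
    param([Parameter(Mandatory)][string]$TargetDN)

    # Build the container chain from the domain root down to the target OU.
    $parts   = $TargetDN -split ','
    $dcStart = 0
    while ($dcStart -lt $parts.Count -and $parts[$dcStart] -notmatch '^DC=') { $dcStart++ }
    if ($dcStart -eq $parts.Count) { throw "No DC= component in '$TargetDN'" }

    $chain = @($parts[$dcStart..($parts.Count - 1)] -join ',')          # the domain itself
    for ($i = $dcStart - 1; $i -ge 0; $i--) {
        $chain += $parts[$i..($parts.Count - 1)] -join ','             # parent OU ... target OU
    }

    $normal   = @()   # non-enforced links in processing order (domain first, target OU last)
    $enforced = @()   # enforced links; processed after all normal links, parents last of all
    foreach ($container in $chain) {
        $inh = Get-GPInheritance -Target $container
        if ($inh.GpoInheritanceBlocked) {
            $normal = @()   # Block Inheritance discards non-enforced links from parents
        }
        # Link order 1 has the highest precedence and is processed last, so walk descending.
        $links = @($inh.GpoLinks | Where-Object { $_.Enabled } | Sort-Object Order -Descending)
        $here  = foreach ($l in $links) {
            [pscustomobject]@{
                Container = $inh.Name
                GPO       = $l.DisplayName
                LinkOrder = $l.Order
                Enforced  = [bool]$l.Enforced
            }
        }
        $normal  += @($here | Where-Object { -not $_.Enforced })
        # A parent's enforced links beat a child's, so the child's group is processed first.
        $enforced = @($here | Where-Object { $_.Enforced }) + $enforced
    }

    $n = 0
    foreach ($e in ($normal + $enforced)) {
        $n++
        $e | Add-Member -NotePropertyName ProcessedAs -NotePropertyValue $n -PassThru
    }
}

# Placeholder OU; the last row printed is the GPO whose settings win any conflict.
Get-EffectiveGpoOrder -TargetDN 'OU=Desktops,OU=Workstations,DC=contoso,DC=com' |
    Format-Table ProcessedAs, GPO, Container, LinkOrder, Enforced -AutoSize
```

Compare the list with `gpresult /scope computer /r` on a machine in that OU: any GPO that gpresult applies but the list omits came from a site link, and any GPO in the list that gpresult shows as filtered out was denied by a security group or WMI filter.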
There are several complexities around Group Policy processing, and getting them right matters because Group Policy carries your security configuration. Therefore, having a concrete process around managing change to policy is critical for a secure environment. Let's look at some of the challenges around managing a secure environment using Group Policy.

Maintaining Security using Group Policy
Group Policy is used for distributing security configurations to your Windows environment. In fact, it is the primary mechanism for managing security configuration in most Windows-based organizations. Security settings such as domain or local computer password policy, group membership (using the Restricted Groups feature), and settings that affect the vulnerability of Windows to attack all fall under the bailiwick of Group Policy-based control. For example, within the Group Policy security settings there is a set of Security Options that control vulnerability-related settings such as whether anonymous enumeration of the SAM is allowed, whether Server Message Block (SMB) signing is required on network traffic between systems, which levels of Windows NT LAN Manager (NTLM) authentication a system will send and accept, and whether the built-in Administrator account is renamed (see Figure 1).
Figure 1: Viewing Security Options in Group Policy related to Vulnerability
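Because Security Options delivered by Group Policy are written into the registry when policy applies, you can verify on any machine what actually landed rather than what the GPO says. The script below is an added example, not code from this brief or from Quest: it reads the registry values behind the four Security Options named above and compares them with a hardened baseline. The "expected" values are an assumed baseline, not settings the brief prescribes, and the Administrator-rename check uses Get-LocalUser (PowerShell 5.1 on Windows), which is also an assumption.

```powershell
# Added example (not from the Quest brief). Checks the local machine's effective
# Security Options against an assumed hardened baseline.
function Test-SecurityOptionBaseline {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $checks = @(
        @{ Name = 'Network access: Do not allow anonymous enumeration of SAM accounts';            Path = $lsa; Value = 'RestrictAnonymousSAM'; Expected = 1 }
        @{ Name = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'; Path = $lsa; Value = 'RestrictAnonymous';    Expected = 1 }
        @{ Name = 'Microsoft network server: Digitally sign communications (always)'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Value = 'RequireSecuritySignature'; Expected = 1 }
        @{ Name = 'Microsoft network client: Digitally sign communications (always)'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Value = 'RequireSecuritySignature'; Expected = 1 }
        # 5 = send NTLMv2 only, refuse LM and NTLM
        @{ Name = 'Network security: LAN Manager authentication level'; Path = $lsa; Value = 'LmCompatibilityLevel'; Expected = 5 }
    )

    foreach ($c in $checks) {
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        # $null means the value is absent, i.e. the OS default is in force, not the policy.
        $actual = if ($null -ne $item) { $item.($c.Value) } else { $null }
        [pscustomobject]@{
            Setting  = $c.Name
            Actual   = $actual
            Expected = $c.Expected
            Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'DEVIATES' }
        }
    }

    # 'Accounts: Rename administrator account' is applied by renaming the account rather
    # than by a single registry flag, so identify the built-in Administrator by its RID (-500).
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    [pscustomobject]@{
        Setting  = 'Accounts: Rename administrator account'
        Actual   = $admin.Name
        Expected = 'anything but "Administrator"'
        Status   = if ($admin.Name -ne 'Administrator') { 'OK' } else { 'DEVIATES' }
    }
}

Test-SecurityOptionBaseline | Format-Table -AutoSize
```

A DEVIATES row on a machine that should receive the security GPO usually means one of the precedence problems from the previous section (a later GPO overriding the setting, a Block Inheritance flag, or a filter denying the GPO) rather than a typo in the GPO itself; `secedit /export /cfg <file>` dumps the full effective security template if you need to compare more than these five settings.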
The ability to reliably set and deliver these security-related policies to your entire Windows infrastructure is critical to the protection of your systems. Similarly, Windows Firewall policy is centrally controlled on Windows XP Service Pack 2 (SP2) and Windows Server 2003 Service Pack 1 (SP1) using Group Policy. It is easy to see how an errant firewall policy, delivered to hundreds or thousands of workstations, could open an organization to widespread attack should a worm get into the organization's network. Conversely, Group Policy's ability to quickly deliver a centrally specified security configuration change to thousands of machines provides a powerful mechanism for minimizing the impact of attacks that are in progress or imminent. Since Group Policy is critical in the context of security and vulnerability, it is easy to see why allowing unplanned changes, or not tightly controlling who can make changes within Group Policy, could put your business and corporate assets at risk. The challenge arises from the complexity of Group Policy. As we discussed earlier, GPOs can be linked at multiple levels of an AD hierarchy and can carry a number of filters and flags that affect their ultimate delivery to a given user or computer. Ensuring that the right GPOs are linked, filtered, and flagged appropriately is an integral part of Group Policy management. In addition, whenever an administrator opens the Group Policy editor and makes a change to a GPO, that change is written immediately to AD and SYSVOL and becomes available for processing by every computer and user the GPO applies to at their next policy refresh; natively there is no staging, approval, or rollback step. You can quickly see that having a good process and delegation model for Group Policy management is critical. One uncontrolled or unapproved change to a key Group Policy setting can have a wide-scale, sweeping impact on an environment.
Unfortunately, security isn't the only area that can be impacted by poorly managed Group Policy. Given its role in desktop lockdown, your end-users' experience while using their Windows PCs depends greatly on the health of your Group Policy infrastructure.
Manage the User Experience with Group Policy
Typically, you only hear from your end-users when something goes wrong. In the case of Group Policy, there are myriad ways for something to go wrong when managing the end-user's desktop configuration. From desktop lockdown using Administrative Template policy, to mapping drives using batch files or Windows Script Host (WSH) logon scripts, to Folder Redirection of a user's profile folders, there are many ways to directly impact the end-user's ability to do their job. Scripts are especially problematic when delivered to hundreds or thousands of users and computers that run them in different security contexts and with different configurations on their machines. The best solution is simplification. By reducing desktop lockdown to a few supportable scenarios, and minimizing the amount of custom scripting required to configure the environment, you reduce the chances of an uncontrolled change having mass impact on your users. Unfortunately, such simplicity does not always meet the needs of the business. In that case, rigid processes for change and better tools for managing the myriad configuration options are the best approach to ensuring high availability for your end-users.

Address Cross-platform Policy Management
Group Policy provides unprecedented configuration management power in your Windows environment, but what tools will you use in the non-Windows environment? What will you use to manage configurations on your Unix and Linux systems? Wouldn't it be a big operational benefit to be able to use the same processes and tools that you use for Windows on these non-Windows platforms? After all, why build two configuration management systems, and two sets of processes and controls, for what is essentially the same task in a different context across all of your distributed systems?
Of course, the key point is that Unix and Linux do not natively support the Group Policy infrastructure of AD, but there is no reason why GPOs cannot be extended to reach these other environments. In fact, that is exactly what Quest has done with the Vintela technology for Group Policy. In the next section, we'll look at how this technology, as well as the rest of the Quest solutions for Group Policy management, helps solve some of these basic problems of control and complexity and helps you get the most from Group Policy in your environment.
QUEST GROUP POLICY SOLUTIONS FOR GREATER SECURITY AND CONTROL
Quest's solutions for Group Policy management seek to resolve many of the inherent challenges with the technology. Our goal is to provide a way of getting the power of Group Policy without the complexity. Quest provides three solutions for addressing the issues discussed above. Quest Group Policy Manager provides change and version control of Group Policy within your environment. Quest Group Policy Extensions extends the capabilities of native Group Policy to provide added support for user control and for better security function on Windows servers and workstations. The Group Policy features in Vintela Authentication Services allow Unix and Linux systems to participate in AD and thus extend the use of Group Policy to those environments. Let's look at each of these solutions in more detail to understand how they solve the key challenges around Group Policy.

Quest Group Policy Manager
Quest Group Policy Manager provides a system for putting structure around uncontrolled or unplanned changes to Group Policy. The product addresses some of the key issues we discussed above, including:
- Provides a change management system for checking out and checking in Group Policy changes prior to deployment to production.
- Provides a set of delegated administrative roles to separate the job of editing Group Policy from the deployment process.
- Gives you the ability to compare GPOs stored in the version control system to those found in production, to ensure that Group Policy has not been tampered with outside of the system.
- Allows you to create offline templates of Group Policy that can be applied against live GPOs, and lets you report when templates conflict with each other.
- Provides reports to show change history and use of the version control system.
Quest Group Policy Manager (see Figure 2) provides the change control you need to prevent unapproved, un-audited changes to Group Policy that could affect your Windows infrastructure's security configuration. Group Policy Manager provides a repository (which can be SQL Server, ADAM, or AD itself) that lets you apply good change management processes to the backup, editing, and deployment of Group Policy. This can occur within your production AD environment or from a test environment. Group Policy Manager lets you manage all aspects of Group Policy change, including the linking of GPOs to containers.
Figure 2: Viewing the Quest Group Policy Manager Interface
The Templates feature in Group Policy Manager is a powerful way of creating offline, standardized templates of Group Policy settings that can be re-used across GPOs, within and across domains. The most obvious benefit of this capability for security configuration control is the ability to create a standard template for the Security Options section of Group Policy, which, as discussed above, controls settings related to the vulnerability of Windows systems to attack. You can then link this template to multiple GPOs within your AD forest, and whenever a change needs to be made to security policy, that change can be made on the template and deployed to all production GPOs, using the version control system to stage the change. This gives you consistent control across your entire forest for critical changes such as security configuration.
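Two of the points above, that an editor change is committed to production immediately and that a repository lets you detect GPOs tampered with outside the change process, come down to one capability: knowing what every GPO looked like at the last approved change and noticing when production no longer matches. The script below is an added example of that check and is not Quest Group Policy Manager's code. It assumes the Microsoft GroupPolicy module (RSAT, Windows Server 2008 R2 or later, which postdates this brief) and a baseline file path, which is a placeholder. It fingerprints each GPO by its AD version counters (incremented on every edit) and a SHA-256 hash of its settings report, and reports GPOs that are new, deleted, or modified since the baseline.

```powershell
# Added example (not Quest's code). Baseline-and-compare detection of GPO changes made
# outside your change process. Assumes the GroupPolicy module and a writable baseline path.
Import-Module GroupPolicy

function Get-GpoFingerprint {
    # One record per GPO. The XML report carries a <ReadTime> stamped at each read,
    # which would change every hash, so it is stripped before hashing.
    foreach ($g in Get-GPO -All) {
        $xml  = Get-GPOReport -Guid $g.Id -ReportType Xml
        $xml  = $xml -replace '<ReadTime>[^<]*</ReadTime>', ''
        $sha  = [System.Security.Cryptography.SHA256]::Create()
        $hash = ($sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($xml)) |
                 ForEach-Object { $_.ToString('x2') }) -join ''
        [pscustomobject]@{
            Id              = $g.Id.ToString()
            Name            = $g.DisplayName
            ComputerVersion = $g.Computer.DSVersion
            UserVersion     = $g.User.DSVersion
            Modified        = $g.ModificationTime.ToString('o')
            Hash            = $hash
        }
    }
}

function Save-GpoBaseline([string]$Path) {
    # Run this right after an approved change has been deployed.
    Get-GpoFingerprint | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
}

function Compare-GpoBaseline([string]$Path) {
    $baseline = @{}
    foreach ($b in (Get-Content -Path $Path -Raw | ConvertFrom-Json)) { $baseline[$b.Id] = $b }
    $current = @{}
    foreach ($c in Get-GpoFingerprint) { $current[$c.Id] = $c }

    foreach ($id in $current.Keys) {
        if (-not $baseline.ContainsKey($id)) {
            [pscustomobject]@{ GPO = $current[$id].Name; Change = 'NEW (not in baseline)' }
        } elseif ($current[$id].Hash            -ne $baseline[$id].Hash -or
                  $current[$id].ComputerVersion -ne $baseline[$id].ComputerVersion -or
                  $current[$id].UserVersion     -ne $baseline[$id].UserVersion) {
            [pscustomobject]@{
                GPO    = $current[$id].Name
                Change = "MODIFIED (computer v$($baseline[$id].ComputerVersion)->$($current[$id].ComputerVersion), " +
                         "user v$($baseline[$id].UserVersion)->$($current[$id].UserVersion), last write $($current[$id].Modified))"
            }
        }
    }
    foreach ($id in $baseline.Keys) {
        if (-not $current.ContainsKey($id)) {
            [pscustomobject]@{ GPO = $baseline[$id].Name; Change = 'DELETED' }
        }
    }
}

# Usage (placeholder path): baseline after each approved deployment, compare on a schedule.
# Save-GpoBaseline    -Path 'C:\GpoBaseline\baseline.json'
# Compare-GpoBaseline -Path 'C:\GpoBaseline\baseline.json' | Format-Table -AutoSize
```

The report hash covers links as well as settings, so a GPO that was merely re-linked or un-linked shows up as modified even though its version counters do not move. Store the baseline where the accounts that can edit GPOs cannot write, and run the comparison under a separate account; otherwise whoever can make the unapproved change can also erase the evidence of it.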
Quest Group Policy Extensions
In addition to the change and version control provided by Quest Group Policy Manager, getting true control over your Windows environment means going beyond what the platform provides out of the box for configuration control. Fortunately, Group Policy provides an extensible framework through which vendors such as Quest can add to the native features. Quest's Group Policy Extensions product does just that, adding new security, administrative, and end-user management features that enhance native Group Policy to give you even more control over your Windows systems. It integrates with Group Policy Manager so that the same change and version control applies to GPOs that use the extensions. In addition, Group Policy Extensions integrates naturally into the Microsoft Group Policy Editor, so that your existing processes and procedures around Group Policy management do not have to change (see Figure 3).
Figure 3: Quest Group Policy Extensions integrates seamlessly into the Microsoft Group Policy Editor
Some of the key Group Policy Extensions features that extend your ability to secure and configure your Windows systems include:
- The ability to create network drive and printer mappings using a wizard-driven method, without having to create complex batch or Windows Script Host (WSH) scripts.
- The ability to distribute environment variable changes, files, shortcuts, and registry entries to computers and users, again using an easy-to-follow wizard-driven method.
- The ability to deploy Scheduled Task jobs to servers or desktops from a centralized user interface.
- The ability to run specific applications at Group Policy refresh or when network state changes occur (e.g., VPN connection, dial-up modem connection, or resume from Hibernate).
- The ability to configure Outlook profiles automatically and centrally, reducing cumbersome profile scripts and desktop visits.
- From a security perspective, the ability to create, edit, and remove local users and groups, and to reset local user passwords, via Group Policy. This finally gives you the ability to periodically reset local accounts such as administrative accounts from a central location, ensuring that local accounts aren't left with stale passwords. One caveat applies to any tool that sets local passwords centrally: if every machine receives the same password, the compromise of one machine yields a credential that is valid on all of them, so each machine should get a distinct value and the distribution channel itself must not expose the password to ordinary domain users.
With all of these capabilities, Group Policy Extensions extends the limited native filtering capability beyond security group and WMI filters to include a wide variety of additional software- and hardware-based filters. As a result, you can more finely target Group Policy settings to the user and computer populations that need to be managed.

Vintela Authentication Services
The Group Policy features of Vintela Authentication Services extend the notion of Group Policy as a tool for security and configuration control to non-Windows systems by providing support for Unix and Linux platforms. This solution lets you use the same tools that you use for Group Policy management today (i.e.
the Group Policy Editor or the Microsoft Group Policy Management Console (GPMC)). It secures and configures a variety of aspects of your Unix and Linux systems, including:
- Configuration of cron jobs.
- Configuration of sudo access.
- Distribution of files and scripts.
- Configuration of syslog and access control parameters.
- The ability to author Unix/Linux-specific policies right from the Windows Group Policy editor or directly from the Unix/Linux box itself. Additional out-of-the-box Unix/Linux-specific policies are also available.
In addition, Vintela Authentication Services provides familiar Unix command-line interfaces for managing and reporting on Group Policy from the Unix/Linux system. Therefore, from a single Group Policy infrastructure based on AD, you can manage both Windows and Unix/Linux systems using the same controls and processes. Quest will also soon provide integration between the Group Policy features in Vintela Authentication Services and Quest Group Policy Manager, giving you the same change and version control capability for Unix/Linux Group Policies that you have for Windows.
SUMMARY
Group Policy is a powerful technology for securing and configuring your Windows environment. Its use is growing as AD becomes more ubiquitous. However, with that growth in use comes complexity, which can threaten to undo its significant benefits. Quest's mission around Group Policy management is to provide you with the tools you need to get the most out of Group Policy without compromising your environment. From Group Policy Manager, which provides change and version control of GPOs in your environment, to Group Policy Extensions, which extends what native Group Policy can do in the areas of security and desktop configuration, to Vintela Authentication Services, which extends Group Policy's power to Unix and Linux, Quest is committed to delivering Group Policy for your AD environment.
CALL TO ACTION
For more information on Quest Group Policy Manager, go to: http://wm.quest.com/products/grouppolicymanager/
For more information on Quest Group Policy Extensions for Desktops, go to: http://wm.quest.com/products/grouppolicyextensions/
For more information on Quest's Vintela product solutions, go to: http://www.vintela.com/
ABOUT THE AUTHOR
Darren Mar-Elia is Quest Software's CTO for Infrastructure Management and a Microsoft MVP for Group Policy. Darren has more than 17 years of experience in systems and network administration, design, and architecture. His focus and expertise is on large-scale enterprise implementations of Windows infrastructures in distributed and data center environments. Prior to joining Quest, he worked as director of Windows architecture and planning for Charles Schwab & Co., Inc. In that capacity he was technical lead for the company's Windows NT and 2000 design and migration efforts. Darren has been a contributing editor for Windows IT Pro Magazine since 1997. He has written and contributed to eleven different books on Windows including, most recently, the Windows Group Policy Guide, published by Microsoft Press in 2005, and The Definitive Guide to Windows 2000 Administration, The Definitive Guide to Windows 2000 Group Policy, and The Tips & Tricks Guide to Group Policy, all published online by Realtimepublishers.com. Darren also speaks frequently at conferences on Windows infrastructure topics.