LAB7 - UAC and Group Policy ANSWER KEY.pdf


# LAB7 - UAC and Group Policy

This lab will guide you through the following tasks:

- Microsoft Management Console (MMC)
- User Account Control (UAC)
- RunAs
- Group Policy

## Microsoft Management Console (MMC)

A Microsoft Management Console is a “toolkit” that gives us access to existing management tools for hardware, event logs, users etc. We can call a tool directly from the command line, open an MMC, or create our own MMC with our most used tools.

Open some management tools using the command line and MMC to fill out the table.

| COMMAND LINE | MMC (Right click start button) | ARE THEY THE SAME? |
|---|---|---|
| Services.msc | Computer Management → Services | YES |
| Perfmon.msc | Computer Management → Performance | YES |
| Diskmgmt.msc | Disk Management | YES |

You will notice that the Computer Management MMC contains several tools like Device Manager, Event Viewer and Disk Management. This is a custom MMC that Microsoft has created for you.

Make your own MMC with the tools required to complete this lab!

- Type MMC.EXE into your Search window on the Taskbar
- File → Add/Remove Snap-in
- Add the following Snap-ins
  - Group Policy Object Editor
  - Hyper-V Manager
  - Local Users and Groups
- Save the custom MMC to your desktop and name it LAB7 TOOLS

We can also use this to manage other computers, but this will only work if we are on a Domain network.

## USER ACCOUNT CONTROL (UAC)

UAC allows us to set how much prompting we get from Windows when changes are made to the system. We can even have separate rules for Administrators and Standard Users.

Open UAC and verify the setting is at the Default setting of:

- Notify me only when apps try to make changes to my computer
- Don't notify me when I make changes to Windows settings

Open Gpedit.msc or use your custom MMC and navigate to Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options. Write the Security Setting for each Policy down on the table.

| POLICY (DEFAULT SETTINGS) | SECURITY SETTING |
|---|---|
| Admin Approval Mode for the Built-In Administrator account | NOT DEFINED |
| Behavior of the elevation prompt for administrators in Admin Approval | PROMPT FOR CONSENT |
| Behavior of the elevation prompt for standard users | PROMPT FOR CREDENTIALS |
| Detect application installations and prompt for elevation | ENABLED |
| Run all administrators in Admin Approval Mode | ENABLED |
| Switch to the secure desktop when prompting for elevation | ENABLED |
| Virtualize file and registry write failures to per-user locations | ENABLED |

Open UAC and change the setting to the least secure Never Notify and go back into Group Policy to see if any changes are made.

| POLICY (NEVER NOTIFY) | SECURITY SETTING |
|---|---|
| Admin Approval Mode for the Built-In Administrator account | NOT DEFINED |
| Behavior of the elevation prompt for administrators in Admin Approval | ELEVATE WITHOUT PROMPTING |
| Behavior of the elevation prompt for standard users | PROMPT FOR CREDENTIALS |
| Detect application installations and prompt for elevation | ENABLED |
| Run all administrators in Admin Approval Mode | ENABLED |
| Switch to the secure desktop when prompting for elevation | DISABLED |
| Virtualize file and registry write failures to per-user locations | ENABLED |

This is proof that any changes made to the Windows GUI are reflected in the Group Policy. Any changes made in Group Policy will affect the Windows GUI!

Leaving your UAC settings at the NEVER NOTIFY setting, use Group Policy to make changes so that your Student (Administrator Account) must enter credentials every time the UAC is presented. What changes in Group Policy did you have to make?

| POLICY | SECURITY SETTING |
|---|---|
| BEHAVIOR OF ELEVATION PROMPT FOR ADMINISTRATORS | PROMPT FOR CREDENTIALS |

Change your UAC settings back to your preference.

## RUNAS

Sometimes as an Administrator, we must test if a Standard User Account has permissions to an application, or we need to make a change for a Standard User Account, but we require Administrator permissions.

**SETUP**

- Create a user account (standard user) named: USER215
- Create the folder path C:\SECURE APP
- Copy C:\Windows\System32\Calc.exe to C:\SECURE APP
- On the C:\SECURE APP\calc.exe file
  - Right click → Properties → Security
  - Tab Edit → Add User215 to be denied ALL PERMISSIONS
  - APPLY
- This will DENY User215 from accessing the C:\SECURE APP\calc.exe file

**TEST**

- Logon to the computer with the User215 user account
- Try to access the C:\SECURE APP\calc.exe file (It should FAIL as they don't have permission)
- Try accessing the C:\SECURE APP\calc.exe from the command line (It should FAIL)

**SOLUTION**

While logged on as User215 in the command line, use the RUNAS command and figure out how to get the calc.exe app to run with Student User Account permissions. Write your working command below.

```
RUNAS /?
RUNAS /USER:PLOY\STUDENT CALC.EXE
```

## GROUP POLICY

Group Policy can be used to manage computers (stand-alone or Domain) and their users. There are certain policies that never move and are integral to setting up and managing a secure network. Other policies are just for automation of settings, user experience and supporting features or applications running on the network.

Remember to use GPUPDATE /FORCE to speed up the application of policies.
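
The UAC Security Options recorded in the tables earlier in this lab can be read back from the registry after each change or GPUPDATE /FORCE. The script below is an added example, not part of the original lab sheet; the registry path and value names are the Windows values that back these policies and do not appear in the lab itself.

```powershell
# Added example (not part of the lab sheet): read back the UAC Security Options.
# Assumption: the value names below are the registry backing for each policy.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$onOff = @{ 0 = 'Disabled'; 1 = 'Enabled' }
$adminPrompt = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}
$userPrompt = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

# Weak = raw values that remove the prompt or the secure desktop,
# which is the state the lab observes under "Never Notify".
$policies = @(
    @{ Reg = 'FilterAdministratorToken';   Map = $onOff;       Weak = @();  Policy = 'Admin Approval Mode for the Built-in Administrator account' }
    @{ Reg = 'ConsentPromptBehaviorAdmin'; Map = $adminPrompt; Weak = @(0); Policy = 'Behavior of the elevation prompt for administrators' }
    @{ Reg = 'ConsentPromptBehaviorUser';  Map = $userPrompt;  Weak = @();  Policy = 'Behavior of the elevation prompt for standard users' }
    @{ Reg = 'EnableInstallerDetection';   Map = $onOff;       Weak = @(0); Policy = 'Detect application installations and prompt for elevation' }
    @{ Reg = 'EnableLUA';                  Map = $onOff;       Weak = @(0); Policy = 'Run all administrators in Admin Approval Mode' }
    @{ Reg = 'PromptOnSecureDesktop';      Map = $onOff;       Weak = @(0); Policy = 'Switch to the secure desktop when prompting for elevation' }
    @{ Reg = 'EnableVirtualization';       Map = $onOff;       Weak = @(0); Policy = 'Virtualize file and registry write failures to per-user locations' }
)

$current = Get-ItemProperty -Path $key
foreach ($p in $policies) {
    $raw = $current.($p.Reg)          # $null when the value is absent
    $text = if ($null -eq $raw) { 'Not defined' } elseif ($p.Map.ContainsKey([int]$raw)) { $p.Map[[int]$raw] } else { "Unknown ($raw)" }
    [pscustomobject]@{
        Policy  = $p.Policy
        Value   = $p.Reg
        Raw     = $raw
        Setting = $text
        Weak    = ($p.Weak -contains $raw)
    }
}
```

Pipe the output to `Format-Table -AutoSize` and compare the Setting column against the table you filled in; a row with Weak set to True marks a setting that is less secure than the default recorded above.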

**SOFTWARE SETTINGS**

- Used to deploy software installations and removal
- Target Computers or Users
- Not searchable

**WINDOWS SETTINGS**

- Used to control security settings
- Target Computers or Users (Users settings does not contain much other than Scripts)
- Not searchable

Under Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options make the following changes 1 at a time and test your policies to answer any questions.

1. Interactive Logon: Message title for users attempting to log on = ROOM 215 ACCEPTABLE INTERNET USAGE
2. Interactive Logon: Message text for users attempting to log on = By logging on to this computer, you have read ACC ACCEPTABLE TECHNOLOGY USAGE POLICY A-234 and agree to all terms and conditions. Noncompliance will result in your termination from using company computers and having your user account disabled.

   Why is this same setting not in Users Configuration?
   IT IS A COMPUTER POLICY THAT APPLIES TO ALL USERS

   What is the importance of this message?
   LEGAL BINDING THAT USER AGREES TO BY LOGGING IN

   What did you have to do to make this policy apply?
   GPUPDATE /FORCE + LOG OFF LAST

3. Interactive Logon: Don't display username at sign-in = ENABLED

   What is the importance of this policy?
   SECURITY - CAN'T SEE USERNAME OF USER WHO USED COMPUTER LAST

Under Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment make the following changes 1 at a time and test your policies to answer any questions.

1. Shut down the system

   Who is allowed to Shut down the system according to this policy?
   ADMINISTRATORS, BACKUP OPERATORS, USERS

   Remove USERS from this policy, what did you have to do to make this policy apply?
   GPUPDATE /FORCE + LOG OFF

   What changes for Standard User Accounts?
   “SHUT DOWN” IS NO LONGER AN OPTION (ONLY SIGN OUT)

## ADMINISTRATIVE TEMPLATES

- Used to control all other settings that may change with version, new features or be manually imported into Group Policy
- Target Computers or Users (Computer settings are for computer, Users settings are for users)
- Searchable

Under Administrative Templates → System → Logon make the following changes 1 at a time and test your policies to answer any questions.

1. Show first sign-in animation = Disabled

   What does this policy do, and did it work?
   NEW USERS DON'T SEE “NEW USER SIGN IN ANIMATION” SPEED UP NEW LOGINS?

We will use the Filtering Tools to learn how to search in the Administrative Templates because there are so many settings. The Filtering works the same way as a Google search does. Be specific, and if you get too many options, be more specific. If you do not get what you are looking for, be broader or less specific.

| SETTING | OPTIONS | FILTER |
|---|---|---|
| Managed | Yes, No, Any | Setting is removed, Setting is not removed |
| Configured | Yes, No, Any | Policy is enabled or disabled, not configured |
| Commented | Yes, No, Any | Administrator comments, no comments |
| Filter for word(s) | Any, All, Exact | Target specific technologies |
| Enable Requirements Filters | | |

## Search for and apply settings for each scenario.

Document the path to the policy you set for each scenario.

1. Users are always updating Display Settings. We want this to stop as it prevents some apps from running properly and you can’t see all the data and boxes in the application.

| LOCATION OF SETTING | SETTING NAME | SETTING |
|---|---|---|
| USER → ADMIN TEMPLATES → CONTROL PANEL → DISPLAY | DISABLE THE DISPLAY CONTROL PANEL | ENABLED |

How did you get this policy to apply? REBOOT COMPUTER

What happens for a standard user? GREYED OUT

What happens for an Administrator? GREYED OUT

2. Users have been going into the command line and running commands they find on the internet.
For security, we need to put an end to this! Apply a policy that puts an end to this.

| LOCATION OF SETTING | SETTING NAME | SETTING |
|---|---|---|
| USER → ADMIN TEMPLATES → SYSTEM | PREVENT ACCESS TO THE COMMAND PROMPT | |

How did you get this policy to apply? CHANGED RIGHT AWAY

What happens for a standard user? COMMAND PROMPT HAS BEEN DISABLED

What happens for an Administrator? COMMAND PROMPT HAS BEEN DISABLED

It seems that any Group Policy targeted at users is applying to all users on the computer! In a Domain environment (NETWORKS 2), it is easy to target specific users. On a single workstation, it is tricky. We have to create a custom MMC with the Group Policy tool pointed at a single user and use that to apply policies to the single user.

### SINGLE USER POLICY

1. Create a user named KIOSK
2. Open MMC and add the Group Policy snap-in
   a. Browse → Users tab → Select KIOSK user
3. Save to your desktop and name your custom MMC “KIOSK USER ONLY”

Scenario - Your company has a public use KIOSK connected to the network so that the public can use the computer to apply for company jobs, order products or browse inventory. You find that people are using the computer for other “tasks” and pose a security risk. Lock this computer down so that the KIOSK user is restricted.

Start by testing that a user specific policy works. Using the KIOSK USER ONLY MMC, apply the following setting.

1. Prohibit access to the Control Panel and PC Settings

| LOCATION OF SETTING | SETTING NAME | SETTING |
|---|---|---|
| USER → ADMIN TEMPLATES → CONTROL PANEL | PROHIBIT ACCESS TO CONTROL PANEL + PC SETTING | ENABLED |

What happens for a standard user? STILL ALLOWED

What happens for KIOSK user? BLOCKED

Why does this MMC only show USER CONFIGURATION? IT IS A MMC TARGETED AT A USER

If the KIOSK user is the only user affected by this policy, apply the rest of the policies to the KIOSK user.

2. Run the Remote Desktop program at user logon

| LOCATION OF SETTING | SETTING NAME | SETTING |
|---|---|---|
| SYSTEM → LOGON | RUN THESE PROGRAMS AT USER LOGON | MSTSC.EXE |

3. Hide programs control panel so no new programs can be installed or removed.

| LOCATION OF SETTING | SETTING NAME | SETTING |
|---|---|---|
| CONTROL PANEL → PROGRAMS | HIDE THE PROGRAMS CONTROL PANEL | ENABLED |

4. Hide the C:\ Drive

| LOCATION OF SETTING | SETTING NAME | SETTING |
|---|---|---|
| WINDOWS COMPONENTS → FILE EXPLORER | HIDE THESE SPECIFIED DRIVES IN MY COMPUTER | RESTRICT C:\ ONLY |

5. Remove the ability to change the password

| LOCATION OF SETTING | SETTING NAME | SETTING |
|---|---|---|
| SYSTEM → CTRL+ALT+DELETE OPTIONS | REMOVE CHANGE PASSWORD | ENABLED |

You have successfully locked down the public KIOSK user account!

## PUT IT ALL TOGETHER AND CHECK YOUR UNDERSTANDING

6. Remove the ability for the KIOSK account to logon locally to the computer and document how you accomplished this.

- LOGON AS STUDENT → GPEDIT
- COMP CONFIG → WINDOWS SETTINGS → LOCAL POLICIES → USER RIGHTS ASSIGNMENT
- DENY LOGON LOCALLY, ADD KIOSK, APPLY

What happens to the KIOSK user when you apply this policy?
THE SIGN-IN METHOD YOU’RE TRYING TO USE ISN’T ALLOWED. FOR MORE INFO, CONTACT YOUR NETWORK ADMINISTRATOR

## BONUS QUESTION

Disable the ability for any user to use a USB drive on your physical computer using Group Policy. Users should not be able to READ or WRITE to USB drives on your computer.
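
The two User Rights Assignment changes made in this lab (removing USERS from "Shut down the system" and adding KIOSK to "Deny log on locally") can be confirmed from the command line instead of reopening GPEDIT. The script below is an added example, not part of the original lab sheet; it assumes an elevated PowerShell prompt, and the temporary file name is made up for the example.

```powershell
# Added example (not part of the lab sheet): list who holds the user rights
# changed in this lab. Run elevated; secedit.exe needs administrator rights.
$rights = @{
    SeShutdownPrivilege         = 'Shut down the system'
    SeDenyInteractiveLogonRight = 'Deny log on locally'
}

# Export only the User Rights Assignment area of the local security policy.
$cfg = Join-Path $env:TEMP 'lab7-user-rights.inf'   # hypothetical file name
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Entries are written as *SID or as a plain account name.
function Resolve-Account([string]$entry) {
    $entry = $entry.Trim()
    if (-not $entry.StartsWith('*')) { return $entry }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }   # deleted account: keep the raw SID
}

$found = @{}
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^\s*(\w+)\s*=\s*(.*)$' -and $rights.ContainsKey($Matches[1])) {
        $found[$Matches[1]] = $Matches[2].Split(',') |
            Where-Object { $_.Trim() } |
            ForEach-Object { Resolve-Account $_ }
    }
}
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

# A right with nobody assigned is simply missing from the export.
foreach ($name in $rights.Keys) {
    [pscustomobject]@{
        Policy   = $rights[$name]
        Constant = $name
        Accounts = if ($found.ContainsKey($name)) { $found[$name] -join ', ' } else { '(nobody assigned)' }
    }
}
```

After the lab changes, the "Shut down the system" row should no longer list the Users group and the "Deny log on locally" row should list the KIOSK account.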
