
and those
- just tell me perfect I feel like for these fears alright so first I would before sir I actually want to thank all the sponsors would not have which is awesome to see so many cool - really but to see all that come in here and actually you know health and sponsoring actually provide kind of support as well as they get the benefit of us talking to you about new products so let's talk about curing good news with your policy
so security windows with your policy is anyone here familiar with policy we use it on a daily basis weekly basis nearly four diamond that is that it's actually don't ask me what I do and my name is Jess record at work 70 years in Mt Polly so I have some surgeons who ever wronged my main focus though is with a security digital forensics and record show I should have as well so slowly get into you know although the nitty-gritty you would T and you I want to have the truth understood how good policy actually works in German and one of the big concepts is how in actually applause since we won't ever heard of this
Packard tell us
LSD ODU is just a way that your boast applause solutions Elvis and you have a base for policy and they've got a domain basically policy and then importance attributes on reasoner's you kind of think of these different Lakers look look it's just like chain just jewnicorns of die and pterodactyls are it's just fun me it's not fun you can use local bird policies but just like with every other user or group there's contingencies but it's user issues so depending on where you're applying their policies whatever is ever needs it is going to affect so have a top of you structure or yourself just if your one wish policy it will only apply to machines there's some
education but this is free throw with a local proposal do is go into your Windows machine and just change settings into everyone yeah they are do you want to go over like every single workstation or decision make sure the checklist with us so it's unmanage the next is the cycle we can take sites as individual countries with beaches of the policies but we'll look at coffee here we go to the States Canada Russia whatever it is each one of those have a son and it's usually based along much easier vocation or based on their network topology Soros on there there's other education specifically Omega C so in this example you could actually see stakes in is
ecology integer others but it's always under network that's or a network that's whatever it is so site based policies I think you talk about a crossing very much unless you really really I what Microsoft has a ton of documentation about it I think they need Microsoft usually the next level so we're going to call domains so I don't happen to become of the entire United States is one excitement and you turn it into a state here's the main California New York and desert let's let's just what it is really is a saying oh so bad - we have a site and then the entire site is the United States and at that site though what we actually have
federal loans you can't kill someone you have to pay taxes right to bear arms whatever River those laws are but they impact impact everything might either so all of the inmates but each individual domain has its own laws and statements right and state Missouri has different tax rate and you have to pay taxes miseration you have to pay property taxes so it's go for it so each River grad basically relocation will actually had to her laws or clauses that they have to
let's get down to or as issuing needs so we have our sights did you get a federal loans we are bold or state domain laws and then you can actually break it down even further so I live in Columbia Missouri and so it's a brief County and Lieutenant has certain laws for tax rate if you shop there that's like seven completely person you know on sale set or you know event different laws where you know we have to we're gonna pass this initiative to provide parks or some sort of benefit to the community they don't think that impacts us at this level and everything underneath it so if you want a house there that you can pass your strength or
organize so to be here owns or on tell us that has a homeowner's association you know somebody you know probably yeah depending on what your homeowners association is I don't bought one of my neighbors weird it's a weird layout of my chambers do and you know Dan time I start walking into this it is you like your hedges can't be able six foot you can't have tires on their front lawn and you know your grass so hot whatever whatever those laws are they impact or location or where ground so whether it's a machine that's just or something internet or a user me or my family if I applied policy at the street level of this organization these walls
organization is concerning you go as far as to go to your house you have individual policy through balls company events meaning I don't have each other but if I wanted to say you can't lose the Internet until after your homeworks done and later than 10:00 p.m. I can fly the ball it's it's governance doesn't impact you it doesn't impact anything else you know love me it stops tape normal its position hello again use issue and it's all the way down to individual crews right you can't watch TV past a certain time we worked as laws or policies you keep you connect you can even go all the way to have your refrigerators yeah if you're
in college you know what guys are sitting it up there they walk
Jamaica's so again the federal walls which are site based through policy we have terminating this rigidity of the state defaulting policy that will receive it impacts everything underneath that domain as well as virtually zero yeah that's headed to the juices managing users it's fun test yeah but there's a lot of things you could do with your policy anyone recognize these groups or the music these types or names and schema admins
operator president whatever it is these are highly protective weeks you want to protect these at all costs if someone gets totally understand well then let's go take a look oh just a vinegar camera operators that means is there any kind of operator actually go in sir creative accountant okay if someone gets to be in evidence you're not going to I mean there but there's ways we can kind of just add protection or layers of Defense there's not one stuff get there's tax liabilities everything they might actually prevent this or try to get access to use it as accounts but you try to meet as far as possible forward direct one of the things is called
restricted groups never imagined them compass gonna throw the situation you are like you through and user called a user comes over to you and says hey just fun
that's over walks into the machine and off to the races because he has so many ways as an independent worker what'd she tell you mrs. if you have separated accounts with regular you cannot do it yeah at my TV account wherever it is he now encoded total logins revelation and as soon as you log in use your security system you know that or use your privilege it is to actually go and create an account clearly demands for someone because he has rights so you're using his four digits 50 things and he doesn't tell it but you just created a Account Manager very easy tax on rock songs who download it's all built-in tutorial Department and access library assistant so in that
situation you become Alice you just like bro but just like at home you don't you have a lot of fun it's like you just let but you know you should you secure that when I think becomes I guess I don't pregnancy don't put your correct Amaya use this other sector you're protected at least you know maybe ask me content filter kids or whatever it is you can just try to protect it as best as possible you know just like let it make you do but you should but you know I understand what you need to do you know on the imagery users and not just like except whenever you receive a request
yeah if we're doing it under network who's going to play so restricted groups is one way to attach to do these I you can do this for every single group or every single account on your network but tubular means proscription but these for your very very high revolution hands like come in and its inner president schematics wherever you want to actually use this restricted groups so with Dallas's in this location which is under policies with this sentence 30 savings mr. two groups and you can actually add what group you want to be restraint so here also
I'll count and then another user and goodness is a testimony so I added that those members to that Miss America pageant malicious user is how they're created every time you sing along whatever injected themselves in a building and it's cleared up every once and put it in their own user so you have this users with restricted pierced and hello England's merely through policy restructure or how ugly presence so if a default that's like every 90 minutes the policy which could change them but by default it's every ten minutes and because these growth these global burger every long while immediately they want to update every single time through policy for freshers so have to take that
average across all aversion to save at ten thousands and it's quite a bit so if if someone does the general reading hands off some initiative today because I worry specified by whatever policy universe your groups directly with these users anyone elses is replace accurate we'd be a lot of marriages temporary again this last octet but it does really really difficult to keep a highly religion ties you can restrict permissions on this this policy says work but using the street is very special
I assume mr. Rex so we talked about the introducers we understand you have policy applies that still applies to across all of our different temperatures were talking about an inflator managing user rights is probably one of the most important things so here on their machines has users that run as an image wherever those regular voters really - well I chopped because I can't pretty proud yeah unless you know the strict policies usually a user or administrator can't run as administrator so let's use our rice just like when you buy anything that you do when you buy a house first thing I can reserve has put a violin on Tuesdays what like buy a new my learner's this
locks okay we're just like the old people that you saw over there to come I'm just digging through my stuff just like maybe the small windows everyone assumed secured ready to go right out the box you can imagine all this stuff as where the matter that there's so many different levels of privileges that are allowed by default you restricted management paradigm Oh give people winters regrets so random things I told one of my guys it worked for me can be open just like put these minutes and this goes keep it so so chat so first it is these are some height so you can see the list in the background rate I believe just kind of threes we
talking about some of the ones that are high level these are highly privileged user rights of privileges that we can restrict to to help protect our organization active part of the honors anybody knew what they need so as a user you can act as you are the organism did I like you as a user can act as the operating system why would you better act as part of the autonomous they let they operate you as your user account she never delegated or be able to access by the boundaries of course there's might be some legacy software maybe this it's a testing case all this tested you know whatever but a lot of cases you're going to this bridge create a token they
be my token is actually a security access but as a user even if they're not to user or a developer or whatever you may need to teach both Rovers it has to get assistance at all you don't have to have that you can remove these rights from built-in groups within your operatives a person a actor person a decline after elimination load another device character restore files just appreciate these are very suspicious what by default we did see talk about this but all these dirty clothes that they'll tell you in actually he tell us what administrators local service network service service all has a purpose and administered excessively disease so impersonating a client privilege when we
think of how a group of you notice segments you can test this out she's minutes maybe you have certain parts that maybe this privilege something don't so as long as you apply those policies that whatever level they need to secure a lot of these processes so I'll point out on the slide is in the very bottom is a university privileges for this privilege the power so basically it's pretty pretty absurd security access degrees what you do with a security access to break this man you can't really use your authentication that's why you're the minister you're the man I can say let's let me impersonating whoever that set of permissions are for this process I can
okay let's run calculator is the main enemy but those were many hits it's you can impersonate that curvature and she is mostly related to diversity networks yeah I think John Fox another class well this is where the security access code looks like so imagine you have a processor and inside a given access to every security access code and it's really notice it is like that your users head what groups you belong to president nation as well as other access information which we get into through security and access control is access risk analysis process clearances it's filed to you whatever these specific babies so with that a person a person you can actually say I want to attach this
object review this thing never education whatever it is I can use that as vacations capture one as a just capture one across the network or our box then now way to act I think doesn't matter works just really quick example it's a gift Jeff can come either in exceed this is just a utility I just did this last one what you could have no this relent agrees with us and you just tell them it's in canoe here but yeah I see the commandments wish this protective immunity history and here are all the user to the quarter lines of these seven security access services that could be delegated be used against me that consumers must must parable poultice
debug programmers again SCEP boat through what's up next but highly highly I'm just going to be that's like Sarah it says grants a read/write access to do sir colonel so as a user I can access this with this move that's how you keep books all yes maybe yes you may need it doesn't get teased what a traditional user doesn't matter to you to actually access them just what the process to discuss maybe the exact problem you know x1 is an intermediate hashes that remember whatever it is again a lot of us innovation compassion action attacks the attract India counselor Hugh poor in or Argentine anybody familiar with the difference between interacting - authentication all right so this was
really playing with foot oh so they're active up in the kitchen it's like our new key remote desktop injury gear as an interactive logon authentication if you are walking in as even-even punishment of what actually interactive talking with all of us but just just and not interact
like SSH it's the other and there's PS session everybody kisser
so it's there's two different types of well in addition and you don't want because there are attachments all in your computer through remote desktop or even locally in that city you have an interactive session and it stores them and your sip user said all the information basically they're secure access to what you were to do or access to is all right there so if they just compromised one issue that don't think is this some conservative party
so non-implementation doesn't it doesn't store them it's only tension you were always this big so that you this is actually my comment but they what they start with you piece about what about is a lot of memory uses these burglars as you keep on pretty it's the first and they they checked us begin because they have do they have permission to share packaging can they restart sis you're out that provision to the Hamilton right to vote do they have the right to take [ __ ] process and act as part of the UH produces all right once we have those little pieces we're gonna infect you raised me to be done using these bulletins process almost I
don't have your cats but uses these two religions so bad and if you can actually do these further is probably initiator things so if something to tell us as a user context go check these and then exit or logic other privileges book it gets harder to market romantic activity this is just using this is all fair so by moving these we can actually protect our quite a bit of interest think about what like a video is not too there is no I have worse that's just like every other cell phone view so let's just say Outlook 2016 you can install it just you know preaching they before to make sure you immediately move apart is how it is it's just a little of
all governments so the logins with with users you can actually add you know protect what they can have access to love it yourself I recommend with policies eventually deny your Exodus if it's a server do they need a lot on the local industry you ever go to the box for some cases but Musburger just didn't ever do they also have services or lat it specifically don't just like the business people it's again here's an example dig there's a lot of useful rates again in here other computer policies as usual it stung treng a father took on these calories so there's a lot of them did their don't need to be asked but that's what it's all about
they usually a pretty good detail with their language so organization very entertaining another thing is with local users of groups there's a bunch of built-in ones by default in your local a camera or not they have a lot of needs to prove users dead ball readers can navigate to wherever it is you can actually live your policy or placers so the default is like administrator and no test users oh all these different type of local I can't have access to this type repairs what we do is from signals from testers just and replaced it with just going to you whoever it is and automatically resulting this group on these relations
one example is that you probably don't I don't movies rooster and know what the among these so you know that's just an example you can replace your visitors to only have like they missed her across from a manager that can do that job that has had sex a lot do you think so yeah replacement test yeah you know just like with everything else you have to repeat the test never repeat it sucks just like what you do by home automation right and my helmet issues I had you know internal temperature you know or turn eternity at night or whoever it is that's just like skill advancement you can actually go in and create these repeatable tasks are always
welcome one of the most secure is that you can actually run your code or utilities remotely by the empties so here's a list released at the top to the most privileged accounts or services to use the organization we were running skinny backside local service is great and use that again but if you need Pyrus victory Ashley whatever it is you may have to use the every network service it still doesn't give your system level access to that running processor just for just great u-boat service still hasn't leaked you're not going to go anywhere the sensation network service your utilities more work stuff wear this jacket it remains hence he's only getting it on that machine that works too but there's even
better than me instead of attacks cero if you've never heard saying what network service what was her disco that actually be delicate for security access to can be government can be compromised use for other things but with the media is given tasks different I did yesterday so to actually do this you go to control panel settings kind of tasks okay I want to do that are immediate I'm going to run a local service this power trust river that's online file share whatever it is and our weather is reasonable in he and brothers high-res versions it's possible colors so you so know as long as it's over next I'm gonna get do not store defense words don't use
these very kinda like that and you know
what that system once and it could only at that time and can never be
as everything else my juices lose security access to his but if you are able to you know telling yourself and tell me I have not seen anyone bravest and it's secure total devastation everybody received anything else to do but just run he wants and the great thing that were you ready no just apply across all the sheets and next time they're good policy pretty nice televisions managed services
individual services live under machine to go to your services never did you see all the running services so that's this year on this these full services well I think it's like 60% of these were actually running on a review in December 2006 TV and the others were sitting there waiting to run the were very different but still huge waste but let's say here what windows are in is actually for a base general yes sir disable all the other ones but you don't they're not on a web server why is he trying to hide relation detector yes Polaroid you know you know you know so turn off turn that music internal isn't that just leaves you up to us play
sports and there is something I mean there's plenty you know this I'm fidelity which was but you know just limit your scope so
so this is how you actually do it there is repulsion they usually run a lot like you guys should go through with disabled and able be set up head of security what users turn on that service possibly coming to all the distances on their machine through post who a cluster of Windows servers are all over the sandy American TV same thing all in one container position restructuring and enchilada
something really cool process for the issue to do in this server 2016 functional analysis to anyone or identity awesome totally protected processing policy on machines coming in time this will be 10 degree but if you actually specify our division of state
assembly with process vacation you have a DSLR GIS data cases in the room so that other process can't put themselves into vanities you know see how this works and that's really a text what does I see you've started you always I know exactly what the replacement so we went in seventy are better when his tens great what this house is Prevage really that's never the same so you can it's much harder to turbulence Bridgette's but with that process predictions questions it's really rarity they have this process communication and you can actually specify deg C is a large region to the jewelry PASOK's so instead of applying it for commuters are computers that make great complaints some lazy ass
applications you can actually specify
this is more advanced but hogs and I'll show that way you actually specified along are 0 or warmer question rubrics material and disabled question is I hope that is really I have parted with your closet is huge and they were all walking in lodging that you see for tournament marvel of ActionScript 120 days for the tournament just timing right also you like doing guarantees which you can promote it to your he's partial remoting specified like wish I did 1911 you might actually specify just Allah protect us of digitally sign your scripts I say that with the lobby is that part of these commands that you see will be like - and a - see some
obvious dated like pirate attacks and what that means is that you digitally saw body in execution policy no profile how about a pass run is whatever execution method one straight what if you digitally sign then you set a standard in your organisation that anything that is using conventional your user history resolution a community because Hugh associativity song tell you we have really decided that they are
to combine
I knew this or constrain language where's coke different language it's built into the powerstroke I'm kinda in the matter it doesn't mean like Spokane my sister's name is later what done versus short language they do have access so there's a greater and
lifted strain language remember you can restrict almost completely there's no language you're not gonna be able to read any exactly if you want to do this is the group policy which we just wanted to go here machine and type in a mile over to underscore underscore PLC 74 and they perish for kidding to the community that's just something that stream but my abilities as well appo is that you've benefit is it restricted make sure that that ascetically
so it's not really that's here no one thinks it is understand it so if you're trying to accuse that [ __ ] easy sees anyone you know whatever just like I wanted you to application might just say
but with this eventually say okay only these the allow the CFC is forever in between but there's three conditions that you have to use a traditional patch management this is like every single file do you specify than a half if needed the extra so they ask does this fun - my little patch if it does then it's okay right it's not like that thing has never smoked a day you never do has a different activities so it's really a good condition this one's actually pretty good it but you can actually select an entire suite of products that c program files - it's where everyone and you can use one so you see the examples of users may be happy they said
honestly like if you know that I know that there's some programs in places that are happy
what do you can actually discuss this past semester just depends on group so either about this you say I need explorers have been attached to every single process
yeah
all right so there are some other things out there desertion of your policy there's a lot of video this is actually the security host place a song with you the CIO for the do to degrees this has a lot of these policies already hung when you actually apply these go to the templates for your policy to your tester she's an astronomer worse
oh yeah