Reading 14pt2 - theSam1998/ops-301-Reading-Notes GitHub Wiki

Reading 14 - Part II

ChatGPT insertions are indicated by: 🤖


Statement Of Relevance:

  • Group Policy is one of the most common and efficient ways for businesses running Windows on their networks to manage large groups of computers at once, and it provides a centralized place to perform that management within Active Directory. Because it is used extensively in large corporate administrative environments, and even in smaller businesses (I believe the POS computers at work have some sort of group policy implemented), it is vital that we become familiar with Group Policy and how to use it properly in our future as cybersecurity professionals.

What role does Group Policy play in Windows Active Directory?

  • Group Policy plays a security role through management of groups in Active Directory: the MMC Group Policy Editor allows admins to tie Group Policy Objects (GPOs) to one or more sites, domains, groups or OUs within Active Directory. A GPO is a group of settings that define policies relating to how different parts of the OS can be used. Since Windows is not inherently secure for business use out of the box, Group Policy can provide that security by deciding which users have access to which parts of the OS (e.g. preventing employees from making certain changes to their computer), locking off unnecessary or insecure protocols, or even blocking access to specific websites, IPs or software. I remember when they had to push out a Group Policy on my school's computers to stop kids from playing Minecraft during class; in a business environment it would be used for similar purposes, but with security as the primary focus.
  • 🤖: GPOs can also be associated with single or numerous Active Directory containers, including sites, domains, or organizational units (OUs). This flexibility allows administrators to apply specific policies to different parts of the organization as needed.
  • 🤖: In your section "What role does Group Policy play in Windows Active Directory?", you mentioned that "A GPO is a group of settings that define policies relating to how different parts of the OS can be used." It would be more accurate to say: a GPO is a group of settings created using the Microsoft Management Console (MMC) Group Policy Editor. These settings can define registry-based policies, security options, software installation, and much more.

Name and describe different ways GPOs can benefit security.

  • GPOs are extremely beneficial to the security of a business environment's infrastructure. Without Group Policy and Active Directory, each user or device would have to be configured manually by an admin. Besides being a job NOBODY would ever want to do, it would be extremely time consuming and largely a Sisyphean effort on the business's part, as the process would be repeated with every new hire and every update. GPOs let you tie the desired system configuration to an entire group of users: management gets one policy, IT gets a different one, sales gets yet another, and so on. This makes those kinds of configurations a snap, and prevents the errors and small differences that would be likely to creep in when the same settings are configured manually over and over. GPOs also interact directly with the system: they can lock off or change the Windows registry, lock off certain software or protocols, or prevent access to certain websites or settings pages on the PC (a sales employee most likely does not need to be doing any registry hacks, an HR employee should not have direct access to client PII, and so on). A GPO could even be used to lock off a vulnerability discovered in Windows before Microsoft has offered a patch. These factors and many others, primarily stemming from the centralized management that Group Policy allows, make GPOs extremely beneficial for security.
  • 🤖: GPOs can also be used to implement a policy of least privilege, where users only have the permissions they require to do their job. This can be achieved by disabling Local Administrator rights globally in your network and granting admin privileges to individuals or groups based on their roles.
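To make the "tie a configuration to a whole group" idea concrete, here is an added PowerShell example (not part of the original notes, and not code from the course) that creates a GPO, puts two registry-based restrictions in it, links it to an OU, and exports a report of what it configures. It assumes the GroupPolicy RSAT module is installed on a domain-joined admin workstation; the GPO name, OU path and domain are placeholders.

```powershell
# Added example, not part of the original notes. Assumes the GroupPolicy RSAT module
# is installed and that the OU path below exists; both names are placeholders.
Import-Module GroupPolicy

$gpoName  = 'Sales-Workstation-Baseline'                         # placeholder
$targetOU = 'OU=Sales,OU=Workstations,DC=corp,DC=example,DC=com' # placeholder

# Create the GPO once; re-running the script reuses the existing one instead of duplicating it.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName `
        -Comment 'Baseline for sales workstations: no registry editing, no unmanaged MSI installs'
}

# User-side registry policy: "Prevent access to registry editing tools".
# Because it lives in the GPO, every user the GPO applies to gets it identically at every logon,
# instead of an admin visiting each machine and hoping not to miss one.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableRegistryTools' -Type DWord -Value 1 | Out-Null

# Machine-side registry policy: "Turn off Windows Installer" for non-managed applications
# (value 1), so users cannot run arbitrary MSI packages while admin-deployed software still installs.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\Installer' `
    -ValueName 'DisableMSI' -Type DWord -Value 1 | Out-Null

# Link the GPO to the OU. A link that already exists is left alone.
$alreadyLinked = (Get-GPInheritance -Target $targetOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes | Out-Null
}

# Human-readable report of everything the GPO configures, useful for review and change control.
$reportPath = Join-Path $env:TEMP "$gpoName.html"
Get-GPOReport -Name $gpoName -ReportType Html -Path $reportPath
Write-Host "GPO '$gpoName' linked to $targetOU; report at $reportPath"
```

Both settings are ordinary registry-based policies, which is why `Set-GPRegistryValue` can express them. Removing local administrator rights, which the 🤖 note above recommends, is done through Restricted Groups or a local-admin password solution rather than a registry value, so it is deliberately left out of this script.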

How can the acronym “LSDOU” help you figure out which policies are in effect?

  • LSDOU is an acronym that describes the order in which GPOs are processed. It is essentially the PEMDAS of Group Policy. It stands for Local, Site, Domain, Organizational Unit. The local computer policy is processed first; this is the policy set directly on the computer in question. If you're sitting at a computer and change a setting, you've made a change to the local policy. Next to be processed is the site-level policy. In this context, a site refers to one or more IP subnets connected by a high-speed link, so a site-level policy could apply to a specific location or campus, for example. The domain policy is next on the list. This policy applies to the entire domain and everything within it (e.g. the policy for corp.globexpower.com specifically, rather than all of globexpower.com). Lastly, the Organizational Unit policy is processed. This is the policy for an individual OU within the directory, containing users, groups, computers and other units; it is the smallest scope to which Group Policy settings can be assigned. When there are conflicting policy settings (e.g. Sarah in HR doesn't like some settings on her PC, so she changes them, but the policy for the domain states that those settings must stay the way they've been set), the policy that is processed last wins out (preventing Sarah's changes from taking effect). By checking the policy settings at each level, you can determine the last one to be processed, and thus which policy is currently in effect. As you go from local to site to domain to OU, look for the setting that you are having trouble changing (or whatever it is that triggered this search); the last level to have a setting for that specific thing is the policy that is being applied.
  • 🤖: It's important to note that GPOs in nested OUs work from the OU closest to the root first and outwards from there. This can add another layer of complexity when determining which policies are in effect.
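The "walk the levels and find the last one that sets the value" procedure can be scripted. The following PowerShell is an added example (not from the original notes or the course) that, for one computer, climbs from its OU up to the domain, prints the GPO links at each level in processing order, and then asks the domain for the authoritative Resultant Set of Policy. It assumes the GroupPolicy and ActiveDirectory RSAT modules, a domain-joined admin session, and a placeholder computer name.

```powershell
# Added example, not part of the original notes. Assumes the GroupPolicy and
# ActiveDirectory RSAT modules, a domain-joined admin session, and a placeholder
# computer name. Run as an account allowed to read GPO links and generate RSoP.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$computerName = 'WS-SALES-01'   # placeholder

$computer = Get-ADComputer -Identity $computerName
$domainDN = (Get-ADDomain).DistinguishedName

# Collect every container between the computer and the domain root.
# (Simple split on ','; distinguished names with escaped commas would need a real DN parser.)
$containers = @()
$dn = $computer.DistinguishedName
$dn = $dn.Substring($dn.IndexOf(',') + 1)          # strip the leading CN=<computer>
while ($dn -ne $domainDN) {
    $containers += $dn
    $dn = $dn.Substring($dn.IndexOf(',') + 1)       # move to the parent container
}
$containers += $domainDN
[array]::Reverse($containers)   # domain first, deepest OU last: the D -> OU processing order

# Print the links at each level in the order the client applies them. Within one container,
# link order 1 has the highest precedence, so it is printed last. Under the plain LSDOU rule,
# the last GPO printed that configures a given setting is the one whose value wins.
$level = 0
foreach ($container in $containers) {
    $level++
    $inh = Get-GPInheritance -Target $container
    Write-Host ("[{0}] {1}  (Block Inheritance: {2})" -f $level, $container, $inh.GpoInheritanceBlocked)
    foreach ($link in ($inh.GpoLinks | Sort-Object Order -Descending)) {
        $flags = @()
        if (-not $link.Enabled) { $flags += 'link disabled' }
        if ($link.Enforced)     { $flags += 'enforced (overrides lower levels and Block Inheritance)' }
        Write-Host ("      link {0}: {1}  {2}" -f $link.Order, $link.DisplayName, ($flags -join '; '))
    }
}

# The authoritative answer, which also accounts for the Local and Site levels, Enforced links,
# Block Inheritance and security filtering, is the Resultant Set of Policy for that machine.
$report = Join-Path $env:TEMP "rsop-$computerName.html"
Get-GPResultantSetOfPolicy -Computer $computerName -ReportType Html -Path $report
Write-Host "RSoP report written to $report"
```

The loop only covers the D and OU levels (including nested OUs), because `Get-GPInheritance` targets domains and OUs; the Local policy and any site-linked GPOs appear only in the RSoP report. Two things also break the simple "last processed wins" rule: a link marked Enforced wins over anything processed after it, and an OU with Block Inheritance drops non-enforced links from the levels above it. Both flags are shown in the listing so a discrepancy between the walk and the RSoP report has an obvious explanation.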

Things I want to know more about

  • It seems that in the real world there would be a greater degree of complexity when implementing Group Policies: in the end you would want them organized to provide the appropriate settings for each employee and device in your network. What are some common structures for policy orders seen in the industry?
  • 🤖: The structure of policy orders can vary greatly depending on the specific needs and structure of the organization. However, a common approach is to have broad, organization-wide policies at the domain level, with more specific policies for each department or team at the OU level. This allows for a balance between consistency across the organization and flexibility for individual teams.
  • What settings are most commonly disabled in the industry? What are some policies that typically NEED to be configured in order to provide secure infrastructure for a corporate environment?
  • 🤖: Some of the most commonly disabled settings in Group Policy relate to user privileges and system security. For example, it's common to disable Local Administrator rights for regular users to prevent them from making potentially harmful changes to their systems. Other common settings include disabling outdated or insecure protocols, restricting internet connection options, and limiting the installation of unapproved software.
  • What do Linux/Mac use to implement Group Policies or similar types of centralized user management?
  • 🤖: Linux and Mac systems do not have a direct equivalent to Group Policy, as they do not use Active Directory. However, they do have similar tools for centralized user management. For example, Linux has the PolicyKit tool, which allows administrators to define policies for system-wide privileges. Mac systems can be integrated with Active Directory using third-party tools, and they also have built-in tools like Managed Preferences (MCX) for managing user settings.