GPOs

Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
So my boss wants me to update our GPO policies (since they are based on 2000 and they break Windows Vista and Win 7 machines when we try to put them on the network). What does one need to take into consideration when updating GPOs? Also I guess this would go hand in hand with designing a base image for a client OS.

Any suggestions (books or advice)?

Comments

  • Paul Boz (Member, Posts: 2,620)
    You should build out new GPOs for the Windows 7 environment, separate from the Windows XP GPOs. I would recommend downloading MSCM (Microsoft Security Compliance Manager) and checking out their secure baselines. You can import your Windows XP GPOs and do a differential to see just how many GPOs are different. I would take the standard workstation configuration for Windows Vista/7 and manually update the relevant GPOs that can be ported over from XP, then evaluate each of the new/changed ones. You can also do this whole process manually by downloading the CIS Windows Vista/7 baselines. The MSCM tool is based on these baselines so you can do one or the other. Both aren't necessary.
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    I am not going to lie. I am happy you answered because I read another post you made about building an image and I am in a similar situation (don't have much enterprise system admin experience). Thanks for the suggestion. What did you use for reading up on GPOs as a whole, or did you just pull from your security experience?
  • Devilsbane (Member, Posts: 4,214)
    Just test them out a bunch.

    I am certainly not a GPO expert, but just poke around and see what is there. Since you already have the 2000 GPOs, you can use them to work off of.
    Decide what to be and go be it.
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    Devilsbane wrote:
    Just test them out a bunch.

    I am certainly not a GPO expert, but just poke around and see what is there. Since you already have the 2000 GPOs, you can use them to work off of.

    I know I will hit up the Center for Internet Security and look at a few NSA guidelines. I am just looking for any other advice.
  • NinjaBoy (Member, Posts: 968)
    If you're happy with the existing GPOs but just need GPOs to work with Vista/Win7, just create the GPOs for Vista/Windows 7, then use WMI filters (on both the old and new GPOs) so that the correct GPOs will apply to the correct OS.

    We've had a couple of problems trying to create only one set of GPOs for all operating systems.

    -ken
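    To see what NinjaBoy's per-OS WMI filters actually do before linking them, the following script (an added example, not code from the thread or from any of its posters) dry-runs the WQL queries that would back such filters against a machine and reports which one would apply. Group Policy treats a WMI filter as true when its query returns at least one instance, so running the same query through Get-WmiObject reproduces that decision. The filter names and the exact queries are this example's own choices; the script assumes Windows PowerShell 2.0 or later with WMI access to the target.

```powershell
# Added example, not from the thread: dry-run the WQL queries behind per-OS
# WMI filters against a machine, so you can see which GPO a given box would
# pick up before linking anything in production.
# Assumes Windows PowerShell 2.0+ with WMI access; the filter names and the
# exact queries are this example's own choices.

$WmiFilters = @{
    'Workstation - Windows XP'     = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.1%" AND ProductType = 1'
    'Workstation - Windows Vista'  = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0%" AND ProductType = 1'
    'Workstation - Windows 7'      = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = 1'
    # ProductType 1 = workstation, 2 = domain controller, 3 = member server.
    # Version alone is not enough: Vista and Server 2008 are both 6.0.
    'Server - Windows Server 2003' = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.2%" AND ProductType <> 1'
}

function Test-WmiFilter {
    param(
        [Parameter(Mandatory=$true)][string]$Query,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Group Policy evaluates a WMI filter as "true" when its query returns at
    # least one instance, so that is exactly what is checked here.
    $result = Get-WmiObject -Namespace 'root\CIMv2' -Query $Query -ComputerName $ComputerName -ErrorAction Stop
    return ($null -ne $result)
}

$os = Get-WmiObject -Class Win32_OperatingSystem
Write-Host ("Local OS: {0} (Version {1}, ProductType {2})" -f $os.Caption, $os.Version, $os.ProductType)

$matched = @()
foreach ($name in ($WmiFilters.Keys | Sort-Object)) {
    $applies = Test-WmiFilter -Query $WmiFilters[$name]
    $verdict = if ($applies) { 'APPLIES' } else { 'filtered out' }
    Write-Host ("{0,-30} {1}" -f $name, $verdict)
    if ($applies) { $matched += $name }
}

# Exactly one filter should match any given machine. Zero means a gap (that OS
# receives none of the filtered GPOs); two or more means an overlap, which is
# how a GPO written for one OS ends up applied to another.
switch ($matched.Count) {
    0       { Write-Warning 'No filter matched this machine.' }
    1       { Write-Host 'Filter set is consistent for this machine.' }
    default { Write-Warning ('Overlapping filters: ' + ($matched -join ', ')) }
}
```

    Run it on one XP box, one Windows 7 box and one server before creating the filters in GPMC; the gap/overlap check at the end is the part that catches a filter set that silently leaves an OS uncovered or double-covered.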
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    NinjaBoy wrote:
    If you're happy with the existing GPOs but just need GPOs to work with Vista/Win7, just create the GPOs for Vista/Windows 7, then use WMI filters (on both the old and new GPOs) so that the correct GPOs will apply to the correct OS.

    We've had a couple of problems trying to create only one set of GPOs for all operating systems.

    -ken

    Well apparently we aren't happy with the GPOs (a previous admin built them and did some things you aren't supposed to do, edit the default GPO among other things). More than likely this project will start with building a policy for Windows 7 and then turn into me redoing all of the GPOs for the company.
  • Paul Boz (Member, Posts: 2,620)
    I've relied on general security experience as well as the CIS benchmarks. The MSCM tool is also exceedingly helpful with regard to documentation. If you click on a specific GPO you can actually visit a "description" tab and it will give you a writeup of what the GPO does, what the risks are, and why they recommend the settings. You should also reference the GPO in the CIS guide for their recommendations and justifications.

    As Devilsbane said, you should definitely test the **** out of these GPOs before you put them into production. If you don't already, I'd recommend setting up a mirrored domain environment in a lab (either physical or virtual) and pushing your GPOs to test Windows 7 machines. You should definitely install all of your business apps on the Windows 7 machines prior to testing to ensure that your users don't get broken. The last thing you want to do is roll out Windows 7 and cause a huge impact to the business.
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    Paul Boz wrote:
    I've relied on general security experience as well as the CIS benchmarks. The MSCM tool is also exceedingly helpful with regard to documentation. If you click on a specific GPO you can actually visit a "description" tab and it will give you a writeup of what the GPO does, what the risks are, and why they recommend the settings. You should also reference the GPO in the CIS guide for their recommendations and justifications.

    As Devilsbane said, you should definitely test the **** out of these GPOs before you put them into production. If you don't already, I'd recommend setting up a mirrored domain environment in a lab (either physical or virtual) and pushing your GPOs to test Windows 7 machines. You should definitely install all of your business apps on the Windows 7 machines prior to testing to ensure that your users don't get broken. The last thing you want to do is roll out Windows 7 and cause a huge impact to the business.

    I need to set up a testing environment. I might do it tomorrow. I have an ESXi box at work. I could set up a domain tomorrow to test the GPOs among other things.
  • Paul Boz (Member, Posts: 2,620)
    What DC are you using? 2k3 or 2k8? If you're using 2k3 are you planning on upgrading your DC to 2k8? If so, I'd recommend doing that before tackling Windows 7.

    Either way, I'd take your existing DC and literally image it to your lab so that your lab environment as closely mirrors production as possible. I would definitely avoid allowing the test environment to interact with the prod network though.
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    Paul Boz wrote:
    What DC are you using? 2k3 or 2k8? If you're using 2k3 are you planning on upgrading your DC to 2k8? If so, I'd recommend doing that before tackling Windows 7.

    Either way, I'd take your existing DC and literally image it to your lab so that your lab environment as closely mirrors production as possible. I would definitely avoid allowing the test environment to interact with the prod network though.

    We are using 2003 DCs and they will probably stay that way for quite some time. Finding time to clone our PDC is going to be tough since things get wacky when it's down. I could get the other guy here to do it but I'd rather not involve him since he took it upon himself to tell me that he was going to redo the GPOs (only to have my boss tell me today to fix it). I don't know if they have talked (probably not) so I'd rather not say anything to him about it at all.

    Why would you suggest upgrading the DCs first?
  • dynamik (Banned, Posts: 12,312)
    You can do P2V while it's running.

    How complex is your domain/OU structure? How many GPOs are you dealing with? The first step is going to be documenting everything you currently have.

    Good advice on the WMI filtering.
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    dynamik wrote:
    You can do P2V while it's running.

    How complex is your domain/OU structure? How many GPOs are you dealing with? The first step is going to be documenting everything you currently have.

    Good advice on the WMI filtering.

    But I can't P2V it while it is running without anyone noticing lol

    Apparently a few hundred or so.
  • dynamik (Banned, Posts: 12,312)
    Bl8ckr0uter wrote:
    But I can't P2V it while it is running without anyone noticing lol.

    I'm not following you. Are you trying to do this without other admins noticing, or are you worried about performance issues?
    Bl8ckr0uter wrote:
    Apparently a few hundred or so.

    I don't envy you at all. How many users and systems do you have?
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    dynamik wrote:
    I'm not following you. Are you trying to do this without other admins noticing, or are you worried about performance issues?

    Basically I don't want the other admin to know I started working on this because this is supposed to be his domain but the boss came to me and told me to start working on this. I know if I mention this he is going to railroad me and start telling me how he has been doing GPOs for years and he is going to take care of it. Sigh...
    dynamik wrote:
    I don't envy you at all. How many users and systems do you have?

    Like 15-20 servers and 77ish desktops/laptops. I kind of want to keep the existing GPOs at first and then build some specifically for WinVista (ha!) and 7. Then redo the GPOs for the desktops. Then the servers. It takes our machines so long to boot because it tries to load all of this GPO $h1t for stuff that doesn't even apply to it. I have wanted to fix it for awhile because this issue is the reason why I have to use a Windows XP VM on my Ubuntu box (because my work laptop came with 7 and there were no WinXP drivers for it). I tried to join it to the domain and it bluescreened my box. I don't know much about GPOs but I'm willing to learn quickly.
  • t3ch_guru (Member, Posts: 166)
    I normally use disk2vhd for virtualizing a production server. If you don't want him to find out, why not run it after hours or something and redirect it to your box? Is your shop 24/7 or something?
    Knowledge is Power.
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    t3ch_guru wrote:
    I normally use disk2vhd for virtualizing a production server. If you don't want him to find out, why not run it after hours or something and redirect it to your box? Is your shop 24/7 or something?

    Wouldn't I need to SID scramble and all sorts of stuff? That seems to be much more difficult than building a new box and starting fresh.
  • t3ch_guru (Member, Posts: 166)
    No, it should pick up all the proper drivers. Wouldn't be a bad idea to rename the test server though.
  • dynamik (Banned, Posts: 12,312)
    Bl8ckr0uter wrote:
    Wouldn't I need to SID scramble and all sorts of stuff? That seems to be much more difficult than building a new box and starting fresh.

    Your test network should be completely isolated from your production network, so that should never be an issue. You might want to review your licensing agreements though.
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    dynamik wrote:
    Your test network should be completely isolated from your production network, so that should never be an issue. You might want to review your licensing agreements though.

    Here is a dumb question:

    When the server is cloned, does it copy the network configuration as well? So would it copy my ipconfig settings and MAC address, or does it strip that out since the MACs should change (to the virtual MAC of the virtual NIC)?
  • mikedisd2 (Member, Posts: 1,096)
    Bl8ckr0uter wrote:
    Basically I don't want the other admin to know I started working on this because this is supposed to be his domain but the boss came to me and told me to start working on this. I know if I mention this he is going to railroad me and start telling me how he has been doing GPOs for years and he is going to take care of it. Sigh...

    It's an obvious suggestion, but can't you state it's what the boss has ordered and any power struggle issues are to be taken up with him/her? Nobody needs this kind of office politics...
  • rwmidl (Member, Posts: 807)
    Take a look at the DISA STIGs. They have the STIG in place for Win 7. 2008 is out but not 2008 R2 (you can use the 2008 STIG as a good starting point - they are saying 2008 R2 will be out sometime in FY'11).
    CISSP | CISM | ACSS | ACIS | MCSA:2008 | MCITP:SA | MCSE:Security | MCSA:Security | Security + | MCTS
  • Paul Boz (Member, Posts: 2,620)
    Dude screw your co worker. If he gives you **** tell him to take it up the chain.
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    Paul Boz wrote:
    Dude screw your co worker. If he gives you **** tell him to take it up the chain.

    Lol hell yea. It may have to come to that.

    I am reading the STIGs now for Win7 (thanks rwmidl). I will document what our GPOs are now and what they are doing later today.
  • Devilsbane (Member, Posts: 4,214)
    Bl8ckr0uter wrote:
    Here is a dumb question:

    When the server is cloned, does it copy the network configuration as well? So would it copy my ipconfig settings and MAC address, or does it strip that out since the MACs should change (to the virtual MAC of the virtual NIC)?

    If you had a static address, it will stay with the clone (so make sure your first boot is without network access so you can change that without having a duplicate IP on the network). The MAC will change (unless you are MAC spoofing, and then it might stay, not sure).

    If you have DHCP enabled, then the DHCP server will see the new MAC and assign a new IP.
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    Devilsbane wrote:
    If you had a static address, it will stay with the clone (so make sure your first boot is without network access so you can change that without having a duplicate IP on the network). The MAC will change (unless you are MAC spoofing, and then it might stay, not sure).

    If you have DHCP enabled, then the DHCP server will see the new MAC and assign a new IP.

    That's what I thought. So when it P2Vs it does clone the network configuration. Interesting.
  • rwmidl (Member, Posts: 807)
    Bl8ckr0uter wrote:
    Lol hell yea. It may have to come to that.

    I am reading the STIGs now for Win7 (thanks rwmidl). I will document what our GPOs are now and what they are doing later today.

    One suggestion, if you aren't doing it now: break out your GPOs into different "sections", i.e. account policies, file permissions, system services, system policies, etc. You end up with "more" GPOs but when you are implementing them you can manage them a bit better. If something breaks you can then turn off that one GPO while you troubleshoot which portion of it could be causing the problem.

    Also check out the FDCC guidelines from NIST. I believe NIST has VHDs of FDCC compliant systems available - you could download one, throw it in a VM and then load any company specific applications and see if they still work or not.
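    dynamik's "document everything you currently have first" and rwmidl's "one GPO per section so you can switch one off while troubleshooting" both depend on knowing exactly what GPOs exist, where each is linked and which ones nobody has touched in years. The script below is an added example (not code from the thread or from any poster) that builds that inventory: a CSV of every GPO with its status, WMI filter, link targets and modification time, plus one XML settings report per GPO that can be diffed after each change. It assumes the GroupPolicy PowerShell module (RSAT/GPMC on Windows 7 or Server 2008 R2, which can manage a 2003-level domain) and read access to the domain; the output folder name is an arbitrary choice.

```powershell
# Added example, not from the thread: inventory every GPO in the domain to a
# CSV plus one XML settings report per GPO, so the "document everything first"
# step leaves an artifact you can diff after each change.
# Assumes the GroupPolicy module (RSAT/GPMC on Windows 7 / Server 2008 R2) and
# read access to the domain; the output folder is an arbitrary choice.
Import-Module GroupPolicy

$OutDir = 'C:\GPO-Inventory'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$inventory = foreach ($gpo in Get-GPO -All) {
    # One full settings report per GPO, named by GUID so a later rename does
    # not break the diff history.
    $xmlPath = Join-Path $OutDir ('{0}.xml' -f $gpo.Id)
    Get-GPOReport -Guid $gpo.Id -ReportType Xml -Path $xmlPath

    # The report's LinksTo elements (SOMPath, Enabled, NoOverride) say where
    # the GPO actually lands: linked nowhere means clutter, linked at the
    # domain root means it reaches every machine, including the DCs.
    $report = [xml](Get-Content -Path $xmlPath)
    $links  = @($report.GPO.LinksTo | Where-Object { $_ })

    New-Object PSObject -Property @{
        Name         = $gpo.DisplayName
        Id           = $gpo.Id
        Status       = $gpo.GpoStatus   # AllSettingsEnabled, UserSettingsDisabled, ...
        WmiFilter    = $(if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { '' })
        LinkCount    = $links.Count
        LinkedTo     = (($links | ForEach-Object { $_.SOMPath }) -join '; ')
        Enforced     = @($links | Where-Object { $_.NoOverride -eq 'true' }).Count
        Modified     = $gpo.ModificationTime
        # The two built-in policies should carry only what Microsoft puts there;
        # a recent modification time on them is worth a closer look.
        IsDefaultGpo = (@('Default Domain Policy', 'Default Domain Controllers Policy') -contains $gpo.DisplayName)
    }
}

$inventory | Sort-Object Name |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'gpo-inventory.csv')

# Two triage views: GPOs linked nowhere (candidates for removal) and the
# default policies (check whether someone has been editing them).
$inventory | Where-Object { $_.LinkCount -eq 0 } |
    Select-Object Name, Id, Modified | Format-Table -AutoSize
$inventory | Where-Object { $_.IsDefaultGpo } |
    Select-Object Name, Modified, LinkedTo | Format-Table -AutoSize
```

    Run it once against production (it only reads) and keep the folder under version control; after you split a monolithic GPO into sections in the lab, a second run plus a diff of the XML reports shows exactly which settings moved where.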
  • RobertKaucher (Member, Posts: 4,299)
    Bl8ckr0uter wrote:
    That's what I thought. So when it P2Vs it does clone the network configuration. Interesting.

    Actually it does, but since the card is no longer installed you don't see it. I have had this issue before where I take a server with a static IP, do a P2V using some tool and then add a new network card and attempt to give it the old IP address, and the system complains that that address has been assigned to another card and could cause a conflict in the future. I clean it up and continue on. But it is not that the network configuration is not cloned, it's that you have essentially installed a new NIC as far as the DHCP server is concerned. Imagine if it did clone the MAC into the new NIC. It would cause hell on the LAN.
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    rwmidl wrote:
    One suggestion, if you aren't doing it now: break out your GPOs into different "sections", i.e. account policies, file permissions, system services, system policies, etc. You end up with "more" GPOs but when you are implementing them you can manage them a bit better. If something breaks you can then turn off that one GPO while you troubleshoot which portion of it could be causing the problem.

    Also check out the FDCC guidelines from NIST. I believe NIST has VHDs of FDCC compliant systems available - you could download one, throw it in a VM and then load any company specific applications and see if they still work or not.

    Excellent advice and find! I'll have to take a look at this in a few.

    RobertKaucher wrote:
    Actually it does, but since the card is no longer installed you don't see it. I have had this issue before where I take a server with a static IP, do a P2V using some tool and then add a new network card and attempt to give it the old IP address, and the system complains that that address has been assigned to another card and could cause a conflict in the future. I clean it up and continue on. But it is not that the network configuration is not cloned, it's that you have essentially installed a new NIC as far as the DHCP server is concerned. Imagine if it did clone the MAC into the new NIC. It would cause hell on the LAN.

    My main concern is that when I put the VM in my own ESXi server it will somehow interfere with the production network. The network isn't that stable as it is so I really don't want to screw with it. We have some DNS issues which the other guy is working on (I think).
  • RobertKaucher (Member, Posts: 4,299)
    Bl8ckr0uter wrote:
    My main concern is that when I put the VM in my own ESXi server it will somehow interfere with the production network. The network isn't that stable as it is so I really don't want to screw with it. We have some DNS issues which the other guy is working on (I think).

    Make sure you take Paul's advice. Your test network should be completely isolated. If I had cloned a PDC I would ensure it was not on the same network as my domain and there was no chance of a connection between the two.