How to Use the GPOAccelerator
Security Compliance Management Toolkit
Version 4.0
Published: November 2007 | Updated: October 2009
For the latest information, see
Copyright © 2009 Microsoft Corporation. All rights reserved. Complying with the applicable copyright laws is your responsibility. By using or providing feedback on this documentation, you agree to the license agreement below.
If you are using this documentation solely for non-commercial purposes internally within YOUR company or organization, then this documentation is licensed to you under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
This documentation is provided to you for informational purposes only, and is provided to you entirely "AS IS". Your use of the documentation cannot be understood as substituting for customized service and information that might be developed by Microsoft Corporation for a particular user based upon that user’s particular environment. To the extent permitted by law, MICROSOFT MAKES NO WARRANTY OF ANY KIND, DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY DAMAGES OF ANY TYPE IN CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM.
Microsoft may have patents, patent applications, trademarks, or other intellectual property rights covering subject matter within this documentation. Except as provided in a separate agreement from Microsoft, your use of this document does not give you any license to these patents, trademarks or other intellectual property.
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious.
Microsoft, Access, Active Directory, ActiveX, Excel, InfoPath, Internet Explorer, Outlook, PowerPoint, Visual Basic, Windows, Windows Server 2008, Windows Server 2003, Windows 7, Windows Vista, and Windows XP are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
You have no obligation to give Microsoft any suggestions, comments or other feedback ("Feedback") relating to the documentation. However, if you do provide any Feedback to Microsoft then you provide to Microsoft, without charge, the right to use, share and commercialize your Feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software or service that includes the Feedback. You will not give Feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your Feedback in them.
Overview
This guide will help you test and deploy the security settings that are defined in the following security guides:
∙ Windows Server 2008 Security Guide
∙ Windows Server 2003 Security Guide
∙ Windows 7 Security Guide
∙ Windows Vista Security Guide
∙ Windows XP Security Guide
∙ Internet Explorer 8 Security Guide
∙ 2007 Microsoft Office Security Guide
Each security guide provides recommendations and a methodology to help secure computers that run these Microsoft products. The methodology involves the use of Group Policy in an environment that uses Active Directory® Domain Services (AD DS). Group Policy objects (GPOs) are collections of settings that you can apply to computers and users.
The security guidance also describes recommended settings for different security environments. The easiest way to deploy these recommended settings is by using the GPOAccelerator. This guide provides instructions for using the GPOAccelerator that you can use to test and deploy the recommended settings in the referenced security guidance. The settings you deploy with the GPOAccelerator depend on which guide you are using.
Important: It is important that you read the appropriate security guide to design your security strategy before you use the GPOAccelerator.
What the GPOAccelerator Does
The GPOAccelerator creates all the GPOs that you need to deploy the recommended security settings for your environment. This functionality saves many hours of work that would otherwise be needed to configure and deploy security settings manually.
Installing the GPOAccelerator
The GPOAccelerator.msi included with this guidance quickly installs the tool on computers running any of the following operating systems:
∙ Windows Server® 2008 SP2
∙ Windows Server® 2003 R2
∙ Windows® 7
∙ Windows Vista® SP2
∙ Windows® XP SP3
Most GPOAccelerator tasks require that you install the Group Policy Management Console (GPMC) on the computer running the tool. The GPOAccelerator will alert you if the GPMC or any other required components are not present.
When you run the Windows® Installer (.msi) file, it creates the GPOAccelerator folder in the Program Files folder on your computer. The .msi file also creates a subfolder structure in the GPOAccelerator folder.
Who Should Read This Guide
This guide supplements the security guides for Windows Server 2008, Windows Server 2003, Windows Vista, Windows XP, and the 2007 Microsoft® Office release. It is primarily intended for IT generalists, security specialists, network architects, and other IT professionals and consultants who plan application or infrastructure development for both desktop and laptop client computers in an enterprise environment. This guidance is not intended for home users. We recommend using this guidance only after reading one of the referenced security guides.
This guidance assumes the following knowledge and skills:
∙ MCSE on Windows Server 2003 or a later certification and two or more years of security-related experience, or equivalent knowledge.
∙ In-depth knowledge of the organization’s domain and Active Directory environments.
∙ Experience in the administration of Group Policy using the Group Policy Management Console (GPMC), Gpupdate, and Gpresult.
How to Use the GPOAccelerator in Your Environment
The GPOAccelerator helps you deploy GPOs in your environment, which requires careful planning and testing. Before using the GPOAccelerator, you should familiarize yourself with the concepts described in the appropriate security guides. You can then review Chapter 1, "GPOAccelerator Command-Line Options and User Interface," to learn about the different options available for using the GPOAccelerator to establish one of the security baselines defined in the following section.
The remaining chapters in this guide provide detailed steps for running the GPOAccelerator with different operating systems.
Prescribed Security Baseline Environments
The security baseline GPOs that the GPOAccelerator helps you to deploy provide a combination of tested settings that enhance security for computers running these operating systems and applications in the following two distinct environments:
∙ Enterprise Client (EC)
∙ Specialized Security – Limited Functionality (SSLF)
The Enterprise Client (EC) Environment
The Enterprise Client (EC) environment referred to in this guidance consists of a domain using AD DS in which computers running Windows Server 2008 with Active Directory manage client computers that can run either Windows Vista or Windows XP, and member servers running Windows Server 2008 or Windows Server 2003 R2.
The domain controllers, member servers, and client computers are managed in this environment through Group Policy, which is applied to sites, domains, and OUs. Group Policy provides a centralized infrastructure within AD DS that enables directory-based change and configuration management of user and computer settings, including security and user data. The Group Policy this guide prescribes does not support client computers running Windows® 2000.
The Specialized Security – Limited Functionality (SSLF) Environment
The Specialized Security – Limited Functionality (SSLF) baseline in this guide addresses the demand to help create highly secure environments for computers running Windows Server 2008. Concern for security is so great in these environments that a significant loss of functionality and manageability is acceptable. The Enterprise Client (EC) security baseline helps provide enhanced security that allows sufficient functionality of the operating system and applications for the majority of organizations.
Caution: The SSLF security settings are not intended for the majority of enterprise organizations. To successfully implement the SSLF settings, organizations must thoroughly test the settings in their environment to ensure that the prescribed security configurations do not limit required functionality.
If you decide to test and deploy the SSLF configuration settings to servers in your environment, the IT resources in your organization may experience an increase in help desk calls related to the limited functionality that the settings impose. Although the configuration for this environment provides a higher level of security for data and the network, it also prevents some services from running that your organization may require. Examples of this include Remote Desktop, which allows users to connect interactively to desktops and applications on remote computers.
Using the /LAB Option to Evaluate the Security Guide Settings
The GPOAccelerator /LAB option creates the OUs and GPOs that are discussed in the referenced security guides, and then links the GP