Книга: Windows Server 2012 R2 Storage, Security, & Networking Pocket Consultant
Deploying security templates to multiple computers
Deploying security templates to multiple computers
Rather than applying security templates to one computer at a time, you can deploy your security configurations to multiple computers through Group Policy. To do this, you need to import the security template into a GPO processed by the computers to which the template settings should apply. Then, when policy is refreshed, all computers within the scope of the GPO receive the security configuration.
Security templates apply only to the Computer Configuration portion of Group Policy. Before you deploy security configurations in this way, you should take a close look at the domain and organizational unit (OU) structure of your organization and make changes as necessary to ensure that the security configuration is applied only to relevant types of computers. Essentially, this means that you need to create OUs for the different types of computers in your organization, and then move the computer accounts for these computers into the appropriate OUs. Afterward, you need to create and link a GPO for each of the computer OUs. For example, you could create the following computer OUs:
? Domain Controllers An OU for your organization’s domain controllers. This OU is created automatically in a domain.
? High-Security Member Servers An OU for servers that require higher than usual security configurations.
? Member Servers An OU for servers that require standard server security configurations.
? Laptop and Mobile Devices An OU for laptops and mobile devices, which are inherently less secure and might require enhanced security configurations.
? High-Security User Workstations An OU for workstations that require higher than usual security configurations.
? User Workstations An OU for workstations that require standard workstation security configurations.
? Remote Access Computers An OU for computers that remotely access the organization’s network.
? Restricted Computers An OU for computers that require restrictive security configurations, such as computers that are used in labs or kiosks.
REAL WORLD You need to be extra careful when you deploy security templates through GPOs. If you haven’t done this before, practice in a test environment first, and be sure to also practice recovering computers to their original security settings. If you create a GPO and link the GPO to the appropriate level in the Active Directory structure, you can recover the computers to their original state by removing the link to the GPO. This is why it’s extremely important to create and link a new GPO rather than use an existing GPO.
To deploy a security template to a computer GPO, follow these steps:
1. After you configure a security template and have tested it to ensure that it is appropriate, open the GPO you previously created and linked to the appropriate level of your Active Directory structure. In the Group Policy Management editor, open Computer ConfigurationWindows SettingsSecurity Settings.
2. Press and hold or right-click Security Settings, and then tap or click Import Policy.
3. In the Import Policy From dialog box, select the security template to import, and then tap or click Open. Security templates end with the.inf file extension.
4. Check the configuration state of the security settings to verify that the settings were imported as expected, and then close the policy editor. Repeat this process for each security template and computer GPO you’ve configured. In the default configuration of Group Policy, it will take 90 to 120 minutes for the settings to be pushed out to computers in the organization.
- Deploying a security policy to multiple computers
- Интегрированная безопасность (NT Integrated Security)
- Chapter 2 Building and Deploying a Run-Time Image
- 7.7.2. mod_security
- Managing Password Security for Users
- Managing DNS Security
- UNIX Security Considerations
- DNS Security Considerations
- Using DNS Security Extensions
- Multiple Inheritance
- Passwords and Physical Security
- Keeping Up-to-Date on Linux Security Issues