ADCycleGroups - Multi-Level GPO Phase-In Tool

Introduction

My clients usually adopt a security framework such as Center for Internet Security (CIS).

Part of the paid subscription to CIS is what they call "CIS Remediation Kits" which are ultimately Active Directory security hardening policies. These policies are regularly updated to include new and updated hardening policies or to address identified issues.

I never apply any policy to all devices at once; in fact I find this a very bad practice. Instead, I automatically phase a policy in to computers and users by utilizing my ADRandomAddToGroup tool (see Phasing in a Group Policy).

The reason I apply a policy as a phased-in approach is that, no matter how many devices you include in your testing environment, it is unrealistic to think that such a sample group would be a proper representation of all production systems, especially in a larger environment.

I have, on more than one occasion, found mission critical, legacy systems that no-one supports or knows about, that do not support a particular security setting. You might even be surprised how some security suites are not capable of running on a security-hardened computer.

Using this process, you will identify issues that earlier testing did not catch, without impacting the larger user community.

Essentially, out of the box, you can limit a GPO to a specific group by altering the security (security filtering) of the GPO.

My ADRandomAddToGroup tool leverages this capability and allows me to randomly add computers or users to a group, whilst giving me the options to control how many objects are added to a group at a time, as well as setting an included/excluded Distinguished Names value.

This has worked well for me over the years for phasing in a single version of a GPO, but I have found it challenging to maintain more than two versions of a policy. The issue is that, before I manage to get all computers/users onto a newer version of the remediation kit, a new one is released.

In large environments, it becomes a real pain to test and roll these policies out.

ADCycleGroups

I decided to develop a new tool to automate the moving of computers from one version to the next, until they finally get to the latest GPO policy. If, at any point, a new hardening policy is released, it can simply be added to the phased group list, and members will move to the new group as soon as their minimum group membership time is reached.

For example: the following config will move group members (at most 4 per execution, once they have been members for at least 1 day) from RG-CIS_COMP_L1_v1.4.0 to RG-CIS_COMP_L1_v1.4.2, and will move group members (at most 2 per execution, once they have been members for at least 10 days) from RG-CIS_COMP_L1_v1.4.2 to RG-CIS_COMP_L1_v1.5.0.

CIS COMP L1|1|CN=RG-CIS_COMP_L1_v1.4.0,OU=CIS,OU=Role Groups,OU=Groups,OU=HQ,DC=ITtelligence,DC=com|01:00:00:00|4
CIS COMP L1|2|CN=RG-CIS_COMP_L1_v1.4.2,OU=CIS,OU=Role Groups,OU=Groups,OU=HQ,DC=ITtelligence,DC=com|10:00:00:00|2
CIS COMP L1|3|CN=RG-CIS_COMP_L1_v1.5.0,OU=CIS,OU=Role Groups,OU=Groups,OU=HQ,DC=ITtelligence,DC=com|10:00:00:00|5

Implementation

1) Download and extract ADCycleGroups.zip (here is the VirusTotal scan) to a folder of your choice, saved on the computer on which it will be scheduled to run.

2) Run Configurator.exe (Configurator Editor).

a) On the Encrypt tab, enter the password for the service account that will run the task. Encrypt it with the key AAuPAoB1ektD4EkKBVXtdajuxsTIo9Xj and record the encrypted password. Because this key is published with the tool, the encrypted value only keeps the password out of plain view in the settings file; restrict that file's NTFS permissions to the service account and administrators.

b) On the Settings tab, enter the domain information, the service account user name and the encrypted password recorded in step 2a.

c) Set History File to a writable location. This file stores the state of the groups between executions of the tool.

d) On the PhaseInSets tab, add the various PhaseInSets using the following notation:

CIS COMP L1|1|CN=RG-CIS_COMP_L1_v1.4.2,OU=CIS,OU=Role Groups,OU=Groups,OU=HQ,DC=ITtelligence,DC=com|00:00:00:30|1

The five pipe-separated fields are, in order:

Friendly name for the phase set
Order in which members move from one group to the next
Distinguished Name of the group to add members to
The minimum time-span that a member should remain in the group (dd:hh:mm:ss or hh:mm:ss)
The maximum number of members that can move per execution
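To make the notation and the cycling rules above concrete (both the three-line worked config in the ADCycleGroups section and the field list here), the following is an added example written for this article; it is not the tool's own code. It parses PhaseInSets lines into records, checks that the order numbers form an unbroken chain, and dry-runs one execution over in-memory state so you can see which members would move. It assumes that the history file records when each member joined its current group (the article only says it stores group state), and that a member the tool has never seen in a group starts its clock on first sighting; the PC-nn member DNs and the dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class PhaseInSet:
    name: str                  # friendly name of the phase set
    order: int                 # position in the chain; 1 is the oldest policy group
    group_dn: str              # distinguished name of the AD group
    min_membership: timedelta  # minimum time a member stays before it may move on
    max_moves: int             # maximum members moved out of this group per execution


def parse_timespan(text: str) -> timedelta:
    """Accept dd:hh:mm:ss or hh:mm:ss, the two forms the notation allows."""
    parts = [int(p) for p in text.split(":")]
    if len(parts) == 4:
        days, hours, minutes, seconds = parts
    elif len(parts) == 3:
        days, (hours, minutes, seconds) = 0, parts
    else:
        raise ValueError(f"bad time-span {text!r}: expected dd:hh:mm:ss or hh:mm:ss")
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def parse_phase_in_set(line: str) -> PhaseInSet:
    """Parse one 'name|order|group DN|min time-span|max moves' line."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 5:
        raise ValueError(f"expected 5 pipe-separated fields, got {len(fields)}: {line!r}")
    name, order, group_dn, span, max_moves = fields
    return PhaseInSet(name, int(order), group_dn, parse_timespan(span), int(max_moves))


def parse_config(text: str) -> dict:
    """Group lines by friendly name; each chain comes back sorted by order.
    Orders must run 1..N without gaps, otherwise members could get stuck."""
    chains = {}
    for line in text.splitlines():
        if line.strip():
            entry = parse_phase_in_set(line)
            chains.setdefault(entry.name, []).append(entry)
    for name, chain in chains.items():
        chain.sort(key=lambda s: s.order)
        if [s.order for s in chain] != list(range(1, len(chain) + 1)):
            raise ValueError(f"phase set {name!r}: orders must be contiguous from 1")
    return chains


def cycle(chain, members, history, now):
    """Dry-run one execution. members: group DN -> set of member DNs.
    history: (group DN, member DN) -> datetime the member joined that group
    (assumed to be what the history file tracks). Both are updated in place;
    the list of (member, from DN, to DN) moves is returned."""
    moves = []
    # Walk from the newest pair to the oldest so a member advances at most one
    # step per execution, even if a minimum time-span of zero is configured.
    for current, target in reversed(list(zip(chain, chain[1:]))):
        moved = 0
        for member in sorted(members.get(current.group_dn, set())):
            if moved >= current.max_moves:
                break
            joined = history.get((current.group_dn, member))
            if joined is None:
                history[(current.group_dn, member)] = now  # first sighting: start the clock
                continue
            if now - joined < current.min_membership:
                continue
            members[current.group_dn].remove(member)
            members.setdefault(target.group_dn, set()).add(member)
            history[(target.group_dn, member)] = now
            moves.append((member, current.group_dn, target.group_dn))
            moved += 1
    return moves


# The article's own three-line worked config.
SAMPLE_CONFIG = """\
CIS COMP L1|1|CN=RG-CIS_COMP_L1_v1.4.0,OU=CIS,OU=Role Groups,OU=Groups,OU=HQ,DC=ITtelligence,DC=com|01:00:00:00|4
CIS COMP L1|2|CN=RG-CIS_COMP_L1_v1.4.2,OU=CIS,OU=Role Groups,OU=Groups,OU=HQ,DC=ITtelligence,DC=com|10:00:00:00|2
CIS COMP L1|3|CN=RG-CIS_COMP_L1_v1.5.0,OU=CIS,OU=Role Groups,OU=Groups,OU=HQ,DC=ITtelligence,DC=com|10:00:00:00|5
"""


def pc(i: int) -> str:
    return f"CN=PC-{i:02d},OU=Computers,DC=example,DC=com"  # constructed sample member DN


def run_demo():
    """Constructed state: six computers have sat in v1.4.0 for 10 days, two have
    been in v1.4.2 for 19 days and one for 5 days, and v1.5.0 is empty."""
    chain = parse_config(SAMPLE_CONFIG)["CIS COMP L1"]
    v140, v142, v150 = (s.group_dn for s in chain)
    now = datetime(2024, 1, 20)
    members = {v140: {pc(i) for i in range(1, 7)}, v142: {pc(7), pc(8), pc(9)}, v150: set()}
    history = {(v140, pc(i)): datetime(2024, 1, 10) for i in range(1, 7)}
    history[(v142, pc(7))] = history[(v142, pc(8))] = datetime(2024, 1, 1)
    history[(v142, pc(9))] = datetime(2024, 1, 15)
    moves = cycle(chain, members, history, now)
    # Expected: 2 move v1.4.2 -> v1.5.0 (cap 2), then 4 move v1.4.0 -> v1.4.2 (cap 4)
    return moves, {dn: len(m) for dn, m in members.items()}


if __name__ == "__main__":
    for member, src, dst in run_demo()[0]:
        print(f"{member}: {src.split(',')[0]} -> {dst.split(',')[0]}")
```

Running the script prints the six moves one execution would make against that sample state; the per-execution cap is what keeps a bad policy version from reaching the whole estate before the history file's minimum membership time has given it a chance to surface problems.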

3) After that, you can schedule or manually run ADCycleGroups.exe.

Conclusion

I hope you found this tutorial useful. You are encouraged to ask questions, report any bugs or make any other comments about it below. 

Note: If you need further "Support" about this topic, please consider using the Ask a Question feature of Experts Exchange. I monitor questions asked and would be pleased to provide any additional support required in questions asked in this manner, along with other EE experts...  

Please do not forget to press the "Thumbs Up" button if you think this article was helpful and valuable for EE members.

It also provides me with positive feedback. Thank you!

Translated from: https://www.experts-exchange.com/articles/33592/ADCycleGroups-Multi-Level-GPO-Phase-In-Tool.html
