8/10/2019 70-640_Lesson09_PPT_041009.ppt
1/29
Skills Matrix
Technology Skill: Managing Software Through Group Policy
Objective Domain: Configure software deployment GPOs
Objective #: 4.5
Managing Software through Group Policy
Group Policy can be used to install, upgrade, patch, or remove software applications when a computer starts, when a user logs on to the network, or when a user opens a file associated with a program that is not currently installed on the user's computer.
Group Policy can also be used to fix problems with deployed applications. For example, if a user inadvertently deletes a file belonging to an application, Windows Installer can launch a repair process that restores the missing file and fixes the application.
.MSI File
Windows Server 2008 uses the Windows Installer together with Group Policy to install and manage software that is packaged into an .msi file.
The Windows Installer service is responsible for automating the installation and configuration of the designated software.
The Windows Installer service requires a package file (the .msi file) that contains all of the pertinent information about the software.
.MSI File
The .msi file:
Is a relational database file that is copied to the target computer along with the program files it deploys.
Assists in the self-healing process for damaged applications and in clean application removal.
Can reference external source files (for example .cab files) that may be required for the installation or removal of the software.
Includes summary information about the software and the package.
Includes a reference to the path where the installation files are located.
.MST File
You may need to modify Windows Installer packages to better suit the needs of your corporate network.
Customizing an .msi package is done with a transform file, which has an .mst extension. The transform is applied to the package at deployment time, so the original .msi itself is never edited.
Patch File (.msp)
Windows Installer files with the .msp extension serve as patch files.
Patch files are used to apply service packs and hotfixes to installed software.
An .msp file is not a complete installation package. Instead, it contains, at minimum, a database transform that adds the patching information to the database of the target installation package.
For this reason, .msp files should be located in the same folder as the original .msi file when you want the patch applied as part of the Group Policy software installation. This allows the patch file to be applied to the original package (the .msi file).
ZAP File
When repackaging an application is not an option and a Windows Installer file is not available, you can use a .zap file to publish the application.
A .zap file is a non-Windows Installer package description that can be created in a text editor; it points Group Policy at the application's own setup program.
The disadvantages of .zap files are as follows:
They can be published, but not assigned.
Deployments require user intervention instead of being fully unattended.
Local administrator permissions might be required to perform the installation.
They do not support custom installations or automatic repair.
They do not support the removal of applications that are no longer needed or that failed to install properly.
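As an added example (not part of the lesson), the following PowerShell writes a minimal .zap file for a legacy setup program and checks it before a GPO is pointed at it. The [Application] section with FriendlyName and SetupCommand is what a .zap file requires; the share \\FS01\Apps, the application name, the /S switch and the Test-ZapFile helper are assumptions made for illustration.

```powershell
# Added example, not from the lesson. Writes a minimal .zap file and checks it before
# the package is published through a GPO. \\FS01\Apps, the application and /S are assumptions.

$ZapPath = '\\FS01\Apps\LegacyApp\LegacyApp.zap'

# A .zap file is INI-style text. [Application] with FriendlyName and SetupCommand is
# mandatory; [Ext] lists the file extensions that should trigger document invocation.
# SetupCommand should be a UNC path: it is executed on the client, not on the server.
$ZapText = @'
[Application]
FriendlyName = "Legacy Reporting Tool 2.1"
SetupCommand = "\\FS01\Apps\LegacyApp\setup.exe" /S
DisplayVersion = 2.1
Publisher = Contoso

[Ext]
RPT=
'@

function Test-ZapFile {
    param([Parameter(Mandatory)][string]$Path)

    $Section = ''
    $App = @{}
    foreach ($Line in Get-Content -LiteralPath $Path) {
        $Line = $Line.Trim()
        if ($Line -eq '' -or $Line.StartsWith(';')) { continue }           # blank line or comment
        if ($Line -match '^\[(.+)\]$') { $Section = $Matches[1]; continue } # [Section] header
        if ($Section -eq 'Application' -and $Line -match '^(\w+)\s*=\s*(.*)$') {
            $App[$Matches[1]] = $Matches[2]
        }
    }

    $Problems = @()
    foreach ($Key in 'FriendlyName', 'SetupCommand') {
        if (-not $App.ContainsKey($Key)) { $Problems += "[Application] is missing the required key $Key" }
    }
    if ($App.ContainsKey('SetupCommand')) {
        # The executable is the first token: either a quoted path or a bare path.
        $Exe = if ($App['SetupCommand'] -match '^"([^"]+)"') { $Matches[1] } else { ($App['SetupCommand'] -split '\s+')[0] }
        if ($Exe -notmatch '^\\\\') {
            $Problems += "SetupCommand is not a UNC path, so clients will not be able to resolve it: $Exe"
        } elseif (-not (Test-Path -LiteralPath $Exe)) {
            $Problems += "SetupCommand target does not exist: $Exe"
        }
    }

    [pscustomobject]@{
        Path        = $Path
        Application = $App
        Problems    = $Problems
        Valid       = ($Problems.Count -eq 0)
    }
}

# Write the file as plain text (a .zap is read as an ordinary text file) and check it.
New-Item -ItemType Directory -Path (Split-Path $ZapPath) -Force | Out-Null
Set-Content -LiteralPath $ZapPath -Value $ZapText -Encoding Ascii
Test-ZapFile -Path $ZapPath | Format-List
```

Run this on the file server before creating the package in the GPO; a .zap that passes the check can still fail on the client if the setup program prompts for input or needs administrator rights, which is exactly the limitation the slide lists.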
Software Distribution Point
Before deploying software using Group Policy, you must create a distribution share, also called a software distribution point.
Users who are affected by the Group Policy assignment must have the NTFS Read permission on the folder containing the application and package files, and the share permissions must allow at least Read as well.
When a package is assigned under Computer Configuration, it is the computer account, not a user, that reads the share at startup, so the computer accounts need Read access too (granting Read to Authenticated Users covers both user and computer accounts).
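As an added example (not from the lesson), the following PowerShell creates the software distribution point with the Read permission described above and stages a patched package in it using an administrative installation, which is the msiexec operation that applies an .msp to an .msi so that the patched package and its files sit together in the same folder, as the patch file slide requires. The server, share, folder and package names, and the Invoke-AdminInstall helper, are assumptions for illustration.

```powershell
# Added example, not from the lesson. Builds the software distribution point, sets the NTFS
# Read permission the lesson requires, and stages a patched package in it with an
# administrative installation (msiexec /a ... /p). Paths, share and package names are assumptions.

$LocalPath = 'D:\Apps'
$ShareName = 'Apps'
$TargetDir = Join-Path $LocalPath 'App'
$SourceMsi = 'C:\Staging\App.msi'
$PatchMsp  = 'C:\Staging\App-SP1.msp'

New-Item -ItemType Directory -Path $TargetDir -Force | Out-Null

# Share: Read for Authenticated Users, Full Control for Administrators. Authenticated Users
# includes computer accounts, which is what reads the share when a package is assigned
# under Computer Configuration (the machine installs it at startup before anyone logs on).
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $LocalPath -ReadAccess 'Authenticated Users' -FullAccess 'BUILTIN\Administrators' | Out-Null
}

# NTFS: Read & Execute, inherited by everything under the distribution point.
$Acl  = Get-Acl -LiteralPath $LocalPath
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'Authenticated Users', 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$Acl.AddAccessRule($Rule)
Set-Acl -LiteralPath $LocalPath -AclObject $Acl

function Invoke-AdminInstall {
    param(
        [Parameter(Mandatory)][string]$Msi,
        [Parameter(Mandatory)][string]$Target,
        [string]$Patch
    )
    # /a expands the package into TARGETDIR without installing it; /p folds the .msp into
    # that expanded package, so the files at the distribution point are already patched
    # and the GPO can point at the single .msi in $Target.
    $LogFile = Join-Path $env:TEMP 'admin-install.log'
    $ArgList = @('/a', "`"$Msi`"")
    if ($Patch) { $ArgList += @('/p', "`"$Patch`"") }
    $ArgList += @("TARGETDIR=`"$Target`"", '/qn', '/L*v', "`"$LogFile`"")

    $Proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $ArgList -Wait -PassThru
    # 0 = success, 3010 = success but reboot required; anything else is a failure, read the log.
    if ($Proc.ExitCode -notin @(0, 3010)) {
        throw "msiexec /a failed with exit code $($Proc.ExitCode); see $LogFile"
    }
    $Proc.ExitCode
}

Invoke-AdminInstall -Msi $SourceMsi -Target $TargetDir -Patch $PatchMsp

# The GPO must reference the package by its UNC path (\\FS01\Apps\App\App.msi), never the
# local drive path, because the clients are the ones that resolve it. An .mst for this
# package goes in the same folder and is attached on the Modifications tab when the package
# is first deployed (Advanced deployment); it cannot be added to a package already deployed.
```

The administrative install is a one-time staging step on the file server; after it, the package at the distribution point already contains the patch, which is why the .msi, .msp and any .mst can live in the same directory as the summary later states.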
Assigning and Publishing Software
Assigning Software
If you assign a program to a user, it is advertised when the user logs on to the computer: the Start menu shortcut and file associations appear immediately, and the installation is finalized the first time the user runs the program or opens an associated file.
If you assign a program to a computer, it is installed when the computer starts, and it is available to all users who log on to the computer.
Publishing Software
You can publish a program to users only. When the user logs on to the computer, the published program is displayed in the Add or Remove Programs dialog box, and it can be installed from there.
Software Restriction Policies
Provide organizations greater control in preventing potentially dangerous applications from running.
Software restriction policies are designed to identify software and control its execution.
Administrators can control who will be affected by the policies.
When considering the use of software restriction policies, you must determine your approach to enforcing restrictions.
The three basic strategies for enforcing restrictions are:
Unrestricted. This allows all applications to run except those that are specifically excluded.
Disallowed. This prevents all applications from running except those that are specifically allowed.
Basic User. This prevents any application from running that requires administrative rights, but allows programs to run that only require resources accessible to normal users.
By default, the Software Restriction Policies area has an Unrestricted value in the Default Security Level setting. Disallowed is the more secure posture (an allow list), but it requires a rule for every program the organization legitimately runs, which is why Windows creates default path rules for its own system folders when the policy is created.
Four types of software restriction rules can be used to govern which programs can or cannot run on your network:
Hash rule
Certificate rule
Path rule
Network zone rule
Hash
The file is hashed, resulting in a cryptographic fingerprint that remains the same regardless of the file name or location.
You can use this method to prevent a particular version of a program from running, or to prevent a program from running no matter where it is located. Because any change to the file changes its hash, a hash rule must be re-created whenever the program is updated.
Certificate
You can build certificate rules by providing a code-signing software publisher certificate.
Certificate rules apply no matter where the program file is located or what it is named; they match only files whose digital signature is valid and was made with that publisher's certificate.
Path
Path rules apply to all programs that run from the specified local or network path, or from subfolders of that path.
Network zone (Internet zone)
Network zone rules apply software restriction policy rules based on the Microsoft Internet Explorer security zone from which the program is run.
Currently, these rules apply only to Windows Installer packages that are run from the zone. Network zone rules do not apply to programs that are downloaded by Internet Explorer.
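To make the rule precedence and the path-rule behaviour concrete, here is an added example (not from the lesson, and not the Windows SRP engine itself): a small PowerShell model that decides a file's security level the way the slides describe, checking hash rules first, then certificate rules, then path rules with the most specific path winning, and falling back to the Default Security Level. The rule set, the placeholder hash and thumbprint values, the sample file paths and the Get-SrpDecision helper are all assumptions for illustration.

```powershell
# Added example, not from the lesson and not the Windows SRP engine: a model of how a
# software restriction policy picks the security level for a file. Rules, placeholder
# values and file paths are assumptions.

$DefaultLevel = 'Disallowed'   # allow-list posture: anything no rule matches is blocked

$Rules = @(
    @{ Type = 'Path';        Value = 'C:\Windows\';                          Level = 'Unrestricted' },
    @{ Type = 'Path';        Value = 'C:\Windows\Temp\';                     Level = 'Disallowed'   },  # user-writable subfolder
    @{ Type = 'Path';        Value = 'C:\Program Files\';                    Level = 'Unrestricted' },
    @{ Type = 'Certificate'; Value = '<publisher certificate thumbprint>';   Level = 'Unrestricted' },
    @{ Type = 'Hash';        Value = '<SHA256 of a build you need to block>'; Level = 'Disallowed'  }
)

function Get-SrpDecision {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [array]$RuleSet = $Rules,
        [string]$Default = $DefaultLevel
    )
    $Hash = $null; $Thumb = $null
    if (Test-Path -LiteralPath $FilePath) {
        $Hash = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash
        $Sig  = Get-AuthenticodeSignature -LiteralPath $FilePath
        # Only a valid signature identifies a publisher; a tampered or unsigned file matches no certificate rule.
        if ($Sig.Status -eq 'Valid') { $Thumb = $Sig.SignerCertificate.Thumbprint }
    }

    # 1. Hash rules: the exact bytes, regardless of file name or location.
    $Match = $RuleSet | Where-Object { $_.Type -eq 'Hash' -and $Hash -and $_.Value -eq $Hash } | Select-Object -First 1
    if ($Match) { return [pscustomobject]@{ File = $FilePath; Level = $Match.Level; MatchedBy = 'Hash rule' } }

    # 2. Certificate rules: the publisher, regardless of file name or location.
    $Match = $RuleSet | Where-Object { $_.Type -eq 'Certificate' -and $Thumb -and $_.Value -eq $Thumb } | Select-Object -First 1
    if ($Match) { return [pscustomobject]@{ File = $FilePath; Level = $Match.Level; MatchedBy = 'Certificate rule' } }

    # 3. Path rules: when several match, the most specific (longest) path wins, so the
    #    Disallowed rule on C:\Windows\Temp\ overrides the Unrestricted rule on C:\Windows\.
    $Match = $RuleSet |
        Where-Object { $_.Type -eq 'Path' -and $FilePath.StartsWith($_.Value, [StringComparison]::OrdinalIgnoreCase) } |
        Sort-Object { $_.Value.Length } -Descending | Select-Object -First 1
    if ($Match) { return [pscustomobject]@{ File = $FilePath; Level = $Match.Level; MatchedBy = "Path rule $($Match.Value)" } }

    # 4. No rule matched: the Default Security Level applies.
    [pscustomobject]@{ File = $FilePath; Level = $Default; MatchedBy = 'Default Security Level' }
}

# The same executable in three locations shows why path rules alone are weak:
# the decision changes with the folder, not with the program.
'C:\Windows\System32\notepad.exe',   # Unrestricted via C:\Windows\
'C:\Windows\Temp\notepad.exe',       # Disallowed via the more specific C:\Windows\Temp\
'C:\Users\Public\notepad.exe' |      # Disallowed via the Default Security Level
    ForEach-Object { Get-SrpDecision -FilePath $_ } | Format-Table -AutoSize
```

The real policy engine stores rules in the registry and applies more conditions than this model (for example the list of executable file types and whether DLLs are checked), but the ordering is the one the summary states: hash, certificate, network zone, path, then the default level.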
Summary
Group Policy can be used to deploy new software on your network and to remove or repair software originally deployed by a GPO.
This functionality is provided by the Windows Installer service within the Software Installation extension of either the User Configuration\Software Settings or Computer Configuration\Software Settings node.
Three types of package files are used with the Windows Installer service:
.msi files for standard software installation.
.mst files for customized software installation.
.msp files for patching .msi files at the time of deployment.
All pertinent files must reside in the same file system directory.
A .zap file can be written to allow non-Windows Installer compliant applications to be deployed.
A .zap file does not support automatic repair, customized installations, or automatic software removal.
In addition, these files can only be published, not assigned.
A shared folder called a software distribution point must be created to store the application installation and package files that are to be deployed using Group Policy. Users (and, for computer-assigned packages, the computer accounts) must have the NTFS Read permission on this folder for software installation policies to function.
Software to be deployed using Group Policy can either be Assigned or Published.
Assigning software using the User Configuration node of a Group Policy allows the application to be installed when the user accesses the program using the Start menu or an associated file.
Assigning software can also be performed using the Computer Configuration node of a Group Policy, which forces the application to be installed during computer startup.
Publishing an application makes the application available through Add Or Remove Programs in Control Panel.
In addition, published applications can be divided into domain-wide software categories for ease of use.
Software restriction policies were introduced in Windows Server 2003 and allow the software's executable code to be identified and either allowed or disallowed on the network.
The three Default Security Levels within Software Restriction Policies are:
Unrestricted, which means all applications function based on user permissions.
Disallowed, which means all applications are denied execution regardless of the user permissions.
Basic User, which allows only executables to be run that can be run by normal users.
Four rule types can be defined within a Software Restriction Policy.
They include, in order of precedence, hash, certificate, network zone, and path rules.
The security level set on a specific rule supersedes the Default Security Level of the policy.
Enforcement properties within Software Restriction Policies allow the administrator to control which users are affected by the policy.
Local administrators can be excluded from the policy (the Enforcement option "All users except local administrators") so that it does not hamper their administrative capabilities; the trade-off is that any process running with administrative rights is then no longer restricted.
Certificate rules require enabling the "System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies" setting, located in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
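The enforcement scope, the certificate-rule switch and the default level end up as registry values on each computer that applies the GPO, so they can be verified there after a Group Policy refresh. The following PowerShell is an added example (not from the lesson): it reads the computer-scope SRP settings and lists the path and hash rules. The registry location and value names are the ones Windows uses for SRP; the Get-SrpStatus and Get-SrpRule helpers and the interpretation of the numeric values are this example's own.

```powershell
# Added example, not from the lesson: read the SRP settings a GPO applied to this computer
# and list its path and hash rules. Registry location and value names are the ones
# Windows uses for SRP; the helper functions are this example's own.

$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# DefaultLevel values are the same numbers that name the per-level rule subkeys.
$LevelNames = @{ 262144 = 'Unrestricted'; 131072 = 'Basic User'; 0 = 'Disallowed' }

function Get-SrpStatus {
    if (-not (Test-Path -LiteralPath $SaferRoot)) {
        return [pscustomobject]@{ Configured = $false; Note = 'No computer-scope SRP applied' }
    }
    $Cfg = Get-ItemProperty -LiteralPath $SaferRoot

    $Level = if ($null -eq $Cfg.DefaultLevel) { 'Unrestricted (value not set)' }
             elseif ($LevelNames.ContainsKey([int]$Cfg.DefaultLevel)) { $LevelNames[[int]$Cfg.DefaultLevel] }
             else { "Unknown ($($Cfg.DefaultLevel))" }

    [pscustomobject]@{
        Configured         = $true
        DefaultLevel       = $Level
        # PolicyScope: 0 = all users, 1 = all users except local administrators
        ExemptsAdmins      = ($Cfg.PolicyScope -eq 1)
        # TransparentEnabled: 1 = all software files except libraries (DLLs), 2 = all software files
        ChecksDlls         = ($Cfg.TransparentEnabled -eq 2)
        # AuthenticodeEnabled is the "Use Certificate Rules on Windows Executables" security option
        CertificateRulesOn = ($Cfg.AuthenticodeEnabled -eq 1)
        ExecutableTypes    = ($Cfg.ExecutableTypes -join ' ')
    }
}

function Get-SrpRule {
    # Rules live under <level>\Paths\{GUID} and <level>\Hashes\{GUID}; ItemData holds the
    # path or the hash bytes, Description the text shown in the GPMC.
    foreach ($LevelKey in Get-ChildItem -LiteralPath $SaferRoot -ErrorAction SilentlyContinue) {
        if ($LevelKey.PSChildName -notmatch '^\d+$') { continue }
        $LevelName = $LevelNames[[int]$LevelKey.PSChildName]
        foreach ($Kind in 'Paths', 'Hashes') {
            Get-ChildItem -LiteralPath "$($LevelKey.PSPath)\$Kind" -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $R = Get-ItemProperty -LiteralPath $_.PSPath
                    $Item = if ($Kind -eq 'Paths') { $R.ItemData }
                            else { ($R.ItemData | ForEach-Object { $_.ToString('x2') }) -join '' }
                    [pscustomobject]@{ Level = $LevelName; Type = $Kind.TrimEnd('s'); Item = $Item; Description = $R.Description }
                }
        }
    }
}

Get-SrpStatus | Format-List
Get-SrpRule   | Format-Table -AutoSize
```

If ExemptsAdmins is true, the policy is not protecting anything that runs elevated; if CertificateRulesOn is false, any certificate rules in the list are present but inert until the security option above is enabled. Policies defined under User Configuration land under HKCU instead and are not covered by this check.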
Path rules can point to either a file system directory location or a registry path location.
A registry path rule refers to a registry value that holds the program's installation folder (for example %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%), so it is the more secure option of the two: the rule follows the program automatically if the software is reinstalled to a different location.
In contrast, if a file system directory is blocked for executables, the program can still run from an alternate location if it is moved or copied there, allowing the possibility of a security breach. Hash and certificate rules, which identify the file itself rather than its location, do not have this weakness.