70-640_Lesson09_PPT_041009.ppt

Jun 02, 2018

  • 8/10/2019 70-640_Lesson09_PPT_041009.ppt

    1/29


Skills Matrix

Technology Skill: Managing Software Through Group Policy
Objective Domain: Configure software deployment GPOs
Objective #: 4.5


Managing Software through Group Policy

Group Policy can be used to install, upgrade, patch, or remove software applications when a computer is started, when a user logs on to the network, or when a user accesses a file associated with a program that is not currently on the user's computer.

Group Policy can also be used to fix problems associated with applications. For example, if a user inadvertently deletes a file from an application, Group Policy can be used to launch a repair process that will fix the application.


.MSI File

Microsoft Windows Server 2008 uses the Windows Installer with Group Policy to install and manage software that is packaged into an .msi file. The Windows Installer Service is responsible for automating the installation and configuration of the designated software. The Windows Installer Service requires a package file (.msi file) that contains all of the pertinent information about the software.


MSI File

The .msi file:

- Is a relational database file that is copied to the target computer system with the program files it deploys.
- Assists in the self-healing process for damaged applications and clean application removal.
- Consists of external source files that may be required for the installation or removal of software.
- Includes summary information about the software and the package.
- Includes a reference point to the path where the installation files are located.


.MST File

You may need to modify Windows Installer files to better suit the needs of your corporate network.

Modifications to .msi files require transform files, which have an .mst extension.


Patch File (.msp)

Windows Installer files with the .msp extension serve as patch files.

Patch files are used to apply service packs and hotfixes to installed software.

A patch file does not carry a complete installation database. Instead, it contains, at minimum, a database transform procedure that adds patching information to the target installation package database.

For this reason, .msp files should be located in the same folder as the original .msi file when you want the patch to be applied as part of the Group Policy software installation. This allows the patch file to be applied to the original package or .msi file.


ZAP File

When repackaging an application is not an option and a Windows Installer file is not available, you can use a .zap file to publish an application.

A .zap file is a non-Windows Installer package that can be created in a text editor.

The disadvantages of creating .zap files are as follows:

- They can be published, but not assigned.
- Deployments require user intervention, instead of being fully unattended.
- Local administrator permissions might be required to perform the installation.
- They do not support custom installations or automatic repair.
- They do not support the removal of applications that are no longer needed or applications that failed to install properly.
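A minimal .zap file for the situation described above, written from PowerShell so that it lands on the distribution point. This is an added example, not material from the lesson; the share path, product name, setup switch and file extension are assumptions.

```powershell
# Added example (not from the lesson): write a minimal .zap package for an
# application that ships without a Windows Installer (.msi) file.
$DistPoint = '\\FS01\SoftwareDist$\LegacyTool'   # assumed distribution point folder

# FriendlyName and SetupCommand are the two required keys in [Application];
# DisplayVersion and Publisher are optional and only label the package.
# Quote the executable path so that spaces survive, and keep setup.exe in
# the same folder as the .zap file (or use a path relative to it).
# [Ext] lists file extensions whose documents trigger the install on open.
$zap = @'
[Application]
FriendlyName = "Legacy Tool 2.1"
SetupCommand = "\\FS01\SoftwareDist$\LegacyTool\setup.exe" /silent
DisplayVersion = 2.1
Publisher = Example Publisher

[Ext]
LGT=
'@

# A .zap package can only be published: the user starts the install from
# Add or Remove Programs, and because setup.exe (not Windows Installer)
# performs it, the user may need local administrator rights and gets no
# self-repair or clean removal afterwards.
Set-Content -Path (Join-Path $DistPoint 'LegacyTool.zap') -Value $zap -Encoding Ascii
```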


Software Distribution Point

Before deploying software using Group Policy, you must create a distribution share (software distribution point).

Users who are affected by the Group Policy assignment should be assigned NTFS Read permission to the folder containing the application and package files.
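One way to set up the distribution point with exactly the Read permission the slide calls for, as an added example that is not part of the lesson. Folder, share name and the CONTOSO group names are assumptions; the script also grants Read to computer accounts, which is needed when packages are assigned to computers rather than users.

```powershell
# Added example (not from the lesson): create a software distribution point
# whose NTFS and share permissions give targeted users and computers Read
# only. Folder, share and group names are assumptions for a domain CONTOSO.
$Path      = 'D:\SoftwareDist'
$ShareName = 'SoftwareDist$'            # hidden share name (assumed)
$Readers   = 'CONTOSO\Domain Users'     # users targeted by user-assigned or published packages
$Computers = 'CONTOSO\Domain Computers' # computer-assigned packages are fetched by the computer account
$Admins    = 'CONTOSO\Domain Admins'    # staff who stage and update packages

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Disable inheritance, drop inherited ACEs, then add an explicit set.
# Whoever can modify a package here decides what every targeted client
# installs, so write access stays with the staging group only.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$entries = @(
    @($Readers,   'ReadAndExecute', 'Allow'),
    @($Computers, 'ReadAndExecute', 'Allow'),
    @($Admins,    'FullControl',    'Allow'),
    @('NT AUTHORITY\SYSTEM', 'FullControl', 'Allow')
)
foreach ($e in $entries) {
    $ace = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $e[0], $e[1], $inherit, $propagate, $e[2]
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $Path -AclObject $acl

# Share permissions combine with NTFS permissions and the more restrictive
# of the two applies, so the share grants no more than NTFS does.
New-SmbShare -Name $ShareName -Path $Path -ReadAccess $Readers, $Computers -FullAccess $Admins | Out-Null

# Check: report any Allow ACE outside the staging/system set that carries write rights.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write
(Get-Acl -Path $Path).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.IdentityReference.Value -notin @($Admins, 'NT AUTHORITY\SYSTEM') -and
                   (([int]$_.FileSystemRights) -band $writeMask) -ne 0 } |
    ForEach-Object { Write-Warning "Write access on distribution point for $($_.IdentityReference)" }
```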


Assigning and Publishing Software

Assigning Software

- If you assign the program to a user, it is installed when the user logs on to the computer.
- If you assign the program to a computer, it is installed when the computer starts, and it is available to all users who log on to the computer.
- When a user first runs the program, the installation is finalized.

Publishing Software

- You can publish a program distribution to users.
- When the user logs on to the computer, the published program is displayed in the Add or Remove Programs dialog box, and it can be installed from there.



Software Restriction Policies

Software restriction policies provide organizations greater control in preventing potentially dangerous applications from running.

Software restriction policies are designed to identify software and control its execution.

Administrators can control who will be affected by the policies.



Software Restriction Policies

When considering the use of software restriction policies, you must determine your approach to enforcing restrictions.

The three basic strategies for enforcing restrictions are:

- Unrestricted. This allows all applications to run except those that are specifically excluded.
- Disallowed. This prevents all applications from running except those that are specifically allowed.
- Basic User. This prevents any application from running that requires administrative rights, but allows programs to run that only require resources that are accessible by normal users.

By default, the Software Restriction Policies area has an Unrestricted value in the Default Security Level setting.


    Software Restrictions Policies

    Four types of software restriction rules canbe used to govern which programs can orcannot run on your network:

    Hash rule Certificate rule Path rule

    Network zone rule


Software Restriction Policies

Hash

- The file is hashed, resulting in a cryptographic fingerprint that remains the same regardless of the file name or location.
- You can use this method to prevent a particular version of a program from running, or to prevent a program from running no matter where it is located.

Certificate

- You can build certificate rules by providing a code-signing software publisher certificate.
- Certificate rules apply no matter where the program file is located or what it is named.


Software Restriction Policies

Path

- Path rules apply to all programs that run from the specified local or network path, or from subfolders that are in the path.

Internet Zone

- Internet zone rules apply software restriction policy rules based on the Microsoft Internet Explorer security zone in which the program is run.
- Currently, these rules apply only to Microsoft Windows Installer packages that are run from the zone. Internet zone rules do not apply to programs that are downloaded by Internet Explorer.


Summary

Group Policy can be used to deploy new software on your network and remove or repair software originally deployed by a GPO from your network.

This functionality is provided by the Windows Installer service within the Software Installation extension of either the User Configuration\Software Settings or Computer Configuration\Software Settings node.


Summary

Three types of package files are used with the Windows Installer service:

- .msi files for standard software installation.
- .mst files for customized software installation.
- .msp files for patching .msi files at the time of deployment.

All pertinent files must reside in the same file system directory.


Summary

A .zap file can be written to allow non-Windows Installer compliant applications to be deployed.

A .zap file does not support automatic repair, customized installations, or automatic software removal.

In addition, these files must be published.


Summary

A shared folder named a software distribution point must be created to store application installation and package files that are to be deployed using Group Policy. Users must have the NTFS Read permission to this folder for software installation policies to function.


Summary

Software to be deployed using Group Policy can either be Assigned or Published.

Assigning software using the User Configuration node of a Group Policy allows the application to be installed when the user accesses the program using the Start menu or an associated file.

Assigning software can also be performed using the Computer Configuration node of a Group Policy, which forces the application to be installed during computer startup.


Summary

Publishing an application allows the application to be available through Add Or Remove Programs in Control Panel.

In addition, published applications can be divided into domain-wide software categories for ease of use.


Summary

Software restriction policies were introduced in Windows Server 2003 and allow the software's executable code to be identified and either allowed or disallowed on the network.


Summary

The three Default Security Levels within Software Restriction Policies are:

- Unrestricted, which means all applications function based on user permissions.
- Disallowed, which means all applications are denied execution regardless of the user permissions.
- Basic User, which allows only executables to be run that can be run by normal users.


Summary

Four rule types can be defined within a Software Restriction Policy.

They include, in order of precedence, hash, certificate, network zone, and path rules.

The security level set on a specific rule supersedes the Default Security Level of the policy.


Summary

Enforcement properties within Software Restriction Policies allow the administrator to control users affected by the policy.

Administrators can be excluded from the policy application so that it does not hamper their administrative capabilities.


Summary

Certificate rules require enabling the System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies setting, located in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.


Summary

Path rules can point to either a file system directory location or a registry path location.

The registry path location is the more secure option of the two choices because the registry key location changes automatically if the software is reinstalled.

In contrast, if a file system directory is blocked for executables, the program can still run from an alternate location if it is moved or copied there, allowing the possibility of a security breach.
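The hash-rule and path-rule descriptions earlier in the lesson and the point just made about a blocked program running from another folder can be illustrated together. The script below is an added example, not lesson material and not the Windows SRP engine: it models the rule precedence the summary gives (hash, certificate, zone, path, then the Default Security Level) and shows that a hash rule still matches a renamed copy that a file-system path rule no longer covers. Folder names and file contents are constructed.

```powershell
# Added example (not from the lesson, not the real SRP engine): a small model
# of SRP rule evaluation using the precedence hash > certificate > zone > path,
# with the Default Security Level applied when no rule matches.
$DefaultSecurityLevel = 'Unrestricted'   # the lesson's default for SRP

function Get-SrpDecision {
    param([string]$FilePath, [hashtable[]]$Rules)
    $hash = (Get-FileHash -Path $FilePath -Algorithm SHA256).Hash
    $full = [System.IO.Path]::GetFullPath($FilePath)
    foreach ($type in 'Hash', 'Certificate', 'Zone', 'Path') {
        $match = $Rules | Where-Object {
            if ($_.Type -ne $type) { return $false }
            if ($type -eq 'Hash') { return ($_.Hash -eq $hash) }
            if ($type -eq 'Path') {
                # A path rule covers the folder and everything beneath it.
                $prefix = $_.Path.TrimEnd('\') + '\'
                return $full.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)
            }
            $false   # certificate and zone rules are not modelled here
        } | Select-Object -First 1
        # The first rule type with a match decides; its level supersedes the default.
        if ($match) { return [pscustomobject]@{ File = $full; Level = $match.Level; MatchedBy = $type } }
    }
    [pscustomobject]@{ File = $full; Level = $DefaultSecurityLevel; MatchedBy = 'Default' }
}

# Constructed sample: the same "program" in a blocked folder and copied, under
# a new name, to another folder. The file is plain text, not a real executable.
$root    = Join-Path $env:TEMP 'srp-demo'
$blocked = Join-Path $root 'blocked'
$other   = Join-Path $root 'elsewhere'
New-Item -ItemType Directory -Path $blocked, $other -Force | Out-Null
$orig = Join-Path $blocked 'tool.exe'
$copy = Join-Path $other 'renamed.exe'
Set-Content -Path $orig -Value 'constructed sample, not a real executable'
Copy-Item -Path $orig -Destination $copy

$pathRule = @{ Type = 'Path'; Path = $blocked; Level = 'Disallowed' }
$hashRule = @{ Type = 'Hash'; Hash = (Get-FileHash -Path $orig -Algorithm SHA256).Hash; Level = 'Disallowed' }

# With the path rule alone, only the original folder is covered.
Get-SrpDecision -FilePath $orig -Rules @($pathRule)
Get-SrpDecision -FilePath $copy -Rules @($pathRule)
# With the hash rule added, the renamed copy is matched by its fingerprint.
Get-SrpDecision -FilePath $copy -Rules @($pathRule, $hashRule)
```

The three result objects show MatchedBy = Path for the original, Default for the copy under the path rule alone, and Hash for the copy once the hash rule is present.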