9
1 Staying Abreast of Group Policy Changes White Paper

Staying Abreast of Group Policy Changes

Embed Size (px)

Citation preview

Page 1: Staying Abreast of Group Policy Changes

1

Staying Abreast of Group Policy Changes

White Paper

Page 2: Staying Abreast of Group Policy Changes

Staying Abreast of Group Policy Changes—White Paper

2

Contents

Introduction ...................................................................................................................................................... 3

Change Auditing for Compliance ...................................................................................................................... 4

How Change Auditing Relates to Change Management .................................................................................. 5

Case in Point: Group Policy Changes ................................................................................................................ 7

Native Tools ................................................................................................................................................. 7

Building Versus Buying ................................................................................................................................ 7

Third-Party Software ................................................................................................................................... 8

Success Recipe ............................................................................................................................................. 8

The Smart Choice: NetWrix Group Policy Change Reporter ............................................................................ 9

Page 3: Staying Abreast of Group Policy Changes

3

Introduction In the IT infrastructure of a company, change is normal. This aspect of an organization's life cannot remain static for a number of reasons:

IT components are designed to be dynamic, flexible, and capable of supporting diverse configurations.

The huge volume and diversity of information means today's enterprises rely on information technology, so a variety of completely unrelated tasks depend on the information cycle.

The rate of changes, though varied across the range of tasks, is considerable.

There is interdependency of information. A change in a single component can necessitate a series of changes in others. For example, a virus outbreak may lead to a revision of the antivirus policy, meaning that a new software distribution task needs to be created, Internet Explorer security zones need to be updated, and so on.

If information is allowed to become stale, operations can be disrupted. However, for the same reasons the information flow should not be allowed to stagnate, changes should not go unwatched. Those aspects of company life entrusted to IT are easier to change than other structures. However, the consequences of adverse changes can be as detrimental and expensive to correct as physical damage.

In addition, IT staff has to deal with compliance. SOX, HIPAA, GLBA, and FISMA compliance measures are not dictated by internal needs, but still must be considered for the enterprise to function smoothly.

How is it possible to make sure all necessary changes are implemented and the effects of unwanted changes are minimized? This white paper describes approaches to change auditing, explains how audit data can be used for change management, and focuses on one of the most important IT components for centralized and automated administration today: Group Policy.

Page 4: Staying Abreast of Group Policy Changes

4

Change Auditing for Compliance Audit data must be kept for a very long time, up to 7 years by some regulations. The scope of the stored data should be sufficient to satisfy any requests from the auditors, and be as detailed as possible. Whether an auditor needs to know who modified the GPO used for the Accounting OU or view a complete history of changes to the default domain policy for the past 5 years, the data should be readily available for analysis.

Very importantly, the data should clearly indicate who initiated the recorded change. Otherwise, the responsibility for any harm caused by the changes rests with the CIO. The more complete the audit data, the more certainty there is that the actual responsible party will be held accountable for damaging actions.

Page 5: Staying Abreast of Group Policy Changes

5

How Change Auditing Relates to Change Management

Change management is a continuous process of deciding what kinds of changes to the IT infrastructure must and must not take place, what changes you want to watch for, and what you need to do about the changes you find. This process is impossible without a comprehensive body of audit data, which is provided by the auditing solution.

The volume of change-related audit data is necessarily large, and not all of it is useful for change management. In a corporate IT environment, the aspects that require special attention are primarily related to identity configuration and security configuration.

In these vital areas, not all changes deserve inspection, especially not when the volume of changes is routinely overwhelming. However, attention can be duly guided by clear-cut assessment criteria, such as those listed below.

Critical versus inconsequential

On the priority scale, changes vary by the consequences they cause. Clearly, the deletion of a Group Policy object is a more serious issue than the renaming of that object.

The response time for critical changes should be as short as possible, and the changes should be constantly monitored. Many of such change types are well-known and easy to track; this helps reduce the number of critical changes that need special attention.

Planned versus unplanned

Unanticipated changes are a problem. First, they are the primary cause of outages. Second, if these events are frequent and are not prevented, they may be the reason for a failed security audit. Such changes should not go unmonitored. However, even planned changes should be monitored to ensure they happen on time and without policy violations.

An example of a planned change is deployment of a new software package through Group Policy. This is a sensitive action that should never fall under the radar—care must be taken to ensure the software is installed as expected, no components are skipped, and no extraneous components are included. Likewise, applying an existing Group Policy object to a new organizational unit must be on record, unconditionally. If this is done without proper care, it may result in privilege escalation or, conversely, loss of productivity (for example, no access to Control Panel settings).

A meaningful change that is not typical is also most probably unplanned, and should be analyzed.

Noise versus signal

Audit trails contain a percentage of events that unambiguously indicate important changes. These events are easy to track. For example, changes to firewall settings controlled by Group Policy should be immediately investigated. When managed irresponsibly, these settings can open backdoors on servers and client computers.

Page 6: Staying Abreast of Group Policy Changes

6

However, the amount of useful information found in audit trails is never large. Many events are normally logged for even minor changes, and these events may need to be correlated to find out what actually happened. This means the same type of event may be part of the background noise, or it may accompany a critical change, depending on what other events were logged around the same time. An example of such an inconspicuous event is when a potentially non-secure service (such as RPC, www or WMI) is enabled (the state changes from Disabled to Run at startup) in the GPO settings for a DMZ service. This change is easy to overlook, but the result is increased attack surface on the DMZ servers.

Inadvertent versus malicious

Adverse changes are not always ill-intentioned. They may be the result of mistakes or irresponsible administration, especially when there are no evident attempts to cover the tracks after such changes. Inadvertent changes like this are often reversible.

It can be difficult to tell whether or not a change was intentional. For example, the priority order of Group Policy objects can be changed so that a less restrictive policy overrides a more restrictive policy. Without an investigation, it may not be clear whether this was done on purpose. Another possible change of this kind is the disabling of centralized automatic updates from Windows Server Update Services, which can cause all computers to download updates directly from the Microsoft website (generating huge traffic) or to never download them at all. To investigate such matters and restore the correct configuration, detailed records of what happened are essential.

Prioritizing the changes helps you build your change management strategy.

Page 7: Staying Abreast of Group Policy Changes

7

Case in Point: Group Policy Changes Group Policy is an indispensable tool for policy enforcement and centralized end-point configuration. With Windows as the dominant business platform, Group Policy is vital for security, configuration and operations management.

Changes to some parts of this system can bring the entire business process to a standstill. The tools you use for change management must be able to cope with the enormous amount of audit data that needs to be sifted through. This section lists the main approaches used in production IT environments.

Native Tools

Freely available Windows MMC-based native tools, such as Active Directory Users and Computers, Group Policy Object Editor, Group Policy Management Console, and others, are entry-level solutions. They have the advantage of requiring no customization or third-party software but, even in a mid-size IT infrastructure, they are not powerful enough to perform any meaningful change management.

A viable non-free native alternative is the Advanced Group Policy Management tool, which is part of the Microsoft Desktop Optimization Pack. It provides improved Group Policy auditing and administration capabilities, and a framework for delegating them. However, the convenience comes at a cost—the product is licensed at $10 per user per year. In an organization with 1000 user accounts, the bill runs up to $10,000 per year.

Even with a well-designed change management strategy, native tools are either costly or unable to significantly reduce the effects of adverse changes; this is due to the high latency between the change and its discovery, and lack of reporting capabilities. A change is not examined until after it has caused some negative results, such as service failure or slowdown of operations.

The time between an unwarranted change and its undesirable effects can be very short, and change- detection automation is very important to ensure a timely response. However, if the administrator is armed with only native tools, a change-induced problem might take a week or longer to solve.

Building Versus Buying

The search for automation and analysis methods can lead a company to invest in in-house software. The range of technologies that can be employed is wide. PowerShell, the .NET framework, and many other programming and scripting languages, have bindings for Active Directory and Windows APIs, which are extensively documented.

Unfortunately, Group Policy auditing is a very complex programming task because, in this case, auditing is not simply a matter of processing the Security log. Group Policy changes are not recorded to event logs by the native auditing system, so more advanced technologies are needed for that purpose.

The effectiveness of in-house development is determined not so much by what is possible to do as by what can be done in a given time with the given resources. If the company does not specialize in change auditing

Page 8: Staying Abreast of Group Policy Changes

8

software—and most do not—then time and resources are bound to be too scarce for comfort. Even if the in-house solution is good, its development is certain to face problems:

Support—the software produced in-house may have many authors, which increases support difficulty; in addition, such a solution may evolve organically and is not likely to be centralized

Testing—new software does not normally go into production use until it has undergone extensive tests, which require a great deal of time and expertise

In-house scripts and programs may be the optimal solution for some companies, but this is a rare case in large distributed environments that have to accommodate internal and remote clients, heterogeneous systems, and so on. Often a more cost-effective and better-quality alternative is to purchase third-party software specifically designed for Group Policy change management.

Third-Party Software

When it comes to choosing a third-party solution for Group Policy change auditing, a great variety of available software seems to fit the bill. The final decision can be influenced by many factors, such as:

Transparency of information about the product's capabilities

Quality-price ratio

Cost of ownership

When the choice is made, it is important to remember that the tools cannot, on their own, solve complex problems in Group Policy change auditing, tracking, and management.

Success Recipe

To be effective in tracking Group Policy changes, it is important to have both a sensible strategy and software tools that are flexible enough to meet all your needs but do not get in the way of your strategy.

Prioritize the changes by importance, relevance, and purpose. Be sure to differentiate between planned and unplanned changes. For planned changes, make certain they actually take place as expected; for unplanned changes, minimize discovery time and ensure timely response where needed.

Page 9: Staying Abreast of Group Policy Changes

9

The Smart Choice: NetWrix Group Policy Change Reporter

NetWrix Group Policy Change Reporter incorporates knowledge and understanding of the needs of Group Policy change auditing personnel. It is a cost-effective solution offering competitive functionality at a low price. Group Policy Change Reporter places Group Policy change information directly at the administrator's fingertips, without the need to extract it by roundabout methods.

The advanced reports provided with the product are based on SQL Server Reporting Services technology. Another feature essential for compliance is long-term archival of audit data.

Group Policy Change Reporter comes in two versions: freeware and commercial.

The freeware version can be used indefinitely, and is suitable for small businesses with lenient auditing requirements.

The commercial version is available as a free download. This version is as easy to use as the freeware version, but includes many advanced features. It is fully enabled for a 20-day evaluation period. To continue using the product after the expiration of the evaluation period, you must purchase it from NetWrix.

For details, see http://netwrix.com/group_policy_change_reporting.html.

©2009 NetWrix Corporation. All rights reserved. NetWrix and Group Policy Change Reporter are trademarks of NetWrix Corporation and/or one or more of its subsidiaries, and may be registered in the U.S. Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are the property of their respective owners.

http://netwrix.com/group_policy_change_reporting.html

THE MANAGEMENT SOLUTION FOR DEMANDING ... e...Staying ahead of the pack means keeping constantly abreast of what is going on at your company. This solution allows you to access your

THE MANAGEMENT SOLUTION FOR DEMANDING ... e...Staying ahead of the pack means keeping constantly abreast of what is going on at your company. This solution allows you to access your

Documents
Staying Flat, Staying Thin, Staying Effective

Staying Flat, Staying Thin, Staying Effective

Business
SHOPPING CENTRES REOPEN KEEPING ABREAST WITH

SHOPPING CENTRES REOPEN KEEPING ABREAST WITH

Documents
Hanover Risk Solutions E-Learning Series · PDF fileFor non-profits or for-profits, staying current with professional training, keeping abreast of what ... HANOVER RISK SOLUTIONS E-LEARNING

Hanover Risk Solutions E-Learning Series · PDF fileFor non-profits or for-profits, staying current with professional training, keeping abreast of what ... HANOVER RISK SOLUTIONS E-LEARNING

Documents
2017 Annual Report 102317 TB - cdn.ymaws.com · employers and community members in staying abreast of industry trends and changes in the ... policy, and environmental changes. The

2017 Annual Report 102317 TB - cdn.ymaws.com · employers and community members in staying abreast of industry trends and changes in the ... policy, and environmental changes. The

Documents
Staying Abreast In Georgia · October 10, 10 am — 12 pm Metastatic Breast Cancer Forum Join The Georgia Women’s Legislative aucus, The enter for lack Women’s Wellness, G F and

Staying Abreast In Georgia · October 10, 10 am — 12 pm Metastatic Breast Cancer Forum Join The Georgia Women’s Legislative aucus, The enter for lack Women’s Wellness, G F and

Documents
It’s Not Over Yet!€¦ · turning 65 •2014 Medicare Transformation Act: Changes to Quality Measures; Changes to CASPER, CMS ... – Staying with the same RUG classifications

It’s Not Over Yet!€¦ · turning 65 •2014 Medicare Transformation Act: Changes to Quality Measures; Changes to CASPER, CMS ... – Staying with the same RUG classifications

Documents
Staying in Balance: Workforce Changes & Corporate Culture

Staying in Balance: Workforce Changes & Corporate Culture

Recruiting & HR
Individual Guide to Dragons Abreast Australia

Individual Guide to Dragons Abreast Australia

Documents
2015-01-30 (2) - McGill Librarydigital.library.mcgill.ca/hrcorpreports/pdfs/6/632555.pdf · Merchandising: To keep abreast with marketing changes and consumer requirements, we are

2015-01-30 (2) - McGill Librarydigital.library.mcgill.ca/hrcorpreports/pdfs/6/632555.pdf · Merchandising: To keep abreast with marketing changes and consumer requirements, we are

Documents
Staying Ahead of Google Shopping Changes: Insights from PLA Experts

Staying Ahead of Google Shopping Changes: Insights from PLA Experts

Marketing
Keeping abreast of Postcode changes in Local Areas Presented by Sharon May Senior Public Health Analyst

Keeping abreast of Postcode changes in Local Areas Presented by Sharon May Senior Public Health Analyst

Documents
The Medical Source for Benefit Professionals€¦ · Between controversies and guideline discrepancies, cancer screenings can be confusing. ... abreast of the new trends and changes

The Medical Source for Benefit Professionals€¦ · Between controversies and guideline discrepancies, cancer screenings can be confusing. ... abreast of the new trends and changes

Documents
Reducing your carbon emissions...while staying abreast of policy changes and new programs. As active members in industry groups, and by maintaining relationships with regulators, we

Reducing your carbon emissions...while staying abreast of policy changes and new programs. As active members in industry groups, and by maintaining relationships with regulators, we

Documents
Staying Abreast In Georgiaand the Metro Atlanta Breast Cancer Angel Fund of the Eric R. Beverly Family Foundation. “Pink Ribbons is an Atlanta tradi-tion for more than 600 attendees

Staying Abreast In Georgiaand the Metro Atlanta Breast Cancer Angel Fund of the Eric R. Beverly Family Foundation. “Pink Ribbons is an Atlanta tradi-tion for more than 600 attendees

Documents
Responsible Investment Policy - Fonds Desjardins · - Maintaining exemplary practices and staying abreast of changes in ESG issues. - Annual public reporting of our activities and

Responsible Investment Policy - Fonds Desjardins · - Maintaining exemplary practices and staying abreast of changes in ESG issues. - Annual public reporting of our activities and

Documents
Canadian Agency for Drugs and Technologies in Health ...€¦ · environment. Staying abreast of rapid technological changes remains a challenge. Information is more abundant than

Canadian Agency for Drugs and Technologies in Health ...€¦ · environment. Staying abreast of rapid technological changes remains a challenge. Information is more abundant than

Documents
Staying abreast of customer expectations

Staying abreast of customer expectations

Business
Program/sp18...  · Web view2019-10-11 · It is the student’s responsibility to keep abreast of such changes. I use ‘Announcements’ to highlight any changes. Learning Management

Program/sp18...  · Web view2019-10-11 · It is the student’s responsibility to keep abreast of such changes. I use ‘Announcements’ to highlight any changes. Learning Management

Documents
Abreast Of The Times

Abreast Of The Times

Documents
42-46 Layout 1 26/06/2017 12:30 Page 1 DAIRY INDUSTRY … · The dairy industry is offsetting its challenges with continuous innovation and staying abreast of changing consumer trends

42-46 Layout 1 26/06/2017 12:30 Page 1 DAIRY INDUSTRY … · The dairy industry is offsetting its challenges with continuous innovation and staying abreast of changing consumer trends

Documents
Staying on top of FCC regulations: how the latest changes

Staying on top of FCC regulations: how the latest changes

Documents
Recruitment and induction - Gloucestershire › media › 11415 › ... · Human resource planning Recruiters need to keep abreast of changes in the labour market to ensure that their

Recruitment and induction - Gloucestershire › media › 11415 › ... · Human resource planning Recruiters need to keep abreast of changes in the labour market to ensure that their

Documents
Staying Ahead of Google Shopping Changes

Staying Ahead of Google Shopping Changes

Internet
ANNUAL REPORT FISCAL YEAR 2013of Hawaii’s Bachelor of Science program in Medical Technology, and the University of Hawaii’s pathology residency program. Staying abreast of the

ANNUAL REPORT FISCAL YEAR 2013of Hawaii’s Bachelor of Science program in Medical Technology, and the University of Hawaii’s pathology residency program. Staying abreast of the

Documents
Contents · Web view3. Criteria for Staying Put Policy 4 4. Setting Up ‘Staying Put’ Placements 5 5. Changes in Support and regulatory arrangements if a placement becomes one

Contents · Web view3. Criteria for Staying Put Policy 4 4. Setting Up ‘Staying Put’ Placements 5 5. Changes in Support and regulatory arrangements if a placement becomes one

Documents
DEVELOPMENT SECTION Product - SOA...Income Streams Need to Be Managed—Part 2 By Ben H Wolzenski and John•S. McSwaney ... while staying abreast of the many changes and influences

DEVELOPMENT SECTION Product - SOA...Income Streams Need to Be Managed—Part 2 By Ben H Wolzenski and John•S. McSwaney ... while staying abreast of the many changes and influences

Documents
Staying up to Date with Online Content Changes Using Reinforcement Learning … · 2019-10-31 · Staying up to Date with Online Content Changes Using Reinforcement Learning for Scheduling

Staying up to Date with Online Content Changes Using Reinforcement Learning … · 2019-10-31 · Staying up to Date with Online Content Changes Using Reinforcement Learning for Scheduling

Documents
GUIDESTAR PUBLICATIONS GuideStar’s Six Tips for Better ...video, building a donor-friendly website, creating a thoughtful social media strategy, and staying abreast of the best and

GUIDESTAR PUBLICATIONS GuideStar’s Six Tips for Better ...video, building a donor-friendly website, creating a thoughtful social media strategy, and staying abreast of the best and

Documents
Staying Abreast In Georgia of Directors Patricia L. Dickey Amy Feintuch Sara Hanna Gulshan Harjee, M.D. Angela Ryan Nancy J. Whaley 2015 Officers Sheryl herico President Ruth Eldredge

Staying Abreast In Georgia of Directors Patricia L. Dickey Amy Feintuch Sara Hanna Gulshan Harjee, M.D. Angela Ryan Nancy J. Whaley 2015 Officers Sheryl herico President Ruth Eldredge

Documents