Group Policies.

A Group Policy is a set of rules or policies that can be applied to a set of users or computer accounts within an operating system. Now, to access the Group Policy Editor, simply go to the Run prompt and enter gpedit. The Local Group Policy Editor will then launch, and this is used to create and manage policies within a Windows environment. Each policy acts as a security template that can apply a set of rules to different users. These rules can contain things like password complexity requirements, account lockout policies, software restrictions, and application restrictions. If you're using an Active Directory domain controller in a Windows environment, you actually have access to a more advanced version of the Group Policy Editor as well. In corporate environments, it's common to create a security template with predefined rules based upon your organization's administrative policies. This security template is a group of policies that can be loaded through a single procedure within the Group Policy Editor.
A large part of hardening the operating system occurs through loading different Group Policy objectives, or GPOs, against the workstation or against the server. These Group Policies are also used to create a secure baseline as part of your larger configuration management program. Using them, new accounts and computers can quickly be configured with all of your organizational requirements. After creating your secure baseline, it's important to conduct baselining. Baselining is a process of measuring changes in the network, hardware, or software environment. Effectively, a baseline helps establish what normal is for your organization. By knowing what normal is, you can then identify what abnormal, or a deviation, looks like. For example, if you're looking at your network utilization over a period of time, you can identify high periods and low periods. If you normally have low periods of activity during a Saturday afternoon, for example, but this Saturday afternoon you saw an excessively high amount of activity, you should look into that and investigate it. For example, in this image, we can see one very high spike of activity.
We would compare this to a known baseline and then determine if this spike is expected or if it should be investigated further. Every deviation should be looked at and categorized as either acceptable and expected or an issue to investigate further. Many data breaches have been discovered by investigating higher than expected network utilization during periods of time that should have been relatively low. By looking at this, they have found things like data exfiltration and other problems that have happened through the network.