
HeyMerlin

Exam environment configuration with Windows 7 clients in a domain

by HeyMerlin, 19th April 2012 at 10:18 PM (7216 Views)
A couple of weeks ago I posted a question regarding setting up one of my labs for an upcoming online final exam. A paraphrased summary of the question is below:

Quote Originally Posted by HeyMerlin View Post
I'm trying to figure out a way to configure Windows 7 firewall rules via GPO for the following environment:
  • Local account only, no domain accounts (this is easy via GPO)
  • Need access to one web server that serves the exam
  • Need access to CAS, DNS, and AD machines
  • Do not block traffic from specific machines used for administration.
  • Block everything else.


I'm considering the following configuration:
  • Block all incoming connections unless matched by a rule
  • Block all outgoing connections unless matched by a rule
  • Add rules for the following:
  • - Allow all DHCP (UDP, ports 67 & 68)
  • - Allow all traffic to our DNS servers (I have a list of these)
  • - Allow all traffic to our CAS servers (I have a list of these)
  • - Allow all traffic to our AD servers (I have to get a list of these)
  • - Allow all traffic to our exam server
  • - Allow all traffic from our administration servers
Having now successfully configured the lab in question and hosted the exam, I thought others may find the solution useful. First, here is a general description of our lab environment:
  • Windows 7 clients joined to a Server 2008 R2 hosted domain on a relatively large campus.
  • Network infrastructure under centralized control, which makes physical changes impossible; there is no practical way of physically isolating the lab in question.
  • Windows domain under centralized control. We only have permissions to manipulate our department's OUs, computer objects, security groups, and GPOs in the domain.


The solution I used involves the creation of three GPOs in the AD; actually the first one below was previously in place.
  1. Normal Login restriction GPO.
    This is the preexisting GPO that is used in our labs to limit which users are allowed to log into which lab machines. If you have not used this style of GPO before, the catch is that User Rights Assignment settings tattoo the client machine: disabling the GPO does not reverse its effects. If you need to change the list of allowed users you must either change this GPO or disable it and use a second GPO to tattoo the client with the changed user list. In this scenario the GPO is re-applied after the exam is over to give all the regular users access to the lab clients again.
    This GPO is linked and enabled, but not enforced, in the appropriate OU before, during, and after the exam. It is not necessary to modify this GPO specifically for the exam.
    GPO details:
    • Computer Configuration/Policies/Windows Settings/Local Policies/User Rights Assignment/Allow log on locally
      Add all users that you normally allow to access the client machine. Do not forget to add BUILTIN\Administrators and NT AUTHORITY\SYSTEM. In my case this included AD security groups that are populated with our department's personnel and students, along with a few local groups including one ExamAccounts group.
    • Computer Configuration/Preferences/Control Panel Settings/Local Users and Groups/Group (Name: ExamAccounts)
      • Action: update
        NOTE: you do not want to use Replace here. Replace deletes and recreates the group each time the policy is applied, so the group gets a new SID every time and no longer matches the SID granted "Allow log on locally" above. Update keeps the existing group (and its SID) and only adjusts its properties and membership.
      • Delete all member users: disabled
      • Delete all member groups: disabled
      • Stop processing items on this extension if an error occurs on this item: no
      • Remove this item when it is no longer applied: yes

  2. Exam user account GPO.
    This GPO creates/deletes the local user account to be used by the students during the exam. It can be enabled any time before the exam, but disable it only once you are sure that no exam files on any machine are still needed, because disabling it removes the account. Hopefully you have backed up all the files to a central location "just in case" right after the exam anyway.
    GPO details:
    • Computer Configuration/Preferences/Control Panel Settings/Local Users and Groups/User (Name: exam)
      • User name: exam
      • User cannot change password: true
      • Password never expires: true
      • Account is disabled: true
      • Account expires: never
      • Stop processing items on this extension if an error occurs on this item: no
      • Remove this item when it is no longer applied: yes
    • Computer Configuration/Preferences/Control Panel Settings/Local Users and Groups/Group (Name: ExamAccounts)
      • Action: Update
      • Group name: ExamAccounts
      • Delete all member users: disabled
      • Delete all member groups: disabled
      • Add members: exam
      • Stop processing items on this extension if an error occurs on this item: no
      • Remove this item when it is no longer applied: yes

  3. Exam environment GPO.
    This is the GPO that does all the heavy lifting and provides the actual exam environment. This includes enabling the exam account, restricting the allowed accounts, and setting up the firewall.
    This GPO must be set to Enforced to ensure that its settings override those of any other GPO. Enable this GPO and reboot the machines just prior to the exam. After the exam, disable the GPO and reboot the machines for normal access.
    GPO details:
    • Computer Configuration/Policies/Windows Settings/Local Policies/User Rights Assignment/Allow log on locally
      Add all users that are allowed to access the client machine during the exam. As above, do not forget to add BUILTIN\Administrators and NT AUTHORITY\SYSTEM.
      • BUILTIN\Administrators
      • NT AUTHORITY\SYSTEM
      • ExamAccounts (local group created above)
    • Computer Configuration/Policies/Windows Settings/Windows Firewall with Advanced Security/Domain Profile Settings
      • Firewall state: on
      • Inbound connections: block
      • Outbound connections: block
      • Apply local firewall rules: no
      • Apply local connection security rules: no
      • Display notifications: no
    • Computer Configuration/Policies/Windows Settings/Windows Firewall with Advanced Security/Inbound Rules
      • Add the predefined rule "Core Networking" - Action: allow
      • Remote Desktop - Action: allow, Scope: limited to particular machines or networks as desired
      • Add exceptions for any other particular machines (remote scope set to the IP address) used to remotely administer the machines if needed.
    • Computer Configuration/Policies/Windows Settings/Windows Firewall with Advanced Security/Outbound Rules
      • Add the predefined rule "Core Networking" - Action: allow
        The one exception to "Action: allow" is "Core Networking - Group Policy (NP-Out)", which must be set to block. That rule is the one that permits outbound SMB (TCP 445), so blocking it prevents the exam participants from mapping or browsing any network drives. Access to the GPO files on the domain controllers is still permitted by the targeted per-server rules below. Because an explicit block rule takes precedence over allow rules in Windows Firewall with Advanced Security, verify from a client in exam mode that gpupdate /force still succeeds and that \\mydomain.edu\SYSVOL still opens; if either fails, the block is also catching the DCs and a narrower block rule (TCP 445 scoped to the address ranges students must not reach) is needed instead.
      • Add rules for specific servers such as the AD DCs, CAS servers, Moodle server (for handing in exams), A/V update servers, etc. The one catch is that although you may have dc1.mydomain.edu through dc4.mydomain.edu, the domain's own DNS name (mydomain.edu) also resolves to domain controller addresses, and \\mydomain.edu\SYSVOL is the path the client uses to fetch the GPO files; make sure every address that name resolves to is in this list.
        Typical settings:
        • Enabled: true
        • Program: any
        • Action: allow
        • Protocol, Local/Remote ports, Local scope, and ICMP settings: any
        • Remote scope: IP address(es) of your server(s)
    • Computer Configuration/Policies/Administrative Templates/Network/Network Connections/Windows Firewall/Domain Profile
      These settings are here to override any similar settings in other GPOs.
      • Windows Firewall: Allow inbound file and printer sharing exception: disabled
      • Windows Firewall: Allow inbound Remote Desktop exceptions: Enabled - Limit scope as above
      • Windows Firewall: Allow local port exceptions: disabled
      • Windows Firewall: Allow local program exceptions: disabled
      • Windows Firewall: Define inbound port exceptions: disabled
      • Windows Firewall: Define inbound program exceptions: disabled
      • Windows Firewall: Prohibit notifications: disabled
      • Windows Firewall: Protect all network connections: enabled
    • Computer Configuration/Preferences/Control Panel Settings/Local Users and Groups/User (Name: exam)
      • User name: exam
      • User cannot change password: true
      • Password never expires: true
      • Account is disabled: false
      • Account expires: never
      • Stop processing items on this extension if an error occurs on this item: no
      • Remove this item when it is no longer applied: no
      • Apply once and do not reapply: no
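
As an added example (not code from the original post), the following PowerShell script builds the firewall portion of GPO 3 with netsh advfirewall on a single Windows 7 test client, so the rule set can be exercised before it is committed to the domain. It then exports the policy to a .wfw file, which the GPO editor can take in via right-click on the "Windows Firewall with Advanced Security" node and "Import Policy" (the import replaces the GPO's existing firewall settings, so review the result before linking). Server addresses, rule names and the export path are assumed placeholders. Use a client that is not yet under the exam GPO: once the GPO sets "Apply local firewall rules: no", locally created rules are ignored.

```powershell
# Added example, not code from the original post: prototype the GPO 3 firewall
# policy locally with netsh advfirewall, then export it for import into the GPO.
# Run from an elevated PowerShell on a Windows 7 test client. Addresses below
# are assumed placeholders; replace them with the real DC/CAS/exam server lists.

# Every entry becomes one outbound allow-all rule (protocol any, ports any).
# Include the addresses that the domain DNS name itself resolves to, since the
# client reads GPO files from \\mydomain.edu\SYSVOL.
$allowedServers = @{
    'Exam web server' = '10.0.1.10'
    'DC1'             = '10.0.0.11'
    'DC2'             = '10.0.0.12'
    'CAS'             = '10.0.0.20'
    'Moodle'          = '10.0.2.5'
}
$adminHosts = '10.0.9.5,10.0.9.6'        # assumed: machines allowed to RDP in
$exportPath = 'C:\Temp\exam-firewall.wfw' # assumed: where the policy is exported

# Each element is passed to netsh as its own argument, so rule names containing
# spaces survive without manual quoting.
function Invoke-Netsh([string[]]$NetshArgs) {
    $out = & netsh.exe @NetshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh $($NetshArgs -join ' ') failed: $out" }
}

# Domain profile: on, default block in both directions, ignore local rules and
# local connection security rules, no notification pop-ups.
Invoke-Netsh 'advfirewall','set','domainprofile','state','on'
Invoke-Netsh 'advfirewall','set','domainprofile','firewallpolicy','blockinbound,blockoutbound'
Invoke-Netsh 'advfirewall','set','domainprofile','settings','localfirewallrules','disable'
Invoke-Netsh 'advfirewall','set','domainprofile','settings','localconsecrules','disable'
Invoke-Netsh 'advfirewall','set','domainprofile','settings','inboundusernotification','disable'

# Predefined "Core Networking" rules, inbound and outbound (DHCP, DNS, ICMPv6, ...).
Invoke-Netsh 'advfirewall','firewall','set','rule','group=Core Networking','new','enable=yes'

# Turn the outbound SMB (TCP 445) member of that group into a block so students
# cannot map shares. The name must match the console's display name exactly.
Invoke-Netsh 'advfirewall','firewall','set','rule',
    'name=Core Networking - Group Policy (NP-Out)','dir=out','new','action=block'

# One outbound allow-all rule per permitted server, scoped by remote address.
foreach ($entry in $allowedServers.GetEnumerator()) {
    Invoke-Netsh 'advfirewall','firewall','add','rule',
        "name=Exam - $($entry.Key)",'dir=out','action=allow','profile=domain',
        'protocol=any',"remoteip=$($entry.Value)",'enable=yes'
}

# Inbound Remote Desktop only from the administration hosts.
Invoke-Netsh 'advfirewall','firewall','set','rule','group=Remote Desktop','dir=in',
    'new','enable=yes',"remoteip=$adminHosts"

# Export the whole policy for "Import Policy" in the GPO editor.
New-Item -ItemType Directory -Path (Split-Path $exportPath) -Force | Out-Null
if (Test-Path $exportPath) { Remove-Item $exportPath -Force }
Invoke-Netsh 'advfirewall','export',$exportPath
Write-Host "Policy exported to $exportPath. Review with: netsh advfirewall firewall show rule name=all dir=out"
```

The Remote Desktop and per-server rules are scoped with remoteip exactly as the GPO bullets above describe; anything not matched by a rule falls through to the profile's block default, so an omitted DC or CAS address shows up immediately as a failed logon or a Group Policy error on the test client rather than during the exam.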


Using the above configuration I was able to remotely flip the lab into exam mode, and back into regular mode, simply by enabling and disabling GPO number 3. Once the course instructor confirmed that all exam files had been collected and submitted, disabling GPO number 2 removed the local exam account and all files from the lab machines.
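
Before students sit down it is worth confirming that the flip into exam mode actually produced the intended state on a client. The following pre-flight check is an added example (not code from the original post) and verifies the pieces the exam depends on: that the current SID of the local ExamAccounts group is the one granted "Allow log on locally" (the Update-versus-Replace SID problem from GPO 1), that the exam account exists and is enabled, that the active firewall profile is on with inbound and outbound blocked by default, that outbound SMB to a domain controller survived the NP-Out block (otherwise SYSVOL is unreachable and GPO 3 can never be refreshed or disabled), and that the exam server answers while a host outside the allow list does not. The exam server and blocked-host addresses are assumed placeholders; the script is written for PowerShell 2.0 on Windows 7 and must run elevated because secedit requires it.

```powershell
# Added example, not code from the original post: pre-flight check for a lab
# client after GPO 3 has been enabled and the client rebooted. Run elevated.
$examServer  = '10.0.1.10'   # assumed: web server that serves the exam
$blockedHost = '10.0.5.50'   # assumed: a host that is up but NOT in the allow list
$script:results = @()

function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

# 1. SID of the local group versus SeInteractiveLogonRight in the applied policy.
#    secedit writes principals as *S-1-5-...; a group recreated by a Replace
#    action would carry a new SID and therefore not appear in the list.
$check = 'ExamAccounts SID holds Allow log on locally'
try {
    $acct = New-Object System.Security.Principal.NTAccount("$env:COMPUTERNAME\ExamAccounts")
    $groupSid = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $inf = Join-Path $env:TEMP 'exam-rights.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' } | Select-Object -First 1
    Remove-Item $inf -Force
    $sids = @()
    if ($line) { $sids = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } }
    Add-Result $check ($sids -contains $groupSid) "$groupSid vs [$($sids -join ' ')]"
} catch { Add-Result $check $false $_.Exception.Message }

# 2. The exam account exists and is enabled (ADS_UF_ACCOUNTDISABLE = 0x2).
$check = 'exam account present and enabled'
try {
    $user  = [ADSI]"WinNT://$env:COMPUTERNAME/exam,user"
    $flags = [int]$user.UserFlags.Value
    Add-Result $check (($flags -band 0x2) -eq 0) ("UserFlags=0x{0:X}" -f $flags)
} catch { Add-Result $check $false $_.Exception.Message }

# 3. Effective settings of the active profile (domain, on a joined client).
$fw = (& netsh.exe advfirewall show currentprofile) -join "`n"
$ok = ($fw -match 'State\s+ON') -and ($fw -match 'Firewall Policy\s+BlockInbound,BlockOutbound')
Add-Result 'firewall on with default block in and out' $ok ''

# 4. TCP reachability with a timeout (Test-NetConnection does not exist on Windows 7).
#    A blocked destination simply times out, so the negative test only means
#    something if the chosen host is actually up.
function Test-TcpPort([string]$Target, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}
Add-Result 'exam server reachable'    (Test-TcpPort $examServer 80)        "${examServer}:80"
Add-Result 'non-allowed host blocked' (-not (Test-TcpPort $blockedHost 80)) "${blockedHost}:80"

# 5. Outbound SMB to a DC must survive the NP-Out block, or SYSVOL (and with it
#    any later gpupdate or disabling of the GPO) is out of reach. The computer is
#    still domain-joined even though the user is local, so take the domain name
#    from WMI; that name resolves to domain controller addresses.
$check = 'SMB (445) to a DC still open for SYSVOL'
try {
    $domain = (Get-WmiObject Win32_ComputerSystem).Domain
    $dc = [System.Net.Dns]::GetHostAddresses($domain) | Select-Object -First 1
    Add-Result $check (Test-TcpPort $dc.IPAddressToString 445) "$domain -> $dc"
} catch { Add-Result $check $false $_.Exception.Message }

$script:results | Format-Table Check, Pass, Detail -AutoSize
if ($script:results | Where-Object { -not $_.Pass }) { exit 1 } else { exit 0 }
```

A non-zero exit code from any check means the client is not actually in exam mode; the most common causes are a stale tattooed user-rights list (check 1), a GPO 2 item still set to "Account is disabled: true" winning over GPO 3 because GPO 3 is not enforced (check 2), and a DC or SYSVOL address missing from the per-server allow rules (check 5).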

I'd love to hear your comments and any suggestions for improvements on the above. If you use this information, I'd appreciate hearing how it went.

Merlin.

Updated 24th April 2012 at 08:42 PM by HeyMerlin (Error regarding gpo preference action)

Categories
Sysadmin , Group Policies
