1.3.2 Security Extension Overview
Security policies contain settings (which the protocol configures) that enable underlying security components to enforce the following:
Password, account lockout, and Kerberos policies.
System audit settings.
Privilege and rights assignments.
Application security configuration data values and security descriptors.
Event log settings.
Security group membership.
Configuration information of long-running processes and programs, and security descriptors on them.
File and folder security descriptors.
Security configuration involves the following major steps:
Security policy authoring.
Security policy assignment.
Security policy distribution.
Security policy authoring is enabled through an administrative tool for the Group Policy: Core Protocol with an administrative plug-in for behavior specific to this protocol. The plug-in allows an administrator to author security policies within a user interface. The plug-in then saves the security policies into .inf files with a standard format, and stores them on a network location that is accessible by using the Server Message Block (SMB) Protocol, as specified in [MS-SMB].
Security policy assignment is performed by the Group Policy: Core Protocol administrative tool, which constructs GPOs, as specified in [MS-GPOL] section 2.2.8.1. Each GPO contains a reference to the network location containing the security policy files generated by the administrative-tool plug-in.
Security policy distribution involves a corresponding protocol-specific Group Policy plug-in on the client machine, which is invoked to process any GPO that refers to security policy settings. The security protocol client-side plug-in extracts the network location specified in the GPO, transfers the security policy files by using the SMB protocol, and then uses the security policy files to configure the client's security settings.
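The three steps above produce and consume the same artifact: an .inf security template on an SMB share. As an added example (not code from [MS-GPSB], from the administrative plug-in, or from the Windows client-side plug-in), the following Python parses such a template as the client-side plug-in would have to, and then audits a few of the settings it carries. Assumptions: the conventional file name GptTmpl.inf, the section names [System Access], [Privilege Rights], [Registry Values] and [Event Audit], the "*SID,*SID" form of privilege assignments and the "type,data" form of registry values come from the rest of the specification and from Windows, not from this section; the sample template is constructed; the 14-character threshold, the finding codes and the helper names are this example's own choices.

```python
# Added example: parse a Group Policy security template (.inf, conventionally
# GptTmpl.inf) and flag a few weak settings. Not code from [MS-GPSB] or Windows.
import codecs
import re
from typing import Dict, List, Tuple

# Constructed sample template. Section and key names follow the GptTmpl.inf
# layout; the values are chosen so that several of the checks below fire.
SAMPLE_INF = r"""[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 0
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,0
[Event Audit]
AuditLogonEvents = 3
"""

BUILTIN_ADMINISTRATORS = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
MIN_PASSWORD_LENGTH = 14                 # this example's own threshold, not a spec value

Section = Dict[str, str]


def decode_template(raw: bytes) -> str:
    """Templates saved by the plug-in are normally UTF-16 with a BOM; accept UTF-8 too."""
    if raw.startswith(codecs.BOM_UTF16_LE) or raw.startswith(codecs.BOM_UTF16_BE):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def parse_template(text: str) -> Dict[str, Section]:
    """INI-style parse: [Section] headers, key=value lines, ';' comment lines.

    Only the first '=' separates key from value, because registry-value lines
    are 'path=type,data' and the path itself never contains '='.
    """
    sections: Dict[str, Section] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # tolerate stray lines instead of rejecting the whole template
        key, value = line.split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def parse_sids(value: str) -> List[str]:
    """'*S-1-5-32-544,*S-1-5-32-545' -> ['S-1-5-32-544', 'S-1-5-32-545']; bare names stay as written."""
    return [tok.strip().lstrip("*") for tok in value.split(",") if tok.strip()]


def parse_registry_value(value: str) -> Tuple[int, str]:
    """'4,1' -> (4, '1'): numeric registry type, then the data exactly as written."""
    reg_type, _, data = value.partition(",")
    return int(reg_type), data


def audit_template(sections: Dict[str, Section]) -> List[Tuple[str, str]]:
    """Return (code, message) findings for a handful of commonly weak settings."""
    findings: List[Tuple[str, str]] = []
    access = sections.get("System Access", {})
    if int(access.get("MinimumPasswordLength", "0")) < MIN_PASSWORD_LENGTH:
        findings.append(("weak-min-password-length",
                         "MinimumPasswordLength missing or below %d" % MIN_PASSWORD_LENGTH))
    if access.get("LockoutBadCount", "0") == "0":
        findings.append(("no-account-lockout", "LockoutBadCount is 0: no lockout on bad passwords"))
    rights = sections.get("Privilege Rights", {})
    extra = [s for s in parse_sids(rights.get("SeDebugPrivilege", "")) if s != BUILTIN_ADMINISTRATORS]
    if extra:
        findings.append(("sedebug-outside-admins", "SeDebugPrivilege granted to %s" % ", ".join(extra)))
    for path, value in sections.get("Registry Values", {}).items():
        if path.endswith(r"\Lsa\NoLMHash"):
            reg_type, data = parse_registry_value(value)
            if reg_type == 4 and data.strip() == "0":  # REG_DWORD 0: LM hashes will be stored
                findings.append(("lmhash-stored", "NoLMHash is 0: LM hashes of new passwords are kept"))
    return findings


if __name__ == "__main__":
    for code, message in audit_template(parse_template(SAMPLE_INF)):
        print(code, "-", message)
```

To run this against a real template, read the file as bytes from the SYSVOL location the GPO references and pass it through decode_template first; the BOM check matters because the plug-in writes UTF-16 and a naive UTF-8 read turns every key into unreadable text.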