25/01/2012, 1:49 pm | by Alan Burchill
Microsoft has just released Security Compliance Manager v2.5 beta https://connect.microsoft.com/site715/program2682 along with a heap of new security baselines for you to compare against your environment. In case you are not familiar with SCM, it is a great product from Microsoft that consolidates all the best practices for their software with an in-depth explanation for each setting.
Notably, this new version has security baselines for Exchange Server 2010 and 2007. These baselines are also customised for the specific role of the server. Also interesting is that the baseline settings include not only Group Policy computer settings but also PowerShell commands to configure aspects of the product that are not as simple to make as a registry key change.

As you can see from the image below, the PowerShell script to perform the required configuration is listed in the detail pane…

As yet I can only assume you need to copy the PS command and make your own script to run against your Exchange server. Still better than nothing… and the software is still beta so we are likely to see more improvements soon…
23/01/2012, 11:00 pm | by Alan Burchill
One of the most common complaints I hear about Group Policy is that it makes the log on slow… Well… I have been using the Windows Developer Preview of Windows 8 for a while now and I have only just discovered a cool new feature that might just help address this issue.
When you run a GPRESULT report on a computer it will now show the time it takes to process the individual components of Group Policy, so you can much more easily determine what is making your computer run “SLOW”… If you look under the “Component Status” section of the GPResult report, it now lists the “Time Taken” to process the core Group Policy Infrastructure and each of the extensions. Now you can tell if it is actually Group Policy and/or one of the many, many, many, many…. many… settings you apply to your computer that is slowing down your computer start up…
TIP: Clicking on the blue date time will give you the “Processing Details” window.

11/01/2012, 12:42 pm | by Alan Burchill
Removable memory sticks are the back door for data in any organisation. BitLocker to Go can go some way to controlling this vector; however, you might want to simply close off all access to removable drives for all your users. So if you are running Windows 7 you will be glad to know there are a heap of Windows 7 GPO settings that allow you to control access to your removable devices.
Even better, there is a deny execute access policy setting that prevents your users from running BYO applications such as Firefox Portable, and even some malicious software, via USB sticks.

While most of the device types seem obvious, the WPD Device allows you to control access “to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices.”
You can even configure the “Time (in seconds) to force reboot” which will enforce the change once it is applied to the computer.
These policy settings can be found under Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access.
It's the best thing to control access to USB storage devices since the invention of the hot glue gun….
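To confirm on a client that the Removable Storage Access settings have actually been applied, the following added example (not part of the original post) reads the policy registry values and reports the effective deny flags per device class. The registry path, device class GUIDs and value names are assumptions taken from the in-box RemovableStorage.admx template; the WPD classes are left out for brevity.

```powershell
# Added example: report which Removable Storage Access restrictions are in force.
# Assumption: these keys and value names are the ones written by the in-box
# RemovableStorage.admx template; confirm them against your own template.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device class sub-keys used by the per-class policy settings (assumed).
$classes = @(
    @{ Name = 'Removable Disks'; Guid = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' },
    @{ Name = 'CD and DVD';      Guid = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}' },
    @{ Name = 'Floppy Drives';   Guid = '{53f56311-b6bf-11d0-94f2-00a0c91efb8b}' },
    @{ Name = 'Tape Drives';     Guid = '{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}' }
)

function Test-DenyValue {
    param([string]$Key, [string]$Name)
    # A missing key or value means the setting is "Not Configured".
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ($item.$Name -eq 1)
}

function Get-RemovableStoragePolicy {
    # "All Removable Storage classes: Deny all access" overrides the per-class settings.
    $denyAll = Test-DenyValue -Key $base -Name 'Deny_All'

    $classes | ForEach-Object {
        $key = "$base\$($_.Guid)"
        New-Object PSObject -Property @{
            DeviceClass = $_.Name
            DenyRead    = $denyAll -or (Test-DenyValue $key 'Deny_Read')
            DenyWrite   = $denyAll -or (Test-DenyValue $key 'Deny_Write')
            DenyExecute = $denyAll -or (Test-DenyValue $key 'Deny_Execute')
        }
    } | Select-Object DeviceClass, DenyRead, DenyWrite, DenyExecute
}

Get-RemovableStoragePolicy | Format-Table -AutoSize
```

Run it in an elevated or standard PowerShell session after `gpupdate /force`; a row showing `False` for a setting you configured means the GPO is not reaching that computer.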
10/01/2012, 1:33 pm | by Alan Burchill
Approximately 2 years ago today the Group Policy Central web site went live. I am very glad to say that it has been going from strength to strength since then… I of course would like to thank all of you for visiting and coming back to my site, as it is you, the visitor to my site, that makes all this effort worthwhile.
Just to show you how much this site has grown below are a few stats for this site to date:
- 1,088,594 all time visits
- 4,741 views on your busiest day, October 19, 2011
- 1,631 comments
- 256 Posts
And below is a bar graph showing the growth of the site since day one…

With a lot of Windows 8 things coming this year I have no doubt that there will be heaps more exciting content to come later this year…
15/12/2011, 11:27 pm | by Alan Burchill
Microsoft has just released a report (see AppLocker Deployment at Microsoft) describing the process they used to implement AppLocker via Group Policy. This was done so that Microsoft would maintain compliance with the U.S. Digital Millennium Copyright Act (DMCA) by preventing all their computers from running P2P software.
The report shows that after they fully rolled out the AppLocker policy setting the number of P2P cases dropped to nearly 0%. It was also interesting that the report noted that there was not a single support call regarding AppLocker for all 200,000 computers when the settings were rolled out.
Not a single support call for an AppLocker-related problem has occurred.

This document focuses more on the process for testing and deployment of AppLocker in a large environment rather than the exact technical steps. I assume what made this a lot easier for Microsoft is that the most popular BitTorrent client, uTorrent, is a digitally signed program. This makes it a lot easier for AppLocker to identify the application, as it only needs to look at the digital signature to determine if the program should be blocked, meaning that they do not have to constantly update the Group Policy setting with a new hash value whenever a new version of the client is released.
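The difference between a publisher rule and a hash rule can be seen by generating a draft policy for a signed executable and evaluating it offline. This is an added example, not taken from the Microsoft report or the original post; `C:\Temp\SignedApp.exe` and the output file name are hypothetical placeholders.

```powershell
# Added example: draft a deny rule for a signed executable and test it
# without applying anything to the machine.
Import-Module AppLocker

# Hypothetical path: point this at the signed .exe you want to evaluate.
$exe = 'C:\Temp\SignedApp.exe'

$info = Get-AppLockerFileInformation -Path $exe

# Publisher is tried first; a Hash rule is generated only when the file
# carries no usable signature.
[xml]$policy = $info | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml

# New-AppLockerPolicy writes Allow rules, so flip them to Deny.
foreach ($rule in $policy.SelectNodes('//FilePublisherRule')) {
    $rule.SetAttribute('Action', 'Deny')
    # Match every version from this publisher/product/file name, so a new
    # release of the program does not need a policy change.
    $range = $rule.SelectSingleNode('.//BinaryVersionRange')
    $range.SetAttribute('LowSection', '*')
    $range.SetAttribute('HighSection', '*')
}
foreach ($rule in $policy.SelectNodes('//FileHashRule')) {
    # A hash rule matches only this exact binary and must be regenerated
    # for every new build.
    $rule.SetAttribute('Action', 'Deny')
}

$xmlPath = Join-Path $env:TEMP 'applocker-draft.xml'
$policy.Save($xmlPath)

# Evaluate the file against the draft policy for the Everyone group.
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path $exe -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
```

The draft contains only the deny rule, so it is suitable for `Test-AppLockerPolicy` checks and for merging into an existing policy, not for applying on its own.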

Personally I certainly think BitTorrent software has a legitimate and legal place. For example, check out The Tunnel Movie, which was a full-length movie that was released freely using BitTorrent. Rather ironically, Windows has its P2P service built in, called Background Intelligent Transfer Service (BITS), which is used for distributing software updates to computers efficiently over WAN and LAN links.
However, this is still a good case study of the process you need to take to roll out AppLocker to prevent users from running particular programs that, say, may not be a secure version (e.g. Adobe Reader v9, see http://blog.stealthpuppy.com/virtualisation/dont-virtualize-adobe-reader-x/).
If you are interested in instructions for using AppLocker, then check out my other blog post Best Practice: How to configure AppLocker Group Policy in Windows 7 to block third-party browsers