Group Policy Central

Archive for March 2010

Group Policy Setting of the Week 20 – Exclude files from being cached

This week's setting is a new Offline Files configuration setting called “Exclude files from being cached”. IT administrators can use it to block unwanted file types from being made available for offline use. You can find this setting under Computer Configuration > Policies > Administrative Templates > Network > Offline Files, and it only works on Windows 7.


This setting is really useful when you already have policies in your environment that block certain types of files on your file servers, such as *.jpg or *.mp3. Combined with Windows Server File System Filters, it lets you enforce some very tight controls on your corporate file servers.

How to prevent x86 (32-bit) applications from installing via Group Policy on Windows x64

One of the powerful features of Group Policy that has been around since its inception is the ability to deploy and manage MSI-based applications. One scenario you might find yourself in, due to the increasing popularity of Windows x64, is how to deploy the right version of an application to your SOE while you are still running a mixed x86/x64 environment. Normally you can just deploy the x86 version of an application to both x86 and x64 platforms, however there are some scenarios where this is not possible or simply not ideal.

Below I will show you how to prevent the deployment of an example application, “Geosense for Windows”, to computers running Windows x64. This program is a good example as it comes in both x86 and x64 versions, because it includes a software-driven location sensor driver for Windows 7. Drivers are of course one of the few types of x86 component that you cannot install on x64 versions of Windows. You may also want to use this option if you have a high-performance x64 version of an application that can take advantage of a system with more than 4 GB of RAM.

Step 1. Open the properties of the x86 application package you want to prevent from deploying to x64 Windows.


Step 2. Click on the “Deployment” tab


Step 3. Click on “Advanced…”


Notice that by default “Make 32-bit X86 application available to Win64 machines” is ticked.

Step 4. Un-tick “Make 32-bit X86 application available to Win64 machines”


Step 5. Click “OK”


Now the application will no longer try to install on x64 versions of Windows.

So now that you have prevented the 32-bit version of the application from installing on 64-bit Windows, how do you prevent the x64 version of the application from installing on 32-bit versions of Windows? You don't need to do anything.

As you can see below, when you add an MSI for a 64-bit application, Group Policy detects the platform it was compiled for, so it won't try to deploy x64 applications to x86 versions of Windows.


Also note that “Make 32-bit X86 application available to Win64 machines” is not shown, as the option does not apply to a 64-bit package.

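The platform detection described above comes from information stored inside the MSI itself. The following PowerShell function is an added example, not code from the original post, that reads the “Template” summary property of a package, which records the architecture it was built for (“Intel” for x86, “x64” for 64-bit, “Intel64” for Itanium). It assumes this is the same property the Software Installation snap-in consults when it refuses to offer an x64 package to x86 clients; the UNC path in the usage line is a placeholder.

```powershell
# Added example (not from the original post): report the target platform of MSI packages
# by reading Windows Installer summary property 7 ("Template") through the COM API.
function Get-MsiPlatform {
    param([Parameter(Mandatory)][string]$Path)

    $installer = New-Object -ComObject WindowsInstaller.Installer
    # OpenDatabase(path, 0): 0 = msiOpenDatabaseModeReadOnly, so the package is never modified
    $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($Path, 0))
    # SummaryInformation(0): open the summary stream read-only
    $summary = $db.GetType().InvokeMember('SummaryInformation', 'GetProperty', $null, $db, @(0))
    # Template is "<platform>;<language ids>", e.g. "Intel;1033" (x86) or "x64;1033" (64-bit)
    $template = [string]$summary.GetType().InvokeMember('Property', 'GetProperty', $null, $summary, @(7))
    $platform = ($template -split ';')[0]

    [pscustomobject]@{
        Package  = Split-Path -Path $Path -Leaf
        Template = $template
        Platform = $platform
        # An x64 package is never offered to x86 clients. An Intel (x86) package is offered to
        # x64 clients unless "Make 32-bit X86 application available to Win64 machines" is un-ticked.
        Is64Bit  = @('x64', 'Intel64') -contains $platform
    }
}

# Usage: check every package in a distribution share (placeholder path, replace with your own)
Get-ChildItem -Path '\\fileserver\packages\*.msi' | ForEach-Object { Get-MsiPlatform -Path $_.FullName }
```

Packages reported with Platform “Intel” are the ones where the Deployment > Advanced option matters; for those reported Is64Bit the snap-in already hides the option, as the post shows.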

Best Practice: How to use Group Policy to black/white list wireless networks in Vista & Windows 7

I have seen a number of posts from IT administrators on the Microsoft Group Policy forums asking how to prevent their users from connecting to a wireless network. Maybe it is because there is an open WiFi network on the floor above that users keep connecting to so they can bypass the proxy server's URL restrictions, or because they don't want their users accessing the internet from well-known WiFi hotspots.

In the tutorial below I am going to show you how to block your laptops from connecting to specific wireless networks, using the example SSID “dlink”. This black list method is useful when you want to prevent users from connecting to networks such as “Free Public WiFi”, which is nothing more than a trap set by hackers to steal people's passwords.

Then I will go through how to block all wireless networks except for one called “private_ab” using the white list method. This is very useful if you only want your users to connect to wireless networks you know are safe to use.

Lastly, I will quickly show you how to totally prevent your wireless adapter from connecting to any network.

The instructions below are specific to Vista and Windows 7, as a whole heap of new Group Policy settings were introduced when Vista was released.


How to Black List/White List Wireless Networks using Group Policy

Note: Steps 1 to 5 are common to setting up both black and white lists. The process then branches, and steps 6 & 7 describe how to set up a black list and then a white list.

Step 1. This is a computer-based setting, so edit a Group Policy Object (GPO) that is targeted at all the laptops in your network.

Step 2. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies


Step 3. Click on “Action” in the menu and then click on “Create A New Wireless Network Policy for Windows Vista and Later Releases”.

Note: You can only create one Windows Vista and later and one Windows XP wireless setting within each GPO.


Step 4. Now give the setting a Policy Name and Description. Ensure that “Use Windows WLAN AutoConfig service for clients” is ticked so that Windows does not allow third-party software to control the wireless network adapter (e.g. the Intel Wireless LAN configuration tool).


Step 5. Now click on the Network Permission tab and click “Add…”


Setting up a Wireless Network Black List using Group Policy

Step 6. Type in the name of the SSID you want to black list (e.g. “dlink”), select the Network Type (e.g. Infrastructure), select “Deny” as the Permission, then click “OK”


Step 7. Click “OK”


Now when the user views the available wireless networks, they will no longer be able to connect to the network that has been configured as Deny (e.g. “dlink”).



Setting up a Wireless Network White List using Group Policy

Step 6. Type in the name of the SSID you want to white list (e.g. “private_ab”), select the Network Type (e.g. Infrastructure), select “Allow” as the Permission, then click “OK”


Step 7. Tick “Prevent connections to ad-hoc networks” and tick “Prevent connections to infrastructure networks” then click “OK”


Now you will ONLY be able to connect to the wireless network called “private_ab” and all other networks will be denied.


Note: Configuring a white list will not configure a wireless profile to connect to the allowed network; it simply allows the user to configure a profile for that particular SSID.


How to disable your wireless network access via Group Policy

Now if you want to totally deny your users from connecting to any wireless network, just skip step 6 of the white list procedure and leave the “Prevent connections to ad-hoc networks” and “Prevent connections to infrastructure networks” options ticked.


Your users will no longer be able to connect to any wireless network, and when they click on a network they will receive the message “Your network administrator has blocked you from connecting to this network”.


Note: Any network profile you have configured in the General tab will be automatically added as an allowed network, so having the two “Prevent connections” options ticked will ensure that the user will not be able to connect to anything but your corporate wireless network.

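The three configurations above (black list, white list, disable all) map onto the local WLAN filters that Windows 7 exposes through “netsh wlan”. The following PowerShell is an added example, not code from the original post: it produces the netsh equivalent of each GPO configuration so you can try it on a single test laptop before rolling out the policy, and it parses “netsh wlan show filters” so you can verify what permissions a machine actually ended up with. It assumes the SSIDs “dlink” and “private_ab” from the post, and the sample netsh output embedded below is constructed for this example in the layout Windows 7 prints.

```powershell
# Added example (not from the original post): local netsh equivalents of the wireless
# permission GPO, plus a parser and checker for "netsh wlan show filters" output.

function Get-WlanFilterCommands {
    # Returns the netsh command lines equivalent to the chosen GPO configuration.
    param(
        [Parameter(Mandatory)][ValidateSet('Blacklist', 'Whitelist', 'DisableAll')][string]$Mode,
        [string[]]$Ssid = @()
    )
    $cmds = @()
    switch ($Mode) {
        'Blacklist' {
            # Black list step 6: an explicit Deny for each named SSID
            foreach ($s in $Ssid) { $cmds += "netsh wlan add filter permission=block ssid=`"$s`" networktype=infrastructure" }
        }
        'Whitelist' {
            # White list step 6: an explicit Allow for each named SSID ...
            foreach ($s in $Ssid) { $cmds += "netsh wlan add filter permission=allow ssid=`"$s`" networktype=infrastructure" }
            # ... and step 7: the two "Prevent connections" options block everything else
            $cmds += 'netsh wlan add filter permission=denyall networktype=infrastructure'
            $cmds += 'netsh wlan add filter permission=denyall networktype=adhoc'
        }
        'DisableAll' {
            # Step 7 only, with no Allow entries, so nothing is connectable
            $cmds += 'netsh wlan add filter permission=denyall networktype=infrastructure'
            $cmds += 'netsh wlan add filter permission=denyall networktype=adhoc'
        }
    }
    $cmds
}

function ConvertFrom-WlanFilterOutput {
    # Parses the text of "netsh wlan show filters" into Allow/Block entries.
    param([Parameter(Mandatory)][string[]]$Lines)
    $section = $null
    foreach ($line in $Lines) {
        if ($line -match '^Allow list') { $section = 'Allow'; continue }
        if ($line -match '^Block list') { $section = 'Block'; continue }
        if ($section -and $line -match 'SSID:\s*"(?<ssid>[^"]*)",\s*Type:\s*(?<type>\w+)') {
            [pscustomobject]@{ Permission = $section; SSID = $Matches.ssid; Type = $Matches.type }
        }
    }
}

function Test-WlanSsidPermission {
    # Decides whether an SSID is connectable given the parsed filters and whether
    # "Prevent connections to infrastructure networks" is in effect.
    param([Parameter(Mandatory)][string]$Ssid, [object[]]$Filters = @(), [switch]$PreventInfrastructure)
    if ($Filters | Where-Object { $_.Permission -eq 'Block' -and $_.SSID -eq $Ssid }) { return 'Denied (explicit Deny)' }
    if ($Filters | Where-Object { $_.Permission -eq 'Allow' -and $_.SSID -eq $Ssid }) { return 'Allowed (explicit Allow)' }
    if ($PreventInfrastructure) { return 'Denied (Prevent connections to infrastructure networks)' }
    'Allowed (not filtered)'
}

# Constructed sample output for this example (assumed Windows 7 layout)
$sample = @'
Allow list on the system (group policy)
---------------------------------------
    SSID: "private_ab", Type: Infrastructure

Block list on the system (group policy)
---------------------------------------
    SSID: "dlink", Type: Infrastructure
'@ -split "`r?`n"

$filters = ConvertFrom-WlanFilterOutput -Lines $sample
# On a real laptop use:  $filters = ConvertFrom-WlanFilterOutput -Lines (netsh wlan show filters)

Get-WlanFilterCommands -Mode Whitelist -Ssid 'private_ab'
foreach ($s in 'private_ab', 'dlink', 'Free Public WiFi') {
    '{0,-18} {1}' -f $s, (Test-WlanSsidPermission -Ssid $s -Filters $filters -PreventInfrastructure)
}
```

Filters pushed by the GPO are listed under “(group policy)” in the netsh output and cannot be removed locally, which is the behaviour you want on a managed laptop; the Get-WlanFilterCommands output is only for a standalone test machine.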

How to use Group Policy to mitigate security issue KB981374

There is currently a security advisory out about a zero-day vulnerability in Internet Explorer 6 & 7 on Windows XP and Vista. While there is no patch for this issue so far, you can mitigate it in a number of ways using Group Policy. Below I have listed two ways to implement the workarounds listed by Microsoft using Group Policy.

Method 1. Modify the Access Control List (ACL) on iepeers.dll

Step 1. Edit a Group Policy Object (GPO) that is targeted at the computer accounts you want to apply this setting to. Then navigate to Computer Configuration > Windows Settings > Security Settings > File System.


Step 2. Click on “Action” in the menu and then “Add File…”


Step 3. Type “%WINDIR%\System32\iepeers.DLL” into the Folder: field then click “OK”


Step 4. Click “Add”, then add the “Everyone” group and click “OK”


Step 5. Tick the Full Control “Deny” tick box. This will then tick all the Deny tick boxes.


Step 6. Click “Yes” to the Deny warning.


Step 7. Click “OK” to the permissions option.


Note: If you want to apply this to x64 versions of Windows as well, repeat steps 2 through 7 but type “%WINDIR%\SYSWOW64\iepeers.DLL” in the Folder: field instead.


You have now denied all permissions on the file that has the issue.


Once you have applied the patch that fixes this vulnerability, be sure to go back into each of the file security settings and remove the “Everyone” deny permission.

Method 2: Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone

 

Step 1. Edit a GPO that is targeted at the user accounts you want to apply the security setting to. Then enable “Allow active scripting” under both User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Security Page > Internet Zone and the Intranet Zone, and set the option to either “Prompt” or “Disable”.


Once you have performed the above configuration changes, be sure to add *.windowsupdate.microsoft.com, *.update.microsoft.com and any other sites you require to run Active Scripting to the Trusted Sites zone list. Instructions on how to do this can be found here: How to use Group Policy to configure Internet Explorer security zone sites
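Both workarounds are the kind of temporary change that is easy to forget about, so it is worth being able to audit a machine for them and to roll the ACL change back once the real patch is in. The following PowerShell is an added example, not code from the original post or from Microsoft: it checks for the Method 1 Deny entry on each copy of iepeers.dll, reports what Method 2 set for Active Scripting in the Internet and Local intranet zones, and removes the Deny entry on request. It assumes the standard Internet Explorer zone registry layout (Zones\1 = Local intranet, Zones\3 = Internet, value 1400 = “Active scripting”, with 0 = Enable, 1 = Prompt, 3 = Disable) and that the user policy writes those values under the HKCU Policies hive; Everyone is matched by its well-known SID so the check is not affected by localised group names.

```powershell
# Added example (not from the original post): audit and roll back the KB981374 workarounds.

function Get-IepeersDenyStatus {
    # Method 1 check: is there a Deny ACE for Everyone (S-1-1-0) on each iepeers.dll copy?
    $full  = [System.Security.AccessControl.FileSystemRights]::FullControl
    $paths = @("$env:WINDIR\System32\iepeers.dll")
    if (Test-Path "$env:WINDIR\SysWOW64") { $paths += "$env:WINDIR\SysWOW64\iepeers.dll" }
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $acl  = Get-Acl -Path $p
        $deny = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'S-1-1-0' }
        [pscustomobject]@{
            File            = $p
            EveryoneDeny    = [bool]$deny
            DenyFullControl = [bool]($deny | Where-Object { ($_.FileSystemRights -band $full) -eq $full })
        }
    }
}

function Remove-IepeersDeny {
    # Rollback after patching: strip the explicit Everyone Deny ACE that Method 1 added.
    param([Parameter(Mandatory)][string]$Path)
    $acl   = Get-Acl -Path $Path
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'S-1-1-0' }
    foreach ($r in $rules) { [void]$acl.RemoveAccessRule($r) }
    Set-Acl -Path $Path -AclObject $acl
}

function Get-ActiveScriptingPolicy {
    # Method 2 check: what the GPO set for "Allow active scripting" in the two zones (assumed layout).
    $base    = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    $meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
    foreach ($zone in @{ 1 = 'Local intranet'; 3 = 'Internet' }.GetEnumerator()) {
        $key   = Join-Path -Path $base -ChildPath $zone.Key
        $value = (Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue).'1400'
        [pscustomobject]@{
            Zone            = $zone.Value
            ActiveScripting = $(if ($null -eq $value) { 'Not configured by policy' } else { $meaning[[int]$value] })
        }
    }
}

# Usage: run as an administrator on a client to see both workarounds' state
Get-IepeersDenyStatus | Format-Table -AutoSize
Get-ActiveScriptingPolicy | Format-Table -AutoSize
# After the patch is installed, and the File System entry has been removed from the GPO:
# Remove-IepeersDeny -Path "$env:WINDIR\System32\iepeers.dll"
```

Removing the File System entry from the GPO does not restore the original permissions on clients, which is why the post tells you to remove the Deny from the setting and why a local rollback step is needed as well; if the GPO still carries the Deny entry, Security Settings will simply re-apply it at the next refresh.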

Disclaimer: I do not guarantee that this information will work. All the above information is to be used at your own risk.

For more details on the security vulnerability and other ways to mitigate this issue, see Microsoft Security Advisory (981374).

Site outage

Looks like this site was down for most of the day… Argh… I have logged a job with DreamHost and now the site seems to be working… hm… Seems to be OK now, but feel free to ping me at @alanburchill if you have any issues accessing the site.