Archive for August 2010

AuTechHeads Coalface Tech Podcast

Last week I was a guest on the Australia IT Pro podcast called the “Coalface Tech Podcast”, where I spoke on the topic of Group Policy. I was joined by regular team members, including Matt Marlor, Steve Molkentin, Simone Bennett and Nicholas Rayner, and we talked about pretty much all things Group Policy, including preferences and AGPM, and I even went into some of my Group Policy best practices.

You can listen to the podcast right now from AuTechHeads Coalface Tech Podcast, or use this link with any good podcast reader: RSS to CoalFace Tech Podcast

Kudos to anyone who can tell me how many times I plug my web site…

Best Practice: How to use Group Policy to control Services

Services are programs that are configured to run in the background of a Windows computer whether or not a user is logged on. They are an essential part of Windows and are essential to the operation of any Windows computer. Without services a computer could not perform automatic updates, run scheduled tasks or even connect to a file share. Therefore the ability to control Windows services is a vital task for IT administrators.

Quite often disabling services on a computer is the best way to reduce the attack surface of a computer or to improve performance by turning off unused components of the OS. Conversely, it is also very important to have the ability to turn on services to enable certain functionality or to ensure that certain services are not turned off.

Below I will go through the two ways you can control services in Windows by using Group Policy. Each way has its own advantages and disadvantages, but together you can pretty much control any system service the way you want.


Group Policy Setting of the Week 38 – Remove pinned programs from the Taskbar

The setting of the week this week disables one of the features in Windows 7 that allows users to pin programs to the taskbar. This option will be handy if you are in an environment where you want to prevent users from customising the taskbar, such as a kiosk or library style computer. The setting can be found under User Configuration > Policies > Administrative Templates > Start Menu and Taskbar and only applies to Windows 7.

Note: If you do apply this setting to your existing users all the existing pinned taskbar programs will be removed on the next logon.

image

Below are some screenshots of the UI with the setting enabled.

“Pin to Taskbar” is removed

image

“Pin this program to taskbar” is removed

image

All existing pinned programs will be removed.

image

Group Policy Setting of the Week 37 – Change Start Menu power button

This week's setting of the week is called “Change Start Menu power button”, which allows you to configure the Start Menu shutdown button in Windows 7 and Windows Server 2008 R2. You can find this setting under User Configuration > Policies > Administrative Templates > Start Menu and Taskbar.

If you have set up your computer to support Hybrid-Sleep then you should consider configuring this option to help ensure that your users select the “sleep” option.

image

Before

image

After

image

Note: If you select the “Sleep” or “Hibernate” option and the computer does not support that power mode, then the option of shutdown will be used instead.

Update: How to workaround KB2286198/MS10-046 .lnk Icon security issues with Group Policy

Update: Microsoft have now released the patch for the .lnk vulnerability, MS10-046: Vulnerability in Windows Shell could allow remote code execution. If you have previously deployed the workaround using this article then it is now time to reverse the change you made by simply jumping to the section “Removing the KB2286198 Workaround via Group Policy” and following the instructions. Needless to say this is a particularly bad security issue and you should be deploying this patch to all the computers in your environment ASAP. You have been warned!!!

There is currently a Microsoft Security Advisory, KB2286198, out that affects all copies of Windows. It concerns a security issue with displaying icons on shortcuts via non-local drives (e.g. Removable, Network and WebDAV folders). The security advisory lists a workaround for the issue that effectively disables displaying the icons of all shortcuts. While this is not exactly the prettiest workaround (see image below), it does prevent you from being vulnerable to the security exploit.

image

There is a Microsoft Fix It for the issue if you just want to apply this workaround to a handful of computers, but below I will show how you can apply the same workaround to all your domain computers using Group Policy.

KB2286198 Workaround via Group Policy Instructions

First we are going to create a policy that we can use at a later stage to restore the icon handler. The value that we are

Step 1. Edit a Group Policy Object that applies to all the computers you want to apply the workaround to

Step 2. Navigate to Computer Configuration > Preferences > Windows Settings > Registry and in the menu click on Action > New > Registry Item

Step 4. Change the Hive to “HKEY_CLASSES_ROOT” then type “lnkfile\shellex\IconHandler” in the Key Path then tick Default and type “{00021401-0000-0000-C000-000000000046}” in the “Value Data” field and then click OK

image

We now want to disable this entry, as we are going to use it to restore the Icon Handler once the patch for this issue is out.

Step 5. Click on the IconHandler item in the right hand column and then click “Disable this item” (Red Circle) in the toolbar.

image

Now we create the entry that disables the Icon Handler…

Step 6. Right click on the IconHandler registry item you just created and click “Copy”

image

Step 7. Right click somewhere in the blank area of the right column and click “Paste”

image

Step 8. Click Yes

image

Step 9. Click on the second IconHandler registry item and click “Enable this item” (Green Circle) in the toolbar.

image

Step 10. Double click on the second IconHandler registry item and clear the “Value Data” field then click OK.

image

Step 11. Now select and copy both IconHandler 1 & 2 and paste them again into a blank area (see steps 6, 7 & 8).

Step 12. Double click on IconHandler 3 & 4 and change the “lnkfile” in the Key Path to “piffile” (should now look like below image).

image

Now we are going to disable the WebClient Service that is the second part of this workaround…

Step 13. In the same GPO navigate to Computer Configuration > Preferences > Control Panel Settings > Services and in the menu Action > New > Service

Step 14. Change the Startup value to “Disabled” and type “WebClient” in the Service Name text field then change the Service Action to “Stop Service” and click OK.

image

Done…

The workaround will now push out to all your workstations and become effective on the next reboot (see image below).

image


Removing the KB2286198 Workaround via Group Policy

Step 1. In the GPO you set this up in, navigate back to Computer Configuration > Preferences > Windows Settings > Registry and delete the enabled registry entries (probably the second and fourth), then click on the remaining two registry entries and click on “Enable this item” in the toolbar (see image below).

image

Step 2. In the same GPO navigate to Computer Configuration > Preferences > Control Panel Settings > Services and double click on the WebClient service item and change the Startup to “Manual” and the Service Action to “No change” then click OK.

image
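To confirm on a computer which state the GPO has actually left it in, the registry values and service setting from the steps above can be read back. This is an added example, not part of the original article or of Microsoft's advisory; it assumes Windows PowerShell 3.0 or later, and the function names and verdict labels are hypothetical.

```powershell
# Added example: audit whether the KB2286198 workaround is in effect locally.
# Function names and verdict labels are hypothetical, chosen for illustration.
$IconHandlerClsid = '{00021401-0000-0000-C000-000000000046}'   # value from Step 4

function Get-IconHandlerState {
    param([Parameter(Mandatory)][ValidateSet('lnkfile', 'piffile')][string]$ProgId)
    $path = "Registry::HKEY_CLASSES_ROOT\$ProgId\shellex\IconHandler"
    if (-not (Test-Path -LiteralPath $path)) { return 'KeyMissing' }
    # GetValue('') reads the key's (Default) value, the one the GPO item sets.
    $value = (Get-Item -LiteralPath $path).GetValue('')
    if ([string]::IsNullOrEmpty($value)) { return 'Disabled' }   # cleared (Step 10)
    if ($value -eq $IconHandlerClsid)    { return 'Restored' }   # original (Step 4)
    return "Unexpected: $value"
}

function Get-LnkWorkaroundState {
    $lnk = Get-IconHandlerState -ProgId lnkfile
    $pif = Get-IconHandlerState -ProgId piffile

    # The WebClient service may not be present on every Windows installation.
    $svc       = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'"
    $startMode = if ($svc) { $svc.StartMode } else { 'NotInstalled' }
    $svcState  = if ($svc) { $svc.State }     else { 'NotInstalled' }

    $iconsOff = ($lnk -eq 'Disabled') -and ($pif -eq 'Disabled')
    $iconsOn  = ($lnk -eq 'Restored') -and ($pif -eq 'Restored')
    $svcOff   = ($startMode -in 'Disabled', 'NotInstalled') -and ($svcState -ne 'Running')

    $verdict = 'Mixed'
    if ($iconsOff -and $svcOff) { $verdict = 'WorkaroundApplied' }
    elseif ($iconsOn -and ($startMode -ne 'Disabled')) { $verdict = 'WorkaroundRemoved' }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        LnkIconHandler     = $lnk
        PifIconHandler     = $pif
        WebClientStartMode = $startMode
        WebClientState     = $svcState
        Verdict            = $verdict
    }
}

Get-LnkWorkaroundState
```

A verdict of Mixed means the registry items and the service setting do not agree, so check which preference item has not applied.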

Hopefully this will keep you secure until Microsoft release a patch for this security issue. As always, implement these fixes at your own risk; I make no guarantees that these workarounds will necessarily work in your environment.
