Archive for the ‘Security’ Category.

Best Practice: Group Policy for Microsoft Security Essentials 2.0

Microsoft have now released Microsoft Security Essentials 2.0 to the web, and it has a number of new features over the previous version:

  • Windows Firewall integration – During setup, Microsoft Security Essentials will now ask if you would like to turn the Windows Firewall on or off.
  • Enhanced protection for web-based threats – Microsoft Security Essentials now integrates with Internet Explorer to provide protection against web-based threats.
  • New protection engine – The updated anti-malware engine offers enhanced detection and cleanup capabilities with better performance.
  • Network inspection system* – Protection against network-based exploits is now built in to Microsoft Security Essentials.

Therefore I have updated my previous post, Group Policy for Microsoft Security Essentials, to cover configuring the newly added features.

If you want more general info about MSE v2 see: Security Garden: Microsoft Security Essentials 2.0 Released

If you want to download it visit http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e1605e70-9649-4a87-8532-33d813687a7f

Before I begin I should remind you that Microsoft only allows MSE to be used for free in small businesses with fewer than 10 seats (see here). MSE does not natively support Group Policy, and having to configure even 10 copies of Microsoft Security Essentials (MSE) manually can be a pain. So the instructions below are simply a way to configure the application's registry keys using the Group Policy Preferences Registry item.

Tip: If the instructions below for creating the registry keys seem like too much work, you will be glad to know that I have put a link at the bottom to an XML Group Policy Preferences Registry file. You can use this file to import all the Registry settings I talk about below automatically.

How to use Group Policy Preferences Registry key setting.

Before we begin we first need to know how to create a Group Policy Preferences Registry item, which we will use to control each of the registry keys needed to configure MSE. The following steps will need to be repeated for each registry key below.

Step 1. Edit a Group Policy Object that is applied to the computers you want this setting applied to.

Step 2. Navigate to Computer Configuration > Preferences > Windows Settings > Registry

Group Policy Management Editor

Step 3. In the Menu click on Action > New > Registry Item

New Registry Properties

Now that you know how to configure a registry key using Group Policy Preferences, you can create a new Registry Item for each registry key listed below.


Best Practice: Group Policy for Microsoft Security Essentials

Microsoft have just announced they will allow small businesses with fewer than 10 seats to use Microsoft Security Essentials for free. But even having to configure 10 copies of Microsoft Security Essentials (MSE) by hand can be a pain, so below is a quick tutorial on how you can Group Policy enable Microsoft Security Essentials.

Update: Microsoft have now updated their Microsoft Security Essentials web site to say small businesses can now “officially” use MSE.

Microsoft Security Essentials Download

Before we begin I want to be clear that MSE does NOT natively support Group Policy; this is simply a way to configure the application's registry keys using the Group Policy Preferences Registry item.

Note: If the instructions below for creating the registry keys seem like too much work, you will be glad to know that I have put a link at the bottom to an XML Group Policy Preferences Registry file. You can use this file to import all the Registry settings I talk about below automatically.


How to use Group Policy Preferences Registry key setting.

Before we begin we first need to know how to create a Group Policy Preferences Registry item, which we will use to control each of the registry keys needed to configure MSE. The following steps will need to be repeated for each registry key below.

Step 1. Edit a Group Policy Object that is applied to the computers you want this setting applied to.

Step 2. Navigate to Computer Configuration > Preferences > Windows Settings > Registry

Group Policy Management Editor

Step 3. In the Menu click on Action > New > Registry Item

New Registry Properties

Now that you know how to configure a registry key using Group Policy Preferences, you can create a new Registry Item for each registry key listed below.

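Both MSE posts above end with the same manual loop: one New Registry Item per key. The following script is an added example (not the XML file the posts link to, and not Microsoft's code) that writes the same Registry.xml the Group Policy Management Editor produces, one Registry Item per entry, so the whole set can be pasted into the Registry node in one go. The clsid values are the ones the editor itself writes for Registry preference items; the two entries in $items are assumed placeholders, not real MSE settings, so substitute the keys from the post.

```powershell
# Added example, not the post's own XML file: generate a Group Policy Preferences
# Registry.xml with one Registry Item per entry, the same result as clicking
# Action > New > Registry Item for each key. Open the file, copy its contents and
# paste into the Registry node in the Group Policy Management Editor (GPP accepts
# XML on the clipboard), which also bumps the GPO version so clients pick it up.
# Writing the file straight into SYSVOL does not bump the version.
#
# The entries in $items are ASSUMED placeholders; replace them with the MSE keys.

param([string] $OutFile = (Join-Path (Get-Location) 'Registry.xml'))

# One hashtable per Registry Item, mirroring the fields of the New Registry Properties dialog.
$items = @(
    @{ Hive = 'HKEY_LOCAL_MACHINE'; Key = 'SOFTWARE\Microsoft\Microsoft Antimalware\Example'; Name = 'ExampleDword';  Type = 'REG_DWORD'; Value = 1 },
    @{ Hive = 'HKEY_LOCAL_MACHINE'; Key = 'SOFTWARE\Microsoft\Microsoft Antimalware\Example'; Name = 'ExampleString'; Type = 'REG_SZ';    Value = 'C:\Example' }
)

function ConvertTo-GppValue {
    param([string] $Type, $Value)
    switch ($Type) {
        'REG_DWORD' { '{0:X8}' -f ([uint32] $Value) }                        # GPP stores DWORDs as 8 hex digits
        'REG_SZ'    { [System.Security.SecurityElement]::Escape([string] $Value) }
        default     { throw "Type $Type is not handled by this example" }
    }
}

$now = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
$sb  = New-Object System.Text.StringBuilder
[void] $sb.AppendLine('<?xml version="1.0" encoding="utf-8"?>')
# clsid values are the ones GPMC itself writes for Registry preference items (see MS-GPPREF)
[void] $sb.AppendLine('<RegistrySettings clsid="{A3CCFC41-DFDB-43a5-8D26-0FE8B954DA51}">')
foreach ($i in $items) {
    $uid = [guid]::NewGuid().ToString('B').ToUpper()
    $key = [System.Security.SecurityElement]::Escape($i.Key)
    $val = ConvertTo-GppValue -Type $i.Type -Value $i.Value
    # action="U" is Update (create if missing, otherwise set); image="7" is the icon GPMC shows for Update
    [void] $sb.AppendLine(('  <Registry clsid="{{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}}" name="{0}" status="{0}" image="7" changed="{1}" uid="{2}">' -f $i.Name, $now, $uid))
    [void] $sb.AppendLine(('    <Properties action="U" displayDecimal="1" default="0" hive="{0}" key="{1}" name="{2}" type="{3}" value="{4}"/>' -f $i.Hive, $key, $i.Name, $i.Type, $val))
    [void] $sb.AppendLine('  </Registry>')
}
[void] $sb.AppendLine('</RegistrySettings>')
Set-Content -Path $OutFile -Value $sb.ToString() -Encoding UTF8
"Wrote $($items.Count) Registry Item(s) to $OutFile"
```

Two things worth keeping in mind when generating preference XML this way: the file ends up in SYSVOL, which every authenticated user can read, so it is fine for configuration values but never for credentials; and a Registry Item only sets the value, it does not stop a local administrator changing it back, so treat it as configuration management rather than enforcement.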

Update: How to workaround KB2286198/MS10-046 .lnk Icon security issues with Group Policy

Update: Microsoft have now released the patch for the .lnk vulnerability, MS10-046: Vulnerability in Windows Shell could allow remote code execution. If you previously deployed the workaround using this article, it is now time to reverse the change by jumping to the “Removing the KB2286198 Workaround via Group Policy” section below and following the instructions. Needless to say this is a particularly bad security issue and you should be deploying this patch to all the computers in your environment ASAP. You have been warned!!!

There is currently a Microsoft Security Advisory, KB2286198, affecting all supported versions of Windows, about a security issue with displaying icons for shortcuts on non-local drives (e.g. removable, network and WebDAV folders). The advisory lists a workaround that effectively disables the display of all shortcut icons. While this is not exactly the prettiest workaround, it does stop you being vulnerable to the exploit.


There is a Microsoft Fix It for the issue if you just want to apply this workaround to a handful of computers, but below I will show how you can apply the same workaround to all your domain computers using Group Policy.

KB2286198 Workaround via Group Policy Instructions

First we are going to create a policy that we can use at a later stage to restore the icon handler. The value that we are

Step 1. Edit a Group Policy Object that applies to all the computers you want to apply the workaround

Step 2. Navigate to Computer Configuration > Preferences > Windows Settings > Registry

Step 3. In the menu click on Action > New > Registry Item

Step 4. Change the Hive to “HKEY_CLASSES_ROOT”, type “lnkfile\shellex\IconHandler” in the Key Path, tick Default, type “{00021401-0000-0000-C000-000000000046}” in the “Value Data” field and then click OK

We now disable this item, as we are only going to use it to restore the Icon Handler once the patch for this issue is out.

Step 5. Click on the IconHandler item in the right hand column and then click  “Disable this item” (Red Circle) in the toolbar.

Now we create the entry that disables the Icon Handler…

Step 6. Right click on the IconHandler registry item you just created and click “Copy”

Step 7. Right click somewhere in the blank area of the right column and click “Paste”

Step 8. Click Yes

Step 9. Click on the second IconHandler registry item and click “Enable this item” (Green Circle) in the toolbar.

Step 10. Double click on the second IconHandler registry item and clear the “Value Data” field then click Ok.

Step 11. Now select and copy both IconHandler 1 & 2 and paste them again into a blank area (see step 6,7 & 8).

Step 12. Double click on IconHandler 3 & 4 and change the “lnkfile” in the Key Path to “piffile” (should now look like below image).

Now we are going to disable the WebClient Service that is the second part of this workaround…

Step 13. In the same GPO navigate to Computer Configuration > Preferences > Control Panel Settings > Services and in the menu click on Action > New > Service

Step 14. Change the Startup value to “Disabled” and type “WebClient” in the Service Name text field then change the Service Action to “Stop Service” and click OK.

Done…

The workaround will now push out to all your workstations and become effective after the next reboot.

Removing the KB2286198 Workaround via Group Policy

Step 1. In the GPO you set this up in, navigate back to Computer Configuration > Preferences > Windows Settings > Registry and delete the two enabled registry items (probably the second and fourth, the ones with blank Value Data), then select the remaining two registry items and click Enable this item in the toolbar.

Step 2. In the same GPO navigate to Computer Configuration > Preferences > Control Panel Settings > Services and double click on the WebClient service item and change the Startup to “Manual” and the Service Action to “No change” then click OK.
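To check that the preference items above (and their removal) actually landed on a given machine, here is an added example, not part of the original post, that audits, applies and reverts the same workaround locally: it reads the default value of the lnkfile and piffile IconHandler keys, compares it with the shell link handler CLSID the post restores, and inspects the WebClient service. The function names are my own.

```powershell
# Added example, not part of the original post: audit, apply and revert the
# KB2286198 workaround on a single machine, the same registry values and
# WebClient service change the preference items above push out domain-wide.
# Run from an elevated PowerShell 2.0 or later prompt. Explorer reads the icon
# handler at start-up, so the change shows after a reboot (or an Explorer restart).

$ShellLinkHandler = '{00021401-0000-0000-C000-000000000046}'   # value the disabled (restore) GPP items hold
$HandlerKeys = 'lnkfile', 'piffile' | ForEach-Object { "Registry::HKEY_CLASSES_ROOT\$_\shellex\IconHandler" }

function Get-LnkWorkaroundState {
    $handlers = foreach ($k in $HandlerKeys) {
        New-Object PSObject -Property @{
            Key     = $k
            Default = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).'(default)'
        }
    }
    $svc = Get-WmiObject Win32_Service -Filter "Name='WebClient'"
    New-Object PSObject -Property @{
        IconHandlersCleared = @($handlers | Where-Object { $_.Default -eq $ShellLinkHandler }).Count -eq 0
        WebClientStopped    = ($svc -eq $null) -or ($svc.State -ne 'Running')
        WebClientDisabled   = ($svc -eq $null) -or ($svc.StartMode -eq 'Disabled')
        Handlers            = $handlers
    }
}

function Set-LnkWorkaround {
    param([switch] $Revert)
    foreach ($k in $HandlerKeys) {
        if (-not (Test-Path $k)) { continue }
        # Blank Value Data in the GPP item writes an empty default value; revert writes the CLSID back
        Set-ItemProperty -Path $k -Name '(default)' -Value $(if ($Revert) { $ShellLinkHandler } else { '' })
    }
    if ($Revert) {
        Set-Service -Name WebClient -StartupType Manual       # the default on client Windows
    } else {
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service  -Name WebClient -StartupType Disabled
    }
}

# Usage:  Set-LnkWorkaround; Get-LnkWorkaroundState
#         Set-LnkWorkaround -Revert    # once MS10-046 is installed everywhere
Get-LnkWorkaroundState | Format-List
```

Running Get-LnkWorkaroundState before and after a gpupdate on a pilot machine tells you whether the two enabled items and the service item applied, and running it again after the removal steps confirms the CLSID came back, which is worth checking because a machine left with blank icon handlers after the patch is a helpdesk call rather than a security problem.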

Hopefully this will keep you secure until Microsoft release a patch for this security issue. As always, implement these fixes at your own risk; I make no guarantees that these workarounds will necessarily work in your environment.

How to mitigate Windows Help Security Issue KB2219475 with Group Policy

A Google engineer recently irresponsibly disclosed to the public, after warning Microsoft only 5 days earlier, a vulnerability that allows a malicious third party to take advantage of a security issue in the Help and Support Center in Windows XP/2003. As a result this has left many users (and organisations) open to attack using this exploit. Thankfully Microsoft have quickly responded and published a security advisory (http://www.microsoft.com/technet/security/advisory/2219475.mspx) about this issue with workaround instructions while they work on a security fix.

Update: This security vulnerability is now being actively used by hackers.

For your benefit I have written instructions below showing how you can mitigate this security issue using Group Policy Preferences. As this workaround involves deleting a registry key (and its sub-keys), I have also included instructions on how to back up and restore this key after you have deployed the fix for this issue in your organisation.

How to back up the affected registry key

In these steps you will create a registry key backup file for later use, to restore the functionality of the Help and Support Center after you deploy the related hotfix. Normally you could back up the registry using the Registry Wizard in Group Policy Preferences; however, this is a Windows XP specific key and you cannot import a HKEY_CLASSES_ROOT key remotely via the Group Policy Management Console, so we need to export (a.k.a. back up) the registry key via the traditional Regedit method.

Step 1. Go to a Windows XP computer that you want to use for a template to backup the registry.

Step 2. Run Regedit, navigate to the HKEY_CLASSES_ROOT\HCP key, then click on File and then Export

Step 3. Save the registry key as a file (for example HCP_Backup.reg)

Note: Keep this file safe as you will need it to restore the HCP key once you have deployed the hotfix.

How to delete the HCP registry key

These instructions will show you how to delete the HKEY_CLASSES_ROOT\HCP key, which is the suggested workaround for this security issue.

Step 1. Create a new Group Policy Object that is targeted at the computer objects you want to apply this workaround to.

Step 2. Navigate to Computer Configuration > Preferences > Windows Settings > Registry and then from the menu click on Action > New > Registry Item

Step 3. Select Delete from the Action drop-down menu, then HKEY_CLASSES_ROOT from the Hive: menu, and type HCP in the Key Path:

Step 4 (Optional): Then click on the Common Tab and tick Apply once and do not reapply.

Note: Doing this will allow you to restore the functionality for selected users if required by simply running the previously

The HCP functionality will now be broken when you click on any hcp:// link. While this is not an often-used feature of Windows XP, I have seen some organisations that use such a link to go straight to the “Offer Remote Assistance” feature.

How to restore the HCP registry key

Once Microsoft releases a security hotfix for this issue you may want to restore the registry key we deleted above. Unfortunately (as I mentioned before) we are not able to easily import the registry key using the “Registry Wizard” option of Group Policy Preferences, as you can only import HKEY_CLASSES_ROOT keys locally on a PC. Therefore we will need to use a startup script (OH NO!!!) to import the original HCP keys.

Step 1. Edit the same GPO in which you previously deleted the HCP key.

Step 2. Navigate to Computer Configuration > Windows Settings > Scripts (Startup/Shutdown) and double click on Startup in the right hand pane.

Step 3. Click on Show files…

Step 4. Paste a copy of the HCP_Backup.reg file we created in the backup steps, then close the folder.

Step 5. Back on the Startup Properties window, click on the Add… button.

Step 6. Type regedit.exe in the Script Name: field and /s HCP_Backup.reg in the Script Parameters: field then click OK

This will now import the backup registry key the next time the computer reboots.

Step 7 (CLEAN UP). Finally, navigate to Computer Configuration > Preferences > Windows Settings > Registry in the Group Policy Management Editor and either disable or delete the HCP Delete registry item previously created. If you skipped the “Apply once” option in the delete steps, this is not optional: an enabled Delete item would remove the key again at the next Group Policy refresh and undo the startup script's import.
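The three procedures above (export, delete, import) can also be done, or checked, from PowerShell on an affected machine. The script below is an added example, not part of the original post or Microsoft's advisory, and its function names are mine. It works on HKLM\SOFTWARE\Classes\HCP, the machine hive that HKEY_CLASSES_ROOT\HCP is a view of, which is also why a computer startup script (rather than a user logon script) is the right place for the restore.

```powershell
# Added example, not part of the original post: back up, delete and restore the
# HKCR\HCP key named in advisory 2219475 from PowerShell on the affected machine
# (Windows XP/2003 with PowerShell 2.0, run as an administrator). HKCR\HCP is a
# view of HKLM\SOFTWARE\Classes\HCP, so the machine-wide path is used throughout;
# the restore is the same reg.exe import a startup script can run.

$HcpKey    = 'HKLM\SOFTWARE\Classes\HCP'
$BackupReg = Join-Path $env:SystemDrive 'HCP_Backup.reg'   # assumed location; keep a copy off the machine

function Test-HcpKey { Test-Path "Registry::$HcpKey" }

function Backup-HcpKey {
    if (-not (Test-HcpKey)) { throw "$HcpKey is not present, nothing to back up" }
    if (Test-Path $BackupReg) { Remove-Item $BackupReg }   # older reg.exe builds lack the /y overwrite switch
    & reg.exe export $HcpKey $BackupReg | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed with exit code $LASTEXITCODE" }
    Get-Item $BackupReg
}

function Remove-HcpKey {
    # Refuse to delete without a backup to restore from
    if (-not (Test-Path $BackupReg)) { throw "Run Backup-HcpKey first: $BackupReg not found" }
    Remove-Item -Path "Registry::$HcpKey" -Recurse -Force
    -not (Test-HcpKey)
}

function Restore-HcpKey {
    # reg.exe import returns an exit code, unlike regedit /s which is always silent
    & reg.exe import $BackupReg | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe import failed with exit code $LASTEXITCODE" }
    Test-HcpKey
}

# Usage:  Backup-HcpKey; Remove-HcpKey        # workaround in place
#         Restore-HcpKey                       # after the hotfix is deployed
```

Using reg.exe import instead of regedit /s in the startup script has one practical advantage: it returns a non-zero exit code when the .reg file is missing or malformed, so a failed restore shows up in the script's result instead of passing silently.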

Hope it helps…

How to mitigate the SharePoint XSS security issue with Group Policy – KB983438

There is currently a cross-site scripting issue with Windows SharePoint Services 3.0 and SharePoint Server 2007 which could allow someone to run an arbitrary script that could lead to elevation of privilege on the SharePoint site. There is currently no hotfix out for this issue; however, you can mitigate it by enabling the XSS Filter in Internet Explorer 8. Unfortunately this is not turned on by default for the Intranet zone, which is how the majority of SharePoint sites are accessed. So if you are an IT administrator and you want to protect against this issue before Microsoft releases a hotfix, below are the instructions showing how to enable it via Group Policy.

Step 1. Edit the Group Policy Object that applies to all the user accounts for which you want to mitigate this issue.

Note: If you want complete coverage of all users in your organisation, make this change in the Default Domain Policy or another policy linked at the top of the domain.

Step 2. Navigate to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone and enable the “Turn on Cross-Site Scripting (XSS) Filter” policy, then ensure the drop-down menu is set to “Enabled” and press OK.

To confirm the setting is applied you should now see that the “Enable XSS filter” option in the Intranet zone's custom security settings is set to “Enable” and greyed out, as the setting is now configured by Group Policy.

Unfortunately this setting cannot be set via the Group Policy Preferences Internet Settings item, which, as you can see, does not have the XSS filter option.
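The policy above writes a single registry value, so it can also be set with the GroupPolicy module and verified on a client without clicking through Internet Options. This is an added example, not part of the original post: the GPO name is a hypothetical placeholder, the zone and action numbers are the documented Internet Explorer zone registry entries (zone 1 is Local intranet, action 1409 is the Cross-Site Scripting Filter, 0 means enabled, 3 means disabled), and the function names are mine.

```powershell
# Added example, not part of the original post: set the same Intranet zone XSS
# filter policy with the GroupPolicy module (Windows Server 2008 R2 / Windows 7
# RSAT) and, on a client, check that the policy value arrived. The GPO name
# 'Intranet IE Hardening' is a hypothetical placeholder.

$GpoName  = 'Intranet IE Hardening'
# Zone 1 = Local intranet; action 1409 = Cross-Site Scripting Filter; 0 = enabled, 3 = disabled
$ZoneKey  = 'HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
$UserKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
$XssValue = '1409'

function Set-IntranetXssFilterPolicy {
    Import-Module GroupPolicy
    # Same registry value the "Turn on Cross-Site Scripting (XSS) Filter" template writes under User Configuration
    Set-GPRegistryValue -Name $GpoName -Key $ZoneKey -ValueName $XssValue -Type DWord -Value 0 | Out-Null
    Get-GPRegistryValue -Name $GpoName -Key $ZoneKey -ValueName $XssValue
}

function Test-IntranetXssFilter {
    # Run in the user's session after gpupdate /force; a policy value overrides the per-user setting
    $policy = (Get-ItemProperty -Path "Registry::$ZoneKey" -Name $XssValue -ErrorAction SilentlyContinue).$XssValue
    $user   = (Get-ItemProperty -Path $UserKey -Name $XssValue -ErrorAction SilentlyContinue).$XssValue
    $state  = if ($policy -ne $null) { if ($policy -eq 0) { 'Enabled by policy' } else { 'Disabled by policy' } }
              elseif ($user -eq 0)   { 'Enabled by user' }
              else                   { 'Disabled or not configured' }
    New-Object PSObject -Property @{ PolicyValue = $policy; UserValue = $user; Effective = $state }
}

# Usage:  Set-IntranetXssFilterPolicy     # on the admin workstation
#         Test-IntranetXssFilter          # on a client, as the user
```

One caveat a practitioner should keep in front of mind: the XSS Filter is a browser-side heuristic that only covers Internet Explorer 8 users and only the reflected patterns it recognises, so it narrows exposure to this SharePoint issue rather than fixing it. Plan to deploy the hotfix when Microsoft releases it, and leave the filter enabled afterwards.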

To keep up to date with this issue and for more information on this issues see http://blogs.technet.com/msrc/archive/2010/04/29/security-advisory-983438-released.aspx and http://www.microsoft.com/technet/security/advisory/983438.mspx