Group Policy Center

Virtualization is currently a buzz word and it seems that Microsoft is falling over itself to brand as many products as possible with the “V” word (e.g. Hyper-V, App-V & Med-V). So “User State Virtualization” is the term that Microsoft now uses to describe what used to be call Roaming Profiles and/or Folder Redirection.

The idea is simple… a user can logon to any computer in an organisations and have all their personal files and setting apply to that computer as it was the last time they used a computer. This is really a Win/Win for Users and IT Pros as for a user this is a big time saver as they no longer need to waste time setting up their drives, printers and other personal settings when they have to use another computers. IT Pro’s also benefit when there is an un-expected failure or loss of a computer then they don’t have to go through what could be a lengthily, costly and if not impossible, process of recovering the users data.

Now theoretically User State Virtualization can be totally done with just a Roaming Profile, however this quickly becomes impractical as users often store a LOT of data which can make users profile impossibly large. To get around this Microsoft users folder redirection to essentially redirect parts of a users profile to a file share on a server where it is centrally access whenever they logon to a computer.

Reference: Managing Roaming User Data Deployment Guide

Folder Redirection provides a way for administrators to divide user data from profile data. This division of user data decreases user logon times, and Windows downloads less data. Windows redirects the local folder to a central location, giving the user immediate access to their data when they save it, regardless of the computer they are using. This immediate access removes the need to update the user profile.

By redirecting these folders to a server they are only access when needed and therefore very large files do not slow down the profile update process. The obvious disadvantage of doing this is that when a user cannot access the redirected folders (e.g. disconnected laptop users) they lose access to these files. However this restriction is also mitigated by ensuring that the user has a cached copy of these redirected folders.

Below I am going to go through a number of tips and tricks to make sure you get the most out of a User State Virtualization setup in your environment and to ensure that you don’t fall into some configuration traps.

Continue reading ‘Best Practice: Roaming Profiles and Folder Redirection (a.k.a. User State Virtualization)’ »

Services are programs that are configured to run in the background of a Windows computer weather or not there is a users that is logged on. They are essential part of windows and are essential to the operation of any windows computers. Without services computer could not perform automatic updates, run scheduled tasks or even connect to a file share. Therefore the ability to control Windows Services is a vita task for IT administrators.

Quite often disabling services on a computer is the best way to reduce the security surface of a computer or to improve performance by turning off un-used components of the OS. Inversely it is also very important to have the ability to turn on services to enable certain functionality or to ensure that certain services are not turned off.

Below I will go through the two ways you can control services in windows by using Group Policy each ways has its own advantages and/disadvantages but together you can pretty much control any system service the way you want.

Continue reading ‘How to use Group Policy to control Services’ »

Update: Microsoft have now released the patch to the .lnk vulnerability MS10-046: Vulnerability in Windows Shell could allow remote code execution . If you have previously deployed the workaround using this article then it is now time to reverse the change you made by simple jumping to Removing the KB2286198 Workaround via Group Policy section and following the instructions. Needless to say this is a particular bad security issue and that you should be deploying this patch to all the computers in your environment ASAP. You have been Warned!!!

There is currently a Microsoft Security Advisory KB2286198 out that affects all copies of Windows about a security issues with displaying icons on shortcuts via non-local drives (e.g. Removable, Network and WebDav folders). The security advisory lists the workaround to the issues that effectively disables displaying all shortcuts. While this is not exactly a prettiest workaround (see image below) it does prevent you from being vulnerable to the security exploit.

There is a Microsoft Fix It for the issues if you just want to apply this workaround to a handful of computers but below I will show how you can apply the same workaround to all your domain computers using Group Policy.

KB2286198 Workaround via Group Policy Instructions

First we are going to create a policy that we can use at a later stage to restore the icon handler. The value that we are

Step 1. Edit a Group Policy Object that applies to all the computers you want to apply the workaround

Step 2. Navigate to Computer Configuration > Preferences > Windows Settings > Registry and in the menu click on Action > New > Registry Item

Step 4. Change the Hive to “HKEY_CLASSES_ROOT” then type “lnkfile\shellex\IconHandler” in the Key Path then tick Default and type “{00021401-0000-0000-C000-000000000046}” in the “Value Data” field and then click OK

We now want to disable this entry as we are going to use to to restore the Icon Handler once you the patch for this issue is out.

Step 5. Click on the IconHandler item in the right hand column and then click  “Disable this item” (Red Circle) in the toolbar.

Now we create the entry that disables the Icon Handler…

Step 6. Right click on the IconHandler registry item you just created and click “Copy”

Step 7. Right click somewhere in the blank in the right column and click “Paste”

Step 8. Click Yes

Step 9. Click on the second IconHandler registry item and click “Enable this item” (Green Circle) in the toolbar.

Step 10. Double click on the second IconHandler registry item and clear the “Value Data” field then click Ok.

Step 11. Now select and copy both IconHandler 1 & 2 and paste them again into a blank area (see step 6,7 & 8).

Step 12. Double click on IconHandler 3 & 4 and change the “lnkfile” in the Key Path to “piffile” (should now look like below image).

Now we are going to disable the WebClient Service that is the second part of this workaround…

Step 13. In the same GPO navigate to Computer Configuration > Preferences > Control Panel Settings > Services and in the menu Action > New > Service

Step 14. Change the Startup value to “Disabled” and type “WebClient” in the Service Name text field then change the Service Action to “Stop Service” and click OK.

Done…

The workaround will now push out to all you workstations and become affective on the next reboot (see image below).

Removing the KB2286198 Workaround via Group Policy

Step 1. In the GPO you set this up in navigate back to Computer Configuration > Preferences > Windows Settings > Registry and delete enabled registry entries (probably the second and fourth) and then click on the remaining two registry entries and click on Enable this item in the toolbar (see image below).

Step 2. In the same GPO navigate to Computer Configuration > Preferences > Control Panel Settings > Services and double click on the WebClient service item and change the Startup to “Manual" and the Service Action to “No change” then click OK.

Hopefully this will keep you secure until Microsoft release a patch for this security issue. As always implement these fixes at your own risk and I make no guarantees that these workaround will necessarily work in your environment.

Further References

• http://securitygarden.blogspot.com/2010/07/fix-it-released-for-security-advisory.html
• http://securitygarden.blogspot.com/2010/08/critical-out-of-band-update-released.html
• http://support.microsoft.com/kb/2286198
• http://www.microsoft.com/technet/security/advisory/2286198.mspx
• http://www.microsoft.com/technet/security/bulletin/ms10-046.mspx

In my previous article In this article Best Practice:Active Directory Structure Guidelines – Part 1 I spoke about some of the guidelines I personally use when developing an Active Directory OU structure. In this next part I will discuss some guidelines I use when designing a Group Policy Object infrastructure.

Ideally you should make the the Active Directory OU and GPO design decision together to best ensure that you have the most efficient design possible. However if you have an existing OU structure designed a lot of these guidelines can still be applied to most existing environments.

As in Part 1 these are simply guidelines that I use and should not be taken as hard an fast rules. I quite often finding myself having to break these rules due to real world conflicts or just because one rule might conflict with the other rule. If you do find your self in a situation where you are not sure which path to take try to chose the option that will result in the least administrative effort in the long term.

Continue reading ‘Best Practice: Group Policy Design Guidelines – Part 2’ »

I have been doing Active Directory and Group Policy work for a while now and I have developed my own set of rules that I try to use where ever possible. So below I have written down all my rules in no particular order for you to go over and use for yourself. You may only chose to use only some of these rules or you might want to use them all depending on your circumstance. This is a two part series where I will first talk about designing you Active Directory Organisation Unit structure and then in part 2 (Best Practice: Group Policy Design Guidelines – Part 2) I will discuss some more ideas for applying Group Policy to the OU structure.

I want to be clear that these are only guidelines and not rules that need to be strictly adhered to. In almost all case there are exceptions to these guidelines and you might even find your self implementing them in a hybrid approach. I intend for this web page to be updated on a regular basis as none of these rules are set in stone and thing obviously change all the time.

Continue reading ‘Best Practice: Active Directory Structure Guidelines – Part 1’ »

In this article I am going to talk about how you can use Group Policy to control the firewall that comes out of the box with Windows but first I want to give you a bit of history of the evolution of host based firewall in Windows. Firewalls have long been around for year protecting internal corporate networks from outside attackers (see image below).

With the explosion of mobile workers in the late 90’s more and more people were connecting their laptops directly to the internet without the benefit of protection of a corporate firewall. As a result back in the early 2000’s third-party firewall products such as ZoneAlarm became a very popular way to security against attacks. Microsoft then added a host based firewall with the release of Windows XP/2003 that was unfortunately turned off by default. As a result of having the firewall turned off by default in there were a number of computer worms of which most notably were the Blaster worm and Sasser worm that spread like wildfire to pretty much any Windows computer that had not been specifically secured.

As a result Microsoft decided to make a major change with how Windows XP was configured with the release of Service Pack 2. When users installed service pack 2 they were now prompted to turn on the firewall thus protecting them from malicious communications. The problem with enabling a firewall however is that you generally block all incoming traffic by default which means product such as Skype and/or Windows Messenger could no longer receive incoming call’s or messages. To get around this issues end users would be prompted when an application wanted to open up a incoming port on the network. Corporate IT staff could control this for the users using Group Policy via the Windows Firewall section under Administrative Templates > Network > Network Connections.

This was a good first step however creating a set of firewall rules using the native group policy setting under Windows Firewall was challenging at best as there most setting had to be configured manually.

With the release of Windows Vista/2008 Microsoft totally revamped the Windows Firewall to allow for much easier administration. IT Admins now have much more granular control over how they can manage the firewall rules and they now have the ability to control both inbound and outbound communication as well as being able to selective enable rules depending on what network the computer is connected. They also changed where you configured the firewall via group policy to Windows Settings > Security Settings > Windows Firewall with Advanced Security which has enable some cool features such as importing and exporting firewall rules which I will go into later.

Below I will go though an example of a IT administrator wanting to setup a default set of firewall rules for a Windows 7 laptop computers and with a rule to allow Skype when connected at home and on the Internet but not when connected to the domain. Normally in the real world you would have many more inbound exceptions however you should be able to use this as a guide to get you started to build your firewall rule setup specifically for your environment.

Before you begin: If you have already configured firewall setting under the older “Windows Firewall” section these policy rule will also apply and the two rule sets will try to merge with unpredictable results. I recommend that you make sure that no “Windows Firewall” setting are applied to your Vista/2008 or greater computers and that you solely apply the firewall setting to these newer computers via the “Windows Firewall with Advanced Security” group policy security option.

Configuring Windows Firewall Rule

First we will setup a reference computer with the firewall rule the way we want and then explore them so we can import them into a group policy. Configuring the firewall rules on the PC first gives us an opportunity to properly test the rules before deploying them to other computers. If also allows us to export all the rules in one action so that you don’t have to go through the lengthy process of setting up all the rules manually one by one.

In this example this computer is running Windows 7 and already has Skype 4.2 installed.

Step 1. Right click on the network status icon in the system tray and click on "Open Network and Sharing Center”

Step 2. Click on “Windows Firewall” in the lower left hand corner.

Step 3 optional. We are going to have a quick high level overview of the firewall rules by clicking on on “Allow a program or feature through Windows Firewall” in the left hand pane.

As you can see Skype has been setup to work in the Domain, Private and Public profiles. In this example we are going to configure this so that it will only work in the Home/Work and Public profiles so that users cannot use Skype when they are connected to the corporate domain via the LAN.

Note: that the options here are locked out as you have not yet elevated your credentials.

Step 4 optional. Click Cancel

Step 5. Click on “Advanced Settings” on the left hand pane.

Step 6. Click on “Inbound Rules” and then double click on the “Skype” firewall rule entry on the right hand column.

Note: The currently configured Profile is set to “All”

Now we will configure the Skype rule to be disable using the domain profile however you can also use this properties dialogue box to configured other granular setting. I recommend that you go though all these tabs and become familiar with all the setting you can control using this dialogue box.

Step 7. Click on the “Advanced” tab

Step 8. Un-tick the “Domain” check box and then click “OK”

Note: The Profile is now configured to “Private, Public”

If you go back into the “Allow programs to communicate thought Windows Firewall” option you will now see that the Domain options for Skype has been un-ticked.

Now you need to test your firewall rule set to make sure that it behaves as you expect. Assuming everything is OK then you export your firewall rules so you can import them into a Group Policy. You may also want to save export the rule set before you begin to make sure you have something to role back to in case you totally stuff up the rule set and break your network.

Exporting Windows Firewall Rules

Step 1. In the Windows Firewall with Advance Security section click on “Action” in the menu and then “Export Policy”

Step 2. Select a location to save your firewall rules and then type the name of the file you want to save them as  (e.g. default_rules.wfw) then click “Save”.

Note: If you have had to elevate as another user to modify the firewall rules then you will be saving the file in the administrator accounts profile.

Step 3. Click “OK”

Importing Windows Firewall Rules into a Group Policy

Now that you have exported the firewall rules we will now import the exported file into a group policy so that you can apply the same rule set to all the workstations on your network.

Step 1. Edit a Group Policy Object (GPO) that targets the computer that you want apply these firewall rules applied.

Step 2. Open Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security and click on “Windows Firewall with Advanced Security”

Step 3. In the menu click on “Action” and then “Import Policy…”

Step 4. Click “Yes”

Note: This is ok if you have not done this before however if this is the second time you have done this you might want to create a new GPO and import the rules into that one so as to not to blow away your existing policy rules.

Step 5. Select the firewall rule export file that created before and click “Open”

Wait…

Step 6. Click “OK”

Done.

You can now review the rules that have been imported into the GPO.

Note: You can see how the Skype rule is configured as Private, Public as we configured before on the local computer. If you want to change the again you can simple double click on the rule and customise the rule how you want from within here.

You can also selectively disable rules and cut, copy & paste rules between separate GPO’s. This is how you would merge rules if you imported the rule set from into a new GPO back in step 4.

How to copy, delete or disable a rule…
 

How to paste a rule into an existing policy…

You should now be notified that in all the firewall dialogue boxes (see images below) on the workstation that the firewall policy is now being controlled via group policy.

Note the new column that states weather this is configured by Group Policy. Each rule is list twice as one represent the firewall rule controlled via Group Policy that cannot be configured and the other represent the local rule which can still be enabled by the local administrator.

How to exclusively apply Group Policy Firewall rules

If you don’t want the local administrator to be able to apply additional firewall rules to the network then you can also configured it so that the Group Policy rules are exclusively applied to the local firewall.

Step 1.  Again open the same GPO that you have the firewall rules applied and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security and right click on “Windows Firewall with Advanced Security” and click “Properties”

Step 2. Click on the “Customize..” button in the Setting section

Step 3. Change the “Apply local firewall rules:” option to “No” and click OK

Now if you go back to the “Allowed Programs” under “Windows Firewall” you will notice that the Domain column is now totally greyed out and no rules can be applied to the domain profile even if you are a local admin.

Hopefully you this will have given enough to start controlling your windows firewall using group policy.

If you are feeling really adventurous you can also do the same thing to your servers to keep them secure as they are a lot more static with the firewall rule requirements which makes them even easier to manage. For example you could export the firewall rules of your SQL server and then import them into a GPO that is applied to all your other SQL Servers. This way when ever you move a computer object into the SQL Server OU the firewall rules are automatically setup and enforced… Nice..

During Kevin Sullivan Group Policy session at TechEd 2010 in the USA this year he mentioned an example of a being able to configure group policy to allow users to select whatever screensaver they want except the one called “(None)” (see image below). While this method does not prevent the users from select the (None) from the screensaver options list it will set it back to a screensaver of your choice when the user selects (None) option.

The logic to implement this policy is to test if the SCRNSAVE.EXE registry key exists and if it doesn’t then create the key with the screensaver that you want to enable.

Note: You can also use this tutorial as a guide for applying  other group policy preferences settings based on weather a registry key exists or not. A good example you might want to do this for is to test to see if a specific application registry key exists before you apply an application specific registry setting. This helps you keep a cleaner configured SOE by not un-necessarily applying configuration settings.

How to use Group Policy to allow the users to chose any screensaver except (None)

Step 1. Edit a Group Policy Object (GPO) that is targeted to the users accounts you wan to apply this policy

Step 2. Navigate to User Configuration > Preferences > Windows Settings > Registry then from the menu click on Action > New > Registry Item

Step 3. Select “Update” from the Action then type “Control Panel\Desktop” in the Key Path: text field then type “SCRNSAVE.EXE”  in the Value Name text field and “C:\Windows\System32\scrnsave.scr” in the Value data: text field.

Step 4. Click on the Common tab and then tick “Item-level targeting” and then click the “Targeting…” button.

Now we will target the screen saver to apply only when the “HKCU\Control Panel\Desktop\SCRNSAVE.EXE” registry key does NOT exist as this means the screen saver has been configured to “(None)”.

Step 5. Click on “New Item” then the “Registry Match” option.

Step 6. Select the “Value exists” Match type” then type “Control Panel\Desktop” in the key path field and then type “SCRNSAVE.EXE” in the value name field

Step 7. Click back on the targeting setting in the top pane and press “F8” which changes the option to “does not exist” then click OK and OK.

This policy will now apply the blank screen saver on the next group policy refresh to all targeted users whenever they select the “(None)”.

Below is a table that shows the screensaver set to “(None)” (before column) and then the after a policy refresh the screensaver is configured as “Blank” (After column). Then the users has selected the “Photos” (Custom column) screensaver and the policy is refreshed again however this time there is no change as the screensaver is configured with a value so it is not set back to “Blank”.

Before	After	Custom