Group Policy Central

Microsoft has just released a report (see AppLocker Deployment at Microsoft)  describing the process they used to implementation of AppLocker via Group Policy. This was done to so that Microsoft would maintaining compliance with the U.S. Digital Millennium Copyright Act (DMCA) by preventing all their computers from running P2P software.

The report shows that after they fully rolled out the AppLocker policy setting the number of P2P cases dropped to nearly 0%. It was also interesting that the report noted that there was not a single support call regarding AppLocker for all 200,000 computers when the settings were rolled out.

Not a single support call for an AppLocker-related problem has occurred.

This document focus’s more on the process for testing and deployment of AppLocker in a large environment rather than the exact technical steps. I assume what made this a lot easier for Microsoft is that the most popular BitTorrent clients uTorrent is a digitally signed program. This makes it a lot easier for AppLocker to identify the application as it only need to look at the digital signature to determine if the program should be blocked. Meaning that they do not have to constantly update the Group Policy setting with a new hash value whenever a new version of the client is released.

Personally I certainly think BitTorrent software has a legitimate and legal place. For example check out The Tunnel Movie which was a full length movie that was released freely using BitTorrent. Rather ironically Windows has its P2P service built-in called Background Intelligent Transfer Service (BITS) which is used for distributing software updates to computers efficiently over WAN and LAN links.

However this is still good case study at the process you need to take to rollout AppLocker to prevent users from running particular programs that say may not be a secure version. e.g. Adobe Reader v9 see http://blog.stealthpuppy.com/virtualisation/dont-virtualize-adobe-reader-x/).

If you are interested for instructions for using AppLocker then check out my other blog post Best Practice: How to configure AppLocker Group Policy in Windows 7 to block third-party browsers

Here is another one of my TechEd 2010 Australia sessions…

Description: Managing Desktop Security is more than just installing scanning software, it’s about managing the applications, the data and ensuring the environment is monitored. In this session we look at AppLocker for to help you decide which ones to allow and which ones to squelch. Then at securing data both on the machine and in transit using Bitlocker and Bitlocker To Go. Finally capping it off with Forefront Endpoint Protection to let us know when all is not what it seems…

http://www.msteched.com/2010/Australia/CLI306

Source http://www.msteched.com/2010/NewZealand/CLI314

Ned Pyle from the Active Directory Service team has just done a super post to the Ask the Directory Services Team called Post-Graduate AD Studies. This is a collection of links to pretty much every AD/Group Policy related TechNet article known to man. Definitely a post that you will want to bookmark to use as a reference whenever you have any AD or Group Policy related problems or questions.

Below is a list of all the Group Policy related articles that are listed in the post:

• Group Policy
• AppLocker
• Core Group Policy Technical Reference
• Designing a Group Policy Infrastructure
• Group Policy Components
• Group Policy Management Console
• Group Policy Object Editor

Check out the whole article at: Post-Graduate AD Studies – Ask the Directory Services Team – Site Home – TechNet Blogs.

P.S. Can anyone pick where I got the inspiration for the title?

Jeremy Moskowitz (fellow Group Policy MVP) has just appeared in an interview with Matt Hester on Bytes by TechNet web site.

They covered how IT Professionals start with Windows 7 and Windows Server 2008 R2, why they need to know about Group Policy and what is new with Group Policy in Windows 7. Jeremy also highlighted some tips for his IT Pro peers related to some components of Group Policy including the Central Store.

Check out the video below:

This video should work with Silverlight or HTML5 video supported browsers.