Group Policy Central

The guys at the Ask the Directory Services Team blog have just published the list of latest Directory Services related hotfixes ( see http://blogs.technet.com/b/askds/archive/2010/10/18/new-directory-services-content-10-10-10-16.aspx ). For your convenience I have put in a direct link and a short description for the two Group Policy related hotfixes.

KB2379592 – "Object reference not set to an instance of an object" error message when you view the GPO backup settings in the Group Policy Management Console.

Description

Resolves an “Object reference not set to an instance of an object.” when you select the “View Settings” of a GPO that has an advanced audit policy setting configured that you have also backed up.

KB970840 – Some settings in Group Policy Preferences for Internet Explorer do not deploy correctly to computers that are running Windows Server 2008, Windows Vista, Windows 7 or Windows Server 2008 R2

Description

Resolves the following IE8 preference settings from not working:

• Check boxes under Accessibility
  • "Reset text size to medium while zooming"
  • "Reset Zoom level to 100% for new windows and tabs"
• Check boxes under Security
  • "Allow active content to run in files"
  • "Allow software to run or install even…"
• Check boxes under International
  • "Send IDN Server Names"
  • "Send UTF -8 URL"
  • "Show information bar for encoded address"

It also resolves a freeze/crash in the Group Policy Object Editor when you are editing an Internet Explorer Group Policy Preferences setting.

A new hotfix (KB2171141) is out from Microsoft that resolves an issues with the IE8 search provider when applying the “Prevent Internet Explore Search box from displaying” is enabled (see image below).

This policy will remove remove the search box from Internet Explorer (see image below).

But then when a user logs on to the computer for the first time they are prompted to setup their default IE setting and then they will get this error message (see image below).

It also looks like this hotfix is also probably not going to be in Windows 7 Service Pack 1 as it is not listed in the complete list of hotfixes.

To download the hotfix and to get more info visit Internet Explorer 8 restores the search provider settings when the “Prevent Internet Explorer Search box from displaying” Group Policy setting is enabled

This is another article I have written that address’s the commonly asked question on the Group Policy forum as to how you can use group policy to block or allow users to specific web site URL’s. It goes without saying that the most effective way to implement content filtering for the internet is to maintain list of sites on your proxy server/firewall in your organisation. However you might not have any proxy or firewall that can do this and this method is also not affective when a user is connected to the internet outside the corporate network.

Luckily there is an option in the Internet Explorer Maintenance group policy section that allows you to configured an allow/never list of URL’s for your users. If you are configuring this option I also suggest your also check out one of my other article How to configure AppLocker Group Policy in Windows 7 to block third-party browsers to prevent users from running non-IE browsers to get around this restriction as this is an IE only policy setting.

How to configure Internet Explorer to Allow and Block URL’s

Step 1. Edit a Group Policy Object (GPO) that applies to the users you want to configure URL blocking.

Step 2. Navigate to User Configuration > Policies > Windows Settings > Internet Explorer Maintenance > Security and then click on the “Security Zones and Content Ratings”

Step 3. Select “Import the current Content Ratings settings” and then click on the “Modify Settings” button

Step 4. Click on the “Approved Sites” tab

Step 5a (Black List). Type the name of the URL that you want to block in the “Allow this website” text field and then click “Never” then “OK”

Step 5b (White List). However if you are trying to maintain a white list of URL’s then type the name of the site you want to allow it the “Allow this website” text field and then click “Always” then “OK”

Note: You will probably want to add the internal domain name of your companies AD to the Allow list of as well to ensure users can access the intranet web sites. Also note that while wildcards are supported in the URL’s, but adding just the URL “*” does not work. While this would be very handy to configure a white list I will show you how to get around this restriction in further steps below.

Now we have to create a supervisor password that will be used for making any subsequent changes to the Allow/Never URL list. This password can also be used by the user (if they know it) to work around these URL restrictions. However as this password is applied by policy it will be the same password for all users so think about chancing the password often.

Step 6. Type the same password in both the “Password” and “Confirm Password” fields and type at hint in the “hint” field. You could also type something like “To get this password please contact the help desk on 5555-5555”.

By default when you enable the content advisor it will automatically block any web site that does not have a rating configured.  Therefore you will want to turn this blanket restriction off in step 8 if you all you are trying to do is block specific URL’s in a black list configuration.

Step 8 (Black List). Tick “User can see websites that have no rating” then click “OK”

Note: For white list configuration leave the “User can see websites that have no rating” un-ticked so that all web sites will be blocked.

Step 9. Click OK

Done.

If you configured a black list then a user will be allowed to go to all web sites except the URL that you specifically blocked. When the user does hit a web site that is blocked they will be presented with dialogue box explaining why they are not able to visit the web site and an option to visit the site only if they know the supervisor password.

If they click Cancel nothing will happen and if they press OK they will get presented with this dialogue box.

Below is another example message that is presented when visiting a site without a rating and you have configured the policy not load sites that do not have a rating which you will see if you have configured this as a white list.

If you are using a white list configured and a users will still be able to visiting as site so long as it is ICRA3 rated and it does not report as having content that falls into any of the rating categories. Therefore this method is not 100% affective for a white list strategy but you do find your users visiting a site that is not specifically allowed then you can simply added it as a blocked URL.

Related Resources:

If you have played with this setting and are looking for a way to remove this setting from the group policy then see my posting How to remove imported Internet Explorer Group Policy Settings

You will also find that the computer you have made these URL restrictions on will now have the supervisor password set (I assume its something about how IEM GPMC interacts with the local computer) so to Remove IE Supervisor Password just delete the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Policies\Ratings key and it will reset the Content Advisor settings back to defaults.

I know a lot of people have asked for this third an final instalment on how to use Group Policy to manage home page settings and so I have finally been able to find some time to finish this series of posts.

Just to recap in Part 1 I showed you how to configure home page setting using the administrative templates native policy and in Part 2 I showed you how to do this using Group Policy Preferences.

In this post I will show you how to configured Internet Explorer home page settings using the Internet Explore Maintenance (IEM) group policy setting option. The IEM policy setting has been in Group Policy since the very beginning and is now a depracated setting as you can tell by the now various other methods of configuration home pages as outlined in Part 1 and Part 2. So if you are configuring this as a new setting definitely look at using the native Administrative Template or Group Policy Preferences first.

However the one advantage of using IEM is “Preferences Mode”…… Huh… I hear you… Well this is the OTHER Group Policy Preference (see below) and this option only applies to Internet Explorer Maintenance settings. The advantage of the Preferences Mode settings is that once the home page is configured the user will be able to change the home page to their own “Preference”.

(Now this might seem alright, however you need to wait till the end to find out why this is really cool…)

To configured the home page edit a Group Policy Object (GPO) that is targeted to the users you want to configured. Then navigate to User Configuration > Policies > Windows Settings > Internet Explorer Maintenance > URLs and double click on “Important URL”.

Now simply tick “Customize Home page URL” and type the URL you want configured as the home page in the “Home page URL:” text box.

Now the users home page will be configured to the URL you configured above.

Now this is the SUPER COOL thing about setting… If you have enabled Preferences Mode and you configured the “Disabled changing Secondary Home Pages setting” that I talked about in Part 1 your users will be able to make a change the Primary Home but you can still force the URL of any of the secondary home page tabs (see image below where the users has change the Primary home page to Yahoo but the Google Secondary page remains). AWESOME!

Note: If you already have a setting configured in IEM then you will first need to “Reset Browser Settings” before you can enabled “Preferences Mode” which you can do by following these instructions How to remove imported Internet Explorer Group Policy Settings

For more information on Preference Mode see http://support.microsoft.com/kb/274846

For more information on Internet Explorer Maintenance setting see  http://technet.microsoft.com/en-us/library/cc728150(WS.10).aspx

There is currently a Cross Site Scripting issue with SharePoint 3.0 and 2007 which could allow someone to maliciously run an arbitrary script that could allow elevation of privilege in the SharePoint site. There is currently no hotfix out for this issues  however you can mitigate this issue by enabling the XSS Filter in Internet Explorer 8. Unfortunately this is not turned on by default for the Intranet Zone which is how the majority of SharePoint sites are accessed. So if you are an IT administrator and you want to protect against this issue before Microsoft releases a hotfix then below are the instruction showing how to enable this via Group Policy.

Step 1. Edit the Group Policy object that applies to all the user accounts you want to migrate this issue.

Note: If you want complete coverage of all users in your organisation then make this change the the default domain policy or another policy link to the top of the domain.

Step 2. Navigate to User Configuration > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone and enabled the “Turn on Cross-Site Scripting (XSS) Filter” then ensure you set the drop down menu to “Enabled” then press OK.

To confirm the setting is applied you should now see that the “Enable XSS filter” option is configured to “Enabled” and it is greyed out as the setting has now been configured by group policy.

Unfortunately this setting cannot be enabled via Group Policy Preferences as you can see if does not have the XSS filter option.

To keep up to date with this issue and for more information on this issues see http://blogs.technet.com/msrc/archive/2010/04/29/security-advisory-983438-released.aspx and http://www.microsoft.com/technet/security/advisory/983438.mspx