Posts tagged ‘Security’

Book Review: Least Privilege Security for Windows 7, Vista and XP

I was recently approached to do a book review on “Least Privilege Security for Windows 7, Vista and XP” by Russell Smith, published by Packt Publishing. This book is a comprehensive guide to configuring your Windows environment so that your users can operate without administrator permissions. While most administrators realise that giving end users administrator access is really poor practice and can lead to many security issues, it is quite often a permission that some users require to do their job for whatever reason.

It's good to see that this book is quite comprehensive in the number of technology areas it covers, as I firmly believe that you really need to take a multi-pronged approach when it comes to security. Here is a list of just some of the technologies that this book talks about to achieve Least Privilege Security:

  • Program Compatibility Wizard
  • Applications Compatibility Wizard
  • User Account Control
  • Group Policy Software Deployment
  • Internet Explorer Add-on Management
  • Troubleshooting Remote Users
  • Configuring Windows Firewall
  • Software Restrictions Policies and AppLocker
  • Microsoft Deployment Toolkit
  • CD Burning
  • ActiveX Controls
  • Changing system time and time zones
  • Power Management
  • Managing networks
  • Standard Users Analyzer
  • Applications Compatibility Toolkit
  • Logon Scripts
  • Remote Desktop Services
  • App-V
  • Med-V

In quite a lot of chapters Russell gives detailed step-by-step instructions explaining how to use the above technologies. But what I really like is that he also takes the time to talk about how to approach the cultural and political challenges of implementing this security model, as this is normally the hardest part of achieving a secure environment.

Configuring security is something that organisations rarely spend much time thinking about, and even more rarely do anything about. Having this book in your library will at least give you the knowledge required to start configuring your Windows systems to be more secure. I would definitely recommend this book as a reference to anyone in an organisation who is responsible for designing and/or making changes to their Windows environment.

As a special offer, Packt Publishing are also letting people download a preview chapter of this book here: Chapter No. 3 – Solving Least Privilege Problems with the Application Compatibility Toolkit

Packt Publishing have also announced a discount for purchases of two or more books, so you could use this offer to get a discount when you buy another book from their catalogue (see new-discounts-launched-purchases-multiple-books for details).

You can purchase the paper and/or PDF (for convenient iPad reading) version of this book right now from: Least Privilege Security for Windows 7, Vista and XP by Russell Smith

Best Practice: How to manage Windows Firewall settings using Group Policy

In this article I am going to talk about how you can use Group Policy to control the firewall that comes out of the box with Windows, but first I want to give you a bit of history of the evolution of the host-based firewall in Windows. Firewalls have been around for years protecting internal corporate networks from outside attackers (see image below).

Firewall

With the explosion of mobile workers in the late 90s, more and more people were connecting their laptops directly to the Internet without the protection of a corporate firewall. As a result, back in the early 2000s third-party firewall products such as ZoneAlarm became a very popular way to secure computers against attacks. Microsoft then added a host-based firewall with the release of Windows XP/2003 that was unfortunately turned off by default. As a result of the firewall being off by default, there were a number of computer worms, most notably the Blaster worm and the Sasser worm, that spread like wildfire to pretty much any Windows computer that had not been specifically secured.

As a result, Microsoft decided to make a major change to how Windows XP was configured with the release of Service Pack 2. When users installed Service Pack 2 they were now prompted to turn on the firewall, thus protecting them from malicious communications. The problem with enabling a firewall, however, is that you generally block all incoming traffic by default, which means products such as Skype and/or Windows Messenger could no longer receive incoming calls or messages. To get around this issue, end users would be prompted whenever an application wanted to open an incoming port on the network. Corporate IT staff could control this for the users using Group Policy via the Windows Firewall section under Administrative Templates > Network > Network Connections.

This was a good first step; however, creating a set of firewall rules using the native Group Policy settings under Windows Firewall was challenging at best, as most settings had to be configured manually.

With the release of Windows Vista/2008, Microsoft totally revamped the Windows Firewall to allow for much easier administration. IT admins now have much more granular control over how they manage the firewall rules: they can control both inbound and outbound communication, and they can selectively enable rules depending on which network the computer is connected to. Microsoft also moved where you configure the firewall via Group Policy, to Windows Settings > Security Settings > Windows Firewall with Advanced Security, which has enabled some cool features such as importing and exporting firewall rules, which I will go into later.

Below I will go through an example of an IT administrator wanting to set up a default set of firewall rules for Windows 7 laptop computers, with a rule to allow Skype when connected at home and on the Internet but not when connected to the domain. Normally in the real world you would have many more inbound exceptions; however, you should be able to use this as a guide to get you started building a firewall rule set specifically for your environment.

Before you begin: If you have already configured firewall settings under the older “Windows Firewall” section, those policy rules will also apply, and the two rule sets will try to merge with unpredictable results. I recommend that you make sure that no “Windows Firewall” settings are applied to your Vista/2008 or later computers, and that you solely apply the firewall settings to these newer computers via the “Windows Firewall with Advanced Security” Group Policy security option.

Configuring Windows Firewall Rules

First we will set up a reference computer with the firewall rules the way we want them, and then export them so we can import them into a Group Policy. Configuring the firewall rules on the PC first gives us an opportunity to properly test the rules before deploying them to other computers. It also allows us to export all the rules in one action, so that you don't have to go through the lengthy process of setting up all the rules manually one by one.

In this example the computer is running Windows 7 and already has Skype 4.2 installed.

Step 1. Right click on the network status icon in the system tray and click on “Open Network and Sharing Center”.

Step 2. Click on “Windows Firewall” in the lower left hand corner.

Step 3 (optional). We are going to have a quick high-level overview of the firewall rules by clicking on “Allow a program or feature through Windows Firewall” in the left hand pane.

As you can see, Skype has been set up to work in the Domain, Private and Public profiles. In this example we are going to configure it so that it will only work in the Home/Work and Public profiles, so that users cannot use Skype when they are connected to the corporate domain via the LAN.

Note: the options here are locked out because you have not yet elevated your credentials.

Step 4 (optional). Click Cancel.

Step 5. Click on “Advanced Settings” in the left hand pane.

Step 6. Click on “Inbound Rules” and then double click on the “Skype” firewall rule entry in the right hand column.

Note: The currently configured Profile is set to “All”.

Now we will configure the Skype rule to be disabled in the domain profile; however, you can also use this properties dialogue box to configure other granular settings. I recommend that you go through all these tabs and become familiar with all the settings you can control using this dialogue box.

Step 7. Click on the “Advanced” tab.

Step 8. Un-tick the “Domain” check box and then click “OK”.

Note: The Profile is now configured to “Private, Public”.

If you go back into the “Allow programs to communicate through Windows Firewall” option you will now see that the Domain option for Skype has been un-ticked.

Now you need to test your firewall rule set to make sure that it behaves as you expect. Assuming everything is OK, you then export your firewall rules so you can import them into a Group Policy. You may also want to export the rule set before you begin, so that you have something to roll back to in case you totally stuff up the rule set and break your network.

Exporting Windows Firewall Rules

Step 1. In the Windows Firewall with Advanced Security console, click on “Action” in the menu and then “Export Policy”.

Step 2. Select a location to save your firewall rules and then type the name of the file you want to save them as (e.g. default_rules.wfw), then click “Save”.

Note: If you have had to elevate as another user to modify the firewall rules, then you will be saving the file in that administrator account's profile.

Step 3. Click “OK”.

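The same change and export that the two procedures above make in the GUI, scripted with netsh advfirewall so it can be repeated on a reference machine. This is an added example, not code from the original post; it assumes the inbound rule is displayed as “Skype” (as in the post) and that C:\FirewallBackups is a writable folder, both constructed for the example.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# prompt on Windows 7 or later. Assumptions (constructed): the inbound rule's
# display name is "Skype" and C:\FirewallBackups is writable.

$RuleName  = 'Skype'
$BackupDir = 'C:\FirewallBackups'
$Stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Export the current policy first so there is something to roll back to.
$Before = Join-Path $BackupDir "before_$Stamp.wfw"
netsh advfirewall export "$Before" | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Export of current policy failed' }

# 2. Restrict the inbound Skype rule to the Private and Public profiles only
#    (equivalent to un-ticking "Domain" on the rule's Advanced tab).
netsh advfirewall firewall set rule "name=$RuleName" dir=in new profile=private,public | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not update rule '$RuleName'" }

# 3. Verify: the rule's "Profiles:" line must no longer mention Domain.
$Profiles = (netsh advfirewall firewall show rule "name=$RuleName" dir=in) |
    Where-Object { $_ -match '^\s*Profiles:' }
if (-not $Profiles) { throw "Rule '$RuleName' not found after update" }
if ($Profiles -match 'Domain') { throw "Rule '$RuleName' still applies to the Domain profile" }
Write-Host "Rule '$RuleName' now applies to: $($Profiles -replace '^\s*Profiles:\s*', '')"

# 4. Export the tested rule set; this .wfw file is what gets imported into the GPO.
$Export = Join-Path $BackupDir 'default_rules.wfw'
if (Test-Path $Export) { Remove-Item $Export -Force }
netsh advfirewall export "$Export" | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Export of tested policy failed' }
Write-Host "Rule set exported to $Export (rollback copy: $Before)"
```

To roll back, run netsh advfirewall import against the before_*.wfw file; importing replaces the whole local rule set, which is why the backup is taken before any change.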

Importing Windows Firewall Rules into a Group Policy

Now that you have exported the firewall rules, we will import the exported file into a Group Policy so that you can apply the same rule set to all the workstations on your network.

Step 1. Edit a Group Policy Object (GPO) that targets the computers you want these firewall rules applied to.

Step 2. Open Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security and click on “Windows Firewall with Advanced Security”.

Step 3. In the menu click on “Action” and then “Import Policy…”.

Step 4. Click “Yes”.

Note: This is OK if you have not done this before; however, if this is the second time you have done this you might want to create a new GPO and import the rules into that one, so as not to blow away your existing policy rules.

Step 5. Select the firewall rule export file that you created before and click “Open”.

Wait…

Step 6. Click “OK”.

Done.

You can now review the rules that have been imported into the GPO.

Note: You can see that the Skype rule is configured as Private, Public, as we configured it before on the local computer. If you want to change it again you can simply double click on the rule and customise it however you want from within here.

You can also selectively disable rules and cut, copy and paste rules between separate GPOs. This is how you would merge rules if you imported the rule set into a new GPO back in step 4.

How to copy, delete or disable a rule…

How to paste a rule into an existing policy…

You should now see in all the firewall dialogue boxes (see images below) on the workstation that the firewall policy is now being controlled via Group Policy.

Note the new column that states whether the rule is configured by Group Policy. Each rule is listed twice: one entry represents the firewall rule controlled via Group Policy, which cannot be configured locally, and the other represents the local rule, which can still be enabled by the local administrator.

How to exclusively apply Group Policy Firewall rules

If you don't want the local administrator to be able to apply additional firewall rules, you can also configure it so that the Group Policy rules are exclusively applied to the local firewall.

Step 1. Again open the same GPO that has the firewall rules applied, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security, right click on “Windows Firewall with Advanced Security” and click “Properties”.

Step 2. Click on the “Customize…” button in the Settings section.

Step 3. Change the “Apply local firewall rules:” option to “No” and click OK.

Now if you go back to “Allowed Programs” under “Windows Firewall” you will notice that the Domain column is totally greyed out and no rules can be applied to the domain profile, even if you are a local admin.
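A read-only check, run on a workstation, that confirms the result of the steps above: that firewall rules are arriving from Group Policy, that the Skype rule carries only the Private and Public profiles, and whether locally created rules are still being merged per profile. This is an added example, not code from the original post; it reads the registry keys the policy writes to (HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall), and its parsing of the rule strings by their “|Key=Value|” layout is an assumption rather than a documented API.

```powershell
# Added example (not from the original post). Read-only; runs as a standard user.
# Assumption: GPO rules are stored as "v2.x|Action=Allow|Active=TRUE|Dir=In|
# Profile=Private|Profile=Public|...|Name=Skype|" strings under FirewallRules.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

function Get-GpoFirewallRule {
    # Returns one object per Group Policy delivered rule.
    $key = Join-Path $PolicyRoot 'FirewallRules'
    if (-not (Test-Path $key)) { return @() }
    $item = Get-Item $key
    foreach ($valueName in $item.GetValueNames()) {
        $fields = @{}; $profiles = @()
        foreach ($pair in ($item.GetValue($valueName) -split '\|')) {
            if ($pair -notmatch '^([^=]+)=(.*)$') { continue }
            if ($Matches[1] -eq 'Profile') { $profiles += $Matches[2] }
            else { $fields[$Matches[1]] = $Matches[2] }
        }
        if (-not $profiles) { $profiles = @('All') }   # no Profile= field means all profiles
        New-Object PSObject -Property @{
            Name = $fields['Name']; Direction = $fields['Dir']; Action = $fields['Action']
            Active = $fields['Active']; Profiles = ($profiles -join ',')
        }
    }
}

function Get-LocalRuleMergeState {
    # "Apply local firewall rules: No" in the GPO writes AllowLocalPolicyMerge=0 per profile.
    foreach ($profile in 'DomainProfile', 'PrivateProfile', 'PublicProfile') {
        $key = Join-Path $PolicyRoot $profile
        $value = $null
        if (Test-Path $key) { $value = (Get-ItemProperty $key).AllowLocalPolicyMerge }
        # $null (value absent) must not be treated as 0, so compare explicitly.
        $state = if ($value -eq 0) { 'GPO rules only' }
                 elseif ($value -eq 1) { 'Local rules merged' }
                 else { 'Not set by policy (local rules merged)' }
        New-Object PSObject -Property @{ Profile = $profile; LocalRules = $state }
    }
}

Get-LocalRuleMergeState | Format-Table Profile, LocalRules -AutoSize
$rules = @(Get-GpoFirewallRule)
if (-not $rules) { Write-Warning 'No firewall rules are being delivered by Group Policy' }
$rules | Where-Object { $_.Direction -eq 'In' } | Sort-Object Name |
    Format-Table Name, Action, Active, Profiles -AutoSize
# After the steps above, the Skype row should read Profiles = Private,Public (no Domain)
# and DomainProfile should read "GPO rules only".
```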

Hopefully this will have given you enough to start controlling your Windows Firewall using Group Policy.

If you are feeling really adventurous you can also do the same thing to your servers to keep them secure; as they are a lot more static in their firewall rule requirements, they are even easier to manage. For example, you could export the firewall rules of your SQL Server and then import them into a GPO that is applied to all your other SQL Servers. This way, whenever you move a computer object into the SQL Server OU, the firewall rules are automatically set up and enforced… Nice.

Group Policy Setting of the Week 35 – Display information about previous logons during user logon

This week's setting is one that has just been mentioned in the AD blog's Friday mail sack, and until today was a setting/feature of Windows Vista/7 that I didn't know existed. This setting displays information about previous logons during a user logon and is very similar to the last logon screen I see when logging onto an online banking web site. The setting can be found under Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Logon Options and must be applied to workstations AND domain controllers for it to work. The only downside of this setting is that your domain needs to be in 2008 native mode for it to work, so this might exclude some organisations for now.

WARNING: Be sure that you apply this setting to your domain controllers first, otherwise users will not be able to log on.

Below is the message a user will see after logging on successfully when the previous logon was also successful.

In this example we see the message when someone logs on successfully where the 5 previous logon attempts had failed. Obviously this logon count number (see highlighted below) would raise a really big red flag for a user, especially if you are sure that you were not the one who logged on incorrectly.

For more information check out:

http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx

http://technet.microsoft.com/en-us/library/dd446680(WS.10).aspx

Microsoft Security Essentials definitions now available on WSUS

Microsoft have now started to release definition updates for Microsoft Security Essentials (MSE) via WSUS. This allows any corporation running WSUS to centrally deploy definition updates from a single server. While most corporations probably will not have MSE deployed in their environment, it might still be worthwhile enabling this to ensure any fringe cases of computers on the domain are still being secured. The Microsoft blog specifically calls out this being done for educational institutes that have low-cost PCs connected to their network.

I know this is not strictly Group Policy, but WSUS does rely upon Group Policy heavily, and therefore I find many Group Policy admins are also the WSUS admins for their organisations.

Heads up… I also hope to do a detailed blog post about how to use Group Policy to configure WSUS in the future.

See the full blog about it on the WSUS Product Team Blog at http://blogs.technet.com/wsus/archive/2010/03/31/microsoft-security-essentials-anti-malware-definitions-now-available-via-wsus.aspx

How to use Group Policy to make Windows 7 90% more secure

BeyondTrust has just come out with a white paper entitled “90% of Critical Microsoft Windows 7 Vulnerabilities are Mitigated by Eliminating Admin Rights”. This paper has some very interesting statistics on the percentages of security issues that are mitigated if a user is not running as administrator:

• 90% of Critical Windows 7 vulnerabilities reported to date
• 100% of Microsoft Office vulnerabilities reported in 2009
• 94% of Internet Explorer and 100% of IE 8 vulnerabilities reported in 2009
• 64% of all Microsoft vulnerabilities reported in 2009

Obviously Microsoft has pushed very hard not to have users run with administrator access, with the introduction of User Account Control (UAC) in Windows Vista. This forced all users, even administrators, to run in normal privilege mode unless elevation was required, and only then granted them administrator access via a prompt.

So if your environment is ready for your users to have admin access removed, and you want an easy way to lock down the local Administrators groups on all your computers, you can achieve this using Group Policy in one of two ways.

Method 1. Restricted Groups

The first and most common method is called “Restricted Groups”, which can be found under Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups. This policy has a mode called “Members” that can be used to tightly control who is a member of any local group on a computer (e.g. “Administrators” and “Power Users”); however, this is not very granular. The “Member of” option of Restricted Groups will add an additional member to the local group, but it will not remove any unauthorised members. So while both modes are very powerful, they certainly have their limitations. One advantage of this option, however, is that it is a native setting and therefore will work out of the box with Windows 2000, XP and Vista.


Method 2. Group Policy Preferences

You can use Group Policy Preferences to secure local Administrators groups in a way that still removes any unauthorised users but retains the flexibility to granularly grant permission for a single user to a single local group on a particular computer. While this does not get around the problem of having to grant a user administrator access to their own workstation, it does prevent them from being an administrator of other workstations on the LAN. This greatly mitigates the possibility of one user quickly infecting the entire network, as they will NOT have admin access to all the other computers around them. For more instructions on how to use Group Policy Preferences to secure the local admin group you can read my previous blog post here: http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

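Whichever of the two methods you use, the check worth running afterwards is whether the local Administrators group on each workstation actually contains only the accounts you intended. The audit below is an added example, not code from the original post or the linked one; it uses the WinNT ADSI provider (available on Windows XP/Vista/7), and the computer names and approved-member list are constructed placeholders.

```powershell
# Added example (not from the original post). Read-only audit of local
# Administrators membership; flags anything not on the approved list.
# Constructed sample values: replace with your own computers and approved accounts.
$Computers = 'WKS001', 'WKS002'
$Approved  = 'Administrator', 'CORP\Domain Admins', 'CORP\Workstation Admins'

function Get-LocalAdminMember {
    param([string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # ADsPath looks like WinNT://CORP/Domain Admins (domain account)
        # or WinNT://CORP/WKS001/Administrator (local account).
        $path  = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        $name  = $parts[-1]
        $scope = if ($parts.Count -ge 2) { $parts[-2] } else { $ComputerName }
        # Report local accounts by bare name and domain accounts as DOMAIN\Name.
        if ($scope -ieq $ComputerName) { $name } else { "$scope\$name" }
    }
}

function Test-LocalAdminMember {
    param([string]$ComputerName, [string[]]$ApprovedMembers)
    foreach ($member in Get-LocalAdminMember -ComputerName $ComputerName) {
        New-Object PSObject -Property @{
            Computer = $ComputerName
            Member   = $member
            Approved = [bool]($ApprovedMembers -contains $member)  # case-insensitive
        }
    }
}

$results = foreach ($c in $Computers) {
    try   { Test-LocalAdminMember -ComputerName $c -ApprovedMembers $Approved }
    catch { Write-Warning "$c : $($_.Exception.Message)" }   # offline or access denied
}
$results | Sort-Object Computer, Member | Format-Table Computer, Member, Approved -AutoSize
$unexpected = @($results | Where-Object { -not $_.Approved })
if ($unexpected) { Write-Warning "$($unexpected.Count) unapproved local admin membership(s) found" }
```

Run it from an account that is itself an administrator on the target workstations; remote WinNT queries also need the Remote Administration firewall exception open on them.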

Of course, removing administrator access is certainly a big step in the right direction, but whenever considering security make sure you take a “Defence In-depth” approach. To do this you should start by making sure you also regularly install security updates, have current anti-virus software installed, and consider enabling host-based firewalls even when connected to the corporate LAN.

 

You can download the BeyondTrust whitepaper from http://www.beyondtrust.com/downloads/whitepapers/Microsoft_Vulnerability_Analysis_2009.asp