Group Policy Center

Microsoft have now released hotfix (KB980356) to resolve an issues with configuring a scheduled task described as “Incorrect start dates are displayed for the scheduled tasks that are deployed by Group Policy preferences in Windows Server 2008 or in Windows Vista”. This issues results a problem with the schedule task being configured to run on the wrong date (e.g. a day early) due to the way “the Group Policy preferences engine handles the date incorrectly”.

For more information check on the issue and for a link to the download go to KB980356

Source Aug. 27 – Sep. 2 Hot-Fix KB articles Weekly Release – Windows 6/7 – The Hot Blog – Site Home – TechNet Blogs

In the July 29 to August 12th Hot-fix release for Windows 6/7 there have been a number of Group Policy related hotfixes released. As far as I can tell none of these hotfixes are listed as being in Windows 7 Service Pack 1 that is currently in beta (see The complete list of Group Policy Hotfix’s in Windows 7/2008 R2 Service Pack 1) so if you are experiencing any of the above hotfixes it will be some time before you will be able to deploy them as part of a service pack.

• KB2250489 You cannot turn off the screen saver in the Windows Mobility Center when the "Prevent changing wallpaper" Group Policy setting is enabled on a computer that is running Windows Vista SP2
• KB2261826 You cannot find a network drive in the "Browse For Folder" dialog box in the GPMC MMC snap-in on a computer that is running Windows Server 2008 or Windows Vista
• KB2096902 Virtual machines in a VDI environment are not rolled back as expected if the disconnected Remote Desktop connections on the virtual machines are stopped by Group Policy
• KB2254754 You experience a GPO report-generation issue in the GPMC window when you try to generate the report in a localized version of Windows 7 or of Windows Server 2008 R2
• KB2258620 You cannot find the "Find Now," "Stop," and "Clear All" buttons in the GPMC snap-in on a computer that is running Windows 7 or Windows Server 2008 R2
• KB2275315 You cannot read the GPO in the SYSVOL directory in Windows 7 or in Windows Server 2008 R2 if you enable the "Deny write" permission of the GPO
• KB2284538 Apply once and do not reapply Group Policy setting is never applied after the first GPO deployment fails on a client computer that is running Windows 7 or Windows Server 2008 R2

Source: Jul. 29 – Aug. 12 Hot-Fix KB articles Weekly Release – Windows 6/7 – The Hot Blog – Site Home – TechNet Blogs

I was recently approached to do a book review on “Least Privilege Security for Windows 7,Vista and XP by Russell Smith” published by Packt Publishing. This book is a comprehensive guide at showing how to configure your Windows environment so that your users can operate without administrator permissions. While most administrators realise that giving administrators access to the end users is really poor practice and can lead to many security issues it is quite often a permission that some users require to do their job for whatever reason.

Its good to see that this book is quite comprehensive in the number of areas of technology as I firmly believe that you really need to take a multi-prong approach when it comes to security. Here is a list of the just some of technologies that this book talks about to achieve a Least Privilege Security:

• Program Compatibility Wizard
• Applications Compatibility Wizard
• User Account Control
• Group Policy Software Deployment
• Internet Explorer Add-on Management
• Troubleshooting Remote Users
• Configuring Windows Firewall
• Software Restrictions Policies and AppLocker
• Microsoft Deployment Toolkit
• CD Burning
• ActiveX Controls
• Changing system time and time zones
• Power Management
• Managing networks
• Standard Users Analyzer
• Applications Compatibility Toolkit
• Logon Scripts
• Remote Desktop Services
• App-V
• Med-V

In quite a lot of chapters Russell goes into detail step by step instructions explain how to use the above technologies.  But what I really like is that he also takes the time to talk about how to approach the Cultural and Political challenges in implementing this security model as this is normally the hardest part achieving a secure environment.

Configuring security is something that organisation rarely spend much time thinking about and even more rarely do anything about. Having this book in your library will at least give you the knowledge that is required to start to configure your Windows system to be more secure. I would definitely recommend this book as a reference to anyone in an organisation who is responsible for designing and/or making changes to their Windows environment.

As a special offer Packt Publishing are also letting people download preview chapter of this book by download here Chapter No. 3 – Solving Least privilege Problems with the Application Compatibility Toolkit 

Packt Publishing have also announced discount for purchases of two or more so you could use this offer to get a discount when you buy another book from their catalogue (See new-discounts-launched-purchases-multiple-books for details).

You can either purchase the paper and/or PDF (for convenient iPad reading) version of this book right now from: Least Privilege Security for Windows 7,Vista and XP by Russell Smith

Just a single new hot fix has come out this week that affects group policy…

981704 The file name of an ADM file is displayed incorrectly in the GPMC report in Windows Vista or in Windows Server 2008

This hotfix resolves a problem with a GPO report in the Group Policy Management Console showing as “Extra Registry Settings” if you have imported a ADM file and then moved it to another location. For more info see http://support.microsoft.com/kb/981704

I have seen an number of posts form IT Administrators on the Microsoft Group Policy forums asking how prevent their users from connecting to a wireless network. Maybe it is because they have an open WIFI network on the floor above that users keep connecting to so they can by pass the proxy server URL restrictions or they don’t want their users from accessing the internet from well known WIFI hot spots.

In the tutorial below I am going to show you how to block your laptops from connecting to specific wireless networks with the example SSID of “dlink”. This black list method is useful when you want to prevent users from connecting to networks such as “Free Public WiFi” which is nothing more than a trap set by hacker to steal people’s passwords.

Then I will go through the way will to block all wireless networks except for one called “private_ab” using the White List method. This is very useful if you only want your users to connect to wireless network you know are safe to use.

Lastly I will then quickly show you how to totally disable your wireless adapter from being able to connect to any networks.

The instructions below are specific to Vista and Windows 7 as there were a whole heap of new group policy settings that were introduced back when Vista was released.

How to Black List/White List Wireless Networks using Group Policy

Note: Steps 1 to 5 are common for setting up both black and white lists. Then the process branches and describes how to setup a black list then white list in steps 6 & 7.

Step 1. This is a computer based setting so edit a Group Policy Object (GPO) that is targeted to all the laptops in your network

Step 2. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies

Step 3. Click on “Action” in the menu and then click on “Create A New Wireless Network Policy for Windows Vista and Later Releases”.

Note: You can only create one Windows Vista and later and one Windows XP wireless setting within each GPO.

Step 4. Now give the give the setting a Policy Name and Description. Ensure that the “Use Windows WLAN AutoCOnfig service for clients” is ticked so that Windows does not allow third-party software to control the wireless network adapter (e.g. Intel Wireless LAN configuration Tool).

Step 5. Now click on the Network Permission Tab and click “Add…”

Setting up a Wireless Network Black List using Group Policy

Step 6. Type in the name of the SSID you want to black list (e.g. “dlink”) then select the type of Network Type (e.g. Infrastructure) and select "Deny” from the Permission type then click “OK”

Step 7. Click “OK”

Now the user views all the wireless network the will no longer be able to connect the network that has been configured as Deny. (e.g. “dlink”)

Setting up a Wireless Network White List using Group Policy

Step 6. Type in the name of the SSID you want to white list (e.g. “private_ab”) then select the type of Network Type (e.g. Infrastructure) and select "Allow” from the Permission type then click “OK”

Step 7. Tick “Prevent connections to ad-hoc networks” and tick “Prevent connections to infrastructure networks” then click “OK”

Now you will ONLY be able to connect to the wireless network called “private_ab” and all other networks will be denied.

Note: Configuring a white list will not configure a wireless profile to connect to the allowed network, it simple allows the user to configure a profile for that particular SSID.

How to disable your wireless networks access via Group Policy

Now if you want to totally deny you users from connecting to any network profile just skip step 6. from the White List procedure leave the “Prevent connections to ad-hoc networks” and “Prevent connections to infrastructure networks”.

You users will no longer be able to connect to any wireless networks and when they click on the network in they will receive the message “Your network administrator has blocked you from connecting to this network”.

Note: Any network profile you have configured in the General tab will be automatically added as an allowed network having the two “Prevent connections” options tick will ensure that the user will not be able to connect to anything but your corporate wireless network.

Back to another profile setting this week and this one can save any organisation using Windows Vista or greater a lot of time if you manual provision your accounts. The setting is called “Set roaming profile path for all users logging onto this computer” and it configures the users roaming profile path that is normally configured on a per account basis in Active Directory Users and Computers (see below). Being able to apply this setting via Group Policy means it is one more user attribute that you no longer need to configure on the users account. This of course makes provisioning users account just that little bit simple which should save both time and the possibility for human errors.

This setting can be found under Computer Configuration > Policies > Administrative Templates > System > User Profiles but as its a computer based setting this also means that you need to be careful how you apply this setting. Applying this setting to laptop could be undesired as they may try to log into a remote location with a slow WAN link to the profile server. So if you do apply this to the laptop you might want to configured it to point to a DFS namespace path or a DNS alias (if you have subnet masking filtering enabled) which can help point them to a faster more local path. This of course means it would be really useful to have a OU structure that separate your laptops from your desktop computer.

But I would definitely recommend use this setting if you are using Windows Vista or Windows 7 in your SOE.

Windows has a cool feature that allows you to tell if your computer has Internet connectivity when you are connected to a network (see image below). This feature is called Network Connectivity Status Indicator (NCSI) it uses a combination of DNS and/or HTTP look ups to tell if you are connected to the Internet. The way does this is either via a HTTP request for http://www.msftncsi.com/ncsi.txt or a DNS look up for dns.msftncsi.com that resoles to 131.107.255.255

Windows 7

However if you find this error message really annoying there is now a Windows 7 group policy will turn it off. This is a machine setting so edit a Group Policy Object that is applied to all the workstations you want to turn this message off. Then navigate to Computer Configuration > Policies > Administrative Templates > Network Connections and enabled the “Do not show the “local access only” network icon” policy setting.

TADA… Now you will no longer see the exclamation icon on the network icon.

For more information on how NCSI works and this Windows 7 policy see http://technet.microsoft.com/en-us/library/ee126135(WS.10).aspx

Windows Vista

Unfortunately Windows Vista does not have the same Group Policy however there is a registry key that can be applied using Group Policy Preferences that has the same affect.

Key: HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet
Value: EnableActiveProbing
Data: 1 (REG_DWORD) = Enabled
Data: 0 = Disabled

Step 1. Edit a Group Policy Object that is applied to all the workstation you want this Browser Ballot disabled.

Step 2. Navigate to Computer Configuration > Preferences > Windows Settings > Registry and create a “New Registry Item”

Step 3. Type “SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet” in the Key Path then type “EnableActiveProbing” in the Value name, then select REG_DWORD as the value type “0” in the value data and then click “OK”.

For more information on how NCSI works and this Windows Vista policy see http://technet.microsoft.com/en-us/library/cc766017(WS.10).aspx