Group Policy Central

I was recently approached to do a book review on “Least Privilege Security for Windows 7,Vista and XP by Russell Smith” published by Packt Publishing. This book is a comprehensive guide at showing how to configure your Windows environment so that your users can operate without administrator permissions. While most administrators realise that giving administrators access to the end users is really poor practice and can lead to many security issues it is quite often a permission that some users require to do their job for whatever reason.

Its good to see that this book is quite comprehensive in the number of areas of technology as I firmly believe that you really need to take a multi-prong approach when it comes to security. Here is a list of the just some of technologies that this book talks about to achieve a Least Privilege Security:

• Program Compatibility Wizard
• Applications Compatibility Wizard
• User Account Control
• Group Policy Software Deployment
• Internet Explorer Add-on Management
• Troubleshooting Remote Users
• Configuring Windows Firewall
• Software Restrictions Policies and AppLocker
• Microsoft Deployment Toolkit
• CD Burning
• ActiveX Controls
• Changing system time and time zones
• Power Management
• Managing networks
• Standard Users Analyzer
• Applications Compatibility Toolkit
• Logon Scripts
• Remote Desktop Services
• App-V
• Med-V

In quite a lot of chapters Russell goes into detail step by step instructions explain how to use the above technologies.  But what I really like is that he also takes the time to talk about how to approach the Cultural and Political challenges in implementing this security model as this is normally the hardest part achieving a secure environment.

Configuring security is something that organisation rarely spend much time thinking about and even more rarely do anything about. Having this book in your library will at least give you the knowledge that is required to start to configure your Windows system to be more secure. I would definitely recommend this book as a reference to anyone in an organisation who is responsible for designing and/or making changes to their Windows environment.

As a special offer Packt Publishing are also letting people download preview chapter of this book by download here Chapter No. 3 – Solving Least privilege Problems with the Application Compatibility Toolkit 

Packt Publishing have also announced discount for purchases of two or more so you could use this offer to get a discount when you buy another book from their catalogue (See new-discounts-launched-purchases-multiple-books for details).

You can either purchase the paper and/or PDF (for convenient iPad reading) version of this book right now from: Least Privilege Security for Windows 7,Vista and XP by Russell Smith

Windows Desktop Search 4.0 is a fantastic local search engine for Windows XP that allows users to quickly search all their local files and network file servers. This is also a requirement for anyone that want to use the instant search feature in Outlook 2007 as it utilises this search engine to perform an index of your inbox.

However as you can see the user interface for the search is much different and by default will not perform non-indexed search’s of network file share without setting up a search location. The problem is that for some users this is a lot to get used to and they quite often go back to using the “Search Companion” (see circled in red).

So there is a registry key you can configure if you want to make the “Search Companion” the default search provider for Windows XP but you don’t want to remove the Windows Desktop Search because of all the goodness it give you in Outlook 2007

Search Companion Registry Key Details

Key: HKCU\Software\Microsoft\Windows Desktop Search\DS
Value: ShowStartSearchBand (REG_DWORD)
Data: 0 (zero)

How to enable Search Companion

Step 1. Edit a Group Policy Object that is targeted to the users that you want to enable the search companion option.
Step 2. Navigate to User Configuration > Preferences > Windows Settings > Registry
Step 3. In the menu click on Action > New > Registry Item
Step 4. Setup the following for your new registry item

Once the policy is applied to your users the search command from explorer or from the start menu you will launch the “search companion” by default.

Source: http://jamielesouef.com/microsoft/change-windows-desktop-search-to-search-companion/

(Wow… I have been doing this for 6 months now… how time flies… )

This weeks setting of the week is another old one however it is very important for any environment that is still running Windows XP SOE. The “Do not allow Windows Messenger to be run” will prevent any user from running Windows Messenger that comes out of the box with Windows XP. Now Windows Messenger 4.6 that comes with Windows XP is no longer supported but disabling the program should help avoid any confusion for user that also have Windows Live Messenger installed.

This is a user setting that can be found under User Configuration > Policies > Administrative Templates > Windows Components > Windows Messenger and while it does say it applied to Windows XP this in reality is only a Windows XP setting as there is no Windows Messenger in Windows Vista or above.

While most organisation already have this program removed from the SOE (see image below) this is a good safety net setting for anyone who has joined their non-SOE version of messenger to the domain.

Now to be clear this will only prevent the user running Windows Messenger and not the live of Windows Live Messenger or other third-party messenger programs.

This setting will not remove messenger from the computer but when the users clicks on the Windows Messenger link.

,

I used to think that it was not possible to set IP address information via Group Policy however I did some checking this week and was pleased to find that there was a way to configure your computers DNS Server addresses. Unfortunately this setting only applies to Windows XP, however lots of people still use XP so it is still somewhat relevant. This setting is simple called “DNS Servers” and can be found under Computer Configuration > Administrative Template > Network > DNS Client.

Figure 1.

To configure this setting simple check Enabled and type each IP address of the DNS Servers with a space between them.

While DNS Server settings are normally configured via DHCP this option can be really handy when you have two separate Active Directory forests on the same LAN. This is common where two companies have physically merged but still run separate AD’s forests connected to the same network. Now for name resolution you can setup DNS forwarders from forest A to forest B however this does not work for dynamic DNS registrations of the computer names.

Note: When this setting is applied its a little bit tricky to confirm that it has actually applied as both the network properties (see figure 2.) and even and ipconfig /all will show the manually configured IP DNS setting (see figure 3.). However if you do a NSLOOKUP (also see figure 3.) you will notice that the DNS server that it uses is the DNS Server that is configured in the Group Policy or alternatively you can just rely upon an rsop.msc report.

Figure 2.

Figure 3.

In my previous article “How to use Group Policy to make USB drives read only on Windows XP” I showed you you could configure Windows XP to prevent users from writing to USB block level devices. However for some organisations just making drives read only is not enough I have heard stories of them having to resort to using hot glue guns to prevent people using USB storage devices.

Update: I just found this article explains how use native Group Policy to disable you USB drives. Microsoft Support: HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers

Thankfully there is also a registry key in Windows XP that allows you to block the use of USB storage devices. Now there are two ways to prevent USB storage devices so you may want to implement either or both methods in your organisation. First method prevents computers that have already had USB devices installed and the second prevents any new USB devices from installing.

How to block existing USB Storage Devices

To implement this edit a Group Policy Object that is applied to all the workstations in your organisation navigate to Computer Configuration > Preferences >Windows Settings > Registry. Then click on Action > New > Registry Item type SYSTEM\CurrentControlSet\Services\UsbStor into the Key Path field then type Start into the Value Name field and 4 in the Value Data field and click OK.

If you want to prevent the installation of USB storage device then we use Group Policy to set the security on the driver files to prevent then from installing.

Key: HKLM\SYSTEM\CurrentControlSet\Services\UsbStor
Value: Start
Data: 4 (hex) = Disabled
Data: 3 (hex) = Enabled

How to block new USB Storage Devices

This time edit a Group Policy Object that is applied to all the workstations in your organisation navigate to Computer Configuration > Policies > Windows Settings > Security Settings > File System. Then click on “Action” menu and then “Add File”. Navigate to C:\Windows\Inf and select “Usbstor.inf” and press “OK”. Now click on “Users” in the security tab and then click in the “Deny” “Full Control” tick box then click OK.

Note: Alternatively you could just add the name of the user or group you want to prevent from using USB storage devices.

Click “Yes” to the security warning.

Then click OK.

Note: Remember that deny permission take precedence so inherited permission will not have any affect and that we are applying the permission directly to a file so we don’t need to worry about inheritance from this object.

Now repeat the steps above and this time select “C:\Windows\Inf\Usbstor.pnf”

You should see something like the images below in your group policy.

Now either way when users plug in a USB Storage devices into a computer it will prevent OS from seeing the device thus preventing the users from reading and writing to removable media.

See the Microsoft article about this option at http://support.microsoft.com/kb/823732

HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers