In the space provided enter the command that launches the Local Group Policy Editor

Servers

Jeremy Faircloth, in Enterprise Applications Administration, 2014

Group Policy Editor

The Group Policy Editor is used (obviously) to edit group policies associated with a domain, site, or other object. However, for an enterprise applications administrator, it’s not necessarily the editing capabilities that we need, but rather, the viewing capabilities. Group Policy Editor can show you what the effective policy is for any given object and help you understand if there are any restrictions in place that could be causing problems for your enterprise application or its users.

The Group Policy Editor can be executed from the Server Manager tools in Windows Server 2012 and is also available in earlier Windows versions. Again, for this example, we’re using Windows Server 2012. Figure 3.10 shows Group Policy Editor running with the default domain policy for a specific domain displayed. Within the Settings tab, we can view any settings that are in place per this policy. In this example, there is a security policy restricting a specific path. This could potentially cause issues if access to this path is required for the user that the enterprise application runs under and it doesn’t have sufficient privileges.

Figure 3.10. Windows Server 2012 Group Policy Editor.

URL: https://www.sciencedirect.com/science/article/pii/B978012407773700003X

Managing the Windows 7 Desktop Environment

Jorge Orchilles, in Microsoft Windows 7 Administrator's Reference, 2010

Summary

Windows 7 includes a variety of local management tools. There is Control Panel, the MMC, the Computer Management Console, the Local Group Policy Editor, and the Windows Registry. Each of these management tools provides a different function. They all come together to provide a total management solution for your Windows 7 system.

It's important that your system hardware is properly installed and configured. Malfunctioning hardware can really be a hassle to fix. Windows 7 includes applications like Device Manager and the Devices and Printers applet to help ensure that your hardware is properly installed. Device Manager and Windows Update can help ensure that your devices are configured with the most up-to-date drivers.

Everything in your system relies on your disks and file systems. This is where all of your files are stored. If your disks and file systems are not properly configured, your system may not run at all. Windows 7 volumes can provide convenience through disk spanning or fault tolerance through RAID 5. You need to make sure that you choose a configuration that best suits your needs.

URL: https://www.sciencedirect.com/science/article/pii/B978159749561500005X

Mitigating Network Vulnerabilities

Thomas W. Shinder, ... Debra Littlejohn Shinder, in Windows Server 2012 Security from End to Edge and Beyond, 2013

Controlling the Windows Firewall Through Group Policy

Note that the user, even a local administrator, may not be able to change the configuration settings for Windows Firewall with Advanced Security. If you find that these settings are grayed out, this indicates that the computer has Group Policy settings configured (either locally or through the application of domain policies) that control the WFAS settings.

Prohibiting Running the Windows Firewall with Advanced Settings MMC

As an administrator, you can use Group Policy to prevent users from running the Windows Firewall with Advanced Settings management console, but you will find that setting in a location in the Group Policy Editor that is completely different from other firewall settings. To do this, navigate to the following location in the GPE MMC:

User Configuration | Administrative Templates | Microsoft Management Console | Restricted/Permitted Snap-ins

In the right pane, scroll down and double-click Windows Firewall with Advanced Security, as shown in Figure 11.25.

Figure 11.25. Restricting the use of the Windows Firewall with Advanced Security snap-in.

Select Disabled. This prevents the snap-in from being added to an MMC, and it will not appear in the Add/Remove Snap-ins list in the MMC. It also prevents running this console from the command line as a standalone console. A user who tries to do so will receive an error message, stating that policy prohibits the use of this snap-in.

Note that you can also enable the policy Restrict users to the explicitly permitted list of snap-ins. If that policy is enabled, the Windows Firewall with Advanced Security snap-in will be prohibited when the Windows Firewall with Advanced Security policy is not configured. Otherwise, it will be allowed when this policy setting is not configured.

Deploying Firewall Rules or Settings Through Group Policy

In an enterprise environment, Microsoft recommends that Windows Firewall with Advanced Security settings and rules be deployed using Group Policy in Active Directory Domain Services.4 This involves the following steps:

Create a group in AD DS where you will place computers to which the Group Policy will be applied.

Create a Group Policy Object (GPO) for each version of Windows.

Create security group filters to fine-tune the group members.

Create Windows Management Instrumentation (WMI) filters for setting criteria that computers must match to receive the GPO.

Link the GPO to the domain level of the AD hierarchy.

Add computers to the group.

Configure the GPO with default firewall settings.

Create inbound and outbound firewall rules.
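The eight steps above can be scripted with the RSAT GroupPolicy, ActiveDirectory and NetSecurity modules. The following is an added example, not code from the book or from Microsoft: the domain name, OU, group name, GPO name, computer names and the two sample rules are placeholders chosen for illustration. The WMI filter of step 4 has no native cmdlet and is still created in GPMC, so that step is only noted in a comment.

```powershell
# Added example (not from the book): scripted version of the WFAS GPO deployment steps.
# Placeholders: domain corp.example, OU=Servers, group WFAS-Managed-Servers, GPO name, computer names.
Import-Module ActiveDirectory
Import-Module GroupPolicy
Import-Module NetSecurity

$Domain   = 'corp.example'
$DomainDN = 'DC=corp,DC=example'
$GpoName  = 'WFAS Baseline - Server 2012'
$Group    = 'WFAS-Managed-Servers'

# Step 1: security group that will hold the computers receiving the policy
if (-not (Get-ADGroup -Filter "Name -eq '$Group'" -ErrorAction SilentlyContinue)) {
    New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security -Path "OU=Servers,$DomainDN"
}

# Step 2: one GPO per Windows version (only the Server 2012 GPO is shown)
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Baseline WFAS settings and rules' }

# Step 3: security filtering. Authenticated Users keeps Read (computers must still read the GPO),
# only the group gets Apply.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group -PermissionLevel GpoApply | Out-Null

# Step 4: a WMI filter (e.g. on OS version) is authored in GPMC; there is no GroupPolicy cmdlet for it.

# Step 5: link the GPO at the domain level, once
$linked = Get-GPInheritance -Target $DomainDN | Select-Object -ExpandProperty GpoLinks |
          Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Name $GpoName -Target $DomainDN -LinkEnabled Yes | Out-Null }

# Step 6: add computers to the group (placeholder computer accounts)
Add-ADGroupMember -Identity $Group -Members 'SRV-APP01$', 'SRV-APP02$'

# Steps 7 and 8: default profile settings and rules written directly into the GPO's policy store
$session = Open-NetGPO -PolicyStore "$Domain\$GpoName"
Set-NetFirewallProfile -GPOSession $session -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow -NotifyOnListen False `
    -LogBlocked True -LogMaxSizeKilobytes 16384 `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'
New-NetFirewallRule -GPOSession $session -DisplayName 'Allow inbound HTTPS to app tier' `
    -Group 'Enterprise App Baseline' -Direction Inbound -Protocol TCP -LocalPort 443 `
    -Profile Domain -Action Allow
New-NetFirewallRule -GPOSession $session -DisplayName 'Block outbound SMB to Internet' `
    -Group 'Enterprise App Baseline' -Direction Outbound -Protocol TCP -RemotePort 445 `
    -RemoteAddress Internet -Action Block
Save-NetGPO -GPOSession $session   # nothing reaches the domain until the session is saved
```

Working through a GPO session (Open-NetGPO / Save-NetGPO) batches the rule edits into a single write to the GPO, which matters when a script creates dozens of rules; editing the same GPO with the GPMC console at the same time should be avoided until Save-NetGPO returns.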

Controlling Network Access of Windows Store Apps

As discussed earlier in this chapter, network isolation for Windows Store apps is one of the new features in WFAS for Windows 8 and Server 2012. To fine-tune access to resources for Windows Store apps using Group Policy, you need to be a domain administrator and perform the following tasks, which we will break down into steps:

Define the Address Space of Your Intranet Network

1. In the Group Policy Management snap-in (gpmc.msc), open the Default Domain Policy.

2. From the Group Policy Management Editor, expand Computer Configuration, Policies, Administrative Templates, Network and then click Network Isolation.

3. In the right pane, double-click Private network ranges for apps.

4. In the Private network ranges for apps dialog box, click Enabled. In the Private subnets text box, type the private subnets for your intranet (separated by commas).

5. Double-click Subnet definitions are authoritative. Click Enabled if you want the subnet definitions that you previously created to be the single source for your subnet definition.

Configure Proxy Addresses

1. Double-click Internet proxy servers for apps.

2. Click Enabled.

3. In the Domain Proxies text box, type the IP addresses of your Internet proxy servers, separated by semicolons.

4. Double-click Intranet proxy servers for apps.

5. Click Enabled.

6. In the IP address text box, type the IP addresses of your intranet proxy servers, separated by semicolons.

7. Double-click Proxy definitions are authoritative. If you want the proxy definitions that you previously created to be the single source for your proxy definition, click Enabled. If you want to add additional proxies by using local settings or network isolation heuristics later, leave the Not Configured default setting in place.

Create Custom Firewall Rules

Create firewall rules based on Windows Store app capabilities. You can set firewall policies to block Internet access for any apps on the network that have a particular capability. The Windows Store capabilities include the following:

Internet (Client)

Internet (Client and Server)

Home/Work Networking

Document Library access

Picture Library access

Video Library access

Music Library access

Default Windows credentials

Removable Storage

Shared-User Certificates

Location

Microphone

Near-field proximity

Text messaging

Webcam

Other devices (based on GUID)

Here is an example of how to create a custom firewall rule that blocks access to the intranet for a media sharing app:

1. Open the Group Policy Management snap-in (gpmc.msc) and in the left pane, right-click your domain name, and then click Create a GPO in this domain, and link it here.

2. Type a name for your GPO in the Name text box and then click OK.

3. Right-click your new GPO and then click Edit.

4. From the Group Policy Management Editor, expand Computer Configuration, Policies, Windows Settings, Security Settings, Windows Firewall with Advanced Security and then click Windows Firewall with Advanced Security—LDAP://…

5. Right-click Outbound Rules and then click New Rule.

6. Click Custom and then click Next.

7. Click Next on the Program page, the Protocols and Ports page, and the Scope page.

8. On the Action page, check the box for Block the Connection and then click Next.

9. Click Next on the Profile page.

10. On the Name page, type a name for your rule and then click Finish.

11. In the right pane, right-click your new rule and then click Properties.

12. Click the Local Principals tab.

13. Select the Only allow connections from these users box and then click Add.

14. Click Application Package Properties and then click OK.

15. In the Choose Capabilities dialog box, click APPLICATION PACKAGE AUTHORITY\A home or work network and then click OK.

16. Click the Programs and Services tab under Application Packages and then click Settings.

17. Click Apply to this application package.

18. Select the app in the text box and click OK.

19. Click OK to close the Properties dialog box.

20. Close the Group Policy Management Editor.

21. In Group Policy Management, select your new GPO.

22. In the right pane under Security Filtering, select Authenticated Users.

23. Click Remove and then click OK.

24. Under Security Filtering, click Add.

25. Type domain computers in the text box and click OK.

26. Close Group Policy Management.

For more information, see Isolating Windows Store Apps on your Network in the TechNet Library.5

Group Policy Settings That Control Windows Firewall Behavior

There are a number of Group Policy settings available through the local Group Policy Editor or the Group Policy Management Console (GPMC), which pertain to the Windows Firewall with Advanced Security, as shown in Figure 11.26.

Figure 11.26. Group Policy settings that control WFAS.

These policies include the following:

Allow authenticated IPsec bypass: Allows unsolicited incoming messages from specified systems that authenticate using the IPsec transport.

Allow ICMP exceptions: Defines the set of Internet Control Message Protocol (ICMP) message types that Windows Firewall allows. Note that if you do not enable the “Allow inbound echo request” message type, Windows Firewall blocks echo request messages sent by Ping running on other computers, but it does not block outbound echo request messages sent by Ping running on this computer.

Allow inbound file and printer sharing exception: Windows Firewall opens UDP ports 137 and 138, and TCP ports 139 and 445 to allow inbound file and printer sharing.

Allow inbound remote administration exception: Allows remote administration of the computer using administrative tools such as the Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI) by opening TCP ports 135 and 445.

Allow inbound Remote Desktop exceptions: Allows the computer to receive inbound Remote Desktop requests by opening TCP port 3389.

Allow inbound UDP framework exceptions: Allows this computer to receive unsolicited inbound Plug and Play messages sent by network devices, such as routers with built-in firewalls, by opening TCP port 2869 and UDP port 1900.

Allow local port exceptions: Allows administrators to use the Windows Firewall component in Control Panel to define a local port exceptions list.

Allow local program exceptions: Allows administrators to use the Windows Firewall component in Control Panel to define a local program exceptions list.

Allow logging: Allows Windows Firewall to record information about the unsolicited incoming messages that it receives.

Define inbound port exceptions: Allows users to view and change the inbound port exceptions list defined by Group Policy.

Define inbound program exceptions: Allows users to view and change the program exceptions list defined by Group Policy.

Do not allow exceptions: Blocks all unsolicited incoming messages and overrides all other Windows Firewall policy settings that allow such messages.

Prohibit notifications: Prevents Windows Firewall from displaying notifications to the user when a program requests that Windows Firewall add the program to the program exceptions list.

Prohibit unicast response to multicast or broadcast requests: Prevents the computer from receiving unicast responses to its outgoing multicast or broadcast messages, other than DHCP unicast responses.

Protect all network connections: Turns on Windows Firewall; disabling this policy prevents WFAS from running and prevents locally logged-on administrators from starting it.
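Whether these policies are in force on a given machine can be checked without opening the console. The following is an added example, not code from the book: it reads the effective per-profile firewall state from the ActiveStore (local settings merged with Group Policy) and looks for the policy registry keys under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall, whose presence is what makes the WFAS console settings appear grayed out. The three registry value names read back correspond to "Protect all network connections", "Do not allow exceptions" and "Prohibit notifications"; the legacy templates store non-domain settings under StandardProfile, so that key is checked for the Private and Public profiles as well.

```powershell
# Added example (not from the book): effective WFAS state per profile plus whether Group Policy
# controls it. Uses only the NetSecurity module and the registry; runs on Windows 8 / Server 2012+.
Import-Module NetSecurity

function Get-WfasEffectiveState {
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
    foreach ($p in Get-NetFirewallProfile -PolicyStore ActiveStore) {
        # WFAS policy keys: DomainProfile / PrivateProfile / PublicProfile.
        # Legacy administrative templates (the list above) use DomainProfile and StandardProfile.
        $candidates = @("$($p.Name)Profile")
        if ($p.Name -ne 'Domain') { $candidates += 'StandardProfile' }
        $gp = $null
        foreach ($k in $candidates) {
            $path = Join-Path $policyRoot $k
            if (Test-Path $path) { $gp = Get-ItemProperty -Path $path; break }
        }
        [pscustomobject]@{
            Profile                = $p.Name
            Enabled                = "$($p.Enabled)"
            InboundDefault         = "$($p.DefaultInboundAction)"
            NotifyOnListen         = "$($p.NotifyOnListen)"
            LogBlocked             = "$($p.LogBlocked)"
            LogFile                = $p.LogFileName
            ManagedByGroupPolicy   = [bool]$gp
            GpEnableFirewall       = $gp.EnableFirewall        # "Protect all network connections"
            GpDoNotAllowExceptions = $gp.DoNotAllowExceptions  # "Do not allow exceptions"
            GpDisableNotifications = $gp.DisableNotifications  # "Prohibit notifications"
        }
    }
}

$state = Get-WfasEffectiveState
$state | Format-Table -AutoSize

# Findings a hardening review would raise: firewall off, or dropped packets not being logged
$state | Where-Object { $_.Enabled -ne 'True' -or $_.LogBlocked -ne 'True' } | ForEach-Object {
    Write-Warning "Profile $($_.Profile): firewall disabled or blocked-packet logging off (GP managed: $($_.ManagedByGroupPolicy))"
}
```

A profile that reports ManagedByGroupPolicy as True with Enabled False is the case the text warns about: a local administrator cannot fix it from the console, and the GPO that owns the setting has to be found (gpresult /h report.html lists it) and corrected there.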

URL: https://www.sciencedirect.com/science/article/pii/B978159749980400011X

Managing Windows 7 in an Enterprise Environment

Jorge Orchilles, in Microsoft Windows 7 Administrator's Reference, 2010

Publisher Summary

This chapter focuses on the changes to Group Policies in Windows 7 and Windows Server 2008 R2, some of the improvements that are included in Windows PowerShell v2. It also looks into the improvements in Windows 7's remote management capabilities and the improvements in the Windows 7 implementation of remote desktop. The components of the Remote Server Administration Toolkit (RSAT) such as the Group Policy Editor are also illustrated. This allows one to edit the Windows Server 2008 R2 Group Policies and push those changes to the client computers. By applying Group Policies to specific organizational units (OUs), one can affect only a subset of the computers in the environment, specifically the users or computers within that OU. For even greater control, one can also use Windows Management Instrumentation (WMI) filters to specify a further subset of computers to apply the OU to. Microsoft has extended the power of the Group Policy Editor by including some PowerShell Cmdlets, which allows one to control the Group Policies without having to open the Microsoft Management Console (MMC) and the Group Policy Editor.

URL: https://www.sciencedirect.com/science/article/pii/B9781597495615000073

Expunge

Jayson E. Street, ... Marcus Carey, in Dissecting the Hack, 2010

Best Practices

As these options are controlled by the browser itself, it is difficult to control their use as an administrator. The one exception is Internet Explorer 7 and later versions, for which there is a group policy that allows you to disable the ability to delete browsing history. This setting can be found in the Group Policy editor under Administrative Templates | Windows Components | Internet Explorer | Delete Browser History. Under this final folder is a setting to Turn off “Delete Browsing History” functionality, along with various other deletion controls.4

For serious infractions that absolutely require determining the browser history, it may be possible to forensically recover the deleted browser cache files after they've been erased. This would help show what content the user downloaded and some of the sites visited, but it may be limited. For instance, in Mozilla Firefox, all history details are now stored in miniature databases that are scrubbed clean after a user has deleted his or her browsing history.

URL: https://www.sciencedirect.com/science/article/pii/B9781597495684000055

Securing the Instance

Denny Cherry, in Securing SQL Server (Third Edition), 2015

Clear Virtual Memory Pagefile

When you have a server that can be accessed from the Internet, the possibility exists that an attacker could access a memory dump to gain access to data they normally would not be able to access. This includes the virtual memory page file, as well as system dumps that Windows has taken.

To protect the virtual memory page file, a policy setting can be enabled which upon shutdown of Windows will cause the page file to be rewritten with 0s. This setting is called “Shutdown: Clear virtual memory page file.” It can be set via a group policy or via the “Local Security Policy” MMC (Microsoft Management Console) within the Administrative Tools menu off of the Start Menu. To set it on a single server, open the “Local Security Policy” and then navigate to the Local Policies folder and the Security Options folder. Then double click on the policy “Shutdown: Clear virtual memory pagefile” and set the setting to enabled as shown in Figure 6.16.

Figure 6.16. Enabling the “Clear virtual memory pagefile” setting on a single server.

In order to set this setting on all computers on a domain (or a subset of computers on a domain), the setting should be enabled within a group policy that is applied to the computers, which should have the setting enabled. To do this, open the Group Policy Editor and edit the correct policy that affects the correct computers, then navigate to:

1. Computer Configuration

2. Policies

3. Windows Settings

4. Security Settings

5. Local Policies

6. Security Options

After navigating to the Security Options folder, locate and edit the “Shutdown: Clear virtual memory page file” policy, setting the value to enabled as shown in Figure 6.16. Closing the Group Policy Editor will save the settings back to the domain controller, allowing the setting change to replicate to all domain controllers within the domain, then eventually to all the computers affected by the group policy.

There is a downside to enabling the “Shutdown: Clear virtual memory page file” setting: computers will take much longer to shut down or reboot. Before Windows completes the shutdown process, the page file is overwritten with zeros so that no data from within it can be accessed. The more RAM a server has, the longer this takes; servers with a GB or two finish in just a few minutes, while servers with hundreds of GBs of RAM can take hours. Besides the amount of RAM in the server, the speed of the hard drives that hold the operating system also affects how long the process takes.

In order to prevent an attacker from getting access to a memory dump, Windows’ ability to dump the memory to disk should be disabled on a server unless it needs to be enabled for a specific reason. On a single server, this is done through the System control panel. After opening the System control panel, select the Advanced tab and click the Settings button within the “Startup and Recovery” section. In the new window that opens, change the “Write debugging information” dropdown menu to “(none)” as shown in Figure 6.17.

Figure 6.17. Showing how to disable the writing of memory dumps in Windows.

There is no group policy setting that can be used to disable this over all computers in a domain. However, a group policy can still be used to make the needed registry change. The registry value that needs to be changed is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled. It is a DWORD value, which should be set to 0. To set a registry value within a group policy, edit the group policy and navigate to:

1. Computer Configuration

2. Preferences

3. Windows Settings

4. Registry

Right-click Registry and select “New” from the context menu, then select “Registry Item.” Set the Hive to HKEY_LOCAL_MACHINE and the key path to “SYSTEM\CurrentControlSet\Control\CrashControl” as shown in Figure 6.18. Set the “Value name” to CrashDumpEnabled, the “Value type” to REG_DWORD, and the “Value data” to 00000000 as shown in Figure 6.18.

Figure 6.18. Showing the registry setting change needed to disable memory dumps on a server through a group policy.

No matter how this setting is disabled, either on the local server or globally through a group policy, the server(s) will need to be rebooted for the change to take effect. The reboot can be done manually at the time the change is made or left until the next normal reboot.

While changing these settings will increase the security of the server, it will greatly decrease the ability to troubleshoot system problems. The first troubleshooting technique when attempting to resolve Windows instability issues would normally be to analyze the system memory dump. If memory dumps are not available, these settings will need to be reversed so that dumps can be created and used for debugging; once the problem has been resolved, the settings should be put back in place.
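Both settings from this section can be audited and pushed from one script. The following is an added example, not code from the book: it reads the two registry values that back the settings (“Shutdown: Clear virtual memory pagefile” is stored as ClearPageFileAtShutdown under Session Manager\Memory Management; CrashDumpEnabled is the value named in the text), reports compliance, and offers a function that writes both into a GPO with Set-GPRegistryValue. That cmdlet creates registry-based policy under Administrative Templates rather than the Group Policy Preferences Registry item the text walks through; the GPO name is a placeholder.

```powershell
# Added example (not from the book): audit and GPO deployment of the two memory-exposure settings.
# Registry value names are the documented backing values for the settings described in the text.
$Checks = @(
    @{ Setting  = 'Shutdown: Clear virtual memory pagefile'
       Key      = 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
       Value    = 'ClearPageFileAtShutdown'
       Expected = 1 }
    @{ Setting  = 'Write debugging information = (none)'
       Key      = 'HKLM\SYSTEM\CurrentControlSet\Control\CrashControl'
       Value    = 'CrashDumpEnabled'
       Expected = 0 }
)

function Test-MemoryDumpHardening {
    # Reports the live value on this server against the hardened value.
    foreach ($c in $Checks) {
        $path   = $c.Key -replace '^HKLM\\', 'HKLM:\'        # GPO-style key -> provider path
        $actual = (Get-ItemProperty -Path $path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        [pscustomobject]@{
            Setting   = $c.Setting
            Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
            Expected  = $c.Expected
            Compliant = ($actual -eq $c.Expected)
        }
    }
}

function Set-MemoryDumpHardeningPolicy {
    # Writes both values into an existing GPO as registry policy (requires RSAT GroupPolicy).
    # Placeholder GPO name; the GPO must already be linked to the servers' OU.
    param([Parameter(Mandatory)][string]$GpoName)
    Import-Module GroupPolicy
    foreach ($c in $Checks) {
        Set-GPRegistryValue -Name $GpoName -Key $c.Key -ValueName $c.Value `
            -Type DWord -Value $c.Expected | Out-Null
    }
}

Test-MemoryDumpHardening | Format-Table -AutoSize
# Set-MemoryDumpHardeningPolicy -GpoName 'Server Memory Hardening'   # run from a GP management host
```

As the text notes, neither change takes effect until the server reboots, and the audit should be rerun after that reboot: a value that is set in the registry but not yet applied by a restart still leaves the last dump and page file contents on disk.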

URL: https://www.sciencedirect.com/science/article/pii/B9780128012758000063

USB Device Overflow

Brian Anderson, Barbara Anderson, in Seven Deadliest USB Attacks, 2010

Group Policy

If you are an administrator of a Windows environment, you may decide that the best approach for your workplace would be to disable drivers of external components on all machines without having to make a change to each system. You may also want to disable certain drive types only for specific groups of computers within your network. Windows 2003 server does not include this policy by default, and you will need to create a custom administrative template. The procedures outlined below were performed on a Windows Vista Ultimate system but should be similar to those experienced on a Windows 2003 domain environment.

Tip

You must authenticate with administrative privileges in order to use Group Policy Editor.

Open Notepad, enter the following text, and save the file with an .adm extension (for example, File.adm). If you would like to cut and paste this information into Notepad, it is available on the Microsoft Web site.SS

CLASS MACHINE

CATEGORY !!category
  CATEGORY !!categoryname

    POLICY !!policynameusb
      KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
      EXPLAIN !!explaintextusb
      PART !!labeltextusb DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY

    POLICY !!policynamecd
      KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
      EXPLAIN !!explaintextcd
      PART !!labeltextcd DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 1 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY

    POLICY !!policynameflpy
      KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
      EXPLAIN !!explaintextflpy
      PART !!labeltextflpy DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY

    POLICY !!policynamels120
      KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
      EXPLAIN !!explaintextls120
      PART !!labeltextls120 DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY

  END CATEGORY
END CATEGORY

[strings]
category="Custom Policy Settings"
categoryname="Restrict Drives"
policynameusb="Disable USB"
policynamecd="Disable CD-ROM"
policynameflpy="Disable Floppy"
policynamels120="Disable High Capacity Floppy"
explaintextusb="Disables the computers USB ports by disabling the usbstor.sys driver"
explaintextcd="Disables the computers CD-ROM Drive by disabling the cdrom.sys driver"
explaintextflpy="Disables the computers Floppy Drive by disabling the flpydisk.sys driver"
explaintextls120="Disables the computers High Capacity Floppy Drive by disabling the sfloppy.sys driver"
labeltextusb="Disable USB Ports"
labeltextcd="Disable CD-ROM Drive"
labeltextflpy="Disable Floppy Drive"
labeltextls120="Disable High Capacity Floppy Drive"
Enabled="Enabled"
Disabled="Disabled"

The steps below outline how to add a template allowing the disablement of typical removable device drivers using Group Policy editor. These procedures assume you already have Group Policy editor installed on the target machine.

1. Click Start, then Run, and type gpedit.msc.

2. Browse to locate the Computer Configuration object, as seen in Figure 4.3.

FIGURE 4.3. Group Policy Editor

3. Right-click Administrative Templates and choose Add/Remove Templates.

4. Click the Add button in the lower-left corner of the pane provided, as seen in Figure 4.4.

FIGURE 4.4. Group Policy Editor: Add/Remove Templates

5. Browse to locate the .adm file you just created and select Open.

6. Highlight Administrative Templates again and then in the View menu click Filtering.

7. Clear the check mark next to Only show policy settings that can be fully managed, as seen in Figure 4.5, and then press OK.

FIGURE 4.5. Group Policy Editor: Filtering

8. Under Computer Configuration, go to Administrative Templates\Classic Administrative Templates\Custom Policy Settings\Restrict Drives. You should now see the policy entries that were just created in the right pane, as seen in Figure 4.6.

FIGURE 4.6. Group Policy Editor: Restrict Drives

9. Double-click to select which drive type you would like to disable. Click Enabled, then select Enabled to disable the USB port in the policy setting, as seen in Figure 4.7.

FIGURE 4.7. Group Policy Editor: Disable USB Properties

You have now created a custom policy that will allow you to regulate the computers that are members of your domain. Apply the policy to the appropriate containers that hold the target systems in order to enable enforcement.TT Be mindful when making such a sudden and drastic change to your environment. Proper requirements gathering should be done before implementing any corporate- or domain-wide policy, to ensure you don't break functionality that is critical to the business.UU Rigorous testing should also be done on all relevant systems to ensure compliance and compatibility. Also keep in mind that this policy will not be enforced on standalone systems or on alternate operating systems that are not part of the domain. It will also not apply to the respective devices that are already installed on the target systems.
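The template above works by writing the Start value of four driver services, so whether it has taken effect on a given machine can be verified by reading those values back. The following is an added example, not code from the book: it maps each Start value to its meaning (note that the template's “Enabled” choice writes Start=4, which disables the driver, while its “Disabled” choice writes the driver's normal start type), and lists USB disks the system still has installed, since, as the text says, devices already present are not affected by the policy.

```powershell
# Added example (not from the book): verify the driver Start values the .adm template targets.
# Service names and the 3/4 (1/4 for Cdrom) values are those used in the template above.
$Drivers = [ordered]@{
    USBSTOR  = 'USB mass storage (usbstor.sys)'
    Cdrom    = 'CD-ROM (cdrom.sys)'
    Flpydisk = 'Floppy (flpydisk.sys)'
    Sfloppy  = 'High-capacity floppy (sfloppy.sys)'
}
# Standard meaning of the Start value in a service key
$StartMeaning = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual (device usable)'; 4 = 'Disabled' }

function Get-RemovableDriverState {
    foreach ($svc in $Drivers.Keys) {
        $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
        [pscustomobject]@{
            Service     = $svc
            Description = $Drivers[$svc]
            Start       = if ($null -eq $start) { '<absent>' } else { [int]$start }
            Meaning     = if ($null -eq $start) { 'driver not installed' } else { $StartMeaning[[int]$start] }
            Blocked     = ($start -eq 4)   # True when the template's "Enabled" choice has applied
        }
    }
}

Get-RemovableDriverState | Format-Table -AutoSize

# Already-installed USB disks keep working after the policy applies; list them so they can be reviewed.
Get-PnpDevice -Class DiskDrive -ErrorAction SilentlyContinue |
    Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
    Select-Object FriendlyName, Status, InstanceId
```

Running the state check before and after a gpupdate on a pilot machine is the quickest way to confirm the template was picked up, and the device listing shows what the text's last caveat leaves behind: a drive that was plugged in before the policy arrived stays usable until it is removed and reattached.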

URL: https://www.sciencedirect.com/science/article/pii/B9781597495530000044

Windows Server 2008 R2 networking

Dustin Hannifin, ... Joey Alpern, in Microsoft Windows Server 2008 R2, 2010

Creating a Policy-based QoS GPO

In the exercise below, we will create a new Policy-based QoS GPO for traffic destined for port 80 (http). This gives standard Web browsing traffic a higher priority value as it leaves the computer, ahead of other network traffic. If the network devices honor the DSCP value set by the policy, they will also give the traffic higher priority.

1.

In our example, we will use a local computer policy; however, the same policy can be set up in AD. Open the group policy editor: Start | Run type gpedit.msc and click OK. The Local Group Policy Editor will open as seen in Figure 3.8.

In the space provided enter the command that launches the Local Group Policy Editor

Figure 3.8. Local Group Policy Editor.

2.

Expand the nodes Computer Configuration | Windows Settings and User Configuration | Windows Settings (see Figure 3.9). You will notice that Policy-based QoS can be applied to the computer or to the user. For our example, we will use a computer-based policy.

In the space provided enter the command that launches the Local Group Policy Editor

Figure 3.9. Computer and User Policy-Based QoS Options.

3.

Right click the Policy-based QoS node and choose Create New Policy.

4.

The Policy-based QoS Wizard will launch (see Figure 3.10). Enter a descriptive name in the Policy Name field. Then use the Specify DSCP value option to set a DSCP value. In our example, we will not be throttling the traffic so leave this option unchecked. Click Next to continue.

In the space provided enter the command that launches the Local Group Policy Editor

Figure 3.10. Policy Name and DSCP Value.

5.

We can assign the DSCP policy to specific applications by choosing the executable, or if this server is set up as a Web application server, we can specify the URL of the application. For our example, we will leave the default of All Applications selected (see Figure 3.11). Click Next to continue.

In the space provided enter the command that launches the Local Group Policy Editor

Figure 3.11. Policy-Based QoS Applications.

6.

We can specify that this policy applies only to certain source or destination IP addresses (see Figure 3.12). We will leave both of these options as the default for our example. Click Next.

In the space provided enter the command that launches the Local Group Policy Editor

Figure 3.12. Limit Policy-Based QoS to Listed Source or Destination IP Addresses.

7.

We now need to choose the protocol and port number or range that we want the DSCP value to (see Figure 3.13). For our testing purposes, let us choose port 80 (http) as the destination port. This will allow us to easily use a Web browser to test our policy. Click Finish to create the policy.

In the space provided enter the command that launches the Local Group Policy Editor

Figure 3.13. Policy-Based QoS Protocol and Port Number Options.

8.

You should now see the policy appear under the Policy-based QoS node in the Local Group Policy Editor window as seen in Figure 3.14.

In the space provided enter the command that launches the Local Group Policy Editor

Figure 3.14. New Policy-Based QoS Policy.

9.

Now let us test our new policy. To perform this test, you will need to download and install Network Monitor. Network Monitor can be downloaded from Microsoft Download Center at http://download.microsoft.com. After installing Network Monitor, open it by going to Start | All Programs | Network Monitor 3.3.

10.

The Network Monitor Start Page will be opened as seen in Figure 3.15. Click the link New Capture Tab to set up a new network capture session.

In the space provided enter the command that launches the Local Group Policy Editor

Figure 3.15. Network Monitor Start Page.

11.

A new capture tab will be opened. Click the Start button at the top of the Network Monitor window to start capturing traffic (see Figure 3.16).

In the space provided enter the command that launches the Local Group Policy Editor

Figure 3.16. New Capture Session.

12.

Now let us create some outbound http traffic. Open Internet Explorer by going to Start | All Programs | Internet Explorer.

13.

Browse a standard http Web site. Then close Internet Explorer.

14.

Go back to the Network Monitor window and click the Stop button. You should see that the utility has captured traffic in the frame summary pane (see Figure 3.17).

Figure 3.17. Network Monitor Captured Traffic.

15. Expand the iexplore.exe node in the network conversations pane.

16. Locate one of the IPv4 sessions (see Figure 3.18) and select the session you want to view.

Figure 3.18. Selected IPv4 Session frames.

17. After selecting an IPv4 session, notice the list of frames in the frame summary pane, as seen in Figure 3.19. Select a frame that contains DstPort=HTTP(80).

Figure 3.19. The Frames Summary Pane.

18. Expand the IPv4 section in the frame details pane (see Figure 3.20) and look at the DifferentiatedServicesField subnode. The frame has been given a DSCP value of 10, which shows that the policy is correctly applying a DSCP value to outbound port 80 traffic.

Figure 3.20. IPv4 Session Frame Details.

Test various QoS policies in your test lab during your Windows Server 2008 R2 deployment. You can use them to help ensure that the critical applications receive necessary network bandwidth to perform optimally.
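The test above verifies one policy by eye in Network Monitor. The following PowerShell script is an added example (not code from the chapter or its authors) that enumerates every policy-based QoS policy the Local Group Policy Editor has written to the registry, flags DSCP values outside the 0-63 range or policies that match all traffic, and decodes a raw IPv4 ToS byte back into DSCP and ECN so a hex dump can be cross-checked against what Network Monitor displays. The registry key and value names are the ones Microsoft documents for policy-based QoS (HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\<policy name>); the assumption that unspecified match fields are stored as "*" should be verified on your build.

```powershell
# Added example: audit policy-based QoS policies written by gpedit.msc.
# Requires PowerShell 3.0 or later for [pscustomobject].

$QosPolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\QoS'

function Get-PolicyBasedQos {
    # Each subkey is one policy; value names are the documented policy-based QoS names.
    param([string]$Root = $QosPolicyRoot)
    if (-not (Test-Path $Root)) { return @() }

    Get-ChildItem -Path $Root | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Name         = $_.PSChildName
            Application  = $p.'Application Name'
            Protocol     = $p.'Protocol'
            LocalPort    = $p.'Local Port'
            RemotePort   = $p.'Remote Port'
            RemoteIP     = $p.'Remote IP'
            Dscp         = [int]$p.'DSCP Value'
            ThrottleKbps = $p.'Throttle Rate'   # -1 means no throttle
        }
    }
}

function ConvertFrom-TosByte {
    # DSCP is the upper six bits of the IPv4 ToS/DS byte, ECN the lower two.
    # Network Monitor shows DSCP 10 for the policy above; on the wire that is ToS 0x28.
    param([Parameter(Mandatory = $true)][byte]$Tos)
    [pscustomobject]@{
        Dscp = [int][math]::Floor($Tos / 4)
        Ecn  = [int]($Tos % 4)
    }
}

function Test-PolicyBasedQos {
    # Returns one finding line per problem; an empty result means every policy looks sane.
    $findings = @()
    foreach ($q in Get-PolicyBasedQos) {
        if ($q.Dscp -lt 0 -or $q.Dscp -gt 63) {
            $findings += "$($q.Name): DSCP $($q.Dscp) is outside 0-63"
        }
        # Assumption: a field left blank in the wizard is stored as "*".
        $catchAll = (-not $q.Application) -and
                    ($q.Protocol -eq '*') -and ($q.LocalPort -eq '*') -and
                    ($q.RemotePort -eq '*') -and ($q.RemoteIP -eq '*')
        if ($catchAll) {
            $findings += "$($q.Name): matches ALL outbound traffic; marks everything DSCP $($q.Dscp)"
        }
    }
    return $findings
}

# Usage:
Get-PolicyBasedQos | Format-Table -AutoSize
Test-PolicyBasedQos
ConvertFrom-TosByte -Tos 0x28   # Dscp 10, Ecn 0: what the port-80 frames in Figure 3.20 carry
```

Run it in an elevated PowerShell after creating the policy and after `gpupdate /force`; if `Get-PolicyBasedQos` returns nothing, the policy has not been applied yet or the key names differ on your build.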

URL: https://www.sciencedirect.com/science/article/pii/B9781597495783000037

Secure Client Deployment with Trusted Boot and BitLocker

Thomas W. Shinder, ... Debra Littlejohn Shinder, in Windows Server 2012 Security from End to Edge and Beyond, 2013

Configuring TPM with Startup Key and PIN

The Manage-bde utility allows you to manage BitLocker from the command line. Before you use it to configure BitLocker operating system drive protection with the highest level of security (TPM with startup key and PIN), you will need to edit Group Policy to require additional authentication. Here is how it can be done:

1. Log on with an administrative account.

2. In the Run box, type gpedit.msc to open the Group Policy Editor. Hold SHIFT + CTRL when you press ENTER to run the console as an administrator.

3. Navigate to Computer Configuration | Administrative Templates | Windows Components | BitLocker Drive Encryption | Operating System Drives.

4. In the right pane, double-click Require additional authentication at startup, as shown in Figure 9.8.

Figure 9.8. Require additional authentication at startup.

5. Click Enabled.

6. Make sure the box that says Allow BitLocker without a compatible TPM is unchecked, as shown in Figure 9.9.

Figure 9.9. Uncheck the box that says Allow BitLocker without a compatible TPM.

7. Under the settings for computers with a TPM:

Set the first three settings to Do not allow.

Set the last setting to Require startup key and PIN with TPM.

Next, you need to set up the TPM. Do this through the BitLocker Control Panel app. At the bottom left, click TPM Administration. Initialize the TPM, following the instructions in the utility. A restart may be required. After the restart, you will be prompted to back up the TPM owner key.

Next, use Manage-bde to add a recovery key:

1. Open an administrative command window.

2. Insert a USB flash drive and note its drive letter.

3. Type the following at the command prompt:

manage-bde -protectors -add C: -RecoveryKey <USB flash drive letter>:

4. The utility will return confirmation that the key protectors were added and saved to the directory represented by your USB flash drive letter, along with the external key's ID and file name.

5. Keep the USB flash drive in a safe place. This recovery key can be used to start the computer without the TPM and PIN.

Next, create the startup key (this is a second USB flash drive):

1. Insert the second USB flash drive and note its drive letter.

2. At the administrative command prompt, type the following:

manage-bde -protectors -add C: -TPMandPINandStartupKey -tp <your PIN> -tsk <second USB flash drive letter>:

3. The utility will return the same confirmation information as noted above.

4. Leave the second USB flash drive in the computer for now.

Next, use Manage-bde to encrypt the drive by typing the following at the administrative command prompt:

manage-bde -on <drive letter of operating system drive to be encrypted>:

The utility will return information similar to what is shown below in Figure 9.10.

Figure 9.10. Use the Manage-bde utility to encrypt the drive.

After you restart and log on, and the drive passes the hardware test, the encryption will begin.[15]
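Turning encryption on with a weaker protector set than intended (for example because the Group Policy change never applied) is an easy mistake to make in this procedure. The following PowerShell script is an added example, not code from the chapter or its authors, that checks two things before you run "manage-bde -on": that the BitLocker policy values behind Require additional authentication at startup match what steps 4 to 7 configure, and that the TPM+PIN+startup key protector and the external recovery key protector both exist on the drive. The registry value names are the BitLocker (FVE) policy values that setting writes, with 0 = Do not allow, 1 = Require and 2 = Allow; the protector labels matched in the manage-bde output ("TPM And PIN And Startup Key", "External Key") are those printed by English builds and should be treated as an assumption to confirm on your system.

```powershell
# Added example: pre-flight check before "manage-bde -on C:".
# Requires an elevated PowerShell 3.0+ prompt.

# What the chapter's Group Policy steps should have written (FVE policy values).
$ExpectedFvePolicy = [ordered]@{
    UseAdvancedStartup = 1   # setting Enabled
    EnableBDEWithNoTPM = 0   # "Allow BitLocker without a compatible TPM" unchecked
    UseTPM             = 0   # TPM only:               Do not allow
    UseTPMPIN          = 0   # TPM + PIN:              Do not allow
    UseTPMKey          = 0   # TPM + startup key:      Do not allow
    UseTPMKeyPIN       = 1   # TPM + startup key + PIN: Require
}

function Test-BitLockerStartupPolicy {
    # Returns a list of mismatches; empty means the policy in effect matches the chapter.
    param([string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE')
    if (-not (Test-Path $Path)) {
        return @('FVE policy key missing: policy not applied yet (try gpupdate /force)')
    }
    $actual = Get-ItemProperty -Path $Path
    $problems = @()
    foreach ($name in $ExpectedFvePolicy.Keys) {
        $have = $actual.$name
        if ($null -eq $have) { $problems += "$name is not set"; continue }
        if ([int]$have -ne $ExpectedFvePolicy[$name]) {
            $problems += "$name is $have, expected $($ExpectedFvePolicy[$name])"
        }
    }
    return $problems
}

function Test-BitLockerProtectors {
    # Confirms the two protectors added earlier are present on the OS drive.
    # Assumption: protector names as printed by manage-bde on English builds.
    param([string]$Drive = 'C:')
    $out = (& manage-bde -protectors -get $Drive 2>&1) | Out-String
    $problems = @()
    if ($out -notmatch 'TPM And PIN And Startup Key') {
        $problems += "$Drive has no TPM+PIN+startup key protector (step 2 of the startup key section)"
    }
    if ($out -notmatch 'External Key') {
        $problems += "$Drive has no external recovery key protector (step 3 of the recovery key section)"
    }
    return $problems
}

function Invoke-BitLockerPreflight {
    param([string]$Drive = 'C:')
    $findings = @(Test-BitLockerStartupPolicy) + @(Test-BitLockerProtectors -Drive $Drive)
    if ($findings.Count -eq 0) {
        Write-Output "OK: policy and protectors on $Drive match the TPM + startup key + PIN configuration."
    } else {
        $findings | ForEach-Object { Write-Output "FIX: $_" }
    }
    return ($findings.Count -eq 0)
}

# Usage: only proceed to "manage-bde -on C:" when this returns True.
Invoke-BitLockerPreflight -Drive 'C:'
```

On Windows 8 and Server 2012 the same protector check can be made from the BitLocker module (`(Get-BitLockerVolume -MountPoint C:).KeyProtector` lists each KeyProtectorType), but parsing manage-bde keeps the check aligned with the command-line tool this section uses.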

URL: https://www.sciencedirect.com/science/article/pii/B9781597499804000091

Securing Windows 7

Jorge Orchilles, in Microsoft Windows 7 Administrator's Reference, 2010

User Account Control Settings

Unlike Windows Vista, Windows 7 lets you choose among several UAC levels instead of simply turning UAC on or off. Setting UAC to a level lower than the default disables the secure desktop. It is not recommended to turn off UAC: doing so disables many security settings in Windows 7, including some in IE 8.

UAC settings may be accessed in different ways:

Go to Control Panel | Action Center and click Change User Account Control Settings on the left pane.

Control Panel | User Accounts | Change User Account Control Settings

Type uac in the Start menu Search

There are four options in the UAC Settings (Figure 8.9):

Always notify me when:
- Programs try to install software or make changes to my computer.
- I make changes to Windows settings.

Default – Notify me only when programs try to make changes to my computer.
- Don't notify me when I make changes to Windows settings.

Notify me only when programs try to make changes to my computer (does not dim the desktop).
- Don't notify me when I make changes to Windows settings.

Never notify me when:
- Programs try to install software or make changes to my computer.
- I make changes to Windows settings.

FIGURE 8.9. User Account Control Settings

UAC settings may also be managed through Group Policy in the Local Security Policy console or Local Group Policy editor as shown in Figure 8.10 by expanding Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options:

UAC: Admin Approval Mode for the Built-in Administrator account – Enabled by default, this setting requires the built-in Administrator account (which is itself disabled by default) to run in Admin Approval Mode and go through the elevation prompt.

UAC: Allow UIAccess applications to prompt for elevation without using the secure desktop – Disabled by default, this allows User Interface Accessibility (UIAccess) programs to automatically disable the secure desktop for elevation prompts shown to standard users.

UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode – This option sets how the elevation prompt receives consent from the administrator. The options are:

Elevate without prompting

Prompt for credentials on the secure desktop

Prompt for consent on the secure desktop

Prompt for credentials

Prompt for consent

Prompt for consent for non-Windows binaries

UAC: Behavior of the elevation prompt for standard users – This option sets how the elevation prompt receives consent from the standard user. The options are:

Automatically deny elevation requests

Prompt for credentials on the secure desktop

Prompt for credentials

UAC: Detect application installations and prompt for elevation – Enabled by default, this configures whether an application installation that is detected triggers the Admin Approval Mode elevation prompt.

UAC: Only elevate executables that are signed and validated – Disabled by default, this setting will only elevate executables and DLLs that are signed and validated in the Trusted Publisher store.

UAC: Only elevate UIAccess applications that are installed in secure locations – Enabled by default, this setting will only elevate UIAccess applications located in %SystemRoot%\%ProgramFiles%\ or %WindowsDirectory%\system32\.

UAC: Run all administrators in Admin Approval Mode – Enabled by default, this requires all administrators to use elevation prompts and Admin Approval Mode.

UAC: Switch to the secure desktop when prompting for elevation – Enabled by default, this setting sets whether secure desktop (dimmed display) is initiated for elevation prompts.

UAC: Virtualize file and registry write failures to per-user locations – Enabled by default, this should remain enabled for software compatibility.

FIGURE 8.10. Local Group Policy Editor – UAC

Thankfully, Microsoft included different UAC settings for administrators to tweak for each environment. Because each environment is different, especially with respect to applications, it is difficult to recommend specific settings. We recommend enabling as many UAC settings as possible without interfering with user productivity.
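Both the Figure 8.9 slider and the Figure 8.10 Security Options ultimately set a handful of registry values, so an administrator can audit a machine's effective UAC configuration without opening either console. The following PowerShell script is an added example, not code from the chapter or its authors: it reads the UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, maps the prompt-behavior numbers to the option names listed above, works out which of the four slider positions (if any) the machine is on, and flags the configurations the chapter warns against (UAC off, secure desktop off, silent elevation). The value names and their numeric meanings are the documented ones for these Security Options; the slider-to-value mapping is the standard Windows 7 one and should be confirmed on your build.

```powershell
# Added example: audit effective UAC configuration on Windows 7 (PowerShell 3.0+).

$UacPolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# "Behavior of the elevation prompt for administrators in Admin Approval Mode"
$AdminPromptMeaning = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}
# "Behavior of the elevation prompt for standard users"
$UserPromptMeaning = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

function Get-UacValue {
    # Reads one value, falling back to the Windows 7 default when it is absent.
    param([string]$Name, [int]$Default)
    $p = Get-ItemProperty -Path $UacPolicyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $Default }
    return [int]$p.$Name
}

function Get-UacState {
    $admin  = Get-UacValue 'ConsentPromptBehaviorAdmin' 5
    $user   = Get-UacValue 'ConsentPromptBehaviorUser'  3
    $secure = Get-UacValue 'PromptOnSecureDesktop'      1
    $lua    = Get-UacValue 'EnableLUA'                  1

    # The four slider positions in Figure 8.9 are combinations of two values.
    $slider = switch ("$admin/$secure") {
        '2/1'   { 'Always notify' }
        '5/1'   { 'Default: notify only when programs try to make changes' }
        '5/0'   { 'Notify only when programs try to make changes (no secure desktop)' }
        '0/0'   { 'Never notify' }
        default { 'Custom (set through policy, not the slider)' }
    }

    [pscustomobject]@{
        UacEnabled              = ($lua -eq 1)
        SliderPosition          = $slider
        AdminPromptBehavior     = $AdminPromptMeaning[$admin]
        StandardUserPrompt      = $UserPromptMeaning[$user]
        SecureDesktop           = ($secure -eq 1)
        BuiltinAdminApprovalMode= (Get-UacValue 'FilterAdministratorToken'   0) -eq 1
        InstallerDetection      = (Get-UacValue 'EnableInstallerDetection'   1) -eq 1
        OnlySignedExecutables   = (Get-UacValue 'ValidateAdminCodeSignatures' 0) -eq 1
        UIAccessSecurePathsOnly = (Get-UacValue 'EnableSecureUIAPaths'       1) -eq 1
        FileRegistryVirtualize  = (Get-UacValue 'EnableVirtualization'       1) -eq 1
    }
}

function Test-UacBaseline {
    # Findings that contradict the chapter's advice; empty means nothing to flag.
    $s = Get-UacState
    $findings = @()
    if (-not $s.UacEnabled)           { $findings += 'UAC is turned off (EnableLUA=0); IE 8 protections are lost too' }
    if (-not $s.SecureDesktop)        { $findings += 'Elevation prompts do not use the secure desktop' }
    if ($s.AdminPromptBehavior -eq $AdminPromptMeaning[0]) { $findings += 'Administrators elevate without any prompt' }
    if (-not $s.FileRegistryVirtualize) { $findings += 'File/registry virtualization disabled; legacy apps may break' }
    return $findings
}

# Usage:
Get-UacState | Format-List
Test-UacBaseline
```

Running `Get-UacState` on a freshly installed Windows 7 machine should report the Default slider position with the secure desktop on; `Test-UacBaseline` returning anything is a signal that someone has lowered the slider or changed a Security Option, and is a cheap thing to include in a login or compliance script.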

URL: https://www.sciencedirect.com/science/article/pii/B9781597495615000085