DOCUMENT DETAILS
Status: Draft
Owner: PS. Chaitanya
Date: Wednesday, 02 December 2009
Version: Microsoft Active Directory 2003
Location: Hyderabad
CHANGE HISTORY
Version | Date | Changed By | Change Description
Windows 2003 | | PS. Chaitanya |
REVIEW PANEL
Version | Date | Name | Designation
Windows 2003 | | B.Ravi Shanker | Business Head
DISTRIBUTION LIST
Name | Designation
Abinash | Team Leader
APPROVAL PAGE
Designation | Name | Signed & Date Stamped
GATI Pvt Ltd., Customer Representative (IT) | |
Confidential
Prepared By: PS. Chaitanya
Veeras Infotek Pvt. Ltd,
IIB Groups,
Plot No .138, Keshav
Nagar, Srinagar,
Colony, Opp. SBI Bank,
Hyderabad -500073
End Point Security has been a major area of concern for the
management and the IT Team of GATI.
document is in reference to the “Network Architecture Report”
submitted to GATI.
Intended audience
The current scope of analyzing end point security and introducing the
domain environment at GATI is not limited to controlling user actions
while accessing the information processing facilities; it also aims to
create an architecture with enhanced support for centralizing the
access control procedures, as per the IT security policy rolled out by
GATI Management. Efforts have been made to control end user actions in
order to mitigate invasive activities arising from within the local
network and from the WAN locations.
Statement of work
• Controlled Access of Physical Ports such as USB, CD-ROMs
• No changes to registry settings
• Department wise identified account policies
• Software Restriction Policies
• Windows Update Services
• On-the-Fly Functions
• File Level Encryption for the data
• Roaming User Profiles.
NOTE: All components indicated in this proposal are based on the
inputs provided by GATI Pvt Ltd.
Resource Requirements
As with any large technology project, having the right resources for
planning and deployment is essential. The resources that you will
require for an Active Directory branch office deployment fall into three
categories:
• Software Requirements
• Personnel Requirements
Your specific resource requirements will depend on a number of
factors, including project scope, solution features, implementation
schedule, and budget.
Software Requirements
Personnel Requirements
Project Documentation
Run the wizard
You must have Windows Server 2003 Service Pack 1 installed to run
this wizard. To access the wizard, go to Start | All Programs |
Administrative Tools | Security Configuration Wizard (Scw.exe).
When you first run the tool, it will prompt you to start or install any
network applications (e.g., IIS, Exchange, SQL, etc.) that the server will
use, so it can define the server role and apply the proper security
settings. The wizard will also ask whether you want to create a new
security policy, edit an existing policy, apply a policy, or roll back a
policy. For this example, we're using this tool after initial installation,
so select Create A New Security Policy.
Define the role
At this point, you can select a predefined role for your server from the
wizard's security configuration database. After you select the server
role, the wizard will prompt you to select the client features, additional
administrative options, additional services (for non-Microsoft
applications), and any special handling for these services.
Network security
Registry settings
Audit policy
Warning: If you use the wizard to apply the built-in audit security
template to set the System Access Control Lists (SACLs), you cannot
remove these settings through the rollback feature.
Internet Information Services
If this server will function as an IIS server, the wizard will prompt you to
configure the security for the Web server. You can select the Web
service extensions used for dynamic content, virtual directories used
for your Web server, and allow or deny anonymous users from
accessing Web site content.
Final thoughts
While some people might still prefer the pre-Windows Server 2003
method of securing their servers, the Security Configuration Wizard
provides a powerful and easy opportunity to create a role-based
security template that you can apply consistently to every server you
own. If you've been looking for a way to standardize and simplify
security settings for your Windows Server 2003 servers, don't overlook
the Security Configuration Wizard.
Support for Windows Active Directory policy implementation by client operating system:
Operating System | Active Directory policy supported
Windows 95/98/98SE | No
Windows ME | No
Windows NT4 Server/Workstation | Yes
Windows 2000 (all versions) | Yes
Windows XP Home Edition | No
Windows XP Professional Edition | Yes
Windows 2003 (all versions) | Yes
How to lock down a Windows Server 2003 Terminal
Server session
You can use Group Policies to lock down a Terminal Server session on a
Microsoft Windows Server 2003-based or Microsoft Windows 2000-
based computer. With the following settings, even the administrator
account will have restricted access. It is highly recommended that you
create a new organizational unit instead of modifying the policies on an
existing one.
Note: The use of these policies does not guarantee a secure computer,
and you should use them only as a guideline.
on the Group Policy tab, click New Policy. Edit this policy with the
following settings:
• [Computer Configuration\Administrative Templates\Windows
Components\Windows Installer]
• [User Configuration\Windows Settings\Folder Redirection]
Application Data
Desktop
My Documents
Start Menu
Disable Windows Explorer's default context menu
Hides the Manage item on the Windows Explorer context
menu
Hide these specified drives in My Computer (Enable this
setting for A through D.)
Prevent access to drives from My Computer (Enable this
setting for A through D.)
Hide Hardware Tab
• [User Configuration\Administrative Templates\Start Menu &
Taskbar]
remove the Shut Down command. In Windows Server 2003,
this setting is named Remove and prevent access to the
Shut Down command.
• [User Configuration\Administrative Templates\Desktop]
Terminal Server, even if the explicit Deny is set for the
Administrator account.
• [User Configuration\Administrative
Templates\System\Logon/Logoff]
For more information about how to lock down Windows Server 2003
Terminal Server Sessions, visit the following Web site:
How to Lock Down a User Profile Using Group Policy
is to avoid any issues with running applications. This is not a
mandatory step.
From here on out I will list the policies that need to be enabled or
disabled.
User Configuration\Administrative Templates\Windows
Components\Windows Explorer
Remove the Folder Options menu item from the Tools menu - Enabled
Remove File menu from Windows Explorer - Enabled
Remove "Map Network Drive" and "Disconnect Network Drive" - Enabled
Remove Search button from Windows Explorer - Enabled
Remove Windows Explorer's default context menu - Enabled
Hides the Manage item on the Windows Explorer context menu - Enabled
Hide these specified drives in My Computer - Enabled
This option is configurable to your needs. You can restrict all
drives, some drives or whatever you may need.
User Configuration\Administrative Templates\Windows
Components\Windows Messenger
Do not allow Windows Messenger to run - Enabled
User Configuration\Administrative Templates\Start Menu and
Task Bar
Remove user's folder from the Start Menu - Enabled
Remove links and access to Windows Update - Enabled
Remove My Documents from Start Menu - Enabled
Remove Documents menu from Start Menu - Enabled
Remove programs on Settings menu - Enabled
Remove Network Connections from Start Menu - Enabled
Remove Favorites from Start Menu - Enabled
Remove Search from Start Menu - Enabled
Remove Help from Start Menu - Enabled
Remove Run from Start Menu - Enabled
Remove My Pictures icon from Start Menu - Enabled
Remove My Music icon from Start Menu - Enabled
Remove My Network Places icon from Start Menu - Enabled
Add logoff to the Start Menu - Enabled
Remove Drag-and-Drop context menus on the Start Menu -
Enabled
Prevent changes to Taskbar and Start Menu Settings - Enabled
Remove access to the context menus for the taskbar - Enabled
Do not keep history of recently opened documents - Enabled
Clear history of recently opened documents on exit - Enabled
Lock the taskbar - Enabled
Remove Balloon Tips on Start Menu items - Enabled
Remove All Programs list from the Start Menu - Enabled
Remove user name from Start Menu - Enabled
Hide the notification area - Enabled
Do not display any custom toolbars in the taskbar - Enabled
Remove Set Program Access and Defaults from the Start Menu -
Enabled
User Configuration\Administrative Templates\Desktop
Remove My Documents icon on the desktop - Enabled
Remove Recycle Bin icon from desktop - Enabled
Remove Properties from the My Documents context menu -
Enabled
Remove Properties from the Recycle Bin context menu - Enabled
Hide My Network Places on the desktop - Enabled
Hide Internet Explorer icon on desktop - Enabled
Do not add shares of recently opened documents to My Network
Places - Enabled
Prevent adding, dragging, dropping and closing the Taskbar's
toolbars - Enabled
Prohibit adjusting desktop toolbars - Enabled
User Configuration\Administrative Templates\Control Panel
Prohibit access to the Control Panel
User Configuration\Administrative
Templates\System\Ctrl+Alt+Del Options
Remove Task Manager - Enabled
Remove Change Password - Enabled
You may have noticed there were no changes made to Internet
Explorer settings. My environment does not have internet access
so these settings are unnecessary but your environment may
have access to the internet and you should explore those
settings. I have a list of policy changes for IE and if you need
them send me a message and I will fill you in.
Don't be afraid to try different settings out. This works for my
environment and it may not be suitable for you.
Once these policies are changed run gpupdate /force from the
command line and reboot the Windows XP computer. Log in as
the user you created and check out what little access this user
has.
• Enforce that only approved software is installed on system
computers
• Lockdown a machine
Unrestricted or Disallowed
default rule. Each rule can include descriptive text to help
communicate why the rule was created.
A software restriction policy supports the following four ways to
identify software:
Hash—A cryptographic fingerprint of the file.
Certificate—A software publisher certificate used to digitally sign a file.
Path—The local or universal naming convention (UNC) path of where the file is stored.
Zone—The Internet zone from which the file was downloaded.
Enforcement Options
There are two enforcement options: DLL checking and Skip
Administrators.
DLL Checking
A program, such as Internet Explorer, consists of an executable file,
iexplore.exe, and many supporting dynamic link libraries (DLLs). By
default, software restriction policy rules are not enforced against DLLs.
This is the recommended option for most customers, for three reasons.
Disallowing the main executable file prevents the program from
running, so there is no need to disallow all of the constituent dynamic
link libraries.
DLL checking results in performance degradation. If a user runs 10
programs during a logon session, the software restriction policy is
evaluated 10 times. If DLL checking is turned on, the software
restriction policy is evaluated for each DLL load within each program. If
each program uses 20 DLLs, this results in 10 executable program
checks plus 200 DLL checks, so the software restriction policy is
evaluated 210 times.
If the default security level is set to Disallowed, then not only does the
main executable file have to be identified to allow it to run, but all of
its constituent DLLs also must be identified, which can be burdensome.
DLL checking is provided as an option for environments that want the
highest assurance possible when running programs. While viruses
primarily target executables for infection, some target DLLs. To ensure
that a program has not been infected by a virus, you can use a set of
hash rules that identify the executable and all of its required DLLs.
To turn on DLL checking:
Select the following option in the Enforcement Properties dialog box:
Apply software restriction policies to the following > All software files
Skip Administrators
An administrator may want to disallow the running of programs for
most users, but allow administrators to run anything. For example, a
customer may have a shared machine that multiple users connect to
using Terminal Server. The administrator may want users to be able to
run only specific applications on the machine, but allow members of
the local administrators group to run anything. To do this, use the Skip
Administrators option.
If the software restriction policy is created in a GPO attached to an
object in Active Directory, the preferred way to skip administrators is
to deny the Apply Group Policy permission on the GPO to a group
containing the administrators. This way less network traffic is
consumed downloading GPO settings that do not apply to
administrators. However, software restriction policies defined in Local
Security Policy objects have no way to filter based on users. In this
case the Skip Administrators option should be used.
To turn on Skip Administrators:
Select the following option in the Enforcement Properties dialog box
as shown in Figure 2 above:
Apply software restriction policies to the following users > All
users except local administrators
Note: Setting the Skip Administrators option is only valid for machine
policies.
Defining Executables
The Designated File Types dialog box shown in Figure 3 below lists
the file types to which the software restriction policy applies. The
designated file types are file types that are considered executable. For
example, a screen saver file (SCR), is considered executable because
when double-clicked in Windows Explorer it is loaded as a program.
The rules in a software restriction policy only apply to the file types
listed in the Designated File Types dialog box. If your environment uses
a file type that you want to be able to set rules on, add it to the list. For
example, if you use Perl scripting files, you may choose to add .pl and
other file types associated with the Perl engine to the Designated File
Types list.
Trusted Publishers
The Trusted Publishers options shown in Figure 4 below allow you to
configure settings related to ActiveX® controls and other signed
content.
content has not been revoked.
Scope of Software Restriction Policies
Software restriction policies do not apply to the following:
Drivers or other kernel mode software.
Any program run by the SYSTEM account.
Macros inside of Microsoft Office 2000 or Office XP documents.
Programs written for the common language runtime. (These programs
use the Code Access Security Policy.)
Right-click on the domain or OU, then click Properties > Group Policy tab
> New/Edit.
Local Security Policy
To set up a security policy
Click Start, then Run.
Type secpol.msc, then click OK.
To create a policy:
Select Create New Policies from the Action menu.
Applying a Software Restriction Policy to a Group of Users
A software restriction policy is delivered through Group Policy to a site,
domain, or organizational unit. However, an administrator may want to
apply a software restriction policy to a group of users within a domain.
To do this, the administrator can use GPO filtering.
Default security level
Additional rules
Policy options
Linking the policy to a site, domain, or organizational unit
Stepping Through the Process
Step 1. GPO or Local Security Policy
Should the policy apply to many machines or users in a domain or
organizational unit, or should it only apply to the local machine?
If the policy should apply to many machines or users in a domain or
other Active Directory container, use a GPO.
If your policy should only apply to the local machine, use the Local
Security Policy.
Step 2. User or Machine Policy
Should the policy apply to users regardless of where they log in, or to a
machine regardless of who logs in?
If you want the policy to apply to a specific group of users, for example
the Marketing Department domain group, then you need a user policy.
If you want the policy to apply to a set of machines and all the users
that log on to those machines, then you need a machine policy.
Step 3. Default Security Level
Do you know all of the software your users will be running, or can they
install any software they choose?
If you know all of the software your users will be running, you should
set the default security level to Disallowed.
If users can install any software they want, set the default security
level to Unrestricted.
Step 4. Additional Rules
Identify the applications you choose to allow or disallow using the four
rule types outlined in the Software Restriction Policy Architecture
section above.
To see which rules make sense for your policy, refer to Table 1. When
to Use Each Rule, above.
To create additional rules, refer to the Step-by-step Guide for Creating
Additional Rules, below.
Step 5. Policy Options
There are several policy options:
If you are using a local security policy, and do not want the policy to
apply to administrators on the machine, set the Skip Administrators
option.
If you want to check DLLs in addition to executables and scripts, turn
on the DLL checking option.
If you want to set rules on file types that are not in the default list of
designated file types, then add additional file types.
If you want to change who can make decisions about downloading
ActiveX controls and other signed content, set Trusted Publishers
options.
Step 6. Linking the Policy to a Site, Domain, or Organizational
Unit
To link a GPO to a site:
Use the Active Directory Sites and Services snap-in.
Right-click the site, domain, or OU to which you want to link the GPO,
and select Properties.
Select the Group Policy tab, to create, edit, and manage GPOs.
To link a GPO to a domain or OU:
Use the Active Directory Users and Computers snap-in.
Right-click the site, domain, or OU to which you want to link the GPO,
and select Properties.
Select the Group Policy tab, to create, edit, and manage GPOs.
Filtering
GPO filtering can be done at this stage. You can have a portion of an
OU receive a GPO by filtering based on group membership. You can
also filter based on a WMI query.
Testing A Policy
If you want to test your policy immediately, instead of waiting for the
next Group Policy refresh interval, run gpupdate.exe and log on again
to test your policy.
You can start each program by clicking Start, Run, and then typing
msinfo32.exe. From msinfo32, select Software Environment and then
Running Tasks.
You can use the following command: wmic.exe process get
"ExecutablePath, ProcessID"
For our example, you will see the following tasks running:
"C:\Program Files\Microsoft Office\Office10\WINWORD.EXE"
"C:\Program Files\Microsoft Office\Office10\EXCEL.EXE"
"C:\Program Files\Microsoft Office\Office10\POWERPNT.EXE"
"C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE"
Step 4. Identify Dependent Programs
Some programs launch other programs to perform tasks. Your software
application may depend on one or more supporting programs. For
example, Microsoft Word launches the Microsoft Clip Organizer to
manage clipart. The Microsoft Clip Organizer uses the following
programs:
C:\Program Files\Microsoft Office\Office10\MSTORDB.EXE
C:\Program Files\Microsoft Office\Office10\MSTORE.EXE
Microsoft Office also uses files in the C:\Program Files\Common Files
folder
Step 5. Generalize the Rules
In this step you should group related rules together to create a more
general rule. Consider using environment variables, wild cards, and
registry path rules.
Continuing our example, each program is stored in C:\Program
Files\Microsoft Office\Office10, so it is sufficient to use one path rule for
that folder instead of four separate path rules. Also, if Office is always
installed in the Program Files folder on your machines, use an
environment variable instead of an explicit path. Thus, our proposed
rules are:
%ProgramFiles%\Microsoft Office\Office10
%ProgramFiles%\Common Files
Step 6. Have You Allowed Too Much?
This is the step where you look at what else is allowed by the rules you
have proposed. Creating a rule that is too general may allow programs
to run that you did not intend. The Office10 folder in our example also
contains:
FINDER.EXE
OSA.EXE
MCDLC.EXE
WAVTOASF.EXE
Because these programs are acceptable to run, we do not have to
change our rules.
%USERPROFILE%\Start Menu\Programs\Startup
%ALLUSERSPROFILE%\Start Menu\Programs\Startup
Win.ini, System.ini lines beginning with "run=" and "load="
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Virus Scanning Programs
Most anti-virus software has a real-time scanner program that starts
when the user logs in and scans all files accessed by the user, looking
for possible virus contamination. Make sure your rules allow your virus
scanning programs to run.
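Steps 5 and 6 of the rule-building procedure above (generalize the observed programs into folder rules, then check what else those rules let run) and the virus-scanner check can be scripted. The following Python helper is an added example written for this report, not part of the original document or of any Microsoft tool; it works on constructed path lists modelled on the Office10 walk-through, and the antivirus path is a hypothetical placeholder.

```python
import ntpath
import re

# Constructed sample data modelled on the report's Office10 walk-through.
ENV = {"ProgramFiles": r"C:\Program Files", "SystemRoot": r"C:\WINDOWS"}
OFFICE10 = r"C:\Program Files\Microsoft Office\Office10"
OBSERVED = [  # running tasks seen in Step 3 plus the Clip Organizer helpers from Step 4
    OFFICE10 + r"\WINWORD.EXE", OFFICE10 + r"\EXCEL.EXE", OFFICE10 + r"\POWERPNT.EXE",
    OFFICE10 + r"\OUTLOOK.EXE", OFFICE10 + r"\MSTORDB.EXE", OFFICE10 + r"\MSTORE.EXE",
]
EXTRA_FOLDERS = [r"C:\Program Files\Common Files"]   # Step 4: shared Office files
FOLDER_LISTING = OBSERVED + [OFFICE10 + r"\FINDER.EXE", OFFICE10 + r"\OSA.EXE",
                             OFFICE10 + r"\MCDLC.EXE", OFFICE10 + r"\WAVTOASF.EXE"]
# Hypothetical real-time antivirus scanner path; not from the report.
REQUIRED = [r"C:\Program Files\Example AV\rtscan.exe"]


def substitute_env(path, env):
    """Replace the longest matching environment value prefix with %NAME% (case-insensitive)."""
    for name, value in sorted(env.items(), key=lambda kv: -len(kv[1])):
        if path.lower().startswith(value.lower() + "\\"):
            return f"%{name}%" + path[len(value):]
    return path


def expand_env(pattern, env):
    """Inverse of substitute_env: resolve %NAME% tokens against the constructed environment."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lookup.get(m.group(1).lower(), m.group(0)), pattern)


def generalize_rules(observed, extra_folders, env):
    """Step 5: one path rule per folder instead of one per program, using %VAR% prefixes."""
    folders = {ntpath.dirname(p) for p in observed} | set(extra_folders)
    return sorted({substitute_env(f, env) for f in folders}, key=str.lower)


def covered_by(rule, path, env):
    """A folder path rule covers the folder itself and everything beneath it."""
    folder = expand_env(rule, env).lower().rstrip("\\")
    return path.lower().startswith(folder + "\\")


def allowed_beyond_intent(rules, listing, intended, env):
    """Step 6: files the proposed rules let run that were not on the intended list."""
    wanted = {p.lower() for p in intended}
    return sorted(p for p in listing
                  if p.lower() not in wanted and any(covered_by(r, p, env) for r in rules))


def not_covered(required, rules, env):
    """Programs (e.g. the virus scanner) that no rule allows and a Disallowed default would block."""
    return [p for p in required if not any(covered_by(r, p, env) for r in rules)]


if __name__ == "__main__":
    rules = generalize_rules(OBSERVED, EXTRA_FOLDERS, ENV)
    print("proposed rules:", rules)
    print("also allowed:", allowed_beyond_intent(rules, FOLDER_LISTING, OBSERVED, ENV))
    print("still blocked:", not_covered(REQUIRED, rules, ENV))
```

With the constructed data the two proposed rules are exactly the ones the report arrives at, the four extra Office10 programs show up as "also allowed", and the scanner is reported as uncovered until a rule for its folder is added.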
Scenarios
This section examines some typical problems and how software
restriction policies can be used to solve them.
Block Malicious Scripts
An organization wants to be protected from script-based viruses.
organization, but a VBS can no longer be used for legitimate purposes.
A software restriction policy overcomes this handicap by blocking the
undesirable VBS, while allowing legitimate ones to run.
This policy can be created using the rules in Table 4.
Table 4 Rules for Blocking Malicious Scripts
IT Department Certificate    Unrestricted
This policy prevents all scripting files associated with the Windows
Scripting Host from running, except those that are digitally signed by
the IT Department certificate. See Appendix below for how to obtain a
certificate and digitally sign files.
Manage Software Installation
You can configure your organization's machines so that only approved
software can be installed. For software that uses Windows Installer
technology, this can be accomplished by the policy shown in Table 5.
Table 5 Rules for Managing Software Installation
Certificate Rules
IT Department Certificate    Unrestricted
This policy prevents all Windows Installer packages from installing. It
allows MSI files digitally signed by the IT department certificate and
the OWC10.MSI package located at \\products\install to be installed.
See the Appendix below for how to obtain a certificate and digitally
sign files.
This policy also shows how you can use the precedence of the path and
certificate rules to allow just the software you want. For any other
package that your organization cannot or does not want to digitally
sign, you can create hash rules, or fully qualified path rules, to make
exceptions for them.
Line-of-Business PC
In some cases an administrator may want to manage all of the
software that runs on a machine. This is because even when users
have insufficient rights to replace system files or files in shared folders
such as Program Files, if they have a place on the file system they can
write to, then they can also copy a program there and start it up.
Viruses contracted this way can damage the system by modifying
operating system settings and files; they can also cause great damage
by misusing the user's privileges. For example, mass-mailer worms can
be spread by accessing the user's address book and sending mail.
Even normal users on a system are vulnerable to this kind of attack.
As long as users are not administrators on their local machines, the
policy in Table 6 protects them from accidentally running malicious
code. Because users cannot modify the contents of the Program Files
or Windows folders, they can only run software installed by an
administrator.
Table 6 Policy for Managing all Software on a Machine
%PROGRAMFILES%    Unrestricted
This policy disallows all software on the user's machine, except that
installed in the Windows directory, Program Files directory, or their
respective subfolders. It does not apply to administrators.
If a user receives a virus attachment in an e-mail, for example
WORM.vbs, the mail program will copy it to the profile directory
(%USERPROFILE%) and launch it from there. Because the profile
directory is not a subfolder of the Windows folder or the Program Files
folder, programs launched from there will not run.
If all the programs a user needs are not installed in %WINDIR% or
%PROGRAMFILES%, or there are programs in those folders that the
administrator does not want the user running, the administrator can
make additional exceptions as shown in Table 7.
Table 7 Exceptions for Managing all Software on a Machine
Path Rules
%WINDIR%\regedit.exe Disallowed
%WINDIR%\system32\cmd.exe    Disallowed
\\CORP_DC_??\scripts    Unrestricted
%HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\InoculateIT\6.0\Path\HOME%    Unrestricted
The effects of these exceptions are:
Both the command prompt (cmd.exe) and the registry editor
(regedit.exe) are disallowed.
An exception is created to allow login scripts to run on the user's
machine.
The use of the "?" wildcard allows the rule to match \\CORP_DC_01,
\\CORP_DC_02, and others.
A registry path rule is added that allows the anti-virus software on the
machine to run.
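As an added illustration of how the Table 6 and Table 7 rules resolve against one another (a more specific path rule overriding the broader %WINDIR% rule, the "?" wildcard matching \\CORP_DC_01 and \\CORP_DC_02, the registry path rule expanding to the anti-virus folder, and a hash rule surviving a rename but not a modification), and of the Step 6 "have you allowed too much?" check, here is a constructed Python model. It is not Microsoft's implementation and not code from this report; the environment and registry values, the approved tool and its hash are assumed, and certificate and zone rules are left out.

```python
"""Toy evaluator for Software Restriction Policy (SRP) rule resolution.
Constructed example, not Microsoft's code: a hash rule beats a path rule, a
more specific path rule beats a less specific one, and the default level
applies when nothing matches.  Certificate and zone rules are not modelled."""
import fnmatch
import hashlib
import re

# Environment and registry values assumed for the sample machine (constructed);
# the registry key from Table 7 is expanded exactly like an environment variable.
ENV = {
    "WINDIR": r"C:\WINDOWS",
    "PROGRAMFILES": r"C:\Program Files",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\InoculateIT\6.0\Path\HOME":
        r"C:\CA\InoculateIT",
}
DEFAULT_LEVEL = "Disallowed"  # Table 6 sets the default level to Disallowed
# (pattern, level): the %WINDIR% row follows the text of Table 6, the rest
# are the rows of Tables 6 and 7.
PATH_RULES = [
    (r"%WINDIR%", "Unrestricted"),
    (r"%PROGRAMFILES%", "Unrestricted"),
    (r"%WINDIR%\regedit.exe", "Disallowed"),
    (r"%WINDIR%\system32\cmd.exe", "Disallowed"),
    (r"\\CORP_DC_??\scripts", "Unrestricted"),
    (r"%HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\InoculateIT\6.0\Path\HOME%",
     "Unrestricted"),
]
# Constructed approved tool that must run from the user's profile: a hash rule
# allows it wherever it is copied or renamed, but not once its bytes change.
APPROVED_TOOL = b"@echo off\r\necho approved line-of-business tool\r\n"
HASH_RULES = {hashlib.md5(APPROVED_TOOL).hexdigest(): "Unrestricted"}


def expand(pattern):
    """Replace every %TOKEN% (environment variable or registry key) from ENV."""
    lookup = {k.lower(): v for k, v in ENV.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).lower(), m.group(0)), pattern)


def path_matches(pattern, path):
    """True if `path` is the object the rule names or lies beneath that folder;
    the * and ? wildcards apply within each backslash-separated component."""
    pat_parts = expand(pattern).lower().rstrip("\\").split("\\")
    path_parts = path.lower().split("\\")
    if len(pat_parts) > len(path_parts):
        return False
    return all(fnmatch.fnmatchcase(p, q) for p, q in zip(path_parts, pat_parts))


def evaluate(path, content=None):
    """Return (level, reason) for launching `path` whose bytes are `content`."""
    if content is not None:
        digest = hashlib.md5(content).hexdigest()
        if digest in HASH_RULES:  # hash rules take precedence over path rules
            return HASH_RULES[digest], "hash rule " + digest
    best = None
    for pattern, level in PATH_RULES:
        if path_matches(pattern, path):
            # A longer expanded path is more specific; on a tie, Disallowed wins.
            key = (expand(pattern).count("\\"), level == "Disallowed")
            if best is None or key > best[0]:
                best = (key, level, pattern)
    if best is not None:
        return best[1], "path rule " + best[2]
    return DEFAULT_LEVEL, "default level"


def audit(paths):
    """Step 6 check ('have you allowed too much?'): the level each path gets."""
    return {p: evaluate(p)[0] for p in paths}


if __name__ == "__main__":
    for p, v in audit([r"C:\WINDOWS\regedit.exe", r"C:\WINDOWS\notepad.exe",
                       r"\\CORP_DC_02\scripts\logon.bat"]).items():
        print(p, "->", v)
```

Feeding `audit` the contents of every folder a proposed rule covers shows at a glance which additional programs the rule admits, which is the question Step 6 asks.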
Different Policies for Different Users
In this scenario, there are machines that are shared by many users.
The machines have the same software installed on them, but the
administrator wants to grant a certain group of users access to some
software, and a different group of users access to other software.
There also will be software that is shared between the groups.
Control which programs can run on your computer. For example, you
can apply a policy that does not allow certain file types to run in the e-
mail attachment folder of your e-mail program if you are concerned
about users receiving viruses through e-mail.
Permit users to run only specific files on multiple-user computers. For
example, if you have multiple users on your computers, you can set up
software restriction policies in such a way that users do not have
access to any software except for those specific files that they must
use for their work.
Decide who can add trusted publishers to your computer.
Control whether software restriction policies affect all users or just
certain users on a computer.
Prevent any files from running on your local computer, your
organizational unit, your site, or your domain. For example, if there is a
known virus, you can use software restriction policies to stop the
computer from opening the file that contains the virus. IMPORTANT:
Microsoft recommends that you do not use software restriction policies
as a replacement for antivirus software.
Alternatively, you can create a new GPO, and then click Finish.
Click Close, and then click OK.
In the console tree, go to the following location:
Group Policy Object Computer_name Policy/Computer Configuration or
User Configuration/Windows Settings/Security Settings/Software
Restriction Policies
For an Organizational Unit or a Domain on a Domain Controller
or a Workstation That Has the Administration Tools Pack
Installed
Click Start, point to All Programs, point to Administrative Tools,
and then click Active Directory Users and Computers.
In the console tree, right-click the domain or organizational unit that
you want to set Group Policy for.
Click Properties, and then click the Group Policy tab.
Click an entry in Group Policy Object Links to select an existing
GPO, and then click Edit.
Alternatively, you can click New to create a new GPO, and then click
Edit.
In the console tree, go to the following location:
Group Policy Object Computer_name Policy/Computer Configuration or
User Configuration/Windows Settings/Security Settings/Software
Restriction Policies
For Your Site and on a Domain Controller or a Workstation That
Has the Administration Tools Pack Installed
Click Start, point to All Programs, point to Administrative Tools,
and then click Active Directory Sites and Services.
In the console tree, right-click the site that you want to set Group
Policy for:
Active Directory Sites and Services [Domain_Controller_Name.Domain_Name]
Sites
Site
Alternatively, click New to create a new GPO, and then click Edit.
In the console tree, go to the following location:
Group Policy Object Computer_name Policy/Computer Configuration or
User Configuration/Windows Settings/Security Settings/Software
Restriction Policies
IMPORTANT: Click User Configuration to set policies that will be
applied to users, regardless of the computer to which they log on. Click
Computer Configuration to set policies that will be applied to
computers, regardless of the users who log on to them.
You can also apply software restriction policies to specific users when
they log on to specific computers by using an advanced Group Policy
setting named loopback.
How to Prevent Software Restriction Policies from Applying to
Local Administrators
Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
In the details pane, double-click Enforcement.
Under Apply software restriction policies to the following users,
click All users except local administrators.
NOTES:
You may have to create a new software restriction policy setting for
this GPO if you have not already done so.
Typically, users are members of the local administrator group on their
computers in your organization; therefore, you may not want to turn on
this setting. Software restriction policies do not apply to any users who
are members of their local administrator group.
If you are defining a software restriction policy setting for your local
computer, use this procedure to prevent local administrators from
having software restriction policies applied to them. If you are defining
a software restriction policy setting for your network, filter user policy
settings based on membership in security groups by using Group
Policy.
How to Create a Certificate Rule
Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
In either the console tree or the details pane, right-click Additional
Rules, and then click New Certificate Rule.
Click Browse, and then select a certificate.
Select a security level.
In the Description box, type a description for this rule, and then click
OK.
NOTES:
For information about how to start software restriction policies in MMC,
see "Start software restriction policies" in Related Topics in the
Windows Server 2003 Help file.
You may have to create a new software restriction policy setting for
this GPO if you have not already done so.
By default, certificate rules are not turned on. To turn on certificate
rules:
Click Start, click Run, type regedit, and then click OK.
Locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
In the details pane, double-click AuthenticodeEnabled, and then
change the value data from 0 to 1.
The only file types that are affected by certificate rules are those that
are listed in Designated file types. There is one list of designated file
types that is shared by all rules.
For software restriction policies to take effect, users must update
policy settings by logging off from and then logging on to their
computers.
When more than one rule is applied to policy settings, there is a
precedence of rules for handling conflicts.
How to Create a Hash Rule
Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
In either the console tree or the details pane, right-click Additional
Rules, and then click New Hash Rule.
Click Browse to find a file, or paste a precalculated hash in the File
hash box.
In the Security level box, click either Disallowed or Unrestricted.
In the Description box, type a description for this rule, and then click
OK.
NOTES:
You may have to create a new software restriction policy setting for
this GPO if you have not already done so.
You can create a hash rule for a virus or a Trojan horse to prevent the
malicious software from running.
If you want other users to use a hash rule so that a virus cannot run,
calculate the hash of the virus by using software restriction policies,
and then e-mail the hash value to other users. Never e-mail the virus
itself.
If a virus has been sent through e-mail, you can also create a path rule
to prevent users from running mail attachments.
A file that is renamed or moved to another folder still results in the
same hash.
Any change to a file results in a different hash.
The only file types that are affected by hash rules are those that are
listed in Designated file types. There is one list of designated file
types that is shared by all rules.
For software restriction policies to take effect, users must update
policy settings by logging off from and then logging on to their
computers.
When more than one rule is applied to policy settings, there is a
precedence of rules for handling conflicts.
How to Create an Internet Zone Rule
Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
In the console tree, click Software Restriction Policies.
In either the console tree or the details pane, right-click Additional
Rules, and then click New Internet Zone Rule.
In Internet zone, click an Internet zone.
In the Security Level box, click either Disallowed or Unrestricted,
and then click OK.
NOTES:
You may have to create a new software restriction policy setting for
this GPO if you have not already done so.
Zone rules apply to Windows Installer packages only.
The only file types that are affected by zone rules are those that are
listed in Designated file types. There is one list of designated file
types that is shared by all rules.
For software restriction policies to take effect, users must update
policy settings by logging off from and then logging on to their
computers.
When more than one rule is applied to policy settings, there is a
precedence of rules for handling conflicts.
The wildcard characters that are supported by the path rule are the
asterisk (*) and the question mark (?).
You can use environment variables, such as %programfiles% or
%systemroot%, in your path rule.
To create a path rule for software when you do not know where it is
stored on a computer but you have its registry key, you can create a
registry path rule.
To prevent users from running e-mail attachments, you can create a
path rule for your mail program's attachment folder that prevents
users from running e-mail attachments.
The only file types that are affected by path rules are those that are
listed in Designated file types. There is one list of designated file
types that is shared by all rules.
For software restriction policies to take effect, users must update
policy settings by logging off from and then logging on to their
computers.
When more than one rule is applied to policy settings, there is a
precedence of rules for handling conflicts.
How to Create a Registry Path Rule
Click Start, click Run, type regedit, and then click OK.
In the console tree, right-click the registry key that you want to create
a rule for, and then click Copy Key Name.
Note the value name in the details pane.
Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
In either the console tree or the details pane, right-click Additional
Rules, and then click New Path Rule.
In Path, paste the registry key name and the value name.
Enclose the registry path in percent signs (%), for example:
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PlatformSDK\Directories\InstallDir%
In the Security level box, click either Disallowed or Unrestricted.
In the Description box, type a description for this rule, and then click
OK.
NOTES:
You may have to create a new software restriction policy setting for
this GPO if you have not already done so.
You must be a member of the Administrators group to perform this
procedure.
You must write out the name of the registry hive; you cannot use
abbreviations. For example, you cannot substitute HKCU for
HKEY_CURRENT_USER.
The registry path rule can contain a suffix after the closing percent
sign (%). Do not use a backslash (\) in the suffix. For example, you can
use the following registry path rule:
%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*
The only file types that are affected by path rules are those that are
listed in Designated file types. There is one list of designated file
types that is shared by all rules.
For software restriction policies to take effect, users must update
policy settings by logging off from and then logging on to their
computers.
When more than one rule is applied to policy settings, there is a
precedence of rules for handling conflicts.
How to Add or Delete a Designated File Type
Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
In the details pane, double-click Designated File Types.
Perform one of the following steps as appropriate:
To add a file type, type the file name extension in the File extension
box, and then click Add.
To delete a file type, click the file type in the Designated file types
box, and then click Remove.
How to Change the Default Security Level of Software
Restriction Policies
Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
In the details pane, double-click Security Levels.
Right-click the security level that you want to set as the default, and
then click Set as default.
Rules are created to specify exceptions to the default security level.
When the default security level is set to Unrestricted, rules specify
software that is not allowed to run. When the default security level is
set to Disallowed, rules specify software that is allowed to run.
If you change the default level, you affect all files on the computers
that have software restriction policies applied to them.
At installation, the default security level of software restriction policies
on all files on your computer is set to Unrestricted.
How to Set Trusted Publisher Options
Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
Double-click Trusted Publishers.
Click the users who you want to decide which certificates will be
trusted, and then click OK.