
Microsoft Active Directory 2003 Lockdown through Group Policies: Proposal Document

GATI Pvt Ltd

DOCUMENT DETAILS
Status: Draft
Owner: PS. Chaitanya
Date: Wednesday, 02 December 2009
Version: Microsoft Active Directory 2003
Location: Hyderabad

CHANGE HISTORY
Version        Date    Changed By       Change Description
Windows 2003           PS. Chaitanya

REVIEW PANEL
Version        Date    Name             Designation
Windows 2003           B.Ravi Shanker   Business Head

DISTRIBUTION LIST
Name       Designation
Abinash    Team Leader

APPROVAL PAGE
Designation                                   Name    Signed & Date    Stamped
GATI Pvt Ltd. Customer Representative (IT)
GATI Pvt Ltd. IT Head
Veeras Infotek Pvt. Ltd, IIB Groups, Plot No. 138, Keshav Nagar, Srinagar Colony, Opp. SBI Bank, Hyderabad - 500073

Table of Contents

Objective of the document ............................................. 05
Intended audience ..................................................... 05
Statement of work ..................................................... 06
Resource requirements ................................................. 07
Project Documentation ................................................. 08
How to lock down a Windows Server 2003 Terminal Server session ........ 11
How to Lock Down a User Profile Using Group Policy .................... 15
Present Scenario in GATI Pvt Ltd. ..................................... 12
Proposed Scenario in GATI Pvt Ltd. .................................... 14
------------------------------------------------------------------------------------------------------- 4
Confidential
Prepared By: PS. Chaitanya
Veeras Infotek Pvt. Ltd,
IIB Groups,
Plot No .138, Keshav
Nagar, Srinagar,
Colony, Opp. SBI Bank,
Hyderabad -500073

IIB Groups, Plot No .138,

Keshav Nagar, Srinagar ,

Colony, Opp. SBI Bank ,

Hyderabad -500073


Objective of the document

This document provides an insight into the design and implementation of end point security in accordance with the proposed secure network architecture for securing the IT and network infrastructure of GATI Ltd (hereafter referred to as GATI). The proposed domain structure was arrived at by analysing the flaws and loopholes in the present networking and end-user environment at GATI Ltd, and was further refined through discussions with the IT team of GATI.

End Point Security has been a major area of concern for the
management and the IT Team of GATI.

The purpose of this document is to provide an overview of the proposed model of domain structure for GATI, to ensure a controlled environment in accordance with the IT security policy of GATI. This document refers to the “Network Architecture Report” submitted to GATI.

Intended audience

This document is primarily meant for the Management of GATI. Further distribution of this document is entirely at the discretion of GATI Management.

Scope of the Solution

The current scope of analysing end point security and introducing the domain environment at GATI is not limited to controlling user actions while accessing the information processing facilities; it also covers creating an architecture with enhanced support for centralising the access control procedures, as per the IT security policy rolled out by GATI Management. Efforts have been made to control end-user actions in order to mitigate invasive activities arising from within the local network as well as from the WAN locations.


Statement of work

Based on the preliminary discussions and study we had with the officials of GATI Pvt Ltd., our understanding of the objectives of this assignment is as follows:

• Insecure Logon Procedures to the machines
• Password Management
• Inter-Department Information Access
• Administrative Privileges
• Malware, Malicious Code, Unwanted Program Installation
• Controlled User Actions
• Single Sign-on for Applications
• Controlled Access to Physical Ports such as USB and CD-ROMs
• No changes to registry settings
• Department-wise identified account policies
• Software Restriction Policies
• Windows Update Services
• On-the-Fly Functions
• File-Level Encryption for the data
• Roaming User Profiles

NOTE: All components indicated in this proposal are based on the inputs provided by GATI Pvt Ltd.


Resource Requirements

As with any large technology project, having the right resources for
planning and deployment is essential. The resources that you will
require for an Active Directory branch office deployment fall into three
categories:
• Software Requirements
• Personnel Requirements
Your specific resource requirements will depend on a number of
factors, including project scope, solution features, implementation
schedule, and budget.

Software Requirements

Windows Server 2003 Active Directory.


Personnel Requirements

Active Directory affects your entire organization. It is necessary to establish typical roles within an Active Directory environment and within a project team.
Typical roles within the Active Directory environment are:
• Service administrators
• Data administrators
• Active Directory DNS owner
• OU owner


Project Documentation

Many organizations struggle with implementing the proper security features on a new Windows Server 2003 installation, and some just add security as needed. However, rather than reading through hundreds of pages of documentation and creating custom security templates, there's an easier way: the Security Configuration Wizard.

This wizard contains an XML database that includes every service, feature, and administration option for every different server deployment type. Regardless of whether you're deploying a DNS, Exchange, File and Print, Domain Controller, or any other Windows server, this tool has the settings you need to lock it down.

Run the wizard

The main purpose of this wizard is to implement role-based security on Windows Server 2003. By defining the server's role on the network, you can disable unnecessary services, block unused ports, implement additional address or security restrictions for ports necessary for operation, disable unnecessary IIS Web extensions, and restrict access to server message block (SMB), LanMan, and Lightweight Directory Access Protocol (LDAP) services.

You must have Windows Server 2003 Service Pack 1 installed to run
this wizard. To access the wizard, go to Start | All Programs |
Administrative Tools | Security Configuration Wizard (Scw.exe).

When you first run the tool, it will prompt you to start or install any
network applications (e.g., IIS, Exchange, SQL, etc.) that the server will
use, so it can define the server role and apply the proper security
settings. The wizard will also ask whether you want to create a new
security policy, edit an existing policy, apply a policy, or roll back a
policy. For this example, we're using this tool after initial installation,
so select Create A New Security Policy.

Define the role

At this point, you can select a predefined role for your server from the
wizard's security configuration database. After you select the server
role, the wizard will prompt you to select the client features, additional
administrative options, additional services (for non-Microsoft
applications), and any special handling for these services.

Now, let's take a look at the different sections of the Security Configuration Wizard.

Network security

This section configures inbound ports using the built-in Windows Firewall. The tool bases the displayed settings on the roles and administration options that you've selected. If your organization uses IPSec, you can add further restrictions to access IP services and ports as well as configure encryption for port traffic using IPSec.

Registry settings

This section configures protocols used to communicate with computers on the network. If you have legacy Windows systems operating on your network (pre-Windows 2000), these systems create an additional vulnerability to password-cracking and man-in-the-middle attacks, and they require special configuration to interoperate with Windows Server 2003. You can adjust the security settings of SMB and LDAP services as well as inbound/outbound authentication protocols for these legacy systems.

Audit policy

This section configures the auditing of the server based on your organization's auditing policy. The Audit Policy Editor allows you to configure the server to not audit any events, audit only successful events, or audit both successful and unsuccessful events.

Warning: If you use the wizard to apply the built-in audit security
template to set the System Access Control Lists (SACLs), you cannot
remove these settings through the rollback feature.

Internet Information Services

If this server will function as an IIS server, the wizard will prompt you to
configure the security for the Web server. You can select the Web
service extensions used for dynamic content, virtual directories used
for your Web server, and allow or deny anonymous users from
accessing Web site content.

Final thoughts

While some people might still prefer the pre-Windows Server 2003
method of securing their servers, the Security Configuration Wizard
provides a powerful and easy opportunity to create a role-based
security template that you can apply consistently to every server you
own. If you've been looking for a way to standardize and simplify
security settings for your Windows Server 2003 servers, don't overlook
the Security Configuration Wizard.

For the Active Directory policy implementation, the table below lists common operating systems and whether they can join the domain:

Operating System                     Domain compatible
Windows 95/98/98SE                   No
Windows ME                           No
Windows NT4 Server/Workstation       Yes
Windows 2000 (all versions)          Yes
Windows XP Home Edition              No
Windows XP Professional Edition      Yes
Windows 2003 (all versions)          Yes

How to lock down a Windows Server 2003 Terminal
Server session
You can use Group Policies to lock down a Terminal Server session on a
Microsoft Windows Server 2003-based or Microsoft Windows 2000-
based computer. With the following settings, even the administrator
account will have restricted access. It is highly recommended that you
create a new organizational unit instead of modifying the policies on an
existing one.

Note The use of these policies does not guarantee a secure computer,
and you should use them only as a guideline.

Use Active Directory Users and Computers to create a new organizational unit (OU). Right-click the OU, click Properties, and then on the Group Policy tab, click New Policy. Edit this policy with the following settings:

• [Computer Configuration\Admin Templates\System\Group Policy]

Enable the following setting:

User Group Policy loopback processing mode

• [Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options]

Enable the following settings:

Do not display last user name in logon screen
Restrict CD-ROM access to locally logged-on user only
Restrict floppy access to locally logged-on user only

• [Computer Configuration\Administrative Templates\Windows
Components\Windows Installer]

Enable the following setting, and set it to Always:

Disable Windows Installer

Note The default setting for Disable Windows Installer prevents any non-managed applications from being installed by a non-administrator. Setting Disable Windows Installer to Always may prevent some of the newer updates from Windows Update from being applied. Therefore, we recommend that you only set Disable Windows Installer to Always if there is a specific need or an identified threat that you must address.

• [User Configuration\Windows Settings\Folder Redirection]

Enable the following settings:

Application Data
Desktop
My Documents
Start Menu

• [User Configuration\Administrative Templates\Windows Components\Windows Explorer]

Enable the following settings:

Remove Map Network Drive and Disconnect Network Drive
Remove Search button from Windows Explorer
Disable Windows Explorer's default context menu
Hides the Manage item on the Windows Explorer context menu
Hide these specified drives in My Computer (Enable this setting for A through D.)
Prevent access to drives from My Computer (Enable this setting for A through D.)
Hide Hardware Tab

• [User Configuration\Administrative Templates\Windows Components\Task Scheduler]

Enable the following settings:

Prevent Task Run or End
Disable New Task Creation

• [User Configuration\Administrative Templates\Start Menu & Taskbar]

Enable the following settings:

Disable and remove links to Windows Update
Remove common program groups from Start Menu
Disable programs on Settings Menu
Remove Network & Dial-up Connections from Start Menu
Remove Search menu from Start Menu
Remove Help menu from Start Menu
Remove Run menu from Start Menu
Add Logoff to Start Menu
Disable changes to Taskbar and Start Menu Settings
Disable and remove the Shut Down command or Remove and prevent access to the Shut Down command

Note In Windows 2000, this setting is named Disable and remove the Shut Down command. In Windows Server 2003, this setting is named Remove and prevent access to the Shut Down command.

• [User Configuration\Administrative Templates\Desktop]

Enable the following settings:

Hide My Network Places icon on desktop
Prohibit user from changing My Documents path

• [User Configuration\Administrative Templates\Control Panel]

Enable the following setting:

Disable Control Panel

Important When you enable this setting, you prevent administrators from installing any MSI package on to the Terminal Server, even if the explicit Deny is set for the Administrator account.

• [User Configuration\Administrative Templates\System]

Enable the following settings:

Disable the command prompt (Set Disable scripts to No)
Disable registry editing tools

• [User Configuration\Administrative Templates\System\Logon/Logoff]

Enable the following settings:

Disable Task Manager
Disable Lock Computer

For more information about how to lock down Windows Server 2003
Terminal Server Sessions, visit the following Web site:
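As an added example (not part of the original proposal), the PowerShell script below checks which of the Terminal Server lockdown settings listed above are actually in force, by reading the registry values their Administrative Template policies write. The policy-to-registry mapping is reproduced from the standard ADM templates as I know them and should be verified against the .adm files on the domain controller; the script assumes Windows PowerShell 2.0 or later is installed on the server.

```powershell
# Added example, not part of the GATI proposal: check which of the Terminal Server
# lockdown policies listed above are in force. Each policy is mapped to the registry
# value its Administrative Template writes (mapping reproduced from the standard ADM
# templates as I know them; verify it against the .adm files on the domain controller).
# HKLM entries come from Computer Configuration; HKCU entries from User Configuration,
# which reach every user on the server once loopback processing is enabled.
# Run it in the locked-down user's session after "gpupdate /force" so that the values
# inspected are the ones that session actually received. Needs PowerShell 2.0 or later.

$Explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$System   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

$Checks = @(
    # ---- Computer Configuration ----
    @{ Policy = 'User Group Policy loopback processing mode (1 = Merge, 2 = Replace)';
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; Name = 'UserPolicyMode'; Expect = @(1, 2) },
    @{ Policy = 'Do not display last user name in logon screen';
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DontDisplayLastUserName'; Expect = @(1) },
    @{ Policy = 'Restrict CD-ROM access to locally logged-on user only'; Path = $Winlogon; Name = 'AllocateCDRoms';   Expect = @('1') },
    @{ Policy = 'Restrict floppy access to locally logged-on user only'; Path = $Winlogon; Name = 'AllocateFloppies'; Expect = @('1') },
    @{ Policy = 'Disable Windows Installer (Always)';
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'; Name = 'DisableMSI'; Expect = @(2) },
    # ---- User Configuration: Windows Explorer ----
    @{ Policy = 'Remove Map Network Drive and Disconnect Network Drive'; Path = $Explorer; Name = 'NoNetConnectDisconnect'; Expect = @(1) },
    @{ Policy = 'Remove Search button from Windows Explorer';            Path = $Explorer; Name = 'NoShellSearchButton';    Expect = @(1) },
    @{ Policy = "Disable Windows Explorer's default context menu";       Path = $Explorer; Name = 'NoViewContextMenu';      Expect = @(1) },
    @{ Policy = 'Hide the Manage item on the Explorer context menu';     Path = $Explorer; Name = 'NoManageMyComputerVerb'; Expect = @(1) },
    @{ Policy = 'Hide these specified drives in My Computer (A-D)';      Path = $Explorer; Name = 'NoDrives';      Expect = @(15) },  # bitmask A=1 B=2 C=4 D=8
    @{ Policy = 'Prevent access to drives from My Computer (A-D)';       Path = $Explorer; Name = 'NoViewOnDrive'; Expect = @(15) },
    # ---- User Configuration: Start Menu & Taskbar, Desktop, Control Panel ----
    @{ Policy = 'Disable and remove links to Windows Update';            Path = $Explorer; Name = 'NoWindowsUpdate';      Expect = @(1) },
    @{ Policy = 'Remove common program groups from Start Menu';         Path = $Explorer; Name = 'NoCommonGroups';       Expect = @(1) },
    @{ Policy = 'Remove Search menu from Start Menu';                   Path = $Explorer; Name = 'NoFind';               Expect = @(1) },
    @{ Policy = 'Remove Help menu from Start Menu';                     Path = $Explorer; Name = 'NoSMHelp';             Expect = @(1) },
    @{ Policy = 'Remove Run menu from Start Menu';                      Path = $Explorer; Name = 'NoRun';                Expect = @(1) },
    @{ Policy = 'Add Logoff to Start Menu';                             Path = $Explorer; Name = 'ForceStartMenuLogOff'; Expect = @(1) },
    @{ Policy = 'Disable changes to Taskbar and Start Menu Settings';   Path = $Explorer; Name = 'NoSetTaskbar';         Expect = @(1) },
    @{ Policy = 'Remove and prevent access to the Shut Down command';   Path = $Explorer; Name = 'NoClose';              Expect = @(1) },
    @{ Policy = 'Hide My Network Places icon on desktop';               Path = $Explorer; Name = 'NoNetHood';            Expect = @(1) },
    @{ Policy = 'Disable Control Panel';                                Path = $Explorer; Name = 'NoControlPanel';       Expect = @(1) },
    # ---- User Configuration: System, Logon/Logoff ----
    @{ Policy = 'Disable the command prompt (scripts still allowed)';
       Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'; Name = 'DisableCMD'; Expect = @(2) },
    @{ Policy = 'Disable registry editing tools'; Path = $System; Name = 'DisableRegistryTools';   Expect = @(1) },
    @{ Policy = 'Disable Task Manager';           Path = $System; Name = 'DisableTaskMgr';         Expect = @(1) },
    @{ Policy = 'Disable Lock Computer';          Path = $System; Name = 'DisableLockWorkstation'; Expect = @(1) }
)

function Test-LockdownPolicy([hashtable]$Check) {
    # Read the single value; a missing key or missing value both come back as $null.
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    if ($item -eq $null) {
        $actual = $null
        $status = 'NOT CONFIGURED'
    } else {
        $actual = $item.($Check.Name)
        if ($Check.Expect -contains $actual) { $status = 'APPLIED' } else { $status = 'UNEXPECTED VALUE' }
    }
    New-Object PSObject -Property @{
        Status   = $status
        Policy   = $Check.Policy
        Value    = $actual
        Registry = '{0}\{1}' -f $Check.Path, $Check.Name
    }
}

$results = @($Checks | ForEach-Object { Test-LockdownPolicy $_ })
$results | Format-Table Status, Policy, Value -AutoSize

# Anything not APPLIED is a gap between the policy as designed and the session as delivered.
$gaps = @($results | Where-Object { $_.Status -ne 'APPLIED' })
'{0} of {1} lockdown settings applied; {2} need attention:' -f ($results.Count - $gaps.Count), $results.Count, $gaps.Count
$gaps | ForEach-Object { '  {0,-16} {1}' -f $_.Status, $_.Registry }
```

A NOT CONFIGURED result for an HKCU entry while the HKLM entries are applied usually means loopback processing has not taken effect for that session yet.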

How to Lock Down a User Profile Using Group Policy

Group Policy Settings

• Open up Active Directory Users and Computers
• Select the OU where the user account resides
• Right click and select properties
• Click the Group Policy tab
• Click the New button to create a new policy
• Give the policy a name and click the edit button
• Navigate to Computer Configuration\Windows Settings\Restricted Groups. Right click and select Add Group. Click the Browse button. Type in Administrators and click OK. Click OK again. Click the Add button next to Members for this group. Type in the user account name to be locked down and click OK. Click OK again. Repeat if necessary. Click OK when finished. The reason I do this is to avoid any issues with running applications. This is not a mandatory step.
• From here on out I will list the policies that need to be enabled or disabled.
• User Configuration\Administrative Templates\Windows Components\Windows Explorer
• Remove the Folder Options menu item from the Tools menu - Enabled
• Remove File menu from Windows Explorer - Enabled
• Remove "Map Network Drive" and "Disconnect Network Drive" - Enabled
• Remove Search button from Windows Explorer - Enabled
• Remove Windows Explorer's default context menu - Enabled
• Hides the Manage item on the Windows Explorer context menu - Enabled
• Hide these specified drives in My Computer - Enabled
• This option is configurable to your needs. You can restrict all drives, some drives or whatever you may need.
• User Configuration\Administrative Templates\Windows Components\Windows Messenger
• Do not allow Windows Messenger to run - Enabled
• User Configuration\Administrative Templates\Start Menu and Task Bar
• Remove user's folder from the Start Menu - Enabled
• Remove links and access to Windows Update - Enabled
• Remove My Documents from Start Menu - Enabled
• Remove Documents menu from Start Menu - Enabled
• Remove programs on Settings menu - Enabled
• Remove Network Connections from Start Menu - Enabled
• Remove Favorites from Start Menu - Enabled
• Remove Search from Start Menu - Enabled
• Remove Help from Start Menu - Enabled
• Remove Run from Start Menu - Enabled
• Remove My Pictures icon from Start Menu - Enabled
• Remove My Music icon from Start Menu - Enabled
• Remove My Network Places icon from Start Menu - Enabled
• Add logoff to the Start Menu - Enabled
• Remove Drag-and-Drop context menus on the Start Menu - Enabled
• Prevent changes to Taskbar and Start Menu Settings - Enabled
• Remove access to the context menus for the taskbar - Enabled
• Do not keep history of recently opened documents - Enabled
• Clear history of recently opened documents on exit - Enabled
• Lock the taskbar - Enabled
• Remove Balloon Tips on Start Menu items - Enabled
• Remove All Programs list from the Start Menu - Enabled
• Remove user name from Start Menu - Enabled
• Hide the notification area - Enabled
• Do not display any custom toolbars in the taskbar - Enabled
• Remove Set Program Access and Defaults from the Start Menu - Enabled
• User Configuration\Administrative Templates\Desktop
• Remove My Documents icon on the desktop - Enabled
• Remove Recycle Bin icon from desktop - Enabled
• Remove Properties from the My Documents context menu - Enabled
• Remove Properties from the Recycle Bin context menu - Enabled
• Hide My Network Places on the desktop - Enabled
• Hide Internet Explorer icon on desktop - Enabled
• Do not add shares of recently opened documents to My Network Places - Enabled
• Prevent adding, dragging, dropping and closing the Taskbar's toolbars - Enabled
• Prohibit adjusting desktop toolbars - Enabled
• User Configuration\Administrative Templates\Control Panel
• Prohibit access to the Control Panel
• User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options
• Remove Task Manager - Enabled
• Remove Change Password - Enabled
• You may have noticed there were no changes made to Internet Explorer settings. My environment does not have internet access so these settings are unnecessary but your environment may have access to the internet and you should explore those settings. I have a list of policy changes for IE and if you need them send me a message and I will fill you in.
• Don't be afraid to try different settings out. This works for my environment and it may not be suitable for you.
• Once these policies are changed run gpupdate /force from the command line and reboot the Windows XP computer. Log in as the user you created and check out what little access this user has.

Prevent unauthorized software on the network with software restriction policies

Software restriction policies are a part of Microsoft's security and management strategy to assist enterprises in increasing the reliability, integrity, and manageability of their computers. Software restriction policies are one of many new management features in Windows XP and Windows Server 2003.

This section provides an in-depth look at how software restriction policies can be used to:
• Fight viruses
• Regulate which ActiveX controls can be downloaded
• Run only digitally signed scripts

• Enforce that only approved software is installed on system computers
• Lock down a machine

Software Restriction Policy Architecture

A software restriction policy has three components:

• An administrator creates the policy by using the Group Policy Microsoft Management Console (MMC) snap-in for a particular Active Directory container: site, domain, or organizational unit.
• The policy is downloaded from the domain controller to the client machine, where it overrides the local policy and is applied to the machine. User policies apply the next time a user logs on. Machine policies apply when a machine starts up.
• When a user starts a program or script, the operating system or scripting host checks the policy and enforces it.

By default a software restriction policy offers two security levels: Unrestricted or Disallowed.

A software restriction policy is created using the MMC Group Policy


snap-in. A policy consists of a default rule about whether programs are
allowed to run, and exceptions to that rule. The default rule can be set
to Unrestricted or Disallowed—essentially run or don't run.
Setting the default rule to Unrestricted allows an administrator to
define exceptions; for example, the set of programs that are not
allowed to run. A more secure approach is to set the default rule to
Disallowed and specify only the programs that are known and trusted
to run.
Default Security Level
There are two ways to use software restriction policies:
If an administrator knows all of the software that should run,
then a software restriction policy can be applied to control execution to
only this list of trusted applications.
If all the applications that users might run are not known, then
administrators can step in and disallow undesired applications or file
types as needed.
Four Rules Identify Software
The purpose of a rule is to identify one or more software applications,
and specify whether or not they are allowed to run. Creating rules
largely consists of identifying software that is an exception to the
------------------------------------------------------------------------------------------------------- 34
Confidential
Prepared By: PS. Chaitanya
Veeras Infotek Pvt. Ltd,
IIB Groups,
Plot No .138, Keshav
Nagar, Srinagar,
Colony, Opp. SBI Bank,
Hyderabad -500073

IIB Groups, Plot No .138,

Keshav Nagar, Srinagar ,

Colony, Opp. SBI Bank ,

Hyderabad -500073
default rule. Each rule can include descriptive text to help
communicate why the rule was created.
A software restriction policy supports the following four ways to identify software:
Hash—A cryptographic fingerprint of the file. A hash rule matches the file wherever it is stored and whatever it is renamed to, but it must be recreated whenever the file is updated.
Certificate—A software publisher certificate used to digitally sign a file.
Path—The local or universal naming convention (UNC) path of where the file is stored. Path rules accept environment variables and the * and ? wildcards, and a registry path rule can point at a folder whose location is recorded in a registry value.
Zone—The Internet Explorer security zone (Internet, Local intranet, Trusted sites, Restricted sites, or Local computer) from which a file was downloaded. Zone rules apply only to Windows Installer packages.
When more than one rule matches a file, the more specific rule wins: hash rules take precedence over certificate rules, certificate rules over path rules, and path rules over zone rules. Among path rules, the rule with the more specific path wins, so a rule on %WINDIR%\system32\cmd.exe overrides a rule on %WINDIR%.

Software Restriction Policy Options
This section discusses the various options that influence the behavior of a software restriction policy. These options alter the scope of enforcement behavior or the Authenticode trust settings for digitally signed files.

Enforcement Options
There are two enforcement options: DLL checking and Skip
Administrators.
DLL Checking

A program such as Internet Explorer consists of an executable file, iexplore.exe, and many supporting dynamic link libraries (DLLs). By default, software restriction policy rules are not enforced against DLLs. This is the recommended option for most customers, for three reasons:
Disallowing the main executable file prevents the program from running, so there is no need to disallow all of its constituent DLLs.
DLL checking degrades performance. If a user runs 10 programs during a logon session, the software restriction policy is evaluated 10 times. If DLL checking is turned on, the policy is also evaluated for each DLL load within each program; if each program uses 20 DLLs, that is 10 executable checks plus 200 DLL checks, so the policy is evaluated 210 times.
If the default security level is set to Disallowed, then not only must the main executable file be identified to allow it to run, but all of its constituent DLLs must be identified as well, which is burdensome.
DLL checking is provided as an option for environments that want the highest assurance possible when running programs. While viruses primarily target executables for infection, some target DLLs. To ensure that a program has not been infected, you can use a set of hash rules that identify the executable and all of its required DLLs; such hash rules must be recreated after every update that replaces one of those files.
To turn on DLL checking, select the following option in the Enforcement Properties dialog box:
Apply software restriction policies to the following > All software files
Skip Administrators
An administrator may want to disallow the running of programs for
most users, but allow administrators to run anything. For example, a
customer may have a shared machine that multiple users connect to
using Terminal Server. The administrator may want users to be able to
run only specific applications on the machine, but allow members of
the local administrators group to run anything. To do this, use the Skip
Administrators option.
If the software restriction policy is created in a GPO attached to an
object in Active Directory, the preferred way to skip administrators is
to deny the Apply Group Policy permission on the GPO to a group
containing the administrators. This way less network traffic is
consumed downloading GPO settings that do not apply to
administrators. However, software restriction policies defined in Local
Security Policy objects have no way to filter based on users. In this
case the Skip Administrators option should be used.
To turn on Skip Administrators:
Select the following option in the Enforcement Properties dialog box, as shown in Figure 2 above:
Apply software restriction policies to the following users > All users except local administrators
Note: The Skip Administrators option is only valid for machine (Computer Configuration) policies.
Defining Executables
The Designated File Types dialog box shown in Figure 3 below lists
the file types to which the software restriction policy applies. The
designated file types are file types that are considered executable. For
example, a screen saver file (SCR), is considered executable because
when double-clicked in Windows Explorer it is loaded as a program.
The rules in a software restriction policy only apply to the file types
listed in the Designated File Types dialog box. If your environment uses
a file type that you want to be able to set rules on, add it to the list. For
example, if you use Perl scripting files, you may choose to add .pl and
other file types associated with the Perl engine to the Designated File
Types list.

Trusted Publishers

The Trusted Publishers options shown in Figure 4 below allow you to configure settings related to ActiveX® controls and other signed content. Table 3 shows the Trusted Publisher options related to the use of ActiveX controls and other signed content.
Table 3 Trusted Publisher Tasks and Settings
Setting: Task
Enterprise Administrators: allow only domain administrators to make decisions regarding signed active content.
Local computer Administrators: allow local machine administrators to make all decisions regarding signed active content.
End Users: allow any user to make decisions regarding signed active content.
Publisher: ensure that the certificate used by the software publisher has not been revoked.
Timestamp: ensure that the certificate used by the organization that time-stamped the active content has not been revoked.
Scope of Software Restriction Policies
Software restriction policies do not apply to the following:
Drivers or other kernel mode software.
Any program run by the SYSTEM account.
Macros inside of Microsoft Office 2000 or Office XP documents.
Programs written for the common language runtime. (These programs
use the Code Access Security Policy.)

Software Restriction Policy Design
This section covers how software restriction policies are administered
using Group Policy snap-ins, things to be concerned about when
editing a policy for the first time, and what's involved in applying a
software restriction policy to a group of users.
Integration with Group Policy
Software restriction policies are administered using the following Group
Policy snap-ins:
Domain Policy
To set up a domain policy
Click Start, then Run; type dsa.msc and click OK.

Right-click on domain or OU, then click Properties > Group Policy tab
>New/Edit.
Local Security Policy
To set up a local security policy
Click Start, then Run; type secpol.msc, then click OK.
To create a policy, select the Software Restriction Policies node and choose New Software Restriction Policies from the Action menu. No rules or options exist until this has been done.
Applying a Software Restriction Policy to a Group of Users
A software restriction policy is delivered through Group Policy to a site,
domain, or organizational unit. However, an administrator may want to
apply a software restriction policy to a group of users within a domain.
To do this, the administrator can use GPO filtering.

Designing a Software Restriction Policy
This section outlines the steps to follow when designing a software
restriction policy.
Items to Address
When designing a policy, decisions need to be made regarding the
following items:
GPO or local security policy
User or machine policy
Default security level
Additional rules
Policy options
Linking the policy to a site, domain, or organizational unit
Stepping Through the Process
Step 1. GPO or Local Security Policy
Should the policy apply to many machines or users in a domain or
organizational unit, or should it only apply to the local machine?
If the policy should apply to many machines or users in a domain or
other Active Directory container, use a GPO.
If your policy should only apply to the local machine, use the Local
Security Policy.
Step 2. User or Machine Policy
Should the policy apply to users regardless of where they log in, or to a
machine regardless of who logs in?
If you want the policy to apply to a specific group of users, for example
the Marketing Department domain group, then you need a user policy.
If you want the policy to apply to a set of machines and all the users
that log on to those machines, then you need a machine policy.
Step 3. Default Security Level
Do you know all of the software your users will be running, or can they
install any software they choose?
If you know all of the software your users will be running, you should
set the default security level to Disallowed.
If users can install any software they want, set the default security
level to Unrestricted.
Step 4. Additional Rules
Identify the applications you choose to allow or disallow using the four
rule types outlined in the Software Restriction Policy Architecture
section above.
To see which rules make sense for your policy, refer to Table 1. When
to Use Each Rule, above.
To create additional rules, refer to the Step-by-step Guide for Creating
Additional Rules, below.
Step 5. Policy Options
There are several policy options:
If you are using a local security policy, and do not want the policy to
apply to administrators on the machine, set the Skip Administrators
option.
If you want to check DLLs in addition to executables and scripts, turn
on the DLL checking option.
If you want to set rules on file types that are not in the default list of
designated file types, then add additional file types.

If you want to change who can make decisions about downloading
ActiveX controls and other signed content, set Trusted Publishers
options.
Step 6. Linking the Policy to a Site, Domain, or Organizational Unit
To link a GPO to a site:
Use the Active Directory Sites and Services snap-in.
Right-click the site to which you want to link the GPO, and select Properties.
Select the Group Policy tab to create, edit, and manage GPOs.
To link a GPO to a domain or OU:
Use the Active Directory Users and Computers snap-in.
Right-click the domain or OU to which you want to link the GPO, and select Properties.
Select the Group Policy tab to create, edit, and manage GPOs.
Filtering
GPO filtering can be done at this stage. You can have a portion of an
OU receive a GPO by filtering based on group membership. You can
also filter based on a WMI query.
Testing A Policy

If you want to test your policy immediately, instead of waiting for the next Group Policy refresh interval, run gpupdate.exe (gpupdate /force reapplies all settings) and log on again to test your policy. The policy is checked when a program starts, so programs that were already running before the refresh are not affected.
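The two questions to answer after gpupdate are whether the policy actually reached the machine and what it has blocked. The script below is an added example, not part of this proposal or of Microsoft's documentation. It reads the applied software restriction policy back from the registry location Windows XP and Windows Server 2003 use for it, lists every path, hash and zone rule, and reports the block events that Windows writes to the Application log. It assumes PowerShell 2.0 on the machine being tested; the label tables ($levelNames, $enforceNames, $scopeNames, $blockReason) and the function names are mine.

```powershell
# Added example, not part of the GATI proposal or of Microsoft's documentation.
# Read back the software restriction policy that reached this machine after
# gpupdate, and list what it has blocked. Assumes PowerShell 2.0 and the
# registry layout Windows XP / Server 2003 use to store SRP settings; the
# label tables and function names are mine.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'   # machine policy
# A user policy lands under HKCU:\ with the same relative layout.

$levelNames   = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
$enforceNames = @{ 0 = 'off'; 1 = 'executables only'; 2 = 'all software files (DLL checking)' }
$scopeNames   = @{ 0 = 'all users'; 1 = 'all users except local administrators' }

function Get-SrpSummary {
    if (-not (Test-Path -Path $base)) { throw "No software restriction policy is applied at $base" }
    $p = Get-ItemProperty -Path $base
    New-Object PSObject -Property @{
        DefaultLevel    = $levelNames[[int]$p.DefaultLevel]
        Enforcement     = $enforceNames[[int]$p.TransparentEnabled]
        Scope           = $scopeNames[[int]$p.PolicyScope]
        DesignatedTypes = ($p.ExecutableTypes -join ' ')
        VerboseLogFile  = $p.LogFileName   # REG_SZ; set it to a file path to log every SRP decision
    }
}

function Get-SrpRules {
    # Rules live under <level>\Paths, <level>\Hashes and <level>\UrlZones, one GUID subkey per rule.
    foreach ($level in $levelNames.Keys) {
        foreach ($kind in 'Paths', 'Hashes', 'UrlZones') {
            $key = Join-Path -Path $base -ChildPath "$level\$kind"
            if (-not (Test-Path -Path $key)) { continue }
            foreach ($sub in Get-ChildItem -Path $key) {
                $r = Get-ItemProperty -Path $sub.PSPath
                $item = $r.ItemData
                if ($kind -eq 'Hashes') {
                    # hash rules store the digest as REG_BINARY plus the size of the file it was taken from
                    $hex  = ($r.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
                    $item = "$hex size=$($r.ItemSize) file=$($r.FriendlyName)"
                }
                New-Object PSObject -Property @{
                    Level       = $levelNames[$level]
                    Type        = $kind
                    Item        = $item
                    Description = $r.Description
                }
            }
        }
    }
}

function Get-SrpBlockEvents([int]$hours = 24) {
    # Blocked starts are logged to the Application log, source "Software Restriction Policies";
    # the event ID says which kind of rule produced the block.
    $blockReason = @{ 865 = 'default level'; 866 = 'path rule'; 867 = 'certificate rule'; 868 = 'zone rule'; 882 = 'hash rule' }
    Get-EventLog -LogName Application -Source 'Software Restriction Policies' -After (Get-Date).AddHours(-$hours) -ErrorAction SilentlyContinue |
        Where-Object { $blockReason.ContainsKey($_.EventID) } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Time      = $_.TimeGenerated
                User      = $_.UserName
                BlockedBy = $blockReason[$_.EventID]
                Message   = $_.Message
            }
        }
}

Get-SrpSummary | Format-List DefaultLevel, Enforcement, Scope, DesignatedTypes, VerboseLogFile
Get-SrpRules | Sort-Object Level, Type | Format-Table Level, Type, Item, Description -AutoSize
Get-SrpBlockEvents | Format-Table Time, User, BlockedBy, Message -AutoSize -Wrap
```

Run it as the test user on the test machine: the summary should show the default level, enforcement and scope you configured in Steps 3 and 5, and the rule list should match your Tables of additional rules. A rule that is missing here was filtered out or not applied, not merely not yet effective. The block events are the quickest way to see which rule stopped a program during testing, and to catch legitimate programs (logon scripts, anti-virus) that the policy is blocking by mistake.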

Step-by-Step Guide for Creating Additional Rules
The following steps are helpful when creating additional rules. To
illustrate the principles behind the steps, each one illustrates an
example of creating rules for Microsoft Office XP.
Step 1. List the Software Applications
List the software you are trying to identify. For our Office XP example,
the software consists of Microsoft Word, Excel, PowerPoint®, and
Outlook®.
Step 2. Decide Rule Type
Refer to Table 1. When to Use Each Rule, above, to decide which rule
type to use. Also determine the security level for your rule. For our
example, we use path rules set to the Unrestricted security level.
Step 3. Record the Folders Where the Software is Installed
List the paths where the software is installed. Three ways to do this
include:
You can look at the Target property of a shortcut to the file.

Start each program, then click Start, Run, and type msinfo32.exe. In msinfo32, select Software Environment and then Running Tasks.
You can also use the following command: wmic.exe process get ExecutablePath,ProcessId
For our example, you will see the following tasks running:
"C:\Program Files\Microsoft Office\Office10\WINWORD.EXE"
"C:\Program Files\Microsoft Office\Office10\EXCEL.EXE"
"C:\Program Files\Microsoft Office\Office10\POWERPNT.EXE"
"C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE"
Step 4. Identify Dependent Programs
Some programs launch other programs to perform tasks. Your software
application may depend on one or more supporting programs. For
example, Microsoft Word launches the Microsoft Clip Organizer to
manage clipart. The Microsoft Clip Organizer uses the following
programs:
C:\Program Files\Microsoft Office\Office10\MSTORDB.EXE
C:\Program Files\Microsoft Office\Office10\MSTORE.EXE
Microsoft Office also uses files in the C:\Program Files\Common Files
folder
Step 5. Generalize the Rules

In this step you should group related rules together to create a more
general rule. Consider using environment variables, wild cards, and
registry path rules.
Continuing our example, each program is stored in C:\Program
Files\Microsoft Office\Office10, so it is sufficient to use one path rule for
that folder instead of four separate path rules. Also, if Office is always
installed in the Program Files folder on your machines, use an
environment variable instead of an explicit path. Thus, our proposed
rules are:
%ProgramFiles%\Microsoft Office\Office10
%ProgramFiles%\Common Files
Step 6. Have You Allowed Too Much?
This is the step where you look at what else is allowed by the rules you
have proposed. Creating a rule that is too general may allow programs
to run that you did not intend. The Office10 folder in our example also
contains:
FINDER.EXE
OSA.EXE
MCDLC.EXE
WAVTOASF.EXE
Because these programs are acceptable to run, we do not have to
change our rules.
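Steps 3 to 6 above are one procedure, and it is worth automating on a reference machine so that the candidate rules are derived from what actually runs rather than from memory. The script below is an added example, not part of this proposal or of Microsoft's documentation. It collects the executable paths of the running processes (the same data as the wmic command in Step 3), rewrites well-known roots as the environment variables SRP expands in path rules (Step 5), reduces the result to one rule per folder, and for each folder lists the other executable files the rule would also allow (Step 6). Start the applications to be allowed first, then run it as an administrator. It assumes PowerShell 2.0; the $roots table and the $designated list are mine, and the list should be trimmed to the designated file types of your policy.

```powershell
# Added example, not part of the GATI proposal or of Microsoft's documentation.
# Walks Steps 3 to 6 of the guide on a reference machine: record where the
# running programs live, generalize the folders into SRP path rules, and
# show what else each candidate rule would allow. Start the applications to
# be allowed first, then run this as an administrator. Assumes PowerShell 2.0;
# the $roots table and $designated list are mine.

# Step 3: the same data "wmic.exe process get ExecutablePath" returns.
$running = Get-WmiObject -Class Win32_Process |
    Where-Object { $_.ExecutablePath } |
    ForEach-Object { $_.ExecutablePath } |
    Sort-Object -Unique

# Step 5: replace well-known roots with the environment variables that
# SRP expands in path rules, then reduce each file to its folder.
$roots = @{
    '%ProgramFiles%' = $env:ProgramFiles
    '%WINDIR%'       = $env:WINDIR
    '%USERPROFILE%'  = $env:USERPROFILE
}

function ConvertTo-SrpPath([string]$path) {
    foreach ($var in $roots.Keys) {
        $root = $roots[$var]
        if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $var + $path.Substring($root.Length)
        }
    }
    return $path
}

$folders = $running |
    ForEach-Object { ConvertTo-SrpPath (Split-Path -Path $_ -Parent) } |
    Sort-Object -Unique

# Step 6: list what else each folder contains that the policy would treat
# as executable. A folder that holds much more than the program you meant
# to allow, or that sits under the user profile, is too broad for a path rule.
$designated = 'exe','com','bat','cmd','vbs','vbe','js','jse','wsf','wsh','msi','scr','pif','hta','reg','lnk'
"Proposed path rules, security level Unrestricted:"
foreach ($f in $folders) {
    if ($f -like '%USERPROFILE%*') {
        Write-Warning "Program starts from the user profile; a path rule there allows anything the user copies in: $f"
    }
    "  $f"
    $real   = [System.Environment]::ExpandEnvironmentVariables($f)
    $others = Get-ChildItem -Path $real -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Where-Object { $designated -contains $_.Extension.TrimStart('.').ToLower() } |
        Where-Object { $running -notcontains $_.FullName } |
        ForEach-Object { $_.Name }
    if ($others) { "    also allows: " + ($others -join ', ') }
}
```

For the Office XP example this prints a single %ProgramFiles%\Microsoft Office\Office10 rule and, under it, the FINDER.EXE, OSA.EXE, MCDLC.EXE and WAVTOASF.EXE files that the rule also admits. Programs that the inventory places under %USERPROFILE% should get a hash rule or be installed elsewhere rather than a path rule, for the reason given in the Line-of-Business PC scenario below.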

Commonly Overlooked Rules


When designing a policy, consider the following areas when creating
rules.
Login Scripts
Login scripts are stored on a central server. Often this central server
can change with each login. If your default rule is Disallowed, be sure
to create rules that identify the locations of your log on scripts.
Consider using wildcards to identify these locations if the log on
servers have similar names.
System File Protection
System File Protection keeps backup copies of many system programs in a folder named dllcache. These programs can be started by a user who knows the full path to the backup copy. If you want to disallow users running programs contained in the backup folder, create the following rule:
%WINDIR%\system32\dllcache, Disallowed
Common Startup Locations
Windows has many locations that contain links to programs that run at
start up. If you don't make provisions for these programs, users will
receive error messages when they log in.
Common startup locations include:
%USERPROFILE%\Start Menu\Programs\Startup
%ALLUSERSPROFILE%\Start Menu\Programs\Startup
Win.ini and System.ini lines beginning with "run=" and "load="
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Virus Scanning Programs
Most anti-virus software has a real-time scanner program that starts
when the user logs in and scans all files accessed by the user, looking
for possible virus contamination. Make sure your rules allow your virus
scanning programs to run.

Scenarios
This section examines some typical problems and how software
restriction policies can be used to solve them.
Block Malicious Scripts
An organization wants to be protected from script-based viruses. However, many organizations use VBS files for systems management and logon scripts. Blocking all VBS files from running protects the organization, but a VBS can no longer be used for legitimate purposes. A software restriction policy overcomes this handicap by blocking the undesirable VBS files while allowing legitimate ones to run.
This policy can be created using the rules in Table 4.
Table 4 Rules for Blocking Malicious Scripts
Default Security Level: Unrestricted
Path Rules
*.VBS Disallowed
*.VBE Disallowed
*.JS Disallowed
*.JSE Disallowed
*.WSF Disallowed
*.WSH Disallowed
Certificate Rules
IT Department Certificate Unrestricted
This policy prevents all scripting files associated with the Windows Scripting Host from running, except those that are digitally signed by the IT Department certificate; the certificate rule wins because certificate rules take precedence over path rules. See the Appendix below for how to obtain a certificate and digitally sign files.
Manage Software Installation
You can configure your organization's machines so that only approved
software can be installed. For software that uses Windows Installer
technology, this can be accomplished by the policy shown in Table 5.
Table 5 Rules for Managing Software Installation
Default Security Level: Unrestricted
Path Rules
*.MSI Disallowed
\\products\install\PROPLUS.MSI Unrestricted
Certificate Rules
IT Department Certificate Unrestricted
This policy prevents all Windows Installer packages from installing, except MSI files digitally signed by the IT department certificate and the PROPLUS.MSI package located at \\products\install. See the Appendix below for how to obtain a certificate and digitally sign files.
This policy also shows how rule precedence lets you allow just the software you want: the fully qualified path rule for \\products\install\PROPLUS.MSI is more specific than the *.MSI rule and so overrides it, and a certificate rule overrides any path rule. For any other package that your organization cannot or does not want to digitally sign, you can create hash rules, or fully qualified path rules, to make exceptions for them.
Note that a path rule on a share only identifies where the package is launched from, not what it contains: anyone who can write to \\products\install can replace PROPLUS.MSI. Restrict write access to the share, or use a hash rule if the package rarely changes.
Line-of-Business PC
In some cases an administrator may want to manage all of the
software that runs on a machine. This is because even when users
have insufficient rights to replace system files or files in shared folders
such as Program Files, if they have a place on the file system they can
write to, then they can also copy a program there and start it up.

Viruses contracted this way can damage the system by modifying operating system settings and files; they can also cause great damage by misusing the user's privileges. For example, mass-mailer worms can be spread by accessing the user's address book and sending mail. Even normal users on a system are vulnerable to this kind of attack.
As long as users are not administrators on their local machines, the policy in Table 6 protects them from accidentally running malicious code. Because users cannot modify the contents of the Program Files or Windows folders, they can only run software installed by an administrator. Confirm that this holds on your build: the default permissions on Windows XP and Windows Server 2003 leave a few subfolders of the Windows folder (the Temp and Tasks folders, for example) writable by ordinary users, and any user-writable folder under an Unrestricted path rule is a place from which a user can start a program of their own choosing. Cover such folders with more specific Disallowed rules, as done for dllcache under Commonly Overlooked Rules above.
Table 6 Policy for Managing all Software on a Machine
Default Security Level: Disallowed
Apply software restriction policies to the following users: All users except local administrators
Path Rules
%WINDIR% Unrestricted
%PROGRAMFILES% Unrestricted
This policy disallows all software on the user's machine, except that
installed in the Windows directory, Program Files directory, or their
respective subfolders. It does not apply to administrators.
If a user receives a virus attachment in an e-mail, for example
WORM.vbs, the mail program will copy it to the profile directory
(%USERPROFILE%) and launch it from there. Because the profile
directory is not a subfolder of the Windows folder or the Program Files
folder, programs launched from there will not run.
If all the programs a user needs are not installed in %WINDIR% or
%PROGRAMFILES%, or there are programs in those folders that the
administrator does not want the user running, the administrator can
make additional exceptions as shown in Table 7.
Table 7 Exceptions for Managing all Software on a Machine
Path Rules
%WINDIR%\regedit.exe Disallowed
%WINDIR%\system32\cmd.exe Disallowed
\\CORP_DC_??\scripts Unrestricted
%HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\InoculateIT\6.0\Path\HOME% Unrestricted
The effects of these exceptions are:
Both the command prompt (cmd.exe) and the registry editor (regedit.exe) are disallowed. These rules override the Unrestricted %WINDIR% rule because the more specific path takes precedence. Note that batch (.bat and .cmd) logon scripts are executed by cmd.exe, so do not disallow it if you rely on them.
An exception is created to allow login scripts to run on the user's machine. The use of the "?" wildcard allows the rule to match \\CORP_DC_01, \\CORP_DC_02, and so on.
A registry path rule is added that allows the anti-virus software on the machine to run from wherever the product's HOME value in the registry points.
Different Policies for Different Users
In this scenario, there are machines that are shared by many users.
The machines have the same software installed on them, but the
administrator wants to grant a certain group of users access to some
software, and a different group of users access to other software.
There also will be software that is shared between the groups.
With software restriction policies, you can perform the following tasks:

Control which programs can run on your computer. For example, you
can apply a policy that does not allow certain file types to run in the e-
mail attachment folder of your e-mail program if you are concerned
about users receiving viruses through e-mail.
Permit users to run only specific files on multiple-user computers. For
example, if you have multiple users on your computers, you can set up
software restriction policies in such a way that users do not have
access to any software except for those specific files that they must
use for their work.
Decide who can add trusted publishers to your computer.
Control whether software restriction policies affect all users or just
certain users on a computer.
Prevent any files from running on your local computer, your organizational unit, your site, or your domain. For example, if there is a known virus, you can use software restriction policies to stop the computer from opening the file that contains the virus.
IMPORTANT: Microsoft recommends that you do not use software restriction policies as a replacement for antivirus software.

How to Start Software Restriction Policies
For the Local Computer Only
Click Start, point to Programs, point to Administrative Tools, and
then click Local Security Policy.
In the console tree, expand Security Settings, and then expand
Software Restriction Policies.
For a Domain, a Site, or an Organizational Unit on a Member
Server or a Workstation That Is Joined to a Domain
Open Microsoft Management Console (MMC). To do so, click Start,
click Run, type mmc, and then click OK.
On the File menu, click Add/Remove Snap-in, and then click Add.
Click Group Policy Object Editor, and then click Add.
In Select Group Policy Object, click Browse.
In Browse for a Group Policy Object, select an existing Group Policy object (GPO) in the appropriate domain, site, or organizational unit, or create a new GPO, and then click Finish.
Click Close, and then click OK.
In the console tree, go to the following location:
Group Policy Object [Computer_name] Policy/Computer Configuration or User Configuration/Windows Settings/Security Settings/Software Restriction Policies
For an Organizational Unit or a Domain on a Domain Controller
or a Workstation That Has the Administration Tools Pack
Installed
Click Start, point to All Programs, point to Administrative Tools,
and then click Active Directory Users and Computers.
In the console tree, right-click the domain or organizational unit that
you want to set Group Policy for.
Click Properties, and then click the Group Policy tab.
Click an entry in Group Policy Object Links to select an existing
GPO, and then click Edit.

Alternatively, you can click New to create a new GPO, and then click
Edit.
In the console tree, go to the following location:
Group Policy Object Computer_name Policy/Computer Configuration or
User Configuration/Windows Settings/Security Settings/Software
Restriction Policies
For Your Site and on a Domain Controller or a Workstation That
Has the Administration Tools Pack Installed
Click Start, point to All Programs, point to Administrative Tools,
and then click Active Directory Sites and Services.
In the console tree, right-click the site that you want to set Group Policy for, under:
Active Directory Sites and Services [Domain_Controller_Name.Domain_Name]
Sites
Site
Click Properties, and then click the Group Policy tab.
Click an entry in Group Policy Object Links to select an existing Group Policy object (GPO), and then click Edit. Alternatively, click New to create a new GPO, and then click Edit.
In the console tree, go to the following location:
Group Policy Object Computer_name Policy/Computer Configuration or
User Configuration/Windows Settings/Security Settings/Software
Restriction Policies
IMPORTANT: Click User Configuration to set policies that will be
applied to users, regardless of the computer to which they log on. Click
Computer Configuration to set policies that will be applied to
computers, regardless of the users who log on to them.

You can also apply software restriction policies to specific users only
when they log on to specific computers (for example, a stricter policy
for everyone who logs on to a terminal server) by using the advanced
Group Policy setting User Group Policy loopback processing mode.
How to Prevent Software Restriction Policies from Applying to
Local Administrators
Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
In the details pane, double-click Enforcement.
Under Apply software restriction policies to the following users,
click All users except local administrators.
NOTES:
You may have to create a new software restriction policy setting for
this GPO if you have not already done so.
If you select this option, software restriction policies do not apply to
any user who is a member of the local Administrators group on the
computer. In an organization where ordinary users are members of that
group on their own computers, selecting it therefore switches the policy
off for exactly the accounts it was meant to restrict; leave the default
(All users) unless local administrator rights really are limited to IT
staff.
If you are defining a software restriction policy setting for your local
computer, use this procedure to prevent local administrators from
having software restriction policies applied to them. If you are defining
a software restriction policy setting for your network, filter user policy
settings based on membership in security groups by using Group
Policy security filtering instead.
How to Create a Certificate Rule
Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
In either the console tree or the details pane, right-click Additional
Rules, and then click New Certificate Rule.
Click Browse, and then select a certificate.
Select a security level.
In the Description box, type a description for this rule, and then click
OK.
NOTES:
For information about how to start software restriction policies in MMC,
see "Start software restriction policies" in Related Topics in the
Windows Server 2003 Help file.
You may have to create a new software restriction policy setting for
this GPO if you have not already done so.
By default, certificate rules are not turned on, so a certificate rule
that you create is ignored until you enable them. To turn on certificate
rules on a computer:
Click Start, click Run, type regedit, and then click OK.
Locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
In the details pane, double-click AuthenticodeEnabled, and then
change the value data from 0 to 1.
The same value is controlled by the security option "System settings:
Use Certificate Rules on Windows Executables for Software Restriction
Policies" (Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options), which is the way to turn
certificate rules on for many computers through a GPO instead of
editing each registry by hand. Certificate rules are off by default
because verifying the signature on every program start costs time.
The only file types that are affected by certificate rules are those that
are listed in Designated file types. There is one list of designated file
types that is shared by all rules.
For software restriction policies to take effect, users must update
policy settings by logging off from and then logging on to their
computers.
When more than one rule applies to the same file, rules are evaluated
in the order hash rule, certificate rule, path rule, Internet zone rule,
and then the default security level. Among path rules the more specific
path wins (a rule for a file beats a rule for its folder, which beats a
rule for a parent folder). When two rules match equally but set
different security levels, the more restrictive one (Disallowed) takes
precedence.
How to Create a Hash Rule
Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
In either the console tree or the details pane, right-click Additional
Rules, and then click New Hash Rule.
Click Browse to find a file, or paste a precalculated hash in the File
hash box.
In the Security level box, click either Disallowed or Unrestricted.

In the Description box, type a description for this rule, and then click
OK.
NOTES:
You may have to create a new software restriction policy setting for
this GPO if you have not already done so.
You can create a hash rule for a virus or a Trojan horse to prevent the
malicious software from running.
If you want other users to use a hash rule so that a virus cannot run,
calculate the hash of the virus by using software restriction policies,
and then e-mail the hash value to other users. Never e-mail the virus
itself.
If a virus has been sent through e-mail, you can also create a path rule
to prevent users from running mail attachments.
A file that is renamed or moved to another folder still results in the
same hash.
Any change to a file results in a different hash.
The only file types that are affected by hash rules are those that are
listed in Designated file types. There is one list of designated file
types that is shared by all rules.
For software restriction policies to take effect, users must update
policy settings by logging off from and then logging on to their
computers.
When more than one rule is applied to policy settings, there is a
precedence of rules for handling conflicts.
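As an added example (not from the original document or from Microsoft's KB text), the following PowerShell computes the value that the File hash box accepts for a file and shows why the two notes above hold: a renamed copy produces the same rule, and a one-byte change produces a different one. It assumes the Windows XP/2003 hash rule format, an MD5 hash followed by the file length in bytes and the algorithm identifier 32771 (CALG_MD5); compare its output with one rule created in the GUI before pasting values from it. The sample files are constructed by the script.

```powershell
# Added example: build the SRP hash rule string for a file.
# Assumption: XP/2003 SRP hash rules are "<md5 hex>:<length in bytes>:32771",
# where 32771 (0x8003) is CALG_MD5. Verify against a GUI-created rule first.
function Get-SaferHashRule {
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $md5   = [System.Security.Cryptography.MD5]::Create()
    $hex   = ($md5.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
    # The rule matches only if hash AND length agree, so both are part of the value.
    return ('{0}:{1}:{2}' -f $hex, $bytes.Length, 32771)
}

# Constructed sample files stand in for the binary you want to block.
$work = Join-Path $env:TEMP 'srp-hash-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null

$original = Join-Path $work 'dropper.bat'
[System.IO.File]::WriteAllBytes($original, [System.Text.Encoding]::ASCII.GetBytes("@echo off`r`nstart calc.exe`r`n"))

# Same bytes under another name and extension: the hash rule still matches.
$renamed = Join-Path $work 'quarterly-report.pdf.bat'
Copy-Item -Path $original -Destination $renamed -Force

# One extra byte (a trailing space): the hash rule no longer matches, so a
# repacked or recompiled sample needs a rule of its own.
$modified = Join-Path $work 'dropper-v2.bat'
[System.IO.File]::WriteAllBytes($modified, [System.Text.Encoding]::ASCII.GetBytes("@echo off`r`nstart calc.exe `r`n"))

$ruleA = Get-SaferHashRule $original
$ruleB = Get-SaferHashRule $renamed
$ruleC = Get-SaferHashRule $modified

"Original : $ruleA"
"Renamed  : $ruleB  (matches original: $($ruleA -eq $ruleB))"
"Modified : $ruleC  (matches original: $($ruleA -eq $ruleC))"
```

Paste the Original line into the File hash box of New Hash Rule with the security level Disallowed. Because a hash rule covers one exact build, pair it with a path or certificate rule where you can, and, as the notes above say, circulate only the hash value and never the sample itself.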
How to Create an Internet Zone Rule

Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
In the console tree, click Software Restriction Policies.
In either the console tree or the details pane, right-click Additional
Rules, and then click New Internet Zone Rule.
In Internet zone, click an Internet zone.
In the Security Level box, click either Disallowed or Unrestricted,
and then click OK.
NOTES:
You may have to create a new software restriction policy setting for
this GPO if you have not already done so.
Zone rules apply to Windows Installer packages only.
The only file types that are affected by zone rules are those that are
listed in Designated file types. There is one list of designated file
types that is shared by all rules.
For software restriction policies to take effect, users must update
policy settings by logging off from and then logging on to their
computers.
When more than one rule is applied to policy settings, there is a
precedence of rules for handling conflicts.

How to Create a Path Rule


Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
In either the console tree or the details pane, right-click Additional
Rules, and then click New Path Rule.
In the Path box, type a path or click Browse to find a file or folder.
In the Security level box, click either Disallowed or Unrestricted.
In the Description box, type a description for this rule, and then click
OK.
IMPORTANT: On certain folders, such as the Windows folder,
setting the security level to Disallowed can adversely affect the
operation of your operating system. Make sure that you do not disallow
a crucial component of the operating system or one of its dependent
programs.
NOTES:
You may have to create a new software restriction policy setting for
this GPO if you have not already done so.
If you create a path rule for a program with a security level of
Disallowed, a user can still run the software by copying it to another
location: a path rule matches where a file is, not what it is. To block
a specific program wherever it is stored, use a hash rule or a
certificate rule; to allow only known locations, set the default level to
Disallowed and create Unrestricted path rules only for folders that
users cannot write to.
The wildcard characters that are supported by the path rule are the
asterisk (*) and the question mark (?).
You can use environment variables, such as %programfiles% or
%systemroot%, in your path rule.
To create a path rule for software when you do not know where it is
stored on a computer but you have its registry key, you can create a
registry path rule.
To prevent users from running e-mail attachments, create a Disallowed
path rule for your mail program's attachment folder.
The only file types that are affected by path rules are those that are
listed in Designated file types. There is one list of designated file
types that is shared by all rules.
For software restriction policies to take effect, users must update
policy settings by logging off from and then logging on to their
computers.
When more than one rule is applied to policy settings, there is a
precedence of rules for handling conflicts.
How to Create a Registry Path Rule
Click Start, click Run, type regedit, and then click OK.
In the console tree, right-click the registry key that you want to create
a rule for, and then click Copy Key Name.
Note the value name in the details pane.
Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
In either the console tree or the details pane, right-click Additional
Rules, and then click New Path Rule.
In Path, paste the registry key name and the value name.
Enclose the registry path in percent signs (%), for example:
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PlatformSDK\Directories\InstallDir%
In the Security level box, click either Disallowed or Unrestricted.
In the Description box, type a description for this rule, and then click
OK.
NOTES:
You may have to create a new software restriction policy setting for
this GPO if you have not already done so.
You must be a member of the Administrators group to perform this
procedure.

Format the registry path as follows:
%Registry Hive\Registry Key Name\Value Name%
You must write out the name of the registry hive; you cannot use
abbreviations. For example, you cannot substitute HKCU for
HKEY_CURRENT_USER.
The registry path rule can contain a suffix after the closing percent
sign (%). Do not use a backslash (\) in the suffix. For example, you can
use the following registry path rule:
%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*
The only file types that are affected by path rules are those that are
listed in Designated file types. There is one list of designated file
types that is shared by all rules.
For software restriction policies to take effect, users must update
policy settings by logging off from and then logging on to their
computers.
When more than one rule is applied to policy settings, there is a
precedence of rules for handling conflicts.
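The note that a Disallowed path rule can be bypassed by copying the file elsewhere, and the registry path rule procedure above, have a practical converse: in a policy whose default level is Disallowed, every Unrestricted path rule is only as safe as the permissions inside that path. The PowerShell below is an added example, not part of the original document. It expands path rules in both forms (environment variable, and registry path with an optional suffix) and lists directories under them that members of Users or Authenticated Users can write to. The rule list is constructed for the example and uses the two registry path rules that Windows creates automatically for a new policy plus one ordinary path rule; the identity names assume an English Windows installation, and the ACL check is deliberately coarse (Allow entries for the named groups only, no evaluation of Deny entries or nested group membership).

```powershell
# Added example: expand SRP path rules and find user-writable directories
# inside Unrestricted paths (the copy-it-somewhere-allowed bypass).

function Expand-SaferPath {
    param([string]$Rule)
    # Registry path rule: %HIVE\Key\ValueName%suffix, hive spelled out in full.
    if ($Rule -match '^%(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\(.+)\\([^\\%]+)%(.*)$') {
        $drive = @{ 'HKEY_LOCAL_MACHINE' = 'HKLM:'; 'HKEY_CURRENT_USER' = 'HKCU:' }[$matches[1]]
        $key   = "$drive\$($matches[2])"
        $name  = $matches[3]
        $data  = (Get-ItemProperty -Path $key -Name $name).$name
        return ([System.Environment]::ExpandEnvironmentVariables($data) + $matches[4])
    }
    # Ordinary path rule: %SystemRoot%, %ProgramFiles% and so on.
    return [System.Environment]::ExpandEnvironmentVariables($Rule)
}

# Principals that stand for "any logged-on, non-administrative user" (English names).
$lowPrivilege = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE')
# WriteData = create files, AppendData = create sub-folders.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]::WriteData -bor [int][System.Security.AccessControl.FileSystemRights]::AppendData

function Test-UserWritable {
    param([string]$Directory)
    $acl = Get-Acl -Path $Directory -ErrorAction SilentlyContinue
    if ($acl -eq $null) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivilege -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeBits) -ne 0) { return $true }
    }
    return $false
}

# Constructed rule list: the two registry path rules Windows adds to a new policy
# (Unrestricted), plus an ordinary path rule of the kind an administrator might add.
$unrestrictedRules = @(
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%',
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%',
    '%SystemRoot%\System32\spool'
)

foreach ($rule in $unrestrictedRules) {
    $root = Expand-SaferPath $rule
    "Unrestricted: $rule"
    "   expands to: $root"
    if (Test-UserWritable $root) { "   user-writable: $root" }
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and (Test-UserWritable $_.FullName) } |
        ForEach-Object { "   user-writable: $($_.FullName)" }
}
```

Every directory it lists is a place from which a user can launch whatever they copy there unless a more specific Disallowed path rule covers it, and the more specific rule wins, so each such folder should get a Disallowed rule of its own. Prefer registry path rules and fixed paths over environment variables in Unrestricted rules: environment variables are not protected by ACLs, and a user who can open a command prompt can redefine one to point at a folder of their choosing.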
How to Add or Delete a Designated File Type
Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
In the details pane, double-click Designated File Types.
Perform one of the following steps as appropriate:

To add a file type, type the file name extension in the File extension
box, and then click Add.
To delete a file type, click the file type in the Designated file types
box, and then click Remove.
How to Change the Default Security Level of Software
Restriction Policies
Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
In the details pane, double-click Security Levels.
Right-click the security level that you want to set as the default, and
then click Set as default.

CAUTION: If you set the default security level to Disallowed,
everything that is not covered by an Unrestricted rule stops running,
operating system components included. Keep the Unrestricted path rules
that Windows creates for the Windows and Program Files folders, and test
the policy on a pilot computer before you link the GPO to an
organizational unit.
NOTES:
You may have to create a new software restriction policy setting for
this GPO if you have not already done so.
In the details pane, the current default security level is indicated by a
black circle with a check mark in it. If you right-click the current default
security level, the Set as default command does not appear in the
menu.
Rules are created to specify exceptions to the default security level.
When the default security level is set to Unrestricted, rules specify
software that is not allowed to run. When the default security level is
set to Disallowed, rules specify software that is allowed to run.
If you change the default level, you affect all files on the computers
that have software restriction policies applied to them.
At installation, the default security level of software restriction policies
on all files on your computer is set to Unrestricted.
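The procedures for Enforcement, for enabling certificate rules, for Designated File Types and for the default security level all end up as values under one registry key on every computer the policy reaches, whether it came from local policy or from a domain GPO. The PowerShell below, an added example that is not part of the original document, reads that key back so the effective state can be checked on a pilot computer after the log-off and log-on the notes call for. The value names and level numbers are the ones Windows XP/2003 use for Safer; the list of script extensions it flags as missing is an assumption about what a GATI policy should cover and is not taken from this document.

```powershell
# Added example: read back the effective software restriction policy on this computer.
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levelNames = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Restricted'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SaferValue {
    param([string]$Name, $Default)
    $item = Get-ItemProperty -Path $safer -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $Default }
    return $item.$Name
}

if (-not (Test-Path $safer)) { throw "No software restriction policy is applied on this computer ($safer is absent)." }

$defaultLevel = Get-SaferValue 'DefaultLevel'        262144   # Unrestricted unless changed
$scope        = Get-SaferValue 'PolicyScope'         0        # 0 = all users, 1 = all users except local administrators
$transparent  = Get-SaferValue 'TransparentEnabled'  1        # 1 = skip libraries (DLLs), 2 = check all software files
$certRules    = Get-SaferValue 'AuthenticodeEnabled' 0        # 1 = certificate rules are evaluated
$fileTypes    = Get-SaferValue 'ExecutableTypes'     @()      # the Designated File Types list

"Default security level : $($levelNames[[int]$defaultLevel]) ($defaultLevel)"
"Applies to             : " + $(if ($scope -eq 1) { 'all users EXCEPT local administrators' } else { 'all users' })
"Checks DLLs            : " + $(if ($transparent -eq 2) { 'yes' } else { 'no' })
"Certificate rules      : " + $(if ($certRules -eq 1) { 'enabled' } else { 'disabled (AuthenticodeEnabled=0)' })
"Designated file types  : " + $(if ($fileTypes.Count -gt 0) { $fileTypes -join ' ' } else { '(built-in default list)' })

# Script extensions worth having in the designated list; which ones to require is an assumption.
$wanted  = 'VBS', 'VBE', 'JS', 'JSE', 'WSF', 'WSH', 'PS1'
$missing = @($wanted | Where-Object { $fileTypes -notcontains $_ })
if ($fileTypes.Count -gt 0 -and $missing.Count -gt 0) { "Not in designated file types: $($missing -join ', ')" }
if ($scope -eq 1) { "WARNING: users who are local administrators are exempt from every rule." }

# Every rule lives under <level>\Paths or <level>\Hashes as a GUID-named subkey.
# Path rules are shown with environment variables already expanded by Get-ItemProperty.
foreach ($levelKey in Get-ChildItem -Path $safer | Where-Object { $_.PSChildName -match '^\d+$' }) {
    $level = [int]$levelKey.PSChildName
    foreach ($kind in 'Paths', 'Hashes') {
        $container = Join-Path $levelKey.PSPath $kind
        if (-not (Test-Path $container)) { continue }
        foreach ($ruleKey in Get-ChildItem -Path $container) {
            $rule = Get-ItemProperty -Path $ruleKey.PSPath
            if ($kind -eq 'Paths') {
                $detail = $rule.ItemData
            } else {
                $hex    = ($rule.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
                $detail = "$hex ($($rule.ItemSize) bytes)"
            }
            '{0,-12} {1,-5} {2}  {3}' -f $levelNames[[int]$level], $kind.Substring(0, 4), $detail, $rule.Description
        }
    }
}
```

Run it on the pilot computer, compare the printed rules with what the GPO editor shows, and keep the output with the change record: it is the evidence that the policy the GPO describes is the policy the computer enforces.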
How to Set Trusted Publisher Options
Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
Double-click Trusted Publishers.
Select which users (end users, local computer administrators, or
enterprise administrators) are allowed to decide which publisher
certificates are trusted, and then click OK. Allowing end users to
choose trusted publishers lets any user accept signed software from a
signer of their choice; in a locked-down environment limit the choice
to local computer administrators or enterprise administrators.
