
How to Use the GPOAccelerator

Version 3.0
Published: November 2007 | Updated: February 2008
For the latest information, please see
microsoft.com/solutionaccelerators
Copyright © 2008 Microsoft Corporation. All rights reserved. Complying with the applicable copyright laws is
your responsibility. By using or providing feedback on this documentation, you agree to the license agreement
below.

If you are using this documentation solely for non-commercial purposes internally within YOUR company or
organization, then this documentation is licensed to you under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or
send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

This documentation is provided to you for informational purposes only, and is provided to you entirely "AS IS".
Your use of the documentation cannot be understood as substituting for customized service and information
that might be developed by Microsoft Corporation for a particular user based upon that user’s particular
environment. To the extent permitted by law, MICROSOFT MAKES NO WARRANTY OF ANY KIND, DISCLAIMS
ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY
DAMAGES OF ANY TYPE IN CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM.

Microsoft may have patents, patent applications, trademarks, or other intellectual property rights covering
subject matter within this documentation. Except as provided in a separate agreement from Microsoft, your
use of this document does not give you any license to these patents, trademarks or other intellectual property.

Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious.

Microsoft, Access, Active Directory, ActiveX, Excel, InfoPath, Internet Explorer, Outlook, PowerPoint, Visual
Basic, Windows, Windows Server, Windows Vista, and Windows XP are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective
owners.

You have no obligation to give Microsoft any suggestions, comments or other feedback ("Feedback") relating to
the documentation. However, if you do provide any Feedback to Microsoft then you provide to Microsoft,
without charge, the right to use, share and commercialize your Feedback in any way and for any purpose. You
also give to third parties, without charge, any patent rights needed for their products, technologies and
services to use or interface with any specific parts of a Microsoft software or service that includes the Feedback.
You will not give Feedback that is subject to a license that requires Microsoft to license its software or
documentation to third parties because we include your Feedback in them.
Contents
Overview ........................................................................................................ 1
What the GPOAccelerator Does ...................................................................... 1
Who Should Read This Guide ......................................................................... 1
How to Use the GPOAccelerator in Your Environment ........................................ 2
Prescribed Security Baseline Environments ................................................ 2
Using the /LAB Option to Evaluate the Security Guide Settings ..................... 3
Chapter Descriptions..................................................................................... 3
Acknowledgments ........................................................................................ 4
Chapter 1: GPOAccelerator Command-Line Options and User Interface .......... 7
The Group Policy Management Console ........................................................... 7
Two Different Security Environments .............................................................. 7
Options for the GPOAccelerator ...................................................................... 8
Common GPOAccelerator Commands .............................................................. 9
GPOAccelerator User Interface ......................................................................12
Chapter 2: Using the GPOAccelerator with Windows Server 2008................. 15
Implementing the Security Policies ................................................................15
Implementation Tasks ............................................................................15
The GPOAccelerator Tool ........................................................................16
Security Templates ................................................................................24
Subdirectories and Files ..........................................................................25
More Information ........................................................................................26
Chapter 3: Using the GPOAccelerator with Windows Vista ............................ 27
Implementing the Security Policies ................................................................27
Implementation Tasks ............................................................................27
The GPOAccelerator Tool ........................................................................28
Security Templates ................................................................................35
Subdirectories and Files ..........................................................................37
More Information ........................................................................................37
Chapter 4: Using the GPOAccelerator with Windows XP ............................... 39
Implementing the Security Policies ................................................................39
Implementation Tasks ............................................................................39
The GPOAccelerator Tool ........................................................................40
ii How To Use the GPOAccelerator

Security Templates ................................................................................47
Subdirectories and Files ..........................................................................48
More Information ........................................................................................48
Chapter 5: Using the GPOAccelerator with the 2007 Microsoft Office Release ................ 49
Using the GPOAccelerator to Test and Deploy Your Office Security Guide GPO Design ........50
Design Test Tasks ..................................................................................50
Deploying the Design in a Production Environment ..........................................52
Index ............................................................................................................ 53
Overview
This guide will help you test and deploy the security settings that are defined in the
following security guides:
Windows XP Security Guide
Windows Vista Security Guide
Windows Server 2008 Security Guide
2007 Microsoft Office Security Guide
Each security guide provides recommendations and a methodology to help secure
computers that run these Microsoft products. The methodology involves the use of Group
Policy in an environment that uses Active Directory® Domain Services (AD DS). Group
Policy objects (GPOs) are collections of settings that you can apply to computers and
users.
The security guidance also describes recommended settings for different security
environments. The easiest way to deploy these recommended settings is by using the
GPOAccelerator, a tool created by Microsoft to deploy the settings.
This guide provides instructions for using the GPOAccelerator that you can use to test
and deploy the recommended settings in the referenced security guidance. The settings
you deploy with the GPOAccelerator depend on which guide you are using.
Microsoft recommends that you secure the operating system(s) that run on your client
computers, as well as the 2007 Microsoft® Office release. To do so, read this Overview,
then Chapter 1, "GPOAccelerator Command-Line Options and User Interface," and finally
the relevant chapter or chapters for the products that you want to secure.
Important Read the appropriate security guide and design your security strategy before
you use the GPOAccelerator.

What the GPOAccelerator Does


The GPOAccelerator creates all the GPOs that you need to deploy the recommended
security settings for your environment. This functionality saves many hours of work that
would otherwise be needed to configure and deploy security settings manually.

Who Should Read This Guide


This guide supplements the security guides for Windows® XP, Windows Vista®,
Windows Server® 2008, and the 2007 Microsoft Office release. It is primarily intended for
IT generalists, security specialists, network architects, and other IT professionals and
consultants who plan application or infrastructure development for both desktop and
laptop client computers in an enterprise environment. This guidance is not intended for
home users. Microsoft recommends that you use this guidance only after reading one of
the referenced security guides.

This guidance assumes the following knowledge and skills:


MCSE on Windows Server® 2003 or a later certification and two or more years of
security-related experience, or equivalent knowledge.
In-depth knowledge of the organization’s domain and Active Directory environments.
Experience in the administration of Group Policy using the Group Policy Management
Console (GPMC), Gpupdate, and Gpresult.

How to Use the GPOAccelerator in Your Environment
The GPOAccelerator helps you deploy GPOs in your environment, which requires careful
planning and testing. This section describes a way to test and deploy the GPOs
described in the Windows XP Security Guide, the Windows Vista Security Guide, the
Windows Server 2008 Security Guide, and the 2007 Microsoft Office Security Guide.
If you want to use the GPOAccelerator to harden Office applications in your environment,
be sure to first use the tool to harden the operating system environment with the
information specified in Chapter 1, "GPOAccelerator Command-Line Options and User
Interface." Using these commands and options enables you to establish one of the
prescribed security baselines defined in the following section. Then you can use the tool
to apply the guidance for the 2007 Office Security Guide GPOs, which is described in
Chapter 5, "Using the GPOAccelerator with the 2007 Microsoft Office System."

Prescribed Security Baseline Environments


The baseline GPOs that the GPOAccelerator helps you to deploy provide a combination
of tested settings that enhance security for computers running these operating systems
and applications in the following two distinct environments:
Enterprise Client (EC)
Specialized Security – Limited Functionality (SSLF)

The Enterprise Client (EC) Environment


The Enterprise Client (EC) environment referred to in this guidance consists of a domain
using AD DS in which computers running Windows Server 2008 with Active Directory
manage client computers that can run either Windows Vista or Windows XP, and
member servers running Windows Server 2008 or Windows Server 2003 R2.
The domain controllers, member servers, and client computers are managed in this
environment through Group Policy, which is applied to sites, domains, and OUs. Group
Policy provides a centralized infrastructure within AD DS that enables directory-based
change and configuration management of user and computer settings, including security
and user data. The Group Policy this guide prescribes does not support client computers
running Windows® 2000.

The Specialized Security – Limited Functionality (SSLF) Environment


The Specialized Security – Limited Functionality (SSLF) baseline in this guide addresses
the demand to help create highly secure environments for computers running Windows
Server® 2008. Concern for security is so great in these environments that a significant
loss of functionality and manageability is acceptable. The Enterprise Client (EC) security
baseline helps provide enhanced security that allows sufficient functionality of the
operating system and applications for the majority of organizations.
Caution The SSLF security settings are not intended for the majority of enterprise
organizations. To successfully implement the SSLF settings, organizations must thoroughly test
the settings in their environment to ensure that the prescribed security configurations do not limit
required functionality.

If you decide to test and deploy the SSLF configuration settings to servers in your
environment, the IT resources in your organization may experience an increase in help
desk calls related to the limited functionality that the settings impose. Although the
configuration for this environment provides a higher level of security for data and the
network, it also prevents some services from running that your organization may require.
Examples of this include Remote Desktop, which allows users to connect interactively to
desktops and applications on remote computers.

Using the /LAB Option to Evaluate the Security Guide Settings
The GPOAccelerator /LAB option creates the OUs and GPOs that are discussed in the
referenced security guides, and then links the GPOs to the OUs. Microsoft recommends
that you first use the GPOAccelerator /LAB option in a test environment that uses
AD DS.

Chapter Descriptions
In addition to this Overview, the How to Use the GPOAccelerator guidance consists of
the following five chapters:
Chapter 1: GPOAccelerator Command-Line Options and User Interface.
This chapter describes how to use the tool to create and deploy GPOs in your
organization, the tool's functional capabilities, and the wizard for the tool.
Chapter 2: Using the GPOAccelerator with Windows Server 2008.
This chapter provides step-by-step guidance about how to use the tool to create and
deploy GPOs for Windows Server 2008. It describes how to use the /LAB option, test
a customized Windows Server 2008 GPO design in a lab environment, and deploy a
customized Windows Server 2008 GPO design in a production environment.
Chapter 3: Using the GPOAccelerator with Windows Vista.
This chapter provides step-by-step guidance about how to use the tool to create and
deploy GPOs for Windows Vista. It describes how to use the /LAB option, test a
customized Windows Vista GPO design in a lab environment, and deploy a
customized Windows Vista GPO design in a production environment.

Chapter 4: Using the GPOAccelerator with Windows XP.


This chapter provides step-by-step guidance about how to use the tool to create and
deploy GPOs for Windows XP. It describes how to use the /LAB option, test a
customized Windows XP GPO design in a lab environment, and deploy a customized
Windows XP GPO design in a production environment.
Chapter 5: Using the GPOAccelerator with the 2007 Microsoft Office System.
This chapter provides step-by-step guidance about how to use the tool to create and
deploy GPOs for the following six applications in the 2007 Office release:
Microsoft Office Access™ 2007
Microsoft Office Excel® 2007
Microsoft Office InfoPath® 2007
Microsoft Office Outlook® 2007
Microsoft Office PowerPoint® 2007
Microsoft Office Word 2007
It describes how to test a customized 2007 Office GPO design in a lab environment
and deploy a customized 2007 Office GPO design in a production environment.

Acknowledgments
The SA-SC team would like to acknowledge and thank the group of people who produced
How to Use the GPOAccelerator. The following individuals were either directly
responsible or made a substantial contribution to the writing, development, and testing of
this guide.
Content Developers
Bill Gruber – Microsoft
Bill Wade – Wadeware LLC
Edgar Brovick – Wadeware LLC
Ethan Casey – Wadeware LLC
Paul Slater – Wadeware LLC
Developers
José Maldonado – Microsoft
Ross Carter – Microsoft
Naresh Krishna Kumar Kulothungan – Infosys Technologies Ltd.
Editors
Jennifer Kerns – Wadeware LLC
John Cobb – Wadeware LLC
Steve Wacker – Wadeware LLC

Reviewers
Derick Campbell – Microsoft
Chase Carpenter – Microsoft
Product Managers
Alain Meeus – Microsoft
Jim Stuart – Microsoft
Program Managers
Flicka Enloe – Microsoft
Kelly Hengesteg – Microsoft
Vlad Pigin – Microsoft
Release Manager
Karina Larson – Microsoft
Test Manager
Gaurav Singh Bora – Microsoft
Testers
Beenu Venugopal – Infosys Technologies Ltd.
Bhakti Bhalerao – Infosys Technologies Ltd.
Harish Ananthapadmaanabhan – Infosys Technologies Ltd.
IndiraDevi Chandran – Infosys Technologies Ltd.
RaxitKumar Gajjar – Infosys Technologies Ltd.
Sumit Parikh – Infosys Technologies Ltd.
Swaminathan Viswanathan – Infosys Technologies Ltd.
Chapter 1: GPOAccelerator Command-Line Options and User Interface
This chapter documents the GPOAccelerator commands and options that you will use to
deploy Group Policy objects (GPOs) in an environment that uses Active Directory®
Domain Services (AD DS). After you deploy the GPOs, you will use the Group Policy
Management Console (GPMC) to manage them.

The Group Policy Management Console


The GPMC helps you manage your enterprise more efficiently by combining the
functionality of multiple tools: the snap-ins for Active Directory Users and Computers,
Active Directory Sites and Services, and Resultant Set of Policy. It consists of a Microsoft
Management Console (MMC) snap-in and a set of scriptable interfaces. This guide
provides instructions for using the GPMC to manage the GPOs that the security guides
install.
For detailed instructions about how to use the GPMC, see the Step-by-Step Guide to
Using the Group Policy.

Two Different Security Environments


The security guides describe setting recommendations for two different security
environments: the Enterprise Client (EC) environment and the Specialized Security –
Limited Functionality (SSLF) environment. The GPOs for each environment are different
because they have different security requirements.
The EC environment represents an organization with typical security needs. It is suitable
for midsize and large organizations that seek to balance security and functionality.
The SSLF environment represents a less typical organization, one in which security is
paramount. It is suitable only for midsize and large organizations that have stringent
security standards, and for which security is more important than application functionality.
Caution The SSLF security settings are not intended for the majority of enterprise
organizations. To successfully implement the SSLF settings, organizations must thoroughly test
the settings in their environment to ensure that the prescribed security configurations do not limit
required functionality.

More information about these two types of environments is provided in the respective
security guides for Windows® XP, Windows Vista®, Windows Server® 2008, and the
2007 Microsoft Office release.

Options for the GPOAccelerator


The GPOAccelerator is a Windows Script Host script (GPOAccelerator.wsf) that you run
with cscript from a command prompt. If you run the GPOAccelerator without any options,
the tool displays a list of all options as shown in the following screen shot:

Figure 1.1. GPOAccelerator options



The following table provides definitions for the GPOAccelerator options.

Table 1.1. GPOAccelerator Options and Definitions
Option        Definition
/Vista        Creates Windows Vista Security Guide GPOs.
/XP           Creates Windows XP Security Guide GPOs.
/Office       Creates 2007 Office Security Guide GPOs.
/WSSG         Creates Windows Server 2008 Security Guide GPOs.
/Enterprise   Creates Enterprise Client (EC) GPOs.
/SSLF         Creates Specialized Security – Limited Functionality (SSLF) GPOs.
/Desktop      Modifies security settings on your local desktop.
/Laptop       Modifies security settings on your local laptop.
/LAB          Creates the OU structure for the lab environment described in the corresponding security guide, and links the GPOs to the OUs. You must manually link the Domain Policy GPO.
/ConfigSCE    Configures the Security Configuration Editor (SCE) to display MSS settings.
/ResetSCE     Restores the SCE to its default settings.
/Restore      Restores all settings to their default configuration only on the computer where you run this option.

Common GPOAccelerator Commands


The following five tables show commands and options that are commonly used when
creating and deploying GPOs and OUs with the GPOAccelerator.
Table 1.2. Common Commands When Deploying Windows XP Security Guide GPOs
Command
    Results
GPOAccelerator.wsf /Enterprise /XP
    Creates the EC GPOs described in the Windows XP Security Guide. You must then link the GPOs to the appropriate OUs to make this Group Policy configuration effective.
GPOAccelerator.wsf /SSLF /XP
    Creates the SSLF GPOs described in the Windows XP Security Guide. You must then link the GPOs to the appropriate OUs to make this Group Policy configuration effective.
GPOAccelerator.wsf /Enterprise /LAB /XP
    Creates and links the EC GPOs and OUs according to the sample OU structure prescribed in the Windows XP Security Guide.
GPOAccelerator.wsf /SSLF /XP /Desktop
    Applies the desktop SSLF security settings to the local Windows XP–based computer.
GPOAccelerator.wsf /SSLF /XP /Laptop
    Applies the laptop SSLF security settings to a local Windows XP–based computer.

Table 1.3. Common Commands When Deploying Windows Vista Security Guide GPOs
Command
    Results
GPOAccelerator.wsf /Enterprise /Vista
    Creates the EC GPOs described in the Windows Vista Security Guide. You must then link the GPOs to the appropriate OUs to make this Group Policy configuration effective.
GPOAccelerator.wsf /SSLF /Vista
    Creates the SSLF GPOs described in the Windows Vista Security Guide. You must then link the GPOs to the appropriate OUs to make this Group Policy configuration effective.
GPOAccelerator.wsf /Enterprise /LAB /Vista
    Creates and links the EC GPOs and OUs according to the sample OU structure prescribed in the Windows Vista Security Guide.
GPOAccelerator.wsf /SSLF /Vista /Desktop
    Applies the desktop SSLF security settings to a local Windows Vista–based computer.
GPOAccelerator.wsf /SSLF /Vista /Laptop
    Applies the laptop SSLF security settings to a local Windows Vista–based computer.

Table 1.4. Common Commands When Deploying Windows Server 2008 Security Guide GPOs
Command
    Results
GPOAccelerator.wsf /Enterprise /WSSG
    Creates the EC GPOs described in the Windows Server 2008 Security Guide. You must then link the GPOs to the appropriate OUs to make this Group Policy configuration effective.
GPOAccelerator.wsf /SSLF /WSSG
    Creates the SSLF GPOs described in the Windows Server 2008 Security Guide. You must then link the GPOs to the appropriate OUs to make this Group Policy configuration effective.
GPOAccelerator.wsf /Enterprise /LAB /WSSG
    Creates and links the EC GPOs according to the sample OU structure prescribed in the Windows Server 2008 Security Guide.
GPOAccelerator.wsf /SSLF /LAB /WSSG
    Creates and links the SSLF GPOs according to the sample OU structure prescribed in the Windows Server 2008 Security Guide.

Table 1.5. Common Commands When Deploying 2007 Microsoft Office Security Guide GPOs
Command
    Results
GPOAccelerator /Enterprise /Office
    Creates the 2007 Office Security Guide GPOs (/Office) for an EC (/Enterprise) environment. You must then link the GPOs to the OUs to make this Group Policy configuration effective.
GPOAccelerator /SSLF /Office
    Creates the 2007 Office Security Guide GPOs (/Office) for an SSLF (/SSLF) configuration in a production environment. You must then link the GPOs to the OUs to make this Group Policy configuration effective.

Table 1.6. Other Common Commands When Deploying GPOs
Command
    Results
GPOAccelerator.wsf /ConfigSCE
    Changes the settings on the local computer so that all the GPO settings are visible in the Group Policy Editor.
GPOAccelerator.wsf /ResetSCE
    Reverts the local computer to display the default settings in the Group Policy Editor. If your organization has customized these settings and you run this command, the customizations will be lost.
GPOAccelerator.wsf /Restore {/Vista | /XP}
    Restores the .inf-based security settings on a local computer to their default Windows Vista or Windows XP values. This command is useful when preparing customized workstation settings. For example, after running a test you might want to restore the default settings and then try different settings.
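The following PowerShell wrapper is an added example, not code from this guide or from the GPOAccelerator tool itself. It turns the option rules shown in Tables 1.1 to 1.6 into a checked command line: it accepts only the combinations those tables document (one environment plus one product, /LAB never with /Desktop or /Laptop, /Desktop and /Laptop only for XP and Vista, /Restore only with /Vista or /XP, and the SCE options on their own), shows the exact command with -WhatIf, and otherwise runs the script with cscript. The install path under Program Files, the function names, and the assumption that the documented combinations are the only ones worth allowing are mine; the page does not describe which combinations the tool itself rejects.

```powershell
# Added example: a wrapper around GPOAccelerator.wsf that only builds the option
# combinations documented in Tables 1.1 to 1.6. Not part of the guide or the tool.
# Assumption: the .msi installed the script to <Program Files>\GPOAccelerator;
# pass -ScriptPath if your folder differs.

function Get-GPOAcceleratorOptions {
    param(
        [ValidateSet('XP', 'Vista', 'WSSG', 'Office')] [string]$Product,
        [ValidateSet('Enterprise', 'SSLF')]            [string]$Environment,
        [switch]$Lab,        # create the sample OUs and link the GPOs (domain)
        [switch]$Desktop,    # apply settings to the local desktop computer
        [switch]$Laptop,     # apply settings to the local laptop computer
        [switch]$ConfigSCE,  # show MSS settings in the Security Configuration Editor
        [switch]$ResetSCE,   # revert the SCE to its defaults
        [switch]$Restore     # restore .inf-based settings on the local computer
    )

    # Table 1.6: the SCE and restore commands run on their own.
    $maintenance = @()
    if ($ConfigSCE) { $maintenance += '/ConfigSCE' }
    if ($ResetSCE)  { $maintenance += '/ResetSCE' }
    if ($Restore)   { $maintenance += '/Restore' }
    if ($maintenance.Count -gt 1) {
        throw 'Use only one of -ConfigSCE, -ResetSCE and -Restore per run.'
    }
    if ($ConfigSCE -or $ResetSCE) { return $maintenance }
    if ($Restore) {
        # Table 1.6 documents the command only as "/Restore {/Vista | /XP}".
        if (@('Vista', 'XP') -notcontains $Product) {
            throw '/Restore is documented only with /Vista or /XP.'
        }
        return @('/Restore', "/$Product")
    }

    # Tables 1.2 to 1.5: every GPO-creating command names an environment and a product.
    if (-not $Environment) { throw 'Specify -Environment Enterprise or -Environment SSLF.' }
    if (-not $Product)     { throw 'Specify -Product XP, Vista, WSSG or Office.' }
    $options = @("/$Environment", "/$Product")

    if ($Desktop -and $Laptop) { throw 'Use -Desktop or -Laptop, not both.' }
    if ($Lab -and ($Desktop -or $Laptop)) {
        throw '/LAB creates domain GPOs and OUs; /Desktop and /Laptop change only the local computer.'
    }
    if ($Lab) {
        # Table 1.5 shows no /LAB command for Office: the Office GPOs are created
        # after an operating system baseline exists (see the Overview).
        if ($Product -eq 'Office') { throw '/LAB is not documented with /Office.' }
        $options += '/LAB'
    }
    if ($Desktop -or $Laptop) {
        # Tables 1.2 and 1.3 document /Desktop and /Laptop only for XP and Vista.
        if (@('XP', 'Vista') -notcontains $Product) {
            throw '/Desktop and /Laptop are documented only with /XP or /Vista.'
        }
        if ($Desktop) { $options += '/Desktop' } else { $options += '/Laptop' }
    }
    return $options
}

function Invoke-GPOAccelerator {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string[]]$Options,
        [string]$ScriptPath = (Join-Path $env:ProgramFiles 'GPOAccelerator\GPOAccelerator.wsf')
    )
    if (-not (Test-Path -LiteralPath $ScriptPath)) {
        throw "GPOAccelerator.wsf not found at $ScriptPath (the GPOAccelerator folder must be present locally)."
    }
    $commandLine = "cscript //nologo `"$ScriptPath`" $($Options -join ' ')"
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, $commandLine)) {
        # Run from the script's own folder, since the guide requires the folder
        # and its subfolders to be present on the local computer.
        Push-Location (Split-Path -Parent $ScriptPath)
        try {
            & cscript.exe //nologo $ScriptPath @Options
            if ($LASTEXITCODE -ne 0) { throw "GPOAccelerator exited with code $LASTEXITCODE" }
        } finally {
            Pop-Location
        }
    }
}

# Usage (constructed examples):
#   Invoke-GPOAccelerator -Options (Get-GPOAcceleratorOptions -Product WSSG -Environment Enterprise -Lab) -WhatIf
#   Invoke-GPOAccelerator -Options (Get-GPOAcceleratorOptions -Product Vista -Restore)
```

Run the wrapper from an elevated prompt, as the procedures in the following chapters require. The -WhatIf pass prints the exact cscript command without touching the domain, which is the point at which to confirm that /LAB is really intended for a lab domain and not production, and that the /Desktop or /Laptop variant is being run on the right local computer.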

GPOAccelerator User Interface


The previous sections in this chapter provide commands and options that you can use at
a command prompt to run the GPOAccelerator tool. This section provides information
about how to use the GPOAccelerator Wizard, which provides all of the same
functionality.
You can use this wizard to establish and deploy baseline security settings that Microsoft
prescribes for either the EC environment or the SSLF environment. The wizard provides
you with the same set of options to define a configuration to meet the security needs of
your environment.

Figure 1.2. The GPOAccelerator Wizard

The following figure displays the Tool Options page in the wizard that you can use to
define how you want to establish and deploy your security baseline. On the Welcome
page, click Next to access this page.

Figure 1.3. The Tool Options page

The Tool Options page provides you with the following choices:
Domain. Use this option to implement a security baseline and create Group Policy
objects (GPOs) for a domain-based environment. This option provides you with other
options on subsequent pages in the wizard to run a combination of options, such as
/Enterprise, /SSLF, and /Lab to establish and test your security baseline.
Note You must be a domain administrator to use this option.

Local. Use this option to implement a security baseline and modify the default
security settings on a client computer. This option provides you with other options on
subsequent pages in the wizard to run the /Desktop, /Laptop, and /Restore
command-line options that are defined in the security guides for Windows XP and
Windows Vista.
Note You must be an administrator to use this option.

Update SCE. Use this option to update the Security Configuration Editor (SCE) to
display MSS security settings. You can use this option to execute the /ConfigSCE
and /ResetSCE command-line options discussed in the security guides.
Note You must be an administrator to use this option.
Chapter 2: Using the GPOAccelerator with Windows Server 2008
After reading the Windows Server 2008 Security Guide, you can use the tasks and
procedures in this chapter with the GPOAccelerator to create the GPOs and OUs for the
Enterprise Client (EC) environment that the guide prescribes, test them, and deploy them
in your production environment.
Important The tasks and procedures in this chapter are specific to creating and testing the
GPO settings and the sample OU structure for the Enterprise Client (EC) environment that the
guide prescribes. You can use a different set of options with the same tasks and procedures in
this chapter to create the Specialized Security – Limited Functionality (SSLF) environment. For
more information about SSLF options, see Chapter 1, "GPOAccelerator Command-Line Options
and User Interface."

The GPOAccelerator automatically creates all the GPOs and OUs that you need to apply
the Windows Server® 2008 security guidance. You do not need to spend time editing
policy settings and applying templates manually.

Implementing the Security Policies


Implementing the security design for the two environments described in this guidance
requires you to use the Group Policy Management Console (GPMC), and GPMC-based
scripts. The GPMC is integrated into the Windows Server 2008 operating system, so you
do not have to download the console each time you need to manage GPOs on a different
computer. To use the GPMC, start Server Manager, and then select the "Group Policy
Management" feature.
Important You must perform all of the procedures in this chapter on a client computer running
Windows Vista® or Windows Server 2008 that is joined to a domain that uses Active Directory®
Domain Services (AD DS). In addition, the user who performs the procedures must be a member
of the Domain Administrators group or have been delegated equivalent privileges. If you use the
Windows® XP or Windows Server® 2003 operating systems, many security settings for
Windows Server 2008 will not be visible in the GPMC.

Implementation Tasks
To implement the security design, there are a few key tasks to complete:
1. Create the EC environment.
2. Use the GPMC to link the WSSG EC Domain Policy to the domain.
3. Use the GPMC to link the WSSG EC Domain Controllers Baseline Policy to the
Domain Controllers OU.
4. Use the GPMC to check your results.
Similarly, you also use these steps to configure security for each server role in your
environment.

The GPOAccelerator Tool


This section of the chapter describes these tasks and procedures and the functionality of
the GPOAccelerator, which automatically creates the prescribed GPOs. This section also
includes information about how to use the GPMC to check the GPOs created by the tool.
The Windows Server 2008 Security Guide Settings workbook that also accompanies this
guide provides another resource that you can use to compare setting values.

The GPOAccelerator
The main feature of this tool automatically creates all the GPOs you need to apply this
guidance. You do not need to spend a lot of time manually editing policy settings and
applying templates. For servers in the EC environment, the script creates the following
GPOs:
WSSG EC Domain Policy for the domain.
WSSG EC Domain Controller Baseline Policy for domain controllers.
WSSG EC Member Server Baseline Policy for all servers.
WSSG EC <Server Role> Policy for individual server roles.
Use the GPOAccelerator to:
Test the design in a lab environment. In your test environment, use the
GPOAccelerator to create an OU structure, create the GPOs, and then automatically
link the GPOs to the OUs. After you complete the test phase of the implementation,
you can use the script in your production environment.
Deploy the design in a production environment. When you start working in your
production environment to implement the solution, you must first create a suitable OU
structure or modify an existing set of OUs. You can then use the GPOAccelerator to
create the GPOs, and then link the newly created GPOs to the appropriate OUs in
your environment.

Test the Design in a Lab Environment


The GPOs that the GPOAccelerator creates have been thoroughly tested. However, it is
important to perform your own testing in your own environment. To save time, you can
use the GPOAccelerator to create the prescribed GPOs and the recommended OU
structure, and then automatically link the GPOs to the OUs.

Design Test Tasks


To test the design in a lab environment, complete the following key tasks:
1. Create the EC environment.
2. Use the GPMC to link the WSSG EC Domain Policy to the domain.
3. Use the GPMC to link the WSSG EC Domain Controller Baseline Policy to the
Domain Controllers OU.
4. Use the GPMC to check your results.

Task 1: Create the EC Environment


The GPOAccelerator is located in the GPOAccelerator folder that the Microsoft Windows
Installer (.msi) file creates in the Program Files folder.
Note The GPOAccelerator folder and subfolders for it must be present on the local computer for
the script to run as described in the following procedure.

To create the GPOs and link them to the appropriate OUs in a lab environment
1. Log on as a domain administrator to a computer running Windows Server 2008 that
is joined to the AD DS domain in which you will create the GPOs.
2. On the computer, click Start, click All Programs, and then click GPOAccelerator.
3. Right-click the command-line here.cmd file, and then click Run as administrator to
open a command prompt with full domain administrative privileges.
Note If prompted for logon credentials, type your user name and password, and then press ENTER.

4. At the command prompt, type cscript GPOAccelerator.wsf /WSSG /Enterprise /LAB and
then press ENTER.
5. In the Click Yes to continue, or No to exit the script message box, click Yes.
Note This step can take several minutes.

6. In The Enterprise Lab Environment is created message box, click OK.


7. In the Make sure to link the Enterprise Domain GPO to your domain message box, click
OK, and then complete the steps in the next two tasks to link the WSSG EC Domain Policy
and the WSSG EC Domain Controller Baseline Policy.
Note The domain level Group Policy includes settings that apply to all computers and users
in the domain. It is important to be able to decide when to link the domain GPO, as this GPO
applies to all users and computers. For this reason, the GPOAccelerator does not
automatically link the domain GPO to the domain.
Similarly, the domain controllers GPO will immediately start to modify the configuration of all
domain controllers in your environment. For this reason, the GPOAccelerator does not
automatically link the Domain Controllers GPO to the domain controllers OU.

Task 2: Use the GPMC to Link the WSSG EC Domain Policy to the Domain
You are now ready to link the domain GPO to the domain. The following instructions
describe how to use the GPMC on a computer running Windows Server 2008 to link the
WSSG EC Domain Policy to the domain.
To link the WSSG EC Domain Policy
1. Click Start, click All Programs, click Accessories, and then click Run. (Or press the
Windows logo key+R.)
2. In the Open text box, type gpmc.msc and then click OK.
3. Under the Domains tree, right-click the domain, and then click Link an existing GPO.
4. In the Select GPO dialog box, click the WSSG EC Domain Policy GPO, and then click
OK.
5. In the details pane, select the WSSG EC Domain Policy, and then click the Move link
to top button.

Important Ensure that the WSSG EC Domain Policy has its Link Order set to 1. Failure
to do this will cause other GPOs linked to the domain, such as the Default Domain Policy
GPO, to overwrite the WSSG EC Domain Policy settings.

Task 3: Use the GPMC to Link the WSSG EC Domain Controller Baseline Policy to
the Domain Controllers OU
You are now ready to link the domain controllers GPO to the Domain Controllers OU. The
following instructions describe how to use the GPMC to link the WSSG EC Domain
Controller Baseline Policy to the Domain Controllers OU.
To link the WSSG EC Domain Controller Baseline Policy
1. Click Start, click All Programs, click Accessories, and then click Run. (Or press the
Windows logo key+R.)
2. In the Open text box, type gpmc.msc and then click OK.
3. Under the Domains tree, right-click the Domain Controllers OU, and then click Link an
existing GPO.
4. In the Select GPO dialog box, click the WSSG EC Domain Controller Baseline Policy
GPO, and then click Yes.
5. In the details pane, select the WSSG EC Domain Controller Baseline Policy, and then
click the Move link to top button.
Important Ensure that the WSSG EC Domain Controller Baseline Policy has its Link
Order set to 1. Failure to do this will cause other GPOs linked to the Domain Controllers OU,
such as the Default Domain Controllers Policy GPO, to overwrite the WSSG EC Domain
Controller Baseline Policy settings.

Task 4: Use the GPMC to Check Your Results


You can use the GPMC to check the results of the script. The following procedure
describes how to use the GPMC on a computer running Windows Server 2008 to verify
the GPOs and OU structure that the GPOAccelerator creates for you.
To verify the results of the GPOAccelerator
1. Click Start, click All Programs, click Accessories, and then click Run.
2. In the Open text box, type gpmc.msc and then click OK.
3. Click the appropriate forest, click Domains, and then click your domain.
4. Click and expand the WSSG Member Servers OU, and then click each of the child OUs
below it to open them.
5. Verify your OU structure and GPO links match the following figure.

Figure 2.1. The GPMC view of the OU structure and GPO links that the
GPOAccelerator creates

All of the GPOs that the GPOAccelerator creates are fully populated with the settings that
this guide prescribes. You can now use the Active Directory Users and Computers tool to
test the design by moving servers into their respective OUs, and making sure each server
functions as expected. Many of the settings contained in the GPOs will take effect
immediately, but many will not take effect until the server is restarted.
For details about the settings contained in each GPO, see "Appendix A: Security Group
Policy Settings," which accompanies the Windows Server 2008 Security Guide.

Deploy the Design in a Production Environment


To save time, you can use the GPOAccelerator to create the GPOs for the EC
environment. Then you can link the GPOs to the appropriate OUs in your existing
structure. In larger domains with a large number of OUs, you will need to consider how to
use your existing OU structure to deploy the GPOs.
Microsoft recommends that you keep computer OUs distinct from user OUs. Client
workstations, such as laptop and desktop computers, also should be organized in their
own OUs. If such a structure is not possible in your environment, you may need to modify
the GPOs. You can use the settings reference in "Appendix A: Security Group Policy
Settings," which accompanies the Windows Server 2008 Security Guide, to help you
decide what modifications may be necessary.
Note As discussed in the previous section, you can use the GPOAccelerator with the /LAB
option in a test environment to create the sample OU structure. However, environments with a
flexible OU structure can also use this option in a production environment to create a basic OU
structure, and automatically link the GPOs. Then you can manually modify the OU structure to
meet the requirements of your environment.

Deployment Tasks
To deploy the design in a production environment, complete the following key tasks:
1. Create the GPOs.
2. Use the GPMC to check your results.
3. Use the GPMC to link the GPOs to the OUs.

Task 1: Create the GPOs


You create the EC GPOs described in this guide using the GPOAccelerator. The
GPOAccelerator is located in the GPOAccelerator folder that the Microsoft Windows
Installer (.msi) file creates for you in the Documents folder.
Note You can also simply copy the GPOAccelerator folder from a computer where the folder is
installed to another computer that you want to use to run the script. The GPOAccelerator folder
and subfolders for it must be present on the local computer for the script to run as described in
the following procedure.

To create the GPOs in a production environment


1. Log on as a domain administrator to a computer running Windows Server 2008 that
is joined to the AD DS domain in which you will create the GPOs.
2. On the computer, click Start, click All Programs, and then click GPOAccelerator.
3. Open the GPOAccelerator Tool folder.
4. Right-click the command-line here.cmd file, and then click Run as administrator to
open a command prompt with full domain administrative privileges.
Note If prompted for logon credentials, type your user name and password, and then press
ENTER.

5. At the command prompt, type cscript GPOAccelerator.wsf /WSSG /Enterprise and then
press ENTER.

6. In the Click Yes to continue, or No to exit the script message box, click Yes.
Note This step can take several minutes.

7. In The Enterprise GPOs are created message box, click OK.


8. In the Make sure to link the Enterprise GPOs to the appropriate OUs message box,
click OK.

Task 2: Use the GPMC to Check Your Results


You can use the GPMC to ensure that the script has successfully created all of the
GPOs. The following procedure describes how to use the GPMC on a computer running
Windows Server 2008 to verify the GPOs that the GPOAccelerator creates.
To verify the results of the GPOAccelerator
1. Click Start, click All Programs, click Accessories, and then click Run.
2. In the Open text box, type gpmc.msc and then click OK.
3. Click the appropriate forest, click Domains, and then click your domain.
4. Click and expand Group Policy Objects, and then verify that the WSSG EC GPOs
listed in the following figure have been created.

Figure 2.2. The GPMC view of the EC GPOs that the GPOAccelerator creates

You can now use the GPMC to link each GPO to the appropriate OU. The final task in this
process explains how to do this.

Task 3: Use the GPMC to Link the GPOs to the OUs


The following procedure describes how to use the GPMC on a computer running
Windows Server 2008 to accomplish this task.
To link the GPOs in a production environment
1. Click Start, click All Programs, click Accessories, and then click Run.
2. In the Open text box, type gpmc.msc and then click OK.
3. Under the Domains tree, right-click the domain, and then click Link an existing GPO.
Note You also can drag a GPO from under the Group Policy objects node to an OU.
However, you can only perform this drag-and-drop operation within the same domain.

4. In the Select GPO dialog box, click the WSSG EC Domain Policy GPO, and then click
OK.
5. In the details pane, select the WSSG EC Domain Policy, and then click the Move link
to top button.
Important Ensure that the WSSG EC Domain Policy has its Link Order set to 1. Failure
to do this will cause other GPOs linked to the domain, such as the Default Domain Policy
GPO, to overwrite the WSSG EC Domain Policy settings.

6. Under the Domains tree, right-click the Domain Controllers OU, and then choose the
Link an existing GPO option.
7. In the Select GPO dialog box, click the WSSG EC Domain Controller Baseline Policy
GPO, and then click OK.
8. In the details pane, select the WSSG EC Domain Controller Baseline Policy GPO, and
then click the Move link to top button.
Important Ensure that the WSSG EC Domain Controller Baseline Policy has its Link Order set
to 1. Failure to do this will cause other GPOs linked to the OU, such as the Default Domain
Controllers Policy GPO, to overwrite the WSSG EC Domain Controller Baseline Policy settings.

9. Right-click the appropriate member server OU node, and then choose the Link an
existing GPO option.
10. In the Select GPO dialog box, click the WSSG EC Member Server Baseline Policy, and
then click OK.
11. Right-click the first server role OU node, and then choose the Link an existing GPO
option.
12. In the Select GPO dialog box, click the appropriate WSSG EC <Server Role> Policy GPO,
and then click OK.
13. Repeat the last two steps in this procedure as needed to link each GPO to the
appropriate server role OU.
Note The GPOAccelerator script will create GPOs for the server roles discussed in the guide.
However, Microsoft recommends creating these GPOs using the Security Configuration
Wizard (SCW) as described in Chapter 2, "Reducing the Attack Surface by Server Role" of the
Windows Server 2008 Security Guide. This will result in GPOs that take into consideration
services and applications specific to your environment.

To confirm the GPO linkages using the GPMC


Expand the Group Policy Objects node, select the GPO, then in the details pane, click
the Scope tab and note the information in the Link Enabled and Path columns.
– Or –
Select the OU, and then in the details pane, click the Linked Group Policy Objects tab
and note the information in the Link Enabled and GPO columns.
Note You can use the GPMC to unlink the GPOs and, optionally, delete them. Then use the
GPMC, or the Active Directory Users and Computers console, to delete any OUs that you no
longer need. To completely undo all Active Directory modifications made by the
GPOAccelerator, you must also manually delete the EC-WSSGAuditPolicy.cmd file, the
EC-WSSGApplyAuditPolicy.cmd file, and the EC-WSSGAuditPolicy.txt file from the NETLOGON
share of one of your domain controllers. For additional details on how to completely remove the
implementation of the Audit policy, refer to the "Audit Policy" section in "Appendix A:
Security Group Policy Settings," which accompanies the Windows Server 2008 Security
Guide.
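The link checks that the Task 2 and Task 3 procedures in this chapter perform by hand in the GPMC (the Link Enabled and Path columns, and Link Order 1 for the domain and domain controller baselines) can also be run as a script. The following PowerShell is an added example, not part of the GPOAccelerator or this guide. It assumes the GroupPolicy module that ships with RSAT on Windows Server 2008 R2 / Windows 7 and later, which is newer than the tools this guide describes; the domain DN and the OU DNs are constructed sample values. For Chapter 3 substitute the VSG EC GPO names and the Vista Security Guide EC Client OU.

```powershell
# Added example, not part of the GPOAccelerator or the guide.
# Assumes the GroupPolicy PowerShell module (RSAT, Windows Server 2008 R2 / Windows 7 or later).
Import-Module GroupPolicy

$domainDn = "DC=contoso,DC=com"   # constructed sample value; use your own domain's DN

# Expected links: GPO display name -> container it must be linked to.
# The domain and domain-controller baselines must also sit at Link Order 1,
# otherwise the Default Domain (Controllers) Policy overwrites their settings.
$expected = @(
    @{ Gpo = "WSSG EC Domain Policy";                     Target = $domainDn;                          MustBeFirst = $true  },
    @{ Gpo = "WSSG EC Domain Controller Baseline Policy"; Target = "OU=Domain Controllers,$domainDn";  MustBeFirst = $true  },
    @{ Gpo = "WSSG EC Member Server Baseline Policy";     Target = "OU=WSSG Member Servers,$domainDn"; MustBeFirst = $false }   # OU DN assumed
)

function Test-GpoLink {
    param([hashtable]$Link)
    # Get-GPInheritance returns the GPO links of a site, domain or OU; Order 1 is the highest precedence.
    $inheritance = Get-GPInheritance -Target $Link.Target
    $found = $inheritance.GpoLinks | Where-Object { $_.DisplayName -eq $Link.Gpo }
    if (-not $found) {
        return [pscustomobject]@{ Gpo = $Link.Gpo; Target = $Link.Target; Status = "NOT LINKED" }
    }
    if (-not $found.Enabled) {
        return [pscustomobject]@{ Gpo = $Link.Gpo; Target = $Link.Target; Status = "LINK DISABLED" }
    }
    if ($Link.MustBeFirst -and $found.Order -ne 1) {
        return [pscustomobject]@{ Gpo = $Link.Gpo; Target = $Link.Target; Status = "LINK ORDER IS $($found.Order), EXPECTED 1" }
    }
    [pscustomobject]@{ Gpo = $Link.Gpo; Target = $Link.Target; Status = "OK (order $($found.Order))" }
}

$expected | ForEach-Object { Test-GpoLink -Link $_ } | Format-Table -AutoSize

# Second view, matching the GPMC Scope tab: every WSSG EC GPO and the paths it is linked to.
# The XML report of a GPO carries one LinksTo element per link (SOMPath, Enabled).
Get-GPO -All | Where-Object { $_.DisplayName -like "WSSG EC *" } | ForEach-Object {
    $gpo = $_
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $links = @($report.GPO.LinksTo | Where-Object { $_ })   # empty array when the GPO is unlinked
    if ($links.Count -eq 0) {
        "{0}: not linked anywhere" -f $gpo.DisplayName
    } else {
        foreach ($l in $links) {
            "{0}: linked to {1} (enabled: {2})" -f $gpo.DisplayName, $l.SOMPath, $l.Enabled
        }
    }
}
```

Run it from an elevated PowerShell session on a domain-joined management computer after completing Task 3; a GPO reported as "not linked anywhere" is one the script created but you have not yet linked, and a baseline with a link order other than 1 is the situation the Important notes above warn about.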

All of the GPOs that the GPOAccelerator creates are fully populated with the settings that
this guide prescribes. You can now use the Active Directory Users and Computers tool to
test the design by moving servers into their respective OUs, and making sure each server
functions as expected. Many of the settings contained in the GPOs will take effect
immediately, but many will not take effect until the server is restarted.
For details about the settings contained in each GPO, see "Appendix A: Security Group
Policy Settings," which accompanies the Windows Server 2008 Security Guide.

GPMC and SCE Extensions


The solution presented in this guidance uses GPO settings that do not display in the
standard user interface (UI) for the GPMC in Windows Server 2008 or the Security
Configuration Editor (SCE) tool. These settings, which are all prefixed with MSS:, were
developed by the Microsoft Solutions for Security group for previous security guidance.
For this reason, you need to extend these tools so that you can view the security settings
and edit them as required. To accomplish this, the GPOAccelerator automatically
updates your computer while it creates the GPOs. Use the following procedure to update
the SCE on a computer running Windows Server 2008.
To modify the SCE to display MSS settings
1. Ensure that you have met the following prerequisites:
The computer is joined to the AD DS domain in which you created the GPOs.
The GPOAccelerator tool is installed.
Note You can also simply copy the GPOAccelerator folder from a computer on which you
have installed the folder to another computer that you want to use to run the script. The
GPOAccelerator folder and subfolders must be present on the local computer for the script to
run as described in this procedure.

2. Log on to the computer as an administrator.


3. On the computer, click Start, click All Programs, and then click GPOAccelerator.

4. Right-click the Command-line Here.cmd file, and then click Run as administrator to
open a command prompt with full administrative privileges.
Note If prompted for logon credentials, type your user name and password, and then press
ENTER.

5. At the command prompt, type cscript GPOAccelerator.wsf /ConfigSCE and then press
ENTER.
6. In the Click Yes to continue, or No to exit the script message box, click Yes.
7. In The Security Configuration Editor is updated message box, click OK.
Note This script only modifies SCE to display MSS settings. This script does not create
GPOs or OUs.

The following procedure removes the additional MSS security settings, and then resets
the SCE tool to the default settings in Windows Server 2008.
To reset the SCE tool to the default settings in Windows Server 2008
1. Log on to the computer as an administrator.
2. On the computer, click Start, click All Programs, and then click GPOAccelerator.
3. Right-click the Command-line Here.cmd file, and then click Run as administrator to
open a command prompt with full administrative privileges.
Note If prompted for logon credentials, type your user name and password, and then press
ENTER.

4. At the command prompt, type cscript GPOAccelerator.wsf /ResetSCE and then press
ENTER.
5. In the Click Yes to continue, or No to exit the script message box, click Yes.
Note Completing this procedure reverts the SCE on your computer to the default settings in
Windows Server 2008. Any settings added to the default SCE will be removed. This will only
affect the ability to view the settings with the SCE. Configured Group Policy settings remain
in place.

6. In The Security Configuration Editor is updated message box, click OK.
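Both the /ConfigSCE and /ResetSCE procedures change which registry-based settings the Security Configuration Engine knows how to display. The following PowerShell is an added example, not the GPOAccelerator's own code; it reads the SCE registration list and reports the entries whose display name starts with MSS:, so you can confirm that /ConfigSCE added them or that /ResetSCE removed them again. It assumes the standard SCE registration key under HKLM\SYSTEM\CurrentControlSet\Control\SecEdit\Reg Values and changes nothing.

```powershell
# Added example, not part of the GPOAccelerator. Read-only check of the SCE registration.
function Get-SceRegisteredSetting {
    param([string]$Prefix = "MSS:")
    # Each subkey is one registry-based security setting the SCE can display;
    # the subkey name is the registry value path with '/' separators.
    $root = "HKLM:\SYSTEM\CurrentControlSet\Control\SecEdit\Reg Values"
    Get-ChildItem -Path $root | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            DisplayName  = $props.DisplayName
            ValueType    = $props.ValueType
            RegistryPath = ($_.PSChildName -replace '/', '\')
        }
    } | Where-Object { $_.DisplayName -like "$Prefix*" }
}

$mss = @(Get-SceRegisteredSetting)
if ($mss.Count -eq 0) {
    "No MSS: settings are registered with the SCE on this computer (expected after /ResetSCE)."
} else {
    "$($mss.Count) MSS: settings are registered with the SCE (expected after /ConfigSCE):"
    $mss | Sort-Object DisplayName | Format-Table -AutoSize
}
```

Because this list only controls what the SCE user interface can show, a computer where no MSS: entries are registered still applies any MSS settings that a linked GPO contains, which is the point the Note above makes.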

Security Templates
Security Templates are provided so that if you want to build your own policies, rather than
use or modify the policies supplied with this guide, you can import the relevant security
settings. Security Templates are text files that contain security setting values. They are
subcomponents of the GPOs. You can modify the policy settings that are contained in the
Security Templates in the MMC Group Policy Object Editor snap-in. Unlike some
previous versions of the Windows operating system, Windows Server 2008 does not
come with predefined Security Templates.
Security Templates are included with the GPOAccelerator. The following templates for
the EC environment are located in the GPOAccelerator\Security Templates\WSSG
folder:
WSSG EC Domain.inf
WSSG EC Domain Controller.inf

WSSG EC Member Server.inf


Important You do not need to use the Security Templates to deploy the solution described in
this guide. The templates provide an alternative to the GPMC-based solution, and only cover
computer security settings that appear under Computer Configuration\Windows
Settings\Security Settings. For example, you cannot manage Internet Explorer or Windows
Firewall settings in the GPOs using a Security Template, and user settings are not included.

Using Security Templates


If you want to use the Security Templates you must first extend the SCE so that the
custom MSS security settings display in the UI. See the procedure in the previous
"GPMC and SCE Extensions" section in this chapter for details. When you can view the
templates, you can use the following procedure to import them into the GPOs that you
have created as needed.
To import a Security Template into a GPO
1. Open the Group Policy Object Editor for the GPO you want to modify; to do this in the
GPMC, right-click the GPO, and then click Edit.
2. In the Group Policy Object Editor, browse to the Windows Settings folder.
3. Expand the Windows Settings folder, and then select Security Settings.
4. Right-click the Security Settings folder, and then click Import Policy.
5. Browse to the WSSG folder in the Program Files\GPOAccelerator\Security Templates
folder.
6. Select the Security Template that you want to import, and then click Open.
Completing the last step imports the settings from the file into the GPO. You can also
use the Security Templates supplied with the Windows Server 2008 Security Guide to
modify the local security policy on stand-alone servers running Windows Server 2008
(that is, servers that are not joined to an AD DS domain).
Note The GPOAccelerator does not currently support applying Security Template inf files to the
local security policy on stand-alone servers running Windows Server 2008. You can use the Local
Security Policy snap-in (secpol.msc) to import Security Templates to the local security policy of
stand-alone servers in your environment.
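Before importing a template into the local security policy of a stand-alone server, it is useful to see which settings would change. The following PowerShell is an added example, not part of the guide or the GPOAccelerator; it uses the built-in secedit /analyze command to compare the server's current local policy against one of the templates without applying anything. It assumes the default install path under Program Files named earlier in this chapter and must run from an elevated prompt.

```powershell
# Added example, not part of the GPOAccelerator. Compares local policy with a template; applies nothing.
$template = "C:\Program Files\GPOAccelerator\Security Templates\WSSG\WSSG EC Member Server.inf"  # path assumed
if (-not (Test-Path -LiteralPath $template)) {
    throw "Template not found: $template"
}

$work = Join-Path $env:TEMP "wssg-analyze"
New-Item -ItemType Directory -Path $work -Force | Out-Null
$db  = Join-Path $work "analyze.sdb"
$log = Join-Path $work "analyze.log"

# secedit /analyze loads the template into a scratch database and writes every
# difference between the template and the live local policy to the log.
secedit /analyze /db $db /cfg $template /overwrite /log $log /quiet

# "Mismatch" lines are settings whose local value differs from the template;
# "Not Configured" lines are template settings the local policy does not define.
$findings = Select-String -Path $log -Pattern '(Mismatch|Not Configured) - ' | ForEach-Object { $_.Line.Trim() }
if ($findings.Count -eq 0) {
    "Local security policy already matches $template."
} else {
    "$($findings.Count) differences between local policy and the template (see $log):"
    $findings
}
```

Review the list, and only then import the template with secpol.msc as the Note describes; the scratch database and log under %TEMP% can be deleted afterwards.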

Subdirectories and Files


When you run the Windows Installer (.msi) file, it creates the GPOAccelerator folder in
the Program Files folder on your computer. The .msi file also creates a subfolder
structure in the GPOAccelerator folder.

More Information
The following resources provide additional information about Windows Server 2008
security-related topics on Microsoft.com:
Administering Group Policy.
Enterprise Management with the Group Policy.
Loopback Processing of Group Policy.
Migrating GPOs.
Step-by-Step Guide to Understanding the Group Policy.
Step-by-Step Guide to Using the Delegation of Control Wizard.
Summary of New or Expanded Group Policy.
Windows Server 2008 Security Guide.
Windows Server 2008 TechCenter.
Chapter 3: Using the GPOAccelerator
with Windows Vista
After you read the Windows Vista Security Guide, you can use the tasks and procedures in
this chapter with the GPOAccelerator to create the GPOs and OUs you need to create,
test, and deploy the Enterprise Client (EC) environment that the guide prescribes in your
production environment.
Important The tasks and procedures in this chapter are specific to creating and testing the
GPO settings and the sample OU structure for the Enterprise Client (EC) environment that the
guide prescribes. You can use a different set of options with the same tasks and procedures in
this chapter to create the Specialized Security – Limited Functionality (SSLF) environment. For
more information about SSLF options, see Chapter 1, "GPOAccelerator Command-Line Options
and User Interface."

The GPOAccelerator automatically creates all the GPOs and OUs that you need to apply
the Windows Vista® security guidance. You do not need to spend time editing policy
settings and applying templates manually.

Implementing the Security Policies


Implementing the security design for the two environments described in this guidance
requires you to use the Group Policy Management Console (GPMC), and GPMC-based
scripts. The GPMC is integrated into the original version of the Windows Vista operating
system. However, the GPMC is not integrated into Windows Vista with SP1. To
use the GPOAccelerator on computers running Windows Vista with SP1, you must first
download and install the Remote Server Administration Tools (RSAT) from the Microsoft
Web site.
Important You must perform all of the procedures in this chapter on a client computer running
Windows Vista or Windows Server® 2008 that is joined to a domain that uses Active Directory®
Domain Services (AD DS). In addition, the user who performs the procedures must be a member
of the Domain Administrators group or have been delegated equivalent privileges. If you use the
Windows XP® or Windows Server 2003 operating systems, many security settings for Windows
Server 2008 will not be visible in the GPMC.

Implementation Tasks
To implement the security design, there are a few key tasks to complete:
1. Create the EC environment.
2. Use the GPMC to link the VSG EC Domain Policy to the domain.
3. Use the GPMC to check your results.
This section of the chapter describes these tasks and procedures and the functionality of
the GPOAccelerator, which automatically creates the prescribed GPOs.

The GPOAccelerator Tool


This section of the chapter describes these tasks and procedures and the functionality of
the GPOAccelerator, which automatically creates the prescribed GPOs. This section also
includes information about how to use the GPMC to check the GPOs created by the tool.
The Windows Vista Security Guide Settings workbook that also accompanies the
Windows Vista Security Guide provides another resource that you can use to compare
setting values.

The GPOAccelerator
The main feature of this script automatically creates all the GPOs you need to apply this
guidance. You do not need to spend a lot of time manually editing policy settings and
applying templates. For computers in the EC environment, the script creates the following
four GPOs:
VSG EC Domain Policy for the domain.
VSG EC Users Policy for users.
VSG EC Desktop Policy for desktop computers.
VSG EC Laptop Policy for laptop computers.
Use the GPOAccelerator to complete the following tasks:
Test the design in a lab environment. In your test environment, use the
GPOAccelerator to create an OU structure, create the GPOs, and then automatically
link the GPOs to the OUs. After you complete the test phase of the implementation,
you can use the script in your production environment.
Deploy the design in a production environment. When you start working in your
production environment to implement the solution, you must first create a suitable OU
structure or modify an existing set of OUs. You can then use the GPOAccelerator to
create the GPOs, and then link the newly created GPOs to the appropriate OUs in
your environment.

Test the Design in a Lab Environment


The GPOs that the GPOAccelerator creates have been thoroughly tested. However, it is
important to perform your own testing in your own environment. To save time, you can
use the GPOAccelerator to create the prescribed GPOs and the recommended OU
structure, and then automatically link the GPOs to the OUs.

Design Test Tasks


To test the design in a lab environment, complete the following key tasks:
1. Create the EC environment.
2. Use the GPMC to link the VSG EC Domain Policy to the domain.
3. Use the GPMC to check your results.

Task 1: Create the EC Environment


The GPOAccelerator is located in the GPOAccelerator folder that the Microsoft Windows
Installer (.msi) file creates in the Program Files folder.
Note The GPOAccelerator folder and subfolders for it must be present on the local computer for
the script to run as described in the following procedure.

To create the GPOs and link them to the appropriate OUs in a lab environment
1. Log on as a domain administrator to a computer running Windows Vista that is joined
to the AD DS domain in which you will create the GPOs.
2. On the computer, click Start, click All Programs, and then click GPOAccelerator.
3. Open the GPOAccelerator Tool folder.
4. Right-click the command-line here.cmd file, and then click Run as administrator to
open a command prompt with full domain administrative privileges.
Note If prompted for logon credentials, type your user name and password, and then press ENTER.

5. At the command prompt, type cscript GPOAccelerator.wsf /Vista /Enterprise /LAB and
then press ENTER.
6. In the Click Yes to continue, or No to exit the script message box, click Yes.
Note This step can take several minutes.

7. In The Enterprise Lab Environment is created message box, click OK.


8. In the Make sure to link the Enterprise Domain GPO to your domain message box, click
OK, and then complete the steps in the next task to link the VSG EC Domain Policy.
Note The domain level Group Policy includes settings that apply to all computers and users
in the domain. It is important to be able to decide when to link the domain GPO, as this GPO
applies to all users and computers. For this reason, the GPOAccelerator does not
automatically link the domain GPO to the domain.

Task 2: Use the GPMC to Link the VSG EC Domain Policy to the Domain
You are now ready to link the domain GPO to the domain. The following instructions
describe how to use the GPMC on a computer running Windows Vista to link the VSG EC
Domain Policy to the domain.
To link the VSG EC Domain Policy
1. Click Start, click All Programs, click Accessories, and then click Run. (Or press the
Windows logo key+R.)
2. In the Open text box, type gpmc.msc and then click OK.
3. Under the Domains tree, right-click the domain, and then click Link an existing GPO.
4. In the Select GPO dialog box, click the VSG EC Domain Policy GPO, and then click OK.
5. In the details pane, select the VSG EC Domain Policy, and then click the Move link to
top button.
Important Ensure that the VSG EC Domain Policy has its Link Order set to 1. Failure to
do this will cause other GPOs linked to the domain, such as the Default Domain Policy GPO,
to overwrite the VSG EC Domain Policy settings.

Task 3: Use the GPMC to Check Your Results


You can use the GPMC to check the results of the script. The following procedure
describes how to use the GPMC on a computer running Windows Vista to verify the
GPOs and OU structure that the GPOAccelerator creates for you.
To verify the results of the GPOAccelerator
1. Click Start, click All Programs, click Accessories, and then click Run.
2. In the Open text box, type gpmc.msc and then click OK.
3. Click the appropriate forest, click Domains, and then click your domain.
4. Click and expand the Vista Security Guide EC Client OU, and then click each of the
child OUs below it to open them.
5. Verify your OU structure and GPO links match the following figure.

Figure 3.1. The GPMC view of the OU structure and GPO links that the
GPOAccelerator creates

All of the GPOs that the GPOAccelerator creates are fully populated with the settings that
this guide prescribes. You can now use the Active Directory Users and Computers tool to
test the design by moving users and computers into their respective OUs. For details
about the settings contained in each GPO, see "Appendix A: Security Group Policy
Settings," which accompanies the Windows Vista Security Guide.

Deploy the Design in a Production Environment


To save time, you can use the GPOAccelerator to create the GPOs for the EC
environment. Then you can link the GPOs to the appropriate OUs in your existing
structure. In larger domains with a large number of OUs, you will need to consider how to
use your existing OU structure to deploy the GPOs.
Microsoft recommends that you keep computer OUs distinct from user OUs. Client
workstations, such as laptop and desktop computers, also should be organized in their
own OUs. If such a structure is not possible in your environment, you may need to modify
the GPOs. You can use the settings reference in "Appendix A: Security Group Policy
Settings," which accompanies the Windows Vista Security Guide, to help you decide what
modifications may be necessary.
Note As discussed in the previous section, you can use the GPOAccelerator with the /LAB
option in a test environment to create the sample OU structure. However, environments with a
flexible OU structure can also use this option in a production environment to create a basic OU
structure, and automatically link the GPOs. Then you can manually modify the OU structure to
meet the requirements of your environment.

Deployment Tasks
To deploy the design in a production environment, complete the following key tasks:
1. Create the GPOs.
2. Use the GPMC to check your results.
3. Use the GPMC to link the GPOs to the OUs.

Task 1: Create the GPOs


You create the EC GPOs described in this guidance using the GPOAccelerator. The
GPOAccelerator is located in the GPOAccelerator folder that the Microsoft Windows
Installer (.msi) file creates for you in the Program Files folder.
Note You can also simply copy the GPOAccelerator folder from a computer where the folder is
installed to another computer that you want to use to run the script. The GPOAccelerator folder
and subfolders for it must be present on the local computer for the script to run as described in
the following procedure.

To create the GPOs in a production environment


1. Log on as a domain administrator to a computer running Windows Vista that is joined
to the AD DS domain in which you will create the GPOs.
2. On the computer, click Start, click All Programs, and then click GPOAccelerator.
3. Open the GPOAccelerator Tool folder.
4. Right-click the command-line here.cmd file, and then click Run as administrator to
open a command prompt with full domain administrative privileges.
Note If prompted for logon credentials, type your user name and password, and then press
ENTER.

5. At the command prompt, type cscript GPOAccelerator.wsf /Vista /Enterprise and then
press ENTER.

6. In the Click Yes to continue, or No to exit the script message box, click Yes.
Note This step can take several minutes.

7. In The Enterprise GPOs are created message box, click OK.


8. In the Make sure to link the Enterprise GPOs to the appropriate OUs message box,
click OK.

Task 2: Use the GPMC to Check Your Results


You can use the GPMC to ensure that the script has successfully created all of the
GPOs. The following procedure describes how to use the GPMC on a computer running
Windows Vista to verify the GPOs that the GPOAccelerator creates.
To verify the results of the GPOAccelerator
1. Click Start, click All Programs, click Accessories, and then click Run.
2. In the Open text box, type gpmc.msc and then click OK.
3. Click the appropriate forest, click Domains, and then click your domain.
4. Click and expand Group Policy Objects, and then verify that the VSG EC GPOs have
been created according to those listed in the following figure.

Figure 3.2. The GPMC view of the EC GPOs that the GPOAccelerator creates

You can now use the GPMC to link each GPO to the appropriate OU. The final task in
this process explains how to do this.

Task 3: Use the GPMC to Link the GPOs to the OUs


The following procedure describes how to use the GPMC on a computer running
Windows Vista to accomplish this task.
To link the GPOs in a production environment
1. Click Start, click All Programs, click Accessories, and then click Run.
2. In the Open text box, type gpmc.msc and then click OK.
3. Under the Domains tree, right-click the domain, and then click Link an existing GPO.
Note You also can drag a GPO from under the Group Policy objects node to an OU.
However, you can only perform this drag-and-drop operation within the same domain.

4. In the Select GPO dialog box, click the VSG EC Domain Policy GPO, and then click OK.
5. In the details pane, select the VSG EC Domain Policy, and then click the Move link to
top button.
Important Ensure that the VSG EC Domain Policy has its Link Order set to 1. Links at a
scope are processed from the highest order number down, so the GPO at link order 1 is
applied last and its settings win any conflict. If another GPO linked to the domain, such
as the Default Domain Policy GPO, holds link order 1 instead, its settings override the
VSG EC Domain Policy settings.

6. Right-click the Windows Vista Users OU node, and then choose the Link an existing
GPO option.
7. In the Select GPO dialog box, click the VSG EC Users Policy GPO, and then click OK.
8. Right-click the Desktop OU node, and then choose the Link an existing GPO option.
9. In the Select GPO dialog box, click the VSG EC Desktop Policy GPO, and then click
OK.
10. Right-click the Laptop OU node, and then choose the Link an existing GPO option.
11. In the Select GPO dialog box, click the VSG EC Laptop Policy GPO, and then click OK.
12. Repeat these steps for any additional user or computer OUs that you created to link
them to the appropriate GPOs.
To confirm the GPO linkages using the GPMC
Expand the Group Policy Objects node, select the GPO, then in the details pane, click
the Scope tab and note the information in the Link Enabled and Path columns.
– Or –
Select the OU, and then in the details pane, click the Linked Group Policy Objects tab
and note the information in the Link Enabled and GPO columns.
Note You can use the GPMC to unlink the GPOs and, optionally, delete them. Then use the
GPMC, or the Active Directory Users and Computers console, to delete any OUs that you no
longer need. To completely undo all Active Directory modifications made by the
GPOAccelerator, you must manually delete the EC-VSGAuditPolicy.cmd file, the EC-
ApplyAuditPolicy.cmd, and the EC-AuditPolicy.txt file from the NETLOGON share of one of
your domain controllers. For additional details on how to completely remove the
implementation of the Audit policy, refer to the "Audit Policy" section in Appendix A,
"Security Group Policy Settings."
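Linking and checking the links can also be scripted. The following PowerShell is an added example, not part of the GPOAccelerator or of this guide: it uses the GroupPolicy and ActiveDirectory modules (shipped with the Remote Server Administration Tools on Windows 7 and Windows Server 2008 R2 and later, so it is not available on the Windows Vista computer used in the procedure above) to link the four VSG EC GPOs, force the domain policy to link order 1, and fail if any GPO is missing or the order is wrong. The OU distinguished names are assumptions based on the OU names in the procedure; replace them with your own. The same script serves the XP EC GPOs in Chapter 4 once the GPO names are changed.

```powershell
# Added example, not part of the GPOAccelerator. Requires the GroupPolicy and
# ActiveDirectory modules (RSAT) and a Domain Admins (or equivalently delegated) account.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DistinguishedName              # e.g. DC=contoso,DC=com
# Assumption: the client OUs from the procedure live under one parent OU. Adjust to your structure.
$parentOU = "OU=Windows Vista Clients,$domain"

$links = @(
    @{ Gpo = 'VSG EC Domain Policy';  Target = $domain },
    @{ Gpo = 'VSG EC Users Policy';   Target = "OU=Windows Vista Users,$parentOU" },
    @{ Gpo = 'VSG EC Desktop Policy'; Target = "OU=Desktop,$parentOU" },
    @{ Gpo = 'VSG EC Laptop Policy';  Target = "OU=Laptop,$parentOU" }
)

foreach ($l in $links) {
    # Task 2 check: stop immediately if the GPOAccelerator did not create this GPO.
    $null = Get-GPO -Name $l.Gpo -ErrorAction Stop

    # Link only if the GPO is not already linked at this target (re-running is safe).
    $already = (Get-GPInheritance -Target $l.Target).GpoLinks |
        Where-Object { $_.DisplayName -eq $l.Gpo }
    if (-not $already) {
        New-GPLink -Name $l.Gpo -Target $l.Target -LinkEnabled Yes | Out-Null
    }
}

# Link order 1 is applied last at the domain scope, so it takes precedence over the
# Default Domain Policy where the two define the same setting.
Set-GPLink -Name 'VSG EC Domain Policy' -Target $domain -Order 1 | Out-Null

# Report every link in scope: the same data the GPMC shows on the Linked Group Policy
# Objects tab (Link Order, GPO, Enforced, Link Enabled).
foreach ($l in $links) {
    (Get-GPInheritance -Target $l.Target).GpoLinks |
        Select-Object @{ n = 'Target'; e = { $l.Target } }, Order, DisplayName, Enforced, Enabled
}

# Hard check on the one ordering the page calls Important.
$domainLink = (Get-GPInheritance -Target $domain).GpoLinks |
    Where-Object { $_.DisplayName -eq 'VSG EC Domain Policy' }
if (-not $domainLink) { throw 'VSG EC Domain Policy is not linked to the domain' }
if ($domainLink.Order -ne 1) {
    throw "VSG EC Domain Policy has link order $($domainLink.Order); expected 1"
}
if (-not $domainLink.Enabled) { throw 'VSG EC Domain Policy link is disabled' }
```

Run it from an elevated PowerShell prompt on a domain-joined management workstation. Because it only links GPOs that already exist and never edits their settings, it can be re-run after you add OUs to your production structure; add a line to `$links` for each new OU.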

All of the GPOs that the GPOAccelerator creates are fully populated with the settings that
the Windows Vista Security Guide prescribes. You can now use the Active Directory Users
and Computers tool to test the design by moving users and computers into their
respective OUs. For details about the settings contained in each GPO, see "Appendix A:
Security Group Policy Settings," which accompanies the Windows Vista Security Guide.

GPMC and SCE Extensions


The solution presented in this guidance uses GPO settings that do not display in the
standard user interface (UI) for the GPMC in Windows Vista or the Security Configuration
Editor (SCE). These settings, which are all prefixed with MSS:, were developed by the
Microsoft Solutions for Security group for previous security guidance.
For this reason, you need to extend these tools so that you can view the security settings
and edit them as required. The GPOAccelerator makes this change automatically on the
computer where it creates the GPOs. Use the following procedure to update the SCE on
any other computer running Windows Vista from which you want to view or edit the GPOs.
To modify the SCE to display MSS settings
1. Ensure that you have met the following prerequisites:
The computer is joined to the domain using Active Directory where you created
the GPOs.
The GPOAccelerator is installed.
Note You can also simply copy the GPOAccelerator folder from a computer on which you
have installed the tool to another computer that you want to use to run the script. The
GPOAccelerator folder and subfolders must be present on the local computer for the script to
run as described in this procedure.

2. Log on to the computer running Windows Vista as an administrator.


3. On the computer, click Start, click All Programs, and then click GPOAccelerator.
4. Right-click the Command-line Here.cmd file, and then click Run as administrator to
open a command prompt with full administrative privileges.
Note If prompted for logon credentials, type your user name and password, and then press
ENTER.

5. At the command prompt, type cscript GPOAccelerator.wsf /ConfigSCE and then press
ENTER.
6. In the Click Yes to continue, or No to exit the script message box, click Yes.
7. In The Security Configuration Editor is updated message box, click OK.
Note This script only modifies SCE to display MSS settings; it does not create GPOs or OUs.

The following procedure removes the additional MSS security settings, and then resets
the SCE to the default settings in Windows Vista.
To reset the SCE to the default settings in Windows Vista
1. Log on to the computer running Windows Vista as an administrator.
2. On the computer, click Start, click All Programs, and then click GPOAccelerator.
3. Right-click the Command-line Here.cmd file, and then click Run as administrator to
open a command prompt with full administrative privileges.
Note If prompted for logon credentials, type your user name and password, and then press
ENTER.

4. At the command prompt, type cscript GPOAccelerator.wsf /ResetSCE and then press
ENTER.
5. In the Click Yes to continue, or No to exit the script message box, click Yes.
Note Completing this procedure reverts the SCE on your computer to the default settings in
Windows Vista. Any settings added to the default SCE are removed. This will only affect the
ability to view the settings with the SCE. Configured Group Policy settings remain in place.

6. In The Security Configuration Editor is updated message box, click OK.

Security Templates
Security Templates are provided so that if you want to build your own policies, rather than
use or modify the policies prescribed in Windows Vista Security Guide, you can import
the relevant security settings. Security Templates are text files that contain security
setting values. They are subcomponents of the GPOs. You can modify the policy settings
that are contained in the Security Templates in the MMC Group Policy Object Editor
snap-in. Unlike some previous versions of the Windows operating system, Windows Vista
does not come with predefined Security Templates.
Security Templates are included with the GPOAccelerator. The following templates for
the EC environment are located in the GPOAccelerator\Security Templates\VSG
folder:
VSG EC Desktop.inf
VSG EC Domain.inf
VSG EC Laptop.inf
Important You do not need to use the Security Templates to deploy the solution described in
this guide. The templates provide an alternative to the GPMC-based solution, and only cover
computer security settings that appear under Computer Configuration\Windows
Settings\Security Settings. For example, you cannot manage Internet Explorer or Windows
Firewall settings in the GPOs using a Security Template, and user settings are not included.

Using Security Templates


If you want to use the Security Templates you must first extend the SCE so that the
custom MSS security settings display in the UI. See the procedure in the previous
"GPMC and SCE Extensions" section in this chapter for details. When you can view the
templates, you can use the following procedure to import them as needed into the GPOs
that you have created.
To import a Security Template into a GPO
1. Open the Group Policy Object Editor for the GPO you want to modify; to do this in the
GPMC, right-click the GPO, and then click Edit.
2. In the Group Policy Object Editor, browse to the Windows Settings folder.
3. Expand the Windows Settings folder, and then select Security Settings.
4. Right-click the Security Settings folder, and then click Import Policy.
5. Browse to the VSG folder in the \Program Files\GPOAccelerator\Security Templates
folder.
6. Select the Security Template that you want to import, and then click Open.
You can also use the Security Templates supplied with this guide to modify the local
security policy on stand-alone client computers running Windows Vista. The
GPOAccelerator simplifies the process to apply the templates.
To apply the Security Templates to modify the local Group Policy on a stand-alone
client computer running Windows Vista
1. Log on as an administrator to a computer running Windows Vista.
2. On the computer, click Start, click All Programs, and click GPOAccelerator.
3. Right-click the Command-line Here.cmd file, and then click Run as administrator to
open a command prompt with full administrative privileges.
Note If prompted for logon credentials, type your user name and password, and then press
ENTER.

4. At the command prompt, type cscript GPOAccelerator.wsf /Enterprise /Desktop or
cscript GPOAccelerator.wsf /Enterprise /Laptop and then press ENTER.
Completing this procedure modifies the local security policy settings using the values
in the Security Templates for the EC environment.
To restore local Group Policy to the default settings in Windows Vista
1. Log on as an administrator to a client computer running Windows Vista.
2. On the computer, click Start, click All Programs, and click GPOAccelerator.
3. Right-click the Command-line Here.cmd file, and then click Run as administrator to
open a command prompt with full administrative privileges.
Note If prompted for logon credentials, type your user name and password, and then press
ENTER.

4. At the command prompt, type cscript GPOAccelerator.wsf /Restore, and then press
ENTER.
Completing this procedure restores the local security policy settings to their default
values in Windows Vista.
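The template files are plain Unicode INF text, and any tool that understands security templates can apply them. The following PowerShell is an added example, not part of the GPOAccelerator or of this guide: it snapshots the current local security policy with secedit.exe first (so you can later return to the state you actually had, rather than to the Windows defaults that the /Restore option produces), lists what a template will change, applies it, and then analyzes the machine against the template instead of trusting the exit code alone. The paths and the choice of VSG EC Desktop.inf are assumptions; the XPG templates in Chapter 4 work the same way. As the page states, run /ConfigSCE first if you want the MSS: values to be visible in the SCE afterwards.

```powershell
# Added example, not part of the GPOAccelerator. Run from an elevated prompt.
# Assumption: 32-bit MSI install path; on x64 this may be ${env:ProgramFiles(x86)}.
$templateDir = Join-Path $env:ProgramFiles 'GPOAccelerator\Security Templates\VSG'
$template    = Join-Path $templateDir 'VSG EC Desktop.inf'
$work        = Join-Path $env:TEMP 'vsg-secedit'
New-Item -ItemType Directory -Path $work -Force | Out-Null

$backup = Join-Path $work 'local-policy-before.inf'
$db     = Join-Path $work 'vsg-ec-desktop.sdb'
$log    = Join-Path $work 'secedit.log'

# 1. Snapshot the current local security policy so the change is reversible.
& secedit.exe /export /cfg $backup /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }

# 2. Parse the template: UTF-16 INF with sections such as [System Access],
#    [Event Audit], [Privilege Rights] and [Registry Values]; [Unicode] and
#    [Version] are file metadata, not settings.
$section  = ''
$settings = foreach ($line in Get-Content -Path $template -Encoding Unicode) {
    $t = $line.Trim()
    if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
    if ($t -eq '' -or $t.StartsWith(';') -or $section -in 'Unicode', 'Version') { continue }
    $key, $value = $t -split '=', 2
    if ($null -eq $value) { continue }
    [pscustomobject]@{ Section = $section; Key = $key.Trim(); Value = $value.Trim() }
}
"Template defines $($settings.Count) settings:"
$settings | Group-Object Section | Select-Object Name, Count | Format-Table -AutoSize
# Registry Values is where the MSS: entries live (path=type,data).
$settings | Where-Object { $_.Section -eq 'Registry Values' } | Format-Table -AutoSize

# 3. Apply: /configure loads the INF into a fresh database and writes it to the machine.
& secedit.exe /configure /db $db /cfg $template /overwrite /log $log /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE; see $log" }

# 4. Verify: compare the live machine against the database just built from the template.
& secedit.exe /analyze /db $db /log $log /quiet
$mismatches = Select-String -Path $log -Pattern 'Mismatch' -SimpleMatch
if ($mismatches) {
    "Settings that did not take effect:"
    $mismatches | ForEach-Object Line
} else {
    "Local policy matches $template"
}

# To revert to the snapshot taken in step 1 (not to Windows defaults):
#   secedit /configure /db "$work\revert.sdb" /cfg $backup /overwrite /quiet
```

Keep the exported snapshot with your change record; it is the only way back to the pre-hardening state, since both /Restore and a fresh Windows Vista install give you the operating system defaults, not your previous local policy.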

Subdirectories and Files


When you run the Windows Installer (.msi) file, it creates the GPOAccelerator folder in
the Program Files folder on your computer. The .msi file also creates a subfolder
structure in the GPOAccelerator folder.

More Information
The following resources provide additional information about Windows Vista security-
related topics on Microsoft.com:
Administering Group Policy.
Enterprise Management with the Group Policy.
Loopback Processing of Group Policy.
Migrating GPOs.
Step-by-Step Guide to Understanding the Group Policy.
Step-by-Step Guide to Using the Delegation of Control Wizard.
Summary of New or Expanded Group Policy.
Windows Vista.
Chapter 4: Using the GPOAccelerator
with Windows XP
After you read the Windows XP Security Guide, you can use the tasks and procedures in
this chapter with the GPOAccelerator to create the GPOs and OUs needed to create, test,
and deploy the Enterprise Client (EC) environment that the guide prescribes in your
production environment.
Important The tasks and procedures in this chapter are specific to creating and testing the
GPO settings and the sample OU structure for the Enterprise Client (EC) environment that the
guide prescribes. You can use a different set of options with the same tasks and procedures in
this chapter to create the Specialized Security – Limited Functionality (SSLF) environment. For
more information about SSLF options, see Chapter 1, "GPOAccelerator Command-Line Options
and User Interface."

The GPOAccelerator automatically creates all the GPOs and OUs that you need to apply
the security guidance for Windows® XP. You do not need to spend time editing policy
settings and applying templates manually.

Implementing the Security Policies


Implementing the security design for the two environments described in this guidance
requires you to use the Group Policy Management Console (GPMC), and GPMC-based
scripts. You must download and install the GPMC before using the GPOAccelerator with
Windows XP or Windows Server® 2003. You can download the GPMC from the
Enterprise Management with the Group Policy page on the Microsoft Web site. If you are
not running Windows Server 2003 R2, you must also install .NET Framework version 1.1.
Important You must perform all of the procedures in this chapter on a client computer running
Windows XP that is joined to an AD DS domain. In addition, the user who performs the
procedures must be a member of the Domain Admins group or have been delegated
equivalent privileges. If you use the Windows Vista or Windows Server 2008 operating systems,
some security settings will differ from those documented in the Windows XP Security Guide.

Implementation Tasks
To implement the security design, there are a few key tasks to complete:
1. Create the EC environment.
2. Use the GPMC to link the XP EC Domain Policy to the domain.
3. Use the GPMC to check your results.
Similarly, you also use these steps to configure security for each server role in your
environment.

The GPOAccelerator Tool


This section of the chapter describes these tasks and procedures and the functionality of
the GPOAccelerator, which automatically creates the prescribed GPOs. This section also
includes information about how to use the GPMC to check the GPOs created by the tool.
The Windows XP Security Guide Settings workbook that also accompanies the Windows
XP Security Guide provides another resource that you can use to compare setting
values.

The GPOAccelerator
The main feature of this script automatically creates all the GPOs you need to apply this
guidance. You do not need to spend a lot of time manually editing policy settings and
applying templates. For computers in the EC environment, the script creates the following
four GPOs:
XP EC Domain Policy for the domain.
XP EC Desktop Policy for desktop computers.
XP EC Laptop Policy for laptop computers.
XP EC Users Policy for users.
Use the GPOAccelerator to complete the following tasks:
Test the design in a lab environment. In your test environment, use the
GPOAccelerator to create an OU structure, create the GPOs, and then automatically
link the GPOs to the OUs. After you complete the test phase of the implementation,
you can use the script in your production environment.
Deploy the design in a production environment. When you start working in your
production environment to implement the solution, you must first create a suitable OU
structure or modify an existing set of OUs. You can then use the GPOAccelerator to
create the GPOs, and then link the newly created GPOs to the appropriate OUs in
your environment.

Test the Design in a Lab Environment


The GPOs that the GPOAccelerator creates have been thoroughly tested. However, it is
important to perform your own testing in your own environment. To save time, you can
use the GPOAccelerator to create the prescribed GPOs and the recommended OU
structure, and then automatically link the GPOs to the OUs.

Design Test Tasks


To test the design in a lab environment, complete the following key tasks:
1. Create the EC environment.
2. Use the GPMC to link the XP EC Domain Policy to the domain.
3. Use the GPMC to check your results.

Task 1: Create the EC Environment


The GPOAccelerator is located in the GPOAccelerator folder that the Microsoft Windows
Installer (.msi) file creates in the Program Files folder.
Note The GPOAccelerator folder and subfolders for it must be present on the local computer for
the script to run as described in the following procedure.

To create the GPOs and link them to the appropriate OUs in a lab environment
1. Log on as a domain administrator to a computer running Windows XP that is joined to
the domain using Active Directory in which you will create the GPOs.
2. On the computer, click Start, click All Programs, and then click GPOAccelerator.
3. Click the command-line here.cmd file.
4. At the command prompt, type cscript GPOAccelerator.wsf /XP /Enterprise /LAB and
then press ENTER.
5. In the Click Yes to continue, or No to exit the script message box, click Yes.
Note This step can take several minutes.

6. In The Enterprise Lab Environment is created message box, click OK.


7. In the Make sure to link the Enterprise Domain GPO to your domain message box, click
OK, and then complete the steps in the next task to link the XP EC Domain Policy.
Note The domain level Group Policy includes settings that apply to all computers and users
in the domain. It is important to be able to decide when to link the domain GPO, as this GPO
applies to all users and computers. For this reason, the GPOAccelerator does not
automatically link the domain GPO to the domain.

Task 2: Use the GPMC to Link the XP EC Domain Policy to the Domain
You are now ready to link the domain GPO to the domain. The following instructions
describe how to use the GPMC on a computer running Windows XP to link the XP EC
Domain Policy to the domain.
To link the XP EC Domain Policy
1. Click Start, click All Programs, click Accessories, and then click Run. (Or press the
Windows logo key+R.)
2. In the Open text box, type gpmc.msc and then click OK.
3. Under the Domains tree, right-click the domain, and then click Link an existing GPO.
4. In the Select GPO dialog box, click the XP EC Domain Policy GPO, and then click OK.
5. In the details pane, select the XP EC Domain Policy, and then click the Move link to
top button.
Important Ensure that the XP EC Domain Policy has its Link Order set to 1. Links at a
scope are processed from the highest order number down, so the GPO at link order 1 is
applied last and its settings win any conflict. If another GPO linked to the domain, such
as the Default Domain Policy GPO, holds link order 1 instead, its settings override the
XP EC Domain Policy settings.

Task 3: Use the GPMC to Check Your Results


You can use the GPMC to check the results of the script. The following procedure
describes how to use the GPMC on a computer running Windows XP to verify the GPOs
and OU structure that the GPOAccelerator creates for you.
To verify the results of the GPOAccelerator
1. Click Start, click All Programs, click Accessories, and then click Run.
2. In the Open text box, type gpmc.msc, and then click OK.
3. Click the appropriate forest, click Domains, and then click your domain.
4. Click and expand the XP Security Guide EC Client OU, and then click each of the child
OUs below it to open them.
5. Verify your OU structure and GPO links match the following figure.

Figure 4.1. The GPMC view of the OU structure and GPO links that the
GPOAccelerator creates

All of the GPOs that the GPOAccelerator creates are fully populated with the settings that
this guidance prescribes. You can now use the Active Directory Users and Computers
tool to test the design by moving users and computers into their respective OUs. For
details about the settings contained in each GPO, see the Windows XP Security Guide.

Deploy the Design in a Production Environment


To save time, you can use the GPOAccelerator to create the GPOs for the EC
environment. Then you can link the GPOs to the appropriate OUs in your existing
structure. In larger domains with a large number of OUs, you will need to consider how to
use your existing OU structure to deploy the GPOs.
Microsoft recommends keeping computer OUs distinct from user OUs. Client
workstations, such as laptop and desktop computers, should also be organized in their
own OUs. If such a structure is not possible in your environment, you may need to modify
the GPOs.
Note As discussed in the previous section, you can use the GPOAccelerator with the /LAB
option in a test environment to create the sample OU structure. However, environments with a
flexible OU structure can also use this option in a production environment to create a basic OU
structure, and automatically link the GPOs. Then you can manually modify the OU structure to
meet the requirements of your environment.

Deployment Tasks
To deploy the design in a production environment, complete the following key tasks:
1. Create the GPOs.
2. Use the GPMC to check your results.
3. Use the GPMC to link the GPOs to the OUs.

Task 1: Create the GPOs


You create the EC GPOs described in this guidance using the GPOAccelerator. The
GPOAccelerator is located in the GPOAccelerator folder that the Microsoft Windows
Installer (.msi) file creates for you in the Program Files folder.
Note You can also simply copy the GPOAccelerator folder from a computer where the folder is
installed to another computer that you want to use to run the script. The GPOAccelerator folder
and subfolders for it must be present on the local computer for the script to run as described in
the following procedure.

To create the GPOs in a production environment


1. Log on as a domain administrator to a computer running Windows XP that is joined to
the AD DS domain in which you will create the GPOs.
2. On the computer, click Start, click All Programs, and then click GPOAccelerator.
3. Open the GPOAccelerator Tool folder.
4. Click the command-line here.cmd file.
5. At the command prompt, type cscript GPOAccelerator.wsf /XP /Enterprise and then
press ENTER.
6. In the Click Yes to continue, or No to exit the script message box, click Yes.
Note This step can take several minutes.

7. In The Enterprise GPOs are created message box, click OK.


8. In the Make sure to link the Enterprise GPOs to the appropriate OUs message box,
click OK.

Task 2: Use the GPMC to Check Your Results


You can use the GPMC to ensure that the script has successfully created all of the
GPOs. The following procedure describes how to use the GPMC on a computer running
Windows XP to verify the GPOs that the GPOAccelerator creates.
To verify the results of the GPOAccelerator
1. Click Start, click All Programs, click Accessories, and then click Run.
2. In the Open text box, type gpmc.msc and then click OK.
3. Click the appropriate forest, click Domains, and then click your domain.
4. Click and expand Group Policy Objects, and then verify that the XP EC GPOs have
been created according to those listed in the following figure.

Figure 4.2. The GPMC view of the EC GPOs that the GPOAccelerator creates

You can now use the GPMC to link each GPO to the appropriate OU. The final task in
this process explains how to do this.

Task 3: Use the GPMC to Link the GPOs to the OUs


The following procedure describes how to use the GPMC on a computer running
Windows XP to accomplish this task.
To link the GPOs in a production environment
1. Click Start, click All Programs, click Accessories, and then click Run.
2. In the Open text box, type gpmc.msc and then click OK.
3. Under the Domains tree, right-click the domain, and then click Link an existing GPO.
Note You also can drag a GPO from under the Group Policy objects node to an OU.
However, you can only perform this drag-and-drop operation within the same domain.

4. In the Select GPO dialog box, click the XP EC Domain Policy GPO, and then click OK.
5. In the details pane, select the XP EC Domain Policy, and then click the Move link to
top button.
Important Ensure that the XP EC Domain Policy has its Link Order set to 1. Links at a
scope are processed from the highest order number down, so the GPO at link order 1 is
applied last and its settings win any conflict. If another GPO linked to the domain, such
as the Default Domain Policy GPO, holds link order 1 instead, its settings override the
XP EC Domain Policy settings.

6. Right-click the Windows XP Users OU node, and then choose the Link an existing GPO
option.
7. In the Select GPO dialog box, click the XP EC Users Policy GPO, and then click OK.
8. Right-click the Desktop OU node, and then choose the Link an existing GPO option.
9. In the Select GPO dialog box, click the XP EC Desktop Policy GPO, and then click OK.
10. Right-click the Laptop OU node, and then choose the Link an existing GPO option.
11. In the Select GPO dialog box, click the XP EC Laptop Policy GPO, and then click OK.
12. Repeat these steps for any additional user or computer OUs that you created to link
them to the appropriate GPOs.
To confirm the GPO linkages using the GPMC
Expand the Group Policy Objects node, select the GPO, then in the details pane, click
the Scope tab and note the information in the Link Enabled and Path columns.
– Or –
Select the OU, and then in the details pane, click the Linked Group Policy Objects tab
and note the information in the Link Enabled and GPO columns.
Note You can use the GPMC to unlink the GPOs and, optionally, delete them. Use the
GPMC, or the Active Directory Users and Computers console, to delete any OUs that you no
longer need.

All of the GPOs that the GPOAccelerator creates are fully populated with the settings that
the Windows XP Security Guide prescribes. You can now use the Active Directory
Users and Computers tool to test the design by moving users and computers into their
respective OUs. For details about the settings contained in each GPO, see the Windows
XP Security Guide.

GPMC and SCE Extensions


The solution presented in this guidance uses GPO settings that do not display in the
standard user interface (UI) for the GPMC in Windows XP or the Security Configuration
Editor (SCE). These settings, which are all prefixed with MSS:, were developed by the
Microsoft Solutions for Security group for previous security guidance.
For this reason, you need to extend these tools so that you can view the security settings
and edit them as required. To accomplish this, the GPOAccelerator automatically
updates your computer while it creates the GPOs. Use the following procedure to update
the SCE on a computer running Windows XP.
To modify the SCE to display MSS settings
1. Ensure that you have met the following prerequisites:
The computer is joined to the domain using Active Directory where you created
the GPOs.
The GPOAccelerator is installed.
Note You can also simply copy the GPOAccelerator folder from a computer on which you
have installed the tool to another computer that you want to use to run the script. The
GPOAccelerator folder and subfolders must be present on the local computer for the script to
run as described in this procedure.

2. Log on to the computer running Windows XP as an administrator.


3. On the desktop, click Start, click All Programs, and then click GPOAccelerator.
4. Click the Command-line Here.cmd file.
5. At the command prompt, type cscript GPOAccelerator.wsf /ConfigSCE and then press
ENTER.
6. In the Click Yes to continue, or No to exit the script message box, click Yes.
7. In The Security Configuration Editor is updated message box, click OK.
Note This script only modifies the SCE to display MSS settings. This script does not create
GPOs or OUs.

The following procedure removes the additional MSS security settings, and then resets
the SCE to the default settings in Windows XP.
To reset the SCE to the default settings in Windows XP
1. Log on to the computer running Windows XP as an administrator.
2. On the desktop, click Start, click All Programs, and then click GPOAccelerator.
3. Click the Command-line Here.cmd file.
4. At the command prompt, type cscript GPOAccelerator.wsf /ResetSCE and then press
ENTER.
5. In the Click Yes to continue, or No to exit the script message box, click Yes.
Note Completing this procedure reverts the SCE on your computer to the default settings in
Windows XP. Any settings added to the default SCE are removed. This will only affect the
ability to view the settings with the SCE. Configured Group Policy settings remain in place.

6. In The Security Configuration Editor is updated message box, click OK.



Security Templates
Security Templates are provided so that if you want to build your own policies, rather than
use or modify the policies prescribed in Windows XP Security Guide, you can import the
relevant security settings. Security Templates are text files that contain security setting
values. They are subcomponents of the GPOs. You can modify the policy settings that
are contained in the Security Templates in the MMC Group Policy Object Editor snap-in.
Security Templates are included with the GPOAccelerator. The following templates for
the EC environment are located in the GPOAccelerator\Security Templates\XPG
folder:
XP EC Desktop.inf
XP EC Domain.inf
XP EC Laptop.inf
Important You do not need to use the Security Templates to deploy the solution described in
this guide. The templates provide an alternative to the GPMC-based solution, and only cover
computer security settings that appear under Computer Configuration\Windows
Settings\Security Settings. For example, you cannot manage Internet Explorer or Windows
Firewall settings in the GPOs using a Security Template, and user settings are not included.

Using Security Templates


If you want to use the Security Templates you must first extend the SCE so that the
custom MSS security settings display in the UI. See the procedure in the previous
"GPMC and SCE Extensions" section in this chapter for details. When you can view the
templates, you can use the following procedure to import them as needed into the GPOs
that you have created.
To import a Security Template into a GPO
1. Open the Group Policy Object Editor for the GPO you want to modify; to do this in the
GPMC, right-click the GPO, and then click Edit.
2. In the Group Policy Object Editor, browse to the Windows Settings folder.
3. Expand the Windows Settings folder, and then select Security Settings.
4. Right-click the Security Settings folder, and then click Import Policy.
5. Browse to the XPG folder in the \Program Files\GPOAccelerator\Security Templates
folder.
6. Select the Security Template that you want to import, and then click Open.

You can also use the Security Templates supplied with this guide to modify the local
security policy on stand-alone client computers running Windows XP. The
GPOAccelerator simplifies the process to apply the templates.
To apply the Security Templates to modify local Group Policy on a stand-alone
client computer running Windows XP
1. Log on as an administrator to a computer running Windows XP.
2. On the computer, click Start, click All Programs, and click GPOAccelerator.
3. Click the Command-line Here.cmd file.
4. At the command prompt, type cscript GPOAccelerator.wsf /Enterprise /Desktop or
cscript GPOAccelerator.wsf /Enterprise /Laptop and then press ENTER.
Completing this procedure modifies the local security policy settings using the values
in the Security Templates for the EC environment.
To restore a local Group Policy to the default settings in Windows XP
1. Log on as an administrator to a client computer running Windows XP.
2. On the computer, click Start, click All Programs, and click GPOAccelerator.
3. Click the Command-line Here.cmd file.
4. At the command prompt, type cscript GPOAccelerator.wsf /Restore and then press
ENTER.
Completing this procedure restores the local security policy settings to their default
values in Windows XP.
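The two procedures above hide what actually happens to the local policy. The following script is an added example for this guide, not code from the GPOAccelerator tool, and it shows the same work done directly with secedit.exe: it parses the template to show which settings it defines, exports the current local policy as a rollback point, runs an analysis that lists every setting the template would change, and only then (when you flip the switch) applies it. It assumes Windows PowerShell in an elevated prompt on the stand-alone client and the template path the guide gives above; that path and the working folder under %TEMP% are the only assumptions.

```powershell
# Added example for this guide; it is not part of the GPOAccelerator tool or the guide's own text.
# Assumptions: Windows PowerShell in an elevated prompt on the stand-alone client, and the
# template path below (the location the guide gives) present on this machine.
$Template = 'C:\Program Files\GPOAccelerator\Security Templates\XPG\XP EC Desktop.inf'
$Apply    = $false    # $false = inspect and analyze only; $true = configure local policy for real
$Work     = Join-Path $env:TEMP ('secpol-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $Work | Out-Null

# A security template is an INF-style text file. Read it into section -> (name -> value) so you
# can see exactly which settings it defines before applying anything. The templates carry a
# UTF-16 byte-order mark, which Get-Content honours.
function Read-SecurityTemplate {
    param([Parameter(Mandatory=$true)][string]$Path)
    $sections = @{}
    $current  = $null
    foreach ($raw in Get-Content -LiteralPath $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }          # blank or comment line
        if ($line -match '^\[(.+)\]$') {                                   # [Section]
            $current = $Matches[1]
            if (-not $sections.ContainsKey($current)) { $sections[$current] = @{} }
            continue
        }
        if ($current -and $line -match '^(.+?)\s*=\s*(.*)$') {            # name = value
            $sections[$current][$Matches[1]] = $Matches[2]
        }
    }
    return $sections
}

$inf = Read-SecurityTemplate -Path $Template
foreach ($name in ($inf.Keys | Sort-Object)) { '{0,-20} {1,4} entries' -f "[$name]", $inf[$name].Count }

# [Registry Values] is where the MSS settings live; each value is "type,data". The TCP/IP
# hardening subset is shown as an illustration of what the template will write.
if ($inf.ContainsKey('Registry Values')) {
    $inf['Registry Values'].GetEnumerator() |
        Where-Object { $_.Key -like 'MACHINE\System\CurrentControlSet\Services\Tcpip\*' } |
        ForEach-Object { '{0} = {1}' -f $_.Key, $_.Value }
}

# Snapshot the current local policy first. GPOAccelerator.wsf /Restore returns the machine to
# Windows defaults, not to whatever was configured before, so this export is the real rollback.
$Before = Join-Path $Work 'before.inf'
secedit.exe /export /cfg "$Before" /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }

# Dry run: load the template into a scratch database and compare it with the live configuration.
# secedit writes each differing setting to the log as a line beginning with "Mismatch".
$AnalyzeDb  = Join-Path $Work 'analyze.sdb'
$AnalyzeLog = Join-Path $Work 'analyze.log'
secedit.exe /analyze /db "$AnalyzeDb" /cfg "$Template" /log "$AnalyzeLog"
$mismatches = @(Get-Content -LiteralPath $AnalyzeLog | Where-Object { $_ -match '^\s*Mismatch' } |
                ForEach-Object { $_.Trim() })
"Settings that would change: $($mismatches.Count)"
$mismatches | Select-Object -First 20

if ($Apply) {
    # Same template, applied for real. /overwrite starts from an empty scratch database so only
    # the template's settings are configured; settings the template leaves undefined stay as they are.
    $ApplyDb  = Join-Path $Work 'apply.sdb'
    $ApplyLog = Join-Path $Work 'configure.log'
    secedit.exe /configure /db "$ApplyDb" /cfg "$Template" /overwrite /log "$ApplyLog"
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed; see $ApplyLog" }
    "Applied $Template. To return to the previous state rather than to Windows defaults, run:"
    "  secedit /configure /db `"$(Join-Path $Work 'rollback.sdb')`" /cfg `"$Before`" /overwrite"
}
```

Run it once with $Apply left at $false, review the Mismatch list, and only then set $Apply to $true. Keep before.inf: a template only configures the settings it defines, so reapplying before.inf restores the values you had for exactly those settings, which is a closer rollback than the /Restore option's Windows defaults.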

Subdirectories and Files


When you run the Windows Installer (.msi) file, it creates the GPOAccelerator folder in
the Program Files folder on your computer. The .msi file also creates a subfolder
structure in the GPOAccelerator folder.

More Information
The following resources provide additional information about Windows XP security-
related topics on Microsoft.com:
Administering Group Policy.
Enterprise Management with the Group Policy.
Loopback Processing of Group Policy.
Migrating GPOs.
Step-by-Step Guide to Understanding the Group Policy.
Step-by-Step Guide to Using the Delegation of Control Wizard.
Summary of New or Expanded Group Policy.
Windows XP.
Chapter 5: Using the GPOAccelerator with the 2007 Microsoft Office Release
After you read the 2007 Microsoft Office Security Guide and customize the Group Policy
objects (GPOs) it identifies to meet your organization’s security requirements, you can
use the GPOAccelerator to test your design, and then deploy it in your production
environment.
The GPOs for Windows XP and Windows Vista are designed to work in conjunction with the
GPOs defined in the 2007 Microsoft Office Security Guide. The testing and deployment
guidance in that guide, and this chapter, assume that you have already secured your
operating system by implementing the GPOs from either the Windows XP Security Guide or
the Windows Vista Security Guide.
The GPOAccelerator.msi file installs the GPOAccelerator tool along with related
materials. The GPOAccelerator automatically creates all the GPOs that you need to
implement either the Enterprise Client (EC) or the Specialized Security – Limited
Functionality (SSLF) settings from the 2007 Microsoft Office Security Guide. The
GPOAccelerator also supports the Windows XP Security Guide, the Windows Vista
Security Guide, and the Windows Server 2008 Security Guide.
This chapter provides information about how to use the GPOAccelerator to perform the
following tasks:
Test your customized Office GPO design in a lab environment. You will probably
need to customize the GPOs that the GPOAccelerator deploys, and the OUs to which
they are linked for your environment.
Deploy your customized Office GPO design in your production environment. You can
do this after you finish testing and are satisfied that the deployed GPOs in the lab
meet your organization’s security requirements.
For client computers, the GPOAccelerator script creates the following four GPOs, two for
the EC environment and two for the SSLF environment:
Office EC Computer Policy for the computer.
Office EC Users Policy for users.
Office SSLF Computer Policy for the computer.
Office SSLF Users Policy for users.
For more information about specific GPOs, see the 2007 Microsoft Office Security Guide.

Using the GPOAccelerator to Test and Deploy Your Office Security Guide GPO Design
This section provides you with information to use the GPOAccelerator in an Active
Directory® environment. However, most organizations have existing OUs and GPOs and
use a variety of Active Directory services. It is important to test the GPO settings that the
GPOAccelerator creates to ensure that they do not negatively affect application
functionality in your environment. Information that appears later in this section describes
how to deploy the GPOs that the GPOAccelerator creates in your environment.
Important The GPOs that the GPOAccelerator creates have been thoroughly tested. However,
it is important to perform your own testing, in your own environment, with your own directory
data.

Design Test Tasks

To test the design in a lab environment, complete the following key tasks:
1. Run the GPOAccelerator with the /Office option.
2. Use the GPMC to check your results and link the GPOs.

Task 1: Run GPOAccelerator with the /Office Option

The GPOAccelerator is located in the GPOAccelerator folder that the Microsoft Windows
Installer (.msi) file creates in the Program Files folder.
Note The GPOAccelerator folder and subfolders for it must be present on the local computer for
the script to run as described in the following procedure.

To create the GPOs in a lab environment

1. Log on as a domain administrator to a computer running either Windows Vista® or
Windows® XP that is joined to the Active Directory domain in which you will create
the GPOs.
2. Click Start, click All Programs, point to GPOAccelerator, and then click Run
GPOAccelerator Tool.
3. At the command prompt, type GPOAccelerator.wsf /Enterprise /Office and then press
ENTER.
4. Read the warning message and click Yes to continue.
Note This step can take several minutes.

5. In the message box labeled The Enterprise Office GPOs are created, click OK.

Task 2: Use the GPMC to Check Your Results and Link the GPOs
You can use the Group Policy Management Console (GPMC) to check the results of the
script. The following procedure describes how to use the GPMC to verify the GPOs and
OU structure that the GPOAccelerator creates.
To verify the results of the GPOAccelerator
1. While logged on as a domain administrator, click Start, and then click Run.
2. In the Open box, type gpmc.msc and then click OK.
3. Under Group Policy Management, expand the forest, expand Domains, and then
expand <YourDomainName>.
4. Right-click the OU to which you want to link a GPO, and select Link Existing GPO as
shown in the following figure.

Figure 5.1. Linking OUs and GPOs

5. Select the GPO under Group Policy Objects, and then click OK.
6. Repeat steps 4 and 5 for each OU to link the appropriate GPO to meet the
requirements of the GPO design that you created through the security guide.
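The GPMC steps above can be scripted, which matters when you repeat the lab run several times or need a record of what was linked where. The following is an added example for this guide, not part of the GPOAccelerator tool; it assumes the GroupPolicy PowerShell module that ships with RSAT (a later release than the GPMC this guide describes), a domain administrator session, and the two OU distinguished names, which are placeholders for your own OU design. It confirms that all four Office GPOs exist and are not empty, links the two EC policies one OU at a time, reads each link back, and warns if an OU blocks inheritance, because then the Windows XP or Windows Vista baseline GPOs linked above it would not apply.

```powershell
# Added example for this guide; not part of the GPOAccelerator tool. Assumes the GroupPolicy
# PowerShell module from RSAT, a domain administrator session, and the OU distinguished names
# below, which are placeholders for your own OU design.
Import-Module GroupPolicy

$Expected = @('Office EC Computer Policy', 'Office EC Users Policy',
              'Office SSLF Computer Policy', 'Office SSLF Users Policy')   # names from the guide
$Plan = @{                                                                  # GPO -> OU (placeholders)
    'Office EC Computer Policy' = 'OU=Desktop,OU=Computers,OU=Contoso,DC=contoso,DC=com'
    'Office EC Users Policy'    = 'OU=Users,OU=Contoso,DC=contoso,DC=com'
}

# 1. Confirm the script produced every GPO, and that the half each one is meant to carry is not empty.
$all     = Get-GPO -All
$names   = @($all | ForEach-Object { $_.DisplayName })
$missing = @($Expected | Where-Object { $names -notcontains $_ })
if ($missing.Count -gt 0) { throw "Not created by the GPOAccelerator: $($missing -join ', ')" }

foreach ($g in ($all | Where-Object { $Expected -contains $_.DisplayName })) {
    $side = if ($g.DisplayName -like '*Computer*') { 'Computer' } else { 'User' }
    $ver  = $g.$side.DSVersion                  # increments on every write; 0 means never written
    '{0,-28} {1} {2,-16} {3} version {4}' -f $g.DisplayName, $g.Id, $g.GpoStatus, $side, $ver
    if ($ver -eq 0) {
        Write-Warning "$($g.DisplayName): nothing has been written to its $side settings; the import may have failed."
    }
}

# 2. Link the EC policies one OU at a time and read each link back, instead of trusting the click.
foreach ($gpoName in $Plan.Keys) {
    $ou  = $Plan[$gpoName]
    $inh = Get-GPInheritance -Target $ou
    if ($inh.GpoInheritanceBlocked) {
        Write-Warning "$ou blocks inheritance; the OS baseline GPOs linked above it will not apply there."
    }
    if ($inh.GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }) {
        "$gpoName is already linked to $ou"
    } else {
        New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes | Out-Null
    }
    $link = (Get-GPInheritance -Target $ou).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
    '{0,-28} -> {1}: order={2} enabled={3} enforced={4}' -f $gpoName, $ou, $link.Order, $link.Enabled, $link.Enforced
}
```

After the links are in place, run gpupdate /force on a client in each OU and check gpresult output to confirm the Office GPO is listed as applied and the OS baseline GPO still appears alongside it.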

Deploying the Design in a Production Environment
After you have read the 2007 Microsoft Office Security Guide, customized the GPOs to
meet your organization's security needs, identified the OUs to which you will link the
GPOs, and tested and documented your design, back up any customized GPOs that you
will use in your production environment. If you have not customized any GPOs that the
GPOAccelerator tool provides, you can use the tool to deploy them in your production
environment.
For information about backing up customized GPOs using the GPMC, see Backup Using
GPMC.
For information about restoring backed-up GPOs using the GPMC, see Restore Using
GPMC.
Microsoft recommends that you deploy your GPOs at least once in the lab and document
your findings. This will help to simplify deploying the GPOs in your production
environment. When doing so, consider things that might be different from your lab
experience, including the following:
Each GPO is stored in two places: a Group Policy container in the domain partition of
Active Directory and a Group Policy template in the SYSVOL share. Both parts replicate
to every domain controller in the domain, on separate schedules. The GPMC performs GPO
operations on the PDC emulator by default; running the GPOAccelerator against a centrally
located domain controller will minimize replication latency across your domain.
You can run the GPOAccelerator, create the GPOs in Active Directory, and link the
GPOs to OUs one at a time to verify that no adverse effects result. For example, if
you have a Computer OU for five different groups within your organization, you might
choose to link a GPO to one of the five OUs, and then verify the result of this before
linking the GPO to all five OUs.
You might want to communicate with the users in your environment to inform them
that the security changes might affect their user experience.
Finally, Microsoft recommends that you provide administrators and support staff with training so
that they are comfortable administering and supporting Active Directory.
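Two of the points above, back up the customized GPOs before they go near production and allow for replication latency before linking, are easy to get wrong by hand. The following is an added example for this guide, not part of the GPOAccelerator tool; it assumes the GroupPolicy PowerShell module from RSAT (a later release than the GPMC this guide describes) and a backup share path, which is a placeholder. It backs up each GPO from the PDC emulator with an HTML report beside it, then compares the GPO's container and SYSVOL versions on every domain controller in the domain against the PDC emulator's copy, so you know replication has finished before any link is enabled.

```powershell
# Added example for this guide; not part of the GPOAccelerator tool. Assumes the GroupPolicy
# PowerShell module from RSAT and a backup share path, which is a placeholder.
Import-Module GroupPolicy

$Names = @('Office EC Computer Policy', 'Office EC Users Policy')   # customized GPOs going to production
$Root  = '\\fileserver\GPOBackups'                                   # placeholder share (assumption)
$Dir   = Join-Path $Root (Get-Date -Format 'yyyy-MM-dd_HHmm')
New-Item -ItemType Directory -Path $Dir | Out-Null

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc    = $domain.PdcRoleOwner.Name    # the GPMC writes GPOs here by default; treat it as the reference copy

# 1. Back up each GPO and keep a readable report next to it, so reviewers do not need the GPMC.
foreach ($n in $Names) {
    $b = Backup-GPO -Name $n -Path $Dir -Server $pdc -Comment 'Lab-tested design, pre-production'
    Get-GPOReport -Name $n -ReportType Html -Server $pdc -Path (Join-Path $Dir "$n.html")
    '{0,-28} backup id {1}' -f $n, $b.Id
}

# 2. Do not link until every domain controller holds the same version. A GPO lives in two places,
#    the AD container (DSVersion) and SYSVOL (SysvolVersion), and the two replicate separately.
function Get-GpoReplicationState {
    param([Parameter(Mandatory=$true)][string]$Name)
    $ref = Get-GPO -Name $Name -Server $pdc
    foreach ($dc in $domain.DomainControllers) {
        try {
            $g = Get-GPO -Guid $ref.Id -Server $dc.Name -ErrorAction Stop
            $inSync = ($g.Computer.DSVersion     -eq $ref.Computer.DSVersion) -and
                      ($g.User.DSVersion         -eq $ref.User.DSVersion) -and
                      ($g.Computer.SysvolVersion -eq $g.Computer.DSVersion) -and
                      ($g.User.SysvolVersion     -eq $g.User.DSVersion)
            $state = if ($inSync) { 'in sync' } else { 'lagging' }
        } catch {
            $state = 'not yet replicated'      # the container has not reached this DC at all
        }
        New-Object PSObject -Property @{ Gpo = $Name; DC = $dc.Name; State = $state }
    }
}

$report = @($Names | ForEach-Object { Get-GpoReplicationState -Name $_ })
$report | Format-Table Gpo, DC, State -AutoSize
if (@($report | Where-Object { $_.State -ne 'in sync' }).Count -gt 0) {
    Write-Warning 'Replication incomplete; wait and rerun before linking the GPOs to production OUs.'
}
```

If a production GPO later needs to go back to the lab-tested state, Restore-GPO -Name <name> -Path $Dir returns it from this backup folder; rerun the replication check afterwards, since a restore bumps the version numbers again.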
Index

-A-
Active Directory, 1, 2, 7, 15, 17, 19, 23, 27, 29, 30, 34, 41, 42, 45, 46, 50, 52
attack, 22
audit, 23, 34

-B-
backup, 51, 52
baseline, 2, 11, 12, 13, 15, 16, 18, 22

-D-
domain, 1, 2, 7, 9, 13, 15, 16, 17, 18, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 36, 37, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 50, 51, 52
domain controller, 2, 15, 16, 17, 18, 22, 23, 25, 34, 52

-E-
Enterprise Client Environment, 7, 11, 15, 16, 20, 24, 27, 28, 31, 36, 39, 40, 43, 47, 49

-F-
forest, 18, 21, 30, 32, 42, 44, 51, 52

-G-
GPOAccelerator tool, 9, 10, 11, 17, 20, 24, 29, 32, 35, 36, 37, 41, 43, 46, 47, 48, 50
Group Policy, 1, 2, 7, 9, 10, 11, 13, 15, 17, 19, 20, 21, 22, 23, 24, 25, 26, 27, 29, 31, 32, 33, 34, 35, 36, 37, 39, 41, 44, 45, 46, 47, 48, 49, 50, 51
Group Policy Management Console (GPMC), 2, 7, 15, 16, 17, 18, 19, 20, 21, 22, 23, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 36, 37, 39, 40, 41, 42, 43, 44, 45, 47, 48, 50, 51, 52
Group Policy object, 1, 2, 3, 4, 7, 8, 9, 10, 11, 13, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52

-H-
harden, 2

-L-
logon, 17, 20, 24, 29, 31, 35, 36, 37

-M-
Microsoft Outlook, 4
Microsoft Windows XP, 1, 2, 3, 8, 9, 11, 13, 27, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49

-N-
network, 1, 3

-O-
organizational unit, 2, 3, 9, 10, 11, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 27, 28, 29, 30, 31, 32, 33, 34, 35, 39, 40, 41, 42, 43, 44, 45, 46, 49, 50, 51, 52

-P-
password, 17, 20, 24, 29, 31, 35, 36, 37
policy, 2, 7, 9, 15, 16, 17, 18, 22, 23, 24, 25, 27, 28, 29, 33, 34, 35, 36, 37, 39, 40, 41, 45, 46, 47, 48, 49

-S-
Security Configuration Editor (SCE), 9, 13, 23, 24, 25, 34, 35, 36, 45, 46, 47
Security Configuration Wizard (SCW), 22
Security Templates, 24, 25, 35, 36, 46, 47
Server Manager, 15
    console, 15
    Initial Configuration Tasks (ICT) feature, 15
    Microsoft Management Console (MMC), 15
Specialized Security – Limited Functionality (SSLF), 2, 3, 7, 9, 10, 15, 27, 39, 49

-T-
template, 15, 16, 24, 25, 27, 28, 35, 36, 39, 40, 46, 47

-W-
Windows Firewall, 25, 36, 47
Windows Vista, 1, 2, 3, 7, 8, 10, 11, 13, 15, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 39, 49, 50