Saturday, May 19, 2007

Export a Local User Policy on Vista

I received an interesting question by mail the other day regarding my article about MLGO on Windowsecurity.com. The question was whether it is possible to export a local policy assigned to a specific user to a user on another computer.

After scratching my head and researching a bit, it seemed like nobody had a good answer for this and no GUI tool is apparently available - so I had to come up with something myself... This is the result:

The following undocumented - and probably unsupported - method worked for me:

On "Source Computer":
1. Create/modify a local policy for the "Source User"
2. Go to "C:\Windows\System32\GroupPolicyUsers\" and locate the last modified policy folder
- the folder should be named with the SID (Security ID) of the "Source User", e.g. "S-1-5-21-452792215-1268730067-2626448776-1108"
3. Copy the folder and content to the "Target Computer" into the same directory structure

On "Target Computer":
1. Rename the newly copied folder to the SID of the "Target User" (the user who should receive the "exported" policy)
- how to find the SID of a local user?
2. Set NTFS permissions on the newly renamed folder to:
- SYSTEM = "Full Control"
- Administrators group = "Full Control"
- "Target User" = "Read & Execute"
3. Test a logon as the "Target User"; the policies should now be applied correctly.

Done! Well, the procedure is a bit "odd", but it could be scripted if required.
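Since the target-side steps are purely mechanical, here is a script for them. This is an added example, not code from the original post: it assumes the SID folder has already been copied from the source computer to some path on the target computer, that it runs in an elevated PowerShell session, and it uses the folder layout under C:\Windows\System32\GroupPolicyUsers\ that the steps above describe. The function and parameter names are my own.

```powershell
# Added example (not code from the original post). Automates the target-side
# steps of the procedure above: place the copied policy folder under the
# target user's SID and set the NTFS permissions the post lists.
# Assumes: the source folder has already been copied to this machine (any
# path) and the script runs in an elevated PowerShell session.
param(
    [Parameter(Mandatory = $true)] [string] $CopiedPolicyFolder,  # folder copied from the source computer
    [Parameter(Mandatory = $true)] [string] $TargetUser           # e.g. "$env:COMPUTERNAME\alice"
)

$PolicyRoot = Join-Path $env:SystemRoot 'System32\GroupPolicyUsers'

function Get-AccountSid {
    # Translate an account name ("MACHINE\user" or just "user") to its SID string.
    param([string] $Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Set-PolicyFolderAcl {
    # Step 2 on the target computer: stop inheritance and grant exactly
    # SYSTEM = Full Control, Administrators = Full Control, target user = Read & Execute.
    param([string] $Folder, [string] $Account)
    $inherit = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    $acl = Get-Acl -Path $Folder
    $acl.SetAccessRuleProtection($true, $false)   # protected DACL, inherited ACEs dropped on apply
    $entries = @(
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @('BUILTIN\Administrators', 'FullControl'),
        @($Account,                 'ReadAndExecute')
    )
    foreach ($entry in $entries) {
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $entry[0], $entry[1], $inherit, $prop, $allow
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Folder -AclObject $acl
}

function Import-LocalUserPolicy {
    # Step 1 on the target computer: the folder name must be the target user's SID.
    param([string] $Source, [string] $Account)
    $sid  = Get-AccountSid -Account $Account
    $dest = Join-Path $PolicyRoot $sid
    if (Test-Path -Path $dest) {
        throw "A policy folder for $Account ($sid) already exists at $dest; not overwriting it."
    }
    Copy-Item -Path $Source -Destination $dest -Recurse
    Set-PolicyFolderAcl -Folder $dest -Account $Account
    Write-Host "Imported policy for $Account into $dest"
    return $dest
}

Import-LocalUserPolicy -Source $CopiedPolicyFolder -Account $TargetUser
```

The script refuses to overwrite an existing SID folder on purpose: silently replacing a policy that is already applied to a user is exactly the kind of change you want to notice. Step 3 (log on as the target user and check) is still a manual test.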

Thursday, May 10, 2007

Blocking U3 USB devices

Hey,

I get this question a lot: how can we block U3 devices on the network?

Well, one approach that some companies take is to simply block the physical USB ports with glue etc. - no USB devices can get in, so we have a "secure" system... Hmmm, this would mean that we are not able to use any other USB devices either - maybe not the best solution for all of us then...

If you have Windows Vista deployed, you can use the new Device Control functionality, but most companies have Windows XP and Windows Server 2003 products in production (and probably wait for Vista Service Pack 1 before they go ahead with the Vista deployment)... So, what could they do then?

Third party software, like GFI EndPointSecurity, is capable of blocking USB devices etc. - and it does a very good job too, but there's also a free way to do it (if you ask me it's the best way to do it): implement Software Restriction Policies (SRP)!

I've been writing about the "Default Deny All Applications" approach and this is (of course) also capable of blocking U3 devices - out of the box, built-in Windows functionality.

When the Default Security Level is set to Disallowed, nothing is able to launch except what the administrator defines as Unrestricted (and some default rules and limitations on top of this). When a user plugs in the U3 USB device NOTHING happens - no weird hacker tools, utilities, applications and whatever those 'wonderful' devices normally introduce.

Behind the scenes SRP restricts access to the U3 LaunchPad and leaves only an event in the Windows Event Log:

Source: Software Restriction Policy
Event ID: 865
Type: Warning

"Access to C:\...\LaunchPad.exe has been restricted by your Administrator by the default software restriction policy level"

This limitation can be set on user and/or computer level.
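That single event is also all you get for detection, so it is worth collecting. The script below is an added example, not part of the original post: it pulls Event ID 865 entries out of the Application log and summarises which paths were blocked and how often. It only relies on the event ID and the message wording shown above; the sample messages at the top are constructed for the offline demo and use placeholder paths, not real log data, and the function names are mine.

```powershell
# Added example (not code from the original post): summarise SRP event 865
# entries so an admin can see what was blocked, and how often.
# Assumes Event ID 865 and the message wording quoted in the post.

# Constructed sample messages (placeholder paths, not real log data).
$SampleMessages = @(
    'Access to D:\EXAMPLE\LaunchPad.exe has been restricted by your Administrator by the default software restriction policy level',
    'Access to D:\EXAMPLE\LaunchPad.exe has been restricted by your Administrator by the default software restriction policy level',
    'Access to D:\EXAMPLE\other\tool.exe has been restricted by your Administrator by the default software restriction policy level',
    'Some unrelated Application log message that must be ignored'
)

function ConvertFrom-SrpMessage {
    # Extract the blocked path from the event text; $null if it is not an SRP block message.
    param([string] $Message)
    if ($Message -match '^Access to (?<path>.+?) has been restricted by your Administrator') {
        return $Matches['path']
    }
    return $null
}

function Get-SrpBlockSummary {
    # Group blocked paths and count them, most frequent first.
    param([string[]] $Messages)
    $Messages |
        ForEach-Object { ConvertFrom-SrpMessage -Message $_ } |
        Where-Object { $_ } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'BlockedPath'; e = { $_.Name } }, Count
}

function Get-SrpEventMessages {
    # Live query: SRP writes event 865 (Warning) to the Application log.
    param([int] $Newest = 1000)
    Get-EventLog -LogName Application -Newest $Newest |
        Where-Object { $_.EventID -eq 865 } |
        ForEach-Object { $_.Message }
}

# Offline demo on the constructed sample (expect D:\EXAMPLE\LaunchPad.exe = 2, ...\tool.exe = 1):
Get-SrpBlockSummary -Messages $SampleMessages | Format-Table -AutoSize

# On a real machine, run it against the log instead:
# Get-SrpBlockSummary -Messages (Get-SrpEventMessages) | Format-Table -AutoSize
```

A path that keeps showing up in this summary is either a U3 device (or similar) that someone keeps plugging in, or a legitimate application that needs an Unrestricted rule; either way it is something the administrator should look at rather than let disappear in the log.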

After introducing SRP on your Windows computers (Windows XP and above) - you can consider your network "U3 free".

Thursday, May 03, 2007

Remote Desktop issue on multihomed machines

I have seen this issue too many times now, so I have to write this short blog about it!

Have you ever seen this error when trying to connect to a Remote Desktop enabled machine using MSTSC/Remote Desktop Client:

Remote Desktop Disconnected
The client could not connect to the remote computer. Remote connections might not be enabled or the computer might be too busy to accept new connections. It is also possible that network problems are preventing your connection. Please try connecting again later. If the problem continues to occur, contact your administrator.

Well, I've seen it so many times now, especially on ISA servers... Even after the RDP sessions have worked nicely, sometimes, for some reason, the RDP settings can be changed - or even "corrupted". In most cases the above error has something to do with the NIC (Network Interface Card) adapter binding of RDP.

If you are experiencing this issue go read the Microsoft KB article: "You can not establish a Remote Desktop session to a computer running one of the affected products". You will find it here http://support.microsoft.com/kb/555382 - good luck!
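Before digging through the KB article, it helps to know which of the usual suspects you are looking at. The script below is an added example and not from the original post: it reads the Terminal Server settings that control whether the RDP listener is enabled, which port it uses and whether it is bound to all adapters or just one, and then checks whether anything is actually listening. The registry locations and value names (fDenyTSConnections, LanAdapter, PortNumber) are standard Windows settings that I am supplying here; the post itself only names the KB article. Function names are my own.

```powershell
# Added example (not code from the original post): report the Terminal Server
# settings behind the "Remote Desktop Disconnected" error on multihomed boxes.
# Registry paths and value names below are standard Windows settings, not
# something taken from the post.
$TerminalServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcpKey         = "$TerminalServerKey\WinStations\RDP-Tcp"

function Get-RdpListenerState {
    param(
        [string] $TsKey  = $TerminalServerKey,
        [string] $RdpKey = $RdpTcpKey
    )
    $ts  = Get-ItemProperty -Path $TsKey
    $rdp = Get-ItemProperty -Path $RdpKey

    # LanAdapter = 0 means "all network adapters"; any other value pins the
    # listener to a single adapter, which is the multihomed failure mode above.
    $lanAdapter = if ($rdp.LanAdapter -eq $null) { 0 } else { [int] $rdp.LanAdapter }
    $port       = if ($rdp.PortNumber -eq $null) { 3389 } else { [int] $rdp.PortNumber }

    $state = New-Object PSObject
    $state | Add-Member NoteProperty RemoteDesktopEnabled ($ts.fDenyTSConnections -eq 0)
    $state | Add-Member NoteProperty ListenerPort $port
    $state | Add-Member NoteProperty LanAdapter $lanAdapter
    $state | Add-Member NoteProperty BoundToAllAdapters ($lanAdapter -eq 0)
    return $state
}

function Test-RdpListening {
    # Confirm something is actually listening on the RDP port (netstat exists on XP/2003/Vista).
    param([int] $Port = 3389)
    $lines = netstat -an | Select-String -Pattern ":$Port\s+.*LISTENING"
    return (@($lines).Count -gt 0)
}

$state = Get-RdpListenerState
$state | Format-List

if (-not $state.RemoteDesktopEnabled) {
    Write-Warning 'Remote Desktop is disabled (fDenyTSConnections = 1).'
}
if (-not $state.BoundToAllAdapters) {
    Write-Warning "RDP-Tcp is bound to adapter index $($state.LanAdapter) only; on a multihomed machine this is the usual cause of the error above - see the KB article."
}
if (-not (Test-RdpListening -Port $state.ListenerPort)) {
    Write-Warning "Nothing is listening on TCP $($state.ListenerPort)."
}
```

Run it locally on the machine you cannot reach (console, or a working management path). The script only reads settings and prints warnings; changing the adapter binding is what the KB article walks you through.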

Tuesday, May 01, 2007

WSUS 3.0 Released - nice stuff!

I'm happy to tell you that WSUS version 3.0 has been released! The release day was April 30th 2007 - a day to remember...

This version brings lots of goodies compared to its younger brother WSUS 2.0 (which did a great job in my opinion).

So, what's new? Well, let me try to wrap up some of the really good stuff:
- In-place upgrade over WSUS 2.0 SP1
- New setup and configuration wizard
- New MMC (Microsoft Management Console) GUI
- New views and reports (and faster reports - up to 50%)
- Cleanup wizard for management of stale clients and content
- Built-in e-mail notifications
- New approval rules
- Enhanced target group concepts (e.g. overlapping group membership)
- Support for language sub-setting for downstream replica servers
- Peer caching
- Synchronization with MS down to every 1 hour now
- Native support for the x64 platform
- NLB (Network Load Balancing) and SQL Cluster support
- MOM Management Pack (will be released very soon)
- Client 'Sync me now' quick check-in
- and all the other stuff...

Download:
x86/x64 package
WSUS 3.0 Release Notes
WSUS 3.0 on SBS 2003
Deployment Guide for WSUS 3.0
Step-by-step Guide: Getting Started with WSUS 3.0

Go to WSUS Technical Library for more information, guides etc.

I think we will all benefit from this release - well, maybe not the penguin guys :)