Wednesday, November 05, 2008

Software Restriction in Windows 7

These are some quick notes from a session on AppLocker by Paul A. Cooke, Tech-Ed EMEA 2008:

As you may have seen, I’ve written a few articles on Software Restriction Policy (SRP) under Windows XP and Windows Vista for (see below). I’m very happy to tell you that Microsoft has now improved this functionality and renamed it: AppLocker!

Unfortunately I cannot bring you any screenshots (because of NDA), but I can tell you a few things about the basic functionality. With AppLocker you can more easily eliminate unwanted and unknown applications in your Windows (7) environment. You can enforce application standardization – both from a security (malware), and from a management point of view (licensing & user control).

What most organizations try to do these days is to limit users to standard users (non-administrators) on their local machines – however, this is actually not enough to feel secure as an IT administrator. Running as a standard user is not the solution to all of our problems. Many applications can do bad stuff, even within user context – like stealing data, deleting data, manipulating data, encrypting data, creating bot-nets, sending spam, social engineering etc. etc. This is true for applications that install in user context (like Google Chrome), and for regular executables that don’t actually install – they just run!

If you want to control applications like that – what can run and what cannot – then you need another approach. AppLocker comes to the rescue!

AppLocker has been built around digital signatures – signing of software executables and DLLs. This was also an option in SRP under Windows XP, where we had path, filename, HASH & certificate rules, but it was pretty hard to manage and enforce back then. With Windows 7, a new GUI has been added to the group policy editor to support easy creation of software rules. We have 3 types of rules:
- Allow rules: same as Whitelisting (‘known good’ software)
- Deny rules: same as Blacklisting (‘known bad’ software)
- Exceptions: exclusion from allow or deny rules

Allow rules are of course the recommended approach – the “default deny all applications” rule (Whitelisting), combined with the specific applications the network administrator wants to allow users to run. As an administrator, you get granular control of specific applications, enforcing who can run and/or install them (if they have the appropriate rights and permissions).

The administration is done by group policy under Computer Configuration > Application Control Policies, but strangely enough you have to put in the affected users and groups (still unclear whether or not the SYSTEM account is still excluded from SRP checks). So these are actually Computer policies that are able to hit users, like loopback or group policy preferences.

You can create multiple rule sets and take advantage of specific attributes, like app version (equal/above/below X.0.0.0), filename (executable name), product publisher (the valid root certificate used to sign), product suite (like “Microsoft Office 2007”) – and wildcards seem to still be supported.

You can control executables, installers (MSI), scripts, and DLLs, using certificate (publisher), HASH or path rules. The disadvantage of HASH rules is that the HASH will change whenever the application is updated; certificate/publisher rules are much more flexible because the signature is still going to be there (unless the developers totally mess up). So always try to go for publisher rules – certificates are here to stay :)

AppLocker can be run in 3 modes: Enforce Policy, Enforce Policy using Group Policy Inheritance, and Audit Only mode! The latter is pretty cool, as you can configure a Software Restriction Policy and test it out before you go “live”.

AppLocker supports import and export of rules, which can be very useful, but one of the best new features is that there’s no need to create all the rules manually – you have the option to “automatically generate rules”. This feature will analyze a “reference machine” (not sure if this has to be the local machine yet) and the files in a given folder on that machine (not sure if this can be a share yet). You can compare this to a “snapshot” feature: take all files in this folder (and subfolders) and make an allow rule from that (certificate based, preferably).

The new rule creation tools and wizards seem pretty straightforward – but you really need to think about the SRP design before you go for it, and test intensively, or else you’ll end up in serious trouble ;-)
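As an added example (not from the Tech-Ed session or this post), here is how the "snapshot a reference folder, prefer publisher rules, fall back to hash rules, then audit before enforcing" workflow looks with the AppLocker cmdlets that ship in the Windows 7 PowerShell module; the folder paths and the output file name are assumptions.

```powershell
# Added example, not from the Tech-Ed session or the original post. Assumes the
# AppLocker PowerShell module of Windows 7; all paths below are assumptions.
Import-Module AppLocker

$referenceFolder = 'C:\Program Files'                  # assumed "reference machine" folder
$checkFolder     = 'C:\Users\Public\Downloads'         # assumed folder with unknown software
$policyFile      = 'C:\Temp\AppLocker-ReferenceAllow.xml'

# 1. "Snapshot" the reference folder and its subfolders: collect publisher and
#    hash information for executables, DLLs, scripts and Windows Installer files.
$fileInfo = Get-AppLockerFileInformation -Directory $referenceFolder -Recurse `
                -FileType Exe, Dll, Script, WindowsInstaller

# 2. Build allow rules for Everyone. The RuleType order matters: a publisher rule
#    is created where a valid signature exists, a hash rule only as the fallback
#    for unsigned files. -Optimize collapses rules that share a publisher.
New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'RefSnapshot' -Optimize `
    -IgnoreMissingFileInformation -Xml | Out-File $policyFile

# 3. Dry run against another folder: anything not matched by an allow rule is
#    reported as DeniedByDefault, which is the "default deny" effect in action.
$unknown = Get-ChildItem $checkFolder -Recurse -Include *.exe, *.dll, *.msi |
           Select-Object -ExpandProperty FullName
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $unknown -User Everyone |
    Where-Object { $_.PolicyDecision -ne 'Allowed' } |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 4. How far did publisher rules get you? Count rule types per collection.
[xml]$xml = Get-Content $policyFile
$xml.AppLockerPolicy.RuleCollection | ForEach-Object {
    "{0}: {1} publisher rule(s), {2} hash rule(s)" -f $_.Type,
        $_.SelectNodes('FilePublisherRule').Count, $_.SelectNodes('FileHashRule').Count
}

# 5. Before importing into a GPO, set EnforcementMode="AuditOnly" on each
#    RuleCollection element in the XML so events are logged but nothing is blocked.
#    Applied locally with: Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
#    After some days in audit mode, list what would have been blocked with:
#    Get-AppLockerFileInformation -EventLog -EventType Audited
```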


I just can’t wait to test this deeply and bring you more information!


Previous article series on SRP:
Default Deny All Applications (Part 1)
Default Deny All Applications (Part 2)

Microsoft AppLocker description:


User Account Control in Windows 7

These are some quick notes from a session on UAC by Paul A. Cooke, Tech-Ed EMEA 2008:

Microsoft Windows 7 will reduce the number of OS applications and tasks that require elevation – this has been done by re-factoring apps and tasks into elevated and non-elevated pieces.

UAC v2 will provide more flexible prompt behavior for administrators; administrators will also see fewer UAC elevation prompts.

Users can do even more as standard users (e.g. parts of BitLocker, Windows Update etc.); they will also be able to ‘read’ system settings without needing to elevate.

Windows 7 will be better at spotting human vs. application changes; this way “human administrator” changes will be allowed without too many prompts.

UAC can now easily be graduated into 4 levels (from the strict Vista default to totally off) – everything can of course be handled using group policy.


To me this is all pretty cool – but to be honest, I’m one of those weird guys, who don’t care about Vista UAC prompts… I just press ALT+C… How hard can it be? ;-)


Monday, October 20, 2008

I just love sharing!

Just found this - using Google Alerts of course :)

I made little modifications on this script created by Jakob Heidelberg to search for printers manually created on user profiles. This is very useful when you want to ensure that everybody has only auto-created printers, from Citrix or ThinPrint.

This script loads ntuser.dat on each profile, checks some registry keys, writes a log and unloads ntuser.dat. Some users can have problems loading their profiles if you use this script at the same time that they try to log on.

I just love sharing!

Sunday, October 12, 2008

Why does standby overrule shutdown?

Well, I’m a Microsoft kinda guy – but I do have a problem with one “feature” which has been part of the Windows OS for some time…

Normally I change the default behavior under Power Settings, so that Windows does NOT start a STANDBY process when I close the lid of my laptop – but I haven’t done it on all of my machines, or under every user profile I have (and customers have the same issue).

So, what happens is that you are done for the day, you start a SHUTDOWN process like normal, and then you close the laptop’s lid – a STANDBY process then starts – Doh!

That means the SHUTDOWN process is put into STANDBY mode, and the next time you boot your laptop, the machine state resumes, just to finalize the SHUTDOWN process… And then you have to boot your machine to get started – hmmm, I definitely don’t like it!

So what should happen? Well, when a SHUTDOWN process has started, a STANDBY process should NOT be able to “take over” – just let me close the laptop lid and continue the already started SHUTDOWN process, thanx :)

OK, I admit that it’s only a problem when I haven’t changed the default Power Settings, but I can’t be the only human being in this world with that particular problem!?!? Why would you EVER want a SHUTDOWN process to be put into STANDBY mode?


BTW – I have seen that Mac and Ubuntu people have the same issue on some versions – don’t know if it has been fixed on those OSes – I have the problem on all the different Windows systems I run on laptops.

Thursday, October 02, 2008

Microsoft: online forum has now been updated


Microsoft Denmark strongly believes in local Danish IT networks. We want to help Danish IT professionals make professional connections and have a forum for technical questions and answers, where non-Microsoft employees contribute their perspectives. is a free online forum for Danish IT professionals. The site has had great success with an open style, where all members can ask technical questions and share their knowledge with others. After a recent update of the site, a lot of new features have been added, such as RSS feeds in countless variants, blogs, OpenID and much more. If you are not already registered as a user on the new platform, do it right now:

The typical users are professional IT consultants, specialists, administrators, support staff and architects within messaging, security, infrastructure, virtualization, terminal services and the like. The main emphasis is on the Microsoft platform, but there is certainly also room for a focus on other areas of the IT world.

Behind the site stand a number of skilled Danish IT consultants, MVPs and Microsoft TechNet Influencers, who make a great effort to keep the site running, answer questions, blog, write articles and the like, all on a voluntary basis.

We congratulate on the new platform and hereby encourage everyone to take part in the largest Danish Microsoft community for IT professionals:


Sunday, July 06, 2008

Windows SteadyState 2.5 is out there!

This is great news - I've been writing a few articles on this baby, but now we have a brand new version available for download!!!

Go ahead and read some more:

Protect Public Computers with Windows SteadyState, Part 1

Protect Public Computers with Windows SteadyState, Part 2

Windows SteadyState 2.5 Technical FAQ

Windows SteadyState 2.5 Handbook


Download Windows SteadyState 2.5 right here!




Tuesday, May 27, 2008

Great Vista hack... Somebody call Mr. Bitlocker!

We've seen hacks like this before, no doubt about it - but it's a really nice trick which you gotta love (and hate) - check it out here!

So, basically this hack requires PHYSICAL ACCESS to the hard drive; using BackTrack (or some other boot utility capable of reading/writing NTFS) the file Utilman.Exe in \Windows\System32 is replaced with Cmd.exe – after a reboot, at the logon screen, if Utilman is called (by hitting Win-key + U) you'll get a nice command prompt running under SYSTEM credentials – pretty powerful... From there the only limit is your imagination!

Yes, Bitlocker protects us from attacks like these - so somebody please call Mr. Bitlocker!


Tuesday, April 29, 2008

Group Policy Survival Guide

Yes, it's true - there's a new GP guide out there from Microsoft...

Check it out here - it's pretty cool!



Tuesday, April 22, 2008

No place like

So, I'm back home from a great trip to Seattle, Washington, US. The MVP Summit 2008 was a cool experience with lots of info and room for dialog with the product teams at the Microsoft Campus in Redmond.

We had some awesome talks on the future of Group Policy and I would really like to share it with you, but because of Non-Disclosure Agreements 'n' stuff I can't really say anything - yet.

Seattle is a very interesting city with a lot of great restaurants, nice architecture and friendly people. I had 2½ days to spend after the summit and even though I was missing my family, Seattle took great care of me :)

Anyway, I hope to go back there next year - better prepared for jetlag (which basically means I'll travel a few days before the event next time) - but, that all depends on how much time I get to share information with you guys/girls out there... No sharing, no MVP award - that's the rule ya' know ;-)

Thanx to the GP team and the other MVPs for a great experience!



Thursday, April 10, 2008

Protect Public Computers with Windows SteadyState (Part 2)

This is my 2nd article that deals with the Windows SteadyState product and how to use it to protect public computers!

If you haven't read part 1, please read it here...




Wednesday, April 09, 2008

StarterGPOs available for download

Microsoft introduced the concept of StarterGPOs with GPMC version 2.0 in Vista SP1 + RSAT and Windows Server 2008. The idea is that it should be easy to share Group Policy settings, read more here!

The GREAT thing is that Microsoft has now released some StarterGPO samples - go download the first shipment here!

Saturday, April 05, 2008

Security White Papers & Guides for download

This post gives you some links to online available White Papers and Guides from the Microsoft download site - I hope you can use some of it to analyze and protect your own network(s)!

New Security White Paper of April 2008:

"The Microsoft US National Security Team is composed of strategic security advisors who work with Microsoft customers, partners, MS internal constituencies and the information security industry to promote the adoption of security processes and technologies. The NST also focuses on driving vertical security solutions for a wide range of industries. To this end, the NST has produced a number of white papers that address the specific security needs of particular industries, such as the professional services and financial services industries."

You will find these papers:

- Electronic Signature Assurance and the Digital Chain-of-Evidence
- Enabling Secure Collaboration for Professional Services Firms
- Establishing the Foundation of Authenticity for Electronically Stored Information
- Information Protection Strategies For Financial Services
- Optimizing Branch Office Security and Productivity in the Financial Services Sector
- Secure Software Development for the Financial Services Industry
- Securing the Retail Store-Securing the Data

Go get them here!


Also, go check out the "Fundamental Computer Investigation Guide for Windows":

"The Fundamental Computer Investigation Guide for Windows Solution Accelerator is intended for IT professionals who need to effectively conduct investigations of Microsoft® Windows®–based computers in their organizations. It provides a computer investigation model as well as process and best practice information. The guide also provides a fictitious example of an investigation that involves unauthorized access to confidential information. This investigation uses the provided guidance and demonstrates the use of numerous tools. Information is also included about how to configure a lab to create the example scenario. An appendix provides information about how to prepare for computer investigations, sample worksheets, contact information for reporting different types of computer-related crimes to appropriate law enforcement agencies, and lists of useful tools."

Go get that document right here!


And finally, what about checking out the "The Security Risk Management Guide"?:

"The Security Risk Management Guide explains how to conduct each phase of a security risk management project and create an ongoing process that drives the organization towards the most useful and cost-effective controls to mitigate security risks. It incorporates real-world experiences from Microsoft IT and also includes input from Microsoft customers and partners.
This guide references many industry accepted standards for managing security risks. It is an important example of Microsoft's commitment to delivering quality guidance to help customers secure their IT infrastructures.

That document is available right here!




Tuesday, April 01, 2008

MVP:Enterprise Security

Yup, a wish came through - I'm now an MVP!

Receiving the Microsoft Most Valuable Professional Award is a great honor and much appreciated - thank you.


Sharing Rocks - Information wants to be free!

Time to get a beer :-)



Core with a GUI

If you have messed around in Windows Server 2008 Core installation you've probably had some challenges along the way - like: how do I join a computer to the domain using a command prompt, how can I add Features, tweak the firewall etc. Well, a nice and very useful solution to many of the basic configuration tasks is out there - and it's free of course!

Go check out CoreConfigurator (Server Core Configurator) written by Guy Teverovsky - look how easy it is and stop acting like a geek sent back to the early 90s :-)

Download here and enjoy!


Tuesday, March 25, 2008

Remote Server Administration Tools Available!

You can now download the RSAT toolkit for Windows Vista - go get the package right HERE (32-bit) or HERE (64-bit)...

Time to get Group Policy Preferences and all those other goodies up and running - cool stuff!



Thursday, March 20, 2008

What's inside Vista Service Pack 1

Well - in regards to Hotfixes and Security Updates, check out this TechNet article. To get the complete overview, read this one. The "notable changes" can be found here.

That should be enough info to get safely through Easter :-)



Wednesday, March 19, 2008

Configuring Granular Password Settings in Windows Server 2008 – The Easy Way!

This article will demonstrate “The Easy Way” of how to handle Granular Password Policies – also known as Fine-Grained Password Policies - in a Windows Server 2008 domain environment.

In the article series “Configuring Granular Password Settings” (part 1 & part 2) I demonstrated how to configure Granular Password Settings for individual users or global security groups in a Windows Server 2008 Active Directory environment, using built-in methods. This article will demonstrate “The Easy Way” of how to handle these additional password policies in your Windows Server 2008 domain environment... Using Specops Password Policy Basic!





Tuesday, March 18, 2008

Easily leave users with the Least Privilege possible

A new and shiny - free! - tool from BeyondTrust makes it possible for admins around the world to figure out exactly what rights different applications in the environment need to run. This kind of info is essential for removing administrative rights from users and running a "principle of least privilege" environment!

BeyondTrust® Application Rights Auditor is a totally FREE tool which profiles applications and seamlessly identifies the required permissions - very easy to implement, use and manage.

We all know, that administrative rights allow users to circumvent security policies, install unauthorized applications and make unauthorized modifications to a standard desktop configuration - let's move away from those risks... Just register, download and test out this free application - this is "low hanging fruit" giving your environment a needed security-vitamin injection!

Download the Product Sheet (PDF) right here!

A desktop component can be installed on multiple computers to transparently examine applications during execution. The reporting console gives a nice overview of the applications in the environment from a central point.

Reporting Console Prerequisites:
Microsoft .NET Framework 3.0 SP 1 and
Microsoft Management Console 3.0


Go for it !


Saturday, March 01, 2008

Windows Server 2008 Security Guide and the new GPOAccelerator tool is out there!

I participated in creation of this great guide around security on Windows Server 2008 - really, you gotta see this... Also check out the new and shiny Solution Accelerator called "GPOAccelerator" - it really rocks!

Info from Microsoft:
The primary purposes of this guide are to enable you to do the following:

  • Use the solution guidance to efficiently create and apply tested security baseline configurations using Group Policy.
  • Understand the reasoning for the security setting recommendations in the baseline configurations that the guide prescribes, and their implications.
  • Identify and consider common security scenarios, and then use specific security features in Windows Server 2008 to help you manage them in your environment.
  • Understand role based security for different workloads in Windows Server 2008.

The WS2008 Security Guide also includes information on how to harden the following server roles and the role services that they provide:

  • Active Directory Domain Services (AD DS)
  • Dynamic Host Configuration Protocol (DHCP) Server
  • Domain Name System (DNS) Server
  • Web Server (IIS)
  • File Services
  • Print Services
  • Active Directory Certificate Services (AD CS)
  • Network Policy and Access Services
  • Terminal Services

The "complete solution" from Microsoft:
The Solution Accelerator for the Windows Server 2008 Security Guide includes the following components:

  • Executive Overview. A summary for business and technical managers that briefly explains how you can use the guidance and the tool for this Solution Accelerator.
  • Security Guide. Recommended guidelines and best practices in a series of chapters that offer detailed guidance on how to harden servers running Windows Server 2008 that handle different workloads (see above).
  • Security Settings Recommendation Appendix. A comprehensive technical reference that explains every prescribed security setting in the security guide.
  • Security Settings Workbook. A resource that lists all prescribed settings for each of the preconfigured security baselines provided by the guide.
  • Attack Surface Reference Workbook. A resource that lists the changes that installed server roles introduce in Windows Server 2008.
  • GPOAccelerator. A tool that you can use to automatically create Group Policy objects (GPOs) recommended by the guide, which is available as a separate download. To learn more about the GPOAccelerator and download the tool, click here.

Where can I get this?
Windows Server 2008 Security Guide (online version)
Get the Windows Server 2008 Security Guide
Get the GPOAccelerator





How to install GPP CSEs using a Startup Script

When you have the Group Policy Preference (GPP) Client Side Extensions (CSE) downloaded you'll notice that they are not (yet) in the .MSI format - so using Group Policy Software Installation (GPSI) is not possible. Bummer, right!?
We have .EXE files for Windows XP/2003 and .MSU files for Windows Vista... But that's not the only thing we need to think about. Before "deploying" these things to the clients on the network we need to know the OS version (XP/2003/Vista), the OS architecture (32 or 64 bit), the Service Pack level, and whether or not the Group Policy Preference prerequisites (XmlLite) are installed.
To make all this pretty easy I've created a "demo" script for deploying the GPP CSEs using Startup Script - or a manual launch (in admin context). My good friend Jeremy Moskowitz asked me to do this - so, a couple of hours later the "demo" - or "beta" - script is public (download below)...
Note: I haven't been able to test in all scenarios yet, but I *think* they are all covered pretty well by now. Please report back if you find any problems - any feedback is welcome!
Download the VBS script right here!
NB! You might need other language version for the XmlLite GPP CSE Pre-requisites, so watch out!
Running the script in your production network is at your own risk. The code is delivered "As Is" - totally free of any charge. No strings attached.
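As an added example (this is not the VBS script from the post), the same decision the script has to make, gathering OS family, architecture, Service Pack level and the XmlLite prerequisite and mapping them to a package, rendered in PowerShell; the package file names are placeholders, since the real KB943729 file names differ per platform and language.

```powershell
# Added example, not the post's VBS script. Package names are placeholders;
# substitute the real KB943729 file names for your platform and language.
function Get-GppCseTarget {
    $os  = Get-WmiObject Win32_OperatingSystem
    $cpu = Get-WmiObject Win32_Processor | Select-Object -First 1
    $ver = [version]$os.Version          # 5.1.x = XP, 5.2.x = 2003 (or XP x64), 6.0.x = Vista
    $sp  = [int]$os.ServicePackMajorVersion

    # ProductType 1 is a workstation, so version 5.2 with ProductType 1 is
    # Windows XP x64 Edition rather than Windows Server 2003.
    $family = switch ("$($ver.Major).$($ver.Minor)") {
        '5.1'   { 'WindowsXP' }
        '5.2'   { if ([int]$os.ProductType -eq 1) { 'WindowsXP' } else { 'WindowsServer2003' } }
        '6.0'   { 'WindowsVista' }
        default { 'Unsupported' }
    }

    # Win32_Processor.AddressWidth follows the running OS (32 on a 32-bit OS even
    # on a 64-bit CPU) and exists on XP, unlike Win32_OperatingSystem.OSArchitecture.
    $arch = if ([int]$cpu.AddressWidth -eq 64) { 'x64' } else { 'x86' }

    # Minimum Service Pack from the download list: XP SP2+, 2003 SP1+, Vista RTM+.
    $minSp = @{ WindowsXP = 2; WindowsServer2003 = 1; WindowsVista = 0 }
    $spOk  = ($family -ne 'Unsupported') -and ($sp -ge $minSp[$family])

    # XmlLite prerequisite check: the DLL lives in System32 once installed.
    $xmlLite = Test-Path (Join-Path $env:SystemRoot 'System32\xmllite.dll')

    # .EXE packages for XP/2003, .MSU packages for Vista (placeholder names).
    $ext = if ($family -eq 'WindowsVista') { 'msu' } else { 'exe' }

    New-Object PSObject -Property @{
        Family         = $family
        Architecture   = $arch
        ServicePack    = $sp
        ServicePackOk  = $spOk
        XmlLitePresent = $xmlLite
        Package        = "GPP-CSE-$family-$arch.$ext"   # placeholder file name
    }
}

$target = Get-GppCseTarget
$target | Format-List

# Decide whether a startup script run (admin context) may proceed.
if (-not $target.ServicePackOk) {
    Write-Warning "Unsupported OS or Service Pack level for the GPP CSEs."
} elseif (-not $target.XmlLitePresent) {
    Write-Warning "XmlLite prerequisite missing; install it before the GPP CSE package."
} else {
    # Assumed share path; .MSU goes through wusa.exe, .EXE uses the standard
    # quiet hotfix switches. Both switches are assumed to match your package.
    $file = Join-Path '\\FILESERVER\GPP-CSE' $target.Package
    if ($target.Family -eq 'WindowsVista') {
        Write-Output "wusa.exe `"$file`" /quiet /norestart"
    } else {
        Write-Output "`"$file`" /quiet /norestart"
    }
}
```

The last block only prints the command it would run, so the script can be validated on a test box before the installer call is un-commented into `Start-Process`.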

I hope this works out nicely for you!

Tuesday, February 26, 2008

Group Policy Preference Client Side Extensions are now available for download!

Here we are - Group Policy Preference Client Side Extensions are now available for download. This is a cool thing, bringing lots of Group Policy Power to admins around the world!

The GPP CSEs are included in Windows Server 2008 RTM, but can now be downloaded for:
Windows XP SP2+ (32/64 bit)
Windows Server 2003 SP1+ (32/64 bit)
Windows Vista RTM+ (32/64 bit)

These are the links:
GPP CSEs for Windows Vista (KB943729)
GPP CSEs for Windows Vista x64 Edition (KB943729)
GPP CSEs for Windows Server 2003 (KB943729)
GPP CSEs for Windows Server 2003 x64 Edition (KB943729)
GPP CSEs for Windows XP (KB943729)
GPP CSEs for Windows XP x64 Edition (KB943729)

To get Group Policy Preferences on your network all you need is a single Windows Server 2008 as a management station in your existing Windows Server 2003 AD (or 2008 AD of course). When RSAT (Remote Server Administration Tools) is out there - very soon! - a Windows Vista SP1 machine will be enough to get this cool functionality in your domain!

But remember, no GP Preferences (GPP) without the CSEs - so go ahead and download them now ;-)



Friday, February 22, 2008

BitUnlocker - exploiting RAM after poweroff?

This is shocking - if it's true (haven't tested yet)...

Check it out here and see the video below!

Get the full research paper here.


Hope this is not true - BitLocker (and other disk encryption tools) is still a good thing, but it has kinda lost some of its advantages...

Where can I buy RAM that drops its content ASAP after power off? ;-)



Wednesday, February 20, 2008

Group Policy Changes in WS2008 article - part 4


Just want to let you know that my latest article about "Group Policy related changes in Windows Server 2008" has been released today on

This 4th article in the series deals with Group Policy Preference actions, processing options, SYSVOL, Item Level targeting (ILT), Export/Import functionality, "well hidden stuff", variables, logging, future additions etc. - read more here...


I hope you like it - feel free to drop a comment or vote on the site!!!




Friday, February 15, 2008

CEH | Certified Ethical Hacker

Today I went for the CEH v5 exam, EC-Council certification# 312-50, I'd been studying for it for a while. It had no less than 150 questions - and pretty tough ones too - but I managed to pass it (85% which is OK considering US law was part of the Qs).

I can really recommend you to go for this exam - it's somethin' else dude! The questions are short and exact (still multiple choice), but just the process of going there is VERY cool and interesting. Personally I downloaded a lot of spooky tools and guides, created an isolated network with virtual machines and tested, tested, tested. It was fun I can tell you - I can't seem to stop studying this stuff!

I also read 2 books on the journey:
- Michael Gregg: Certified Ethical Hacker Exam Prep (very good)
- Kimberly Graves: Official Certified Ethical Hacker Review Guide (very brief)

If you're a totally cool (and white) hacker dude already, you could probably go for the latter only (it will give you the overall idea of what this exam is all about, the CEH terminology etc). BUT the first one mentioned, by Michael Gregg, is a VERY good introduction (broad and deep) into the world of haxin' actually.

The whole idea with this exam is, that to be a professional penetration tester or security consultant, you need the skills and tools of the hackers. Put yourself in their place and start looking for your (or your customers) weakest link! A security system is only as strong as its weakest link - that also means, that security is a process (maintenance).


Security is, and always will be, a mixture of: Prevention + Detection + Response!



Wednesday, February 13, 2008

The WMI Filter Contest - are you the knight in shining armor?

Welcome to "The Quest for the Holy Desktop WMI Filter”, this is a global search for what you could call "The Perfect Desktop WMI Filter". A WMI filter which, by using WMI Query Language (WQL), should be able to spot DESKTOP computers only. It should be a general query - meaning it should be possible to use the filter in most Active Directory environments around the globe for Group Policy filtering.

So, what is a desktop really? Well, actually in this case we'll say it's the opposite of a laptop. Hmm, then what is a laptop? Easy enough: a computer with a battery! We've got the WMI filter for finding laptops already:

Select * from Win32_Battery - don't you just love the simplicity in this query?

This filter will make a computer with a battery respond back with "TRUE" (because the WMI class instance is present), meaning a GPO with this filter will apply to computers with batteries. Simple right? And you might think it's easy to just "turn it around" to find desktops, like:

Select * From Win32_Battery Where Availability != 2
Select * From Win32_Battery Where Availability IS NOT NULL
“Where Not X Like Y” or whatever

Maybe it is, maybe it's not... I think it's pretty damn hard! For spotting laptops we could have tested the classes Win32_PortableBattery, Win32_PCMCIAController, Win32_POTSModem as well - but somehow I think most people will agree that the "essential thing", which makes a laptop a laptop, is in fact the battery presence!

But our tests for spotting DESKTOPS only (machines without a battery - yes, I know this will include servers as they are "stationary" too) have not been a success yet! We probably just need the correct syntax? And this is where you get into the picture!


Are you able to crack open this nut? There's a cool price!

This all started on a mailing list for Group Policy guys and girls - called GPTalk - created and maintained by Group Policy guru and MVP Darren Mar-Elia - the guy behind and SDM Software. You can join the list RIGHT HERE and participate in this contest to WIN a free copy of the:

GPExpert™ Troubleshooting Pak 

BUT you have to be the first person to crack this thing, there'll be only ONE WINNER - that could be you!

I'll be evaluating incoming answers - FIFO: "First In First Out" method is used. Hopefully we'll see the most simple solution first - simplicity works, right? Actually I wouldn't know in this case would I...

One important thing! We will ask you kindly to TEST any WMI query submissions before sending them to everybody on the list. During your testing, you should use a tool to verify the WMI filter against a minimum of 2 desktops and 2 laptops. You can use the free WMI Filter Validation Tool to test your WMI filters in your environment. Personally I’m also using Scriptomatic version 2 and WBEMTEST for finding the available classes, items, queries etc.

Please have a look at the "rules" further down!

Why do this? Well, because it's fun - and useful at the same time... Looked at generally, the purpose of this filter is to say: "I want these user settings to apply, but only when the user logs on to stationary machines". This can be used for a lot of security related settings, e.g. in the case where automatically cached Offline Files/Folders are unwanted on stationary machines for certain users etc. The job of most WMI filters placed on User policies is to limit which machines the policy setting(s) should apply to (even though WMI filters could check for user specific things too). Besides that, it's a nice challenge: we can pretty easily "spot" laptops, as they have batteries – and desktops don’t, but that’s not good enough for Mr. WQL, is it?!


Stuff we have tried - and the rules

We’ve been around solutions looking for Win32_SystemEnclosure > ChassisType before - which basically doesn’t work in a WMI filter because that’s an Array (and yes, I've also seen lots of posts on forums out there claiming that particular class is the solution – but for WMI/WQL queries it’s not). It would work in a script (because you can add additional logic to scripts), but we are searching for a WMI Filter - not workarounds of any kind!

As mentioned we tried with the Win32_Battery WMI class. However, as desktops don’t know this class at all, they'll return FALSE no matter what. Basically a desktop computer is gonna say “Heck, I don’t know anything about that class *Panic* I’m out!” – or just “False”... Bummer!

We have also tried PowerSupplyState, Win32_DesktopMonitor, Win32_DisplayConfiguration, Win32_SystemSlot, Win32_Fan and other classes – just haven’t found the perfect “this is definitely a desktop WMI item value or class”…

We're basically looking for something like:

A) Select * from Win32_SomeClassOnlyDesktopsHave


B) Select * from Win32_SomeClass.SomeItem = “SomeValueOnlyDesktopsHave”


C) Some way of saying “if you don’t know the class (eg. Win32_Battery), then apply the GPO anyway”

Again, the “quest” is to find the perfect, *universal*, way of spotting “non-laptops” or desktops – it can of course be done by looking for some special computer manufacturer/model, BIOS version, specific hardware driver or whatever – but that stuff is most likely gonna be different from environment to environment. Also, if we all just used computer names like “DESKxxx” for desktops and “LAPTxxx” for laptops, we could have used WMI filters for computer name – but unfortunately that’s not the case - or at least I won't consider that a valid solution :)

The thing is, that normally it’s the LAPTOPS that have special hardware – like Batteries and built-in Modems, PCMCIA slots etc. – so they are pretty easy to find. With desktop computers it’s another story – hope you can help us out here!

Please, again, we know lots of “workarounds”, but what we need is a *WMI filter* and it has to return *TRUE* for *DESKTOPS* (or let’s call them NON-LAPTOPS or NON-PORTABLES, it doesn’t really matter).

Remember, simplicity works - maybe the answer/solution is pretty straight forward? Feel free to post any additional questions to the mailing list!


Another example of what has been tried

We could maybe try to go for presence of PCI (and not Mini-PCI) or AGP slots, as we expect most desktops to have PCI slots (and laptops to have Mini-PCI, but that would depend on the form factor) – or maybe AGP (but does onboard VGA count as AGP? Any PCI VGA cards left out there? Yeah, probably...). If not we could maybe go for something like this:

A) Select * From Win32_SystemSlot Where SlotDesignation Like "PCI%"
B) Select * From Win32_SystemSlot Where SlotDesignation = "AGP"

However, this is not accepted as a solution as we cannot say that all desktop computers have AGP slots. But - maybe you can convince us otherwise?
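To try candidates like the ones above before putting them into a GPO, here is an added example (not from the original post) that runs the queries discussed in this entry on the local machine and reports how many instances each returns. A GPO WMI filter applies the GPO only when its query returns at least one instance, so a query that yields 0 rows on a desktop is useless as a "this is a desktop" test, however sensible it looks; an unknown class or a query error counts as FALSE in the same way. It assumes Windows PowerShell with Get-WmiObject, and it does not solve the quest, it only shows quickly why each candidate fails.

```powershell
# Added example, not from the original post: run the candidate WQL queries
# discussed above on the local machine and report how many instances each
# returns. A GPO WMI filter applies the GPO only when the query returns at
# least one instance, so 0 rows on a desktop means FALSE (GPO skipped).
# Assumes Windows PowerShell (Get-WmiObject is available).

$candidates = @(
    # Laptop hardware: rows on laptops, nothing on desktops (hence FALSE there)
    'SELECT * FROM Win32_Battery',
    # Expansion slots: WQL needs LIKE for the % wildcard, "=" would never match
    'SELECT * FROM Win32_SystemSlot WHERE SlotDesignation LIKE "PCI%"',
    'SELECT * FROM Win32_SystemSlot WHERE SlotDesignation LIKE "AGP%"',
    # ChassisTypes is an array property, which is why a filter cannot compare
    # it; the query runs, but a WHERE clause on the value is not possible
    'SELECT ChassisTypes FROM Win32_SystemEnclosure'
)

function Test-WmiFilterQuery {
    param([string]$Query)
    try {
        $rows  = @(Get-WmiObject -Namespace 'root\cimv2' -Query $Query -ErrorAction Stop)
        $count = $rows.Count
    } catch {
        # Unknown class or bad WQL: a WMI filter treats this as FALSE as well
        $count = 0
    }
    if ($count -gt 0) { $result = 'TRUE  (GPO applies)' } else { $result = 'FALSE (GPO skipped)' }
    [PSCustomObject]@{ Query = $Query; Instances = $count; FilterResult = $result }
}

$candidates | ForEach-Object { Test-WmiFilterQuery -Query $_ } |
    Format-Table -AutoSize Query, Instances, FilterResult

# The array problem in one line: the value is there, it just is not a scalar
(Get-WmiObject -Class Win32_SystemEnclosure).ChassisTypes -join ','
```

Run it on one laptop and one desktop and compare the FilterResult column; whatever you end up with as a candidate filter has to read TRUE on the desktop and FALSE on the laptop before it is worth linking to a GPO.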


Other cool Group Policy information:

You'll find additional Group Policy information at these sites: - The home of Group Policy guru and MVP Jeremy Moskowitz, check out the community there too!
TechNet Group Policy Forum - A brand new Group Policy forum on Microsoft TechNet
The Group Policy Team - The home of the Microsoft Group Policy Team
Jakob H. Heidelberg blog - My own blog, mostly about Group Policy and Security - My website with blog RSS, certifications, LinkedIn info etc.


Hope to hear from you soon - O' Yee Knight of the Microsoft Group Policy Table!

Tuesday, February 12, 2008

A strange KB I would say - 240 days of Windows Server 2008 for nothing?

Sometimes you come upon a strange KB article - which makes you wonder why that information is public or what the general purpose of the article is... I found this one today:

How to extend the Windows Server 2008 evaluation period


This is quoted from the article:


This article describes how to extend, or re-arm, the Windows Server 2008 evaluation period. The evaluation period is also known as the "activation grace" period. These instructions apply to any edition of Windows Server 2008. This includes evaluation copies.


Evaluating Windows Server 2008 software does not require product activation. Any edition of Windows Server 2008 may be installed without activation, and it may be evaluated for 60 days. Additionally, the 60-day evaluation period may be reset (re-armed) three times. This action extends the original 60-day evaluation period by up to 180 days for a total possible evaluation time of 240 days.
Note Although you can reset the 60-day evaluation period, you cannot extend it beyond 60 days at any time. When you reset the current 60-day evaluation period, you lose whatever time is left on the previous 60-day evaluation period. Therefore, to maximize the total evaluation time, wait until close to the end of the current 60-day evaluation period before you reset the evaluation period.


How to install Windows Server 2008 without activating it

1. Run the Windows Server 2008 Setup program.
2. When you are prompted to enter a product key for activation, do not enter a key. Click No when Setup asks you to confirm your selection.
3. You may be prompted to select the edition of Windows Server 2008 that you want to evaluate. Select the edition that you want to install.
Note After Windows Server 2008 is installed, the edition cannot be changed without reinstalling it.

4. When you are prompted, read the evaluation terms in the Microsoft Software License Terms, and then accept the terms.
5. When the Windows Server 2008 Setup program is finished, your initial 60-day evaluation period starts. To check the time that is left on your current evaluation period, run the Slmgr.vbs script that is in the System32 folder. Use the -dli switch to run this script. The slmgr.vbs -dli command displays the number of days that are left in the current 60-day evaluation period.

How to manually extend the evaluation period
When the initial 60-day evaluation period nears its end, you can run the Slmgr.vbs script to reset the evaluation period. To do this, follow these steps:

1. Click Start, and then click Command Prompt.
2. Type slmgr.vbs -dli, and then press ENTER to check the current status of your evaluation period.
3. To reset the evaluation period, type slmgr.vbs -rearm, and then press ENTER.
4. Restart the computer.

This resets the evaluation period to 60 days.

How to automate the extension of the evaluation period

You may want to set up a process that automatically resets the evaluation period every 60 days. One way to automate this process is by using the Task Scheduler. You can configure the Task Scheduler to run the Slmgr.vbs script and to restart the server at a particular time. To do this, follow these steps:

1. Click Start, point to Administrative Tools, and then click Task Scheduler.
2. Copy the following sample task to the server, and then save it as an .xml file. For example, you can save the file as Extend.xml.

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="">
<Author>Microsoft Corporation</Author>
<TimeTrigger id="18c4a453-d7aa-4647-916b-af0c3ea16a6b">
<Principal id="Author">
<Actions Context="Author">

3. In the sample task, change the value of the following “UserID” tag to contain your domain and your alias:


4. In the Task Scheduler, click Import Task on the Action menu.

5. Click the sample task .xml file. For example, click Extend.xml.

6. Click Import.

7. Click the Triggers tab.

8. Click the One Time trigger, and then click Edit.

9. Change the start date of the task to a date just before the end of your current evaluation period.

10. Click OK, and then exit the Task Scheduler.

The Task Scheduler will now run the evaluation reset operation on the date that you specified.



Sunday, February 10, 2008

Windows Vista vs. Windows XP patching

On January 24 MVP:Security Jesper Johansson posted a very good blog entry, "Do Vista Users Need Fewer Security Patches Than XP Users?", about Windows XP vs. Windows Vista security. This was in reply to the "One Year Vulnerability Report" by Jeff Jones (who is the Director of Security at Microsoft).

It's VERY interesting reading - showing how strong Vista is - oh, and Jesper takes that even further comparing IE7 and Firefox patching. Cool stuff.





Saturday, February 09, 2008

WSUS 3.0 SP1 is out there!

The final version has been released:

Windows Server Update Services 3.0 SP1 - download here.


Windows Server Update Services 3.0 Service Pack 1 (WSUS 3.0 SP1) delivers important customer-requested management, stability, and performance improvements, while incorporating further enhancements to local publishing of drivers and the Client Servicing API addition.
WSUS 3.0 SP1 delivers new features that enable administrators to more easily manage and deploy updates across the organization. This package installs both the WSUS 3.0 Server and WSUS 3.0 Administration Console components, for all Windows Server 2003 SP1 supported languages. Additionally, the WSUS 3.0 SP1 client is included in all supported client platform languages. You must install the server components on a computer running Windows Server 2008 or Windows Server 2003 SP1 or later. You may install the Administration Console on a remote computer running Windows Server 2008, Windows Vista, Windows Server 2003 SP1, or Windows XP SP2.

Supported Operating Systems:
Windows Server 2003 Service Pack 1; Windows Server 2008
- Note: there's a special guide for SBS 2003 environments...

Additional information:

Release Notes for Windows Server Update Services 3.0 SP1

Microsoft Windows Server Update Services 3.0 SP1 Overview

Deploying Microsoft Windows Server Update Services 3.0 SP1

Step-by-Step Guide to Getting Started with Microsoft Windows Server Update Services 3.0 SP1

Microsoft Windows Server Update Services 3.0 SP1 Operations Guide

Installing Windows Server Update Services 3.0 on Windows Small Business Server 2003





Friday, February 08, 2008

Why a single AV engine is not enough!

This is just to prove my point - a single AV engine is not enough if you want to be secure.

I had this problem today at a customer - a user had received a link in her Messenger... And she clicked it and probably accepted to execute the thing => Pooof (all her MSN Messenger contacts were spammed with links to the worm)!

We tried to use some different online scanners - as the local AV engines (no names mentioned) didn't find anything - even after updating the signatures. The online scanners I tried first didn't show anything. So, this particular online scanner turned out to be VERY cool and effective:


I can recommend this scanning link whenever you have a suspicious file you want to scan:

As you can see it uses several engines to determine if the file is infected or not - so nice, thanx!




Free online scanners

Just a quick list of online scanners - will try to update regularly - please post or send me an email if you have other great links!

General scanner (very cool):

File/Machine scanning:

Microsoft Malicious Software Removal Tool

GFI EndPointScan

Acunetix WVS (is your website hackable?)

Test email system



Wednesday, February 06, 2008

Windows Server 2008 RTM Administrative Template and Security settings reference spreadsheet available

The Microsoft Group Policy Team has released the very useful Excel spreadsheet describing Administrative Template and Security policy settings.

Check out the GP team blog here or download the XLS/XLSX spreadsheet right here!


Enjoy... ;-)




Using Group Policy to Secure and Manage UNIX, Linux and Mac Systems

This new webinar from has been announced lately - featuring my good pal Jeremy Moskowitz - it's gonna be awesome!

Check out the content and sign up for a great show - 100% guarantee:


Five Top Benefits of Using Windows Group Policy to Secure and Manage UNIX, Linux and Mac Systems

Date: February 21, 2008
Time: 2 p.m. Eastern US (11 a.m. Pacific)
Duration: 1 hour

In this live webinar, Linux, UNIX and Mac admins will get a concise overview of how Group Policy works from Jeremy Moskowitz, author of authoritative works on both Windows Group Policy and Windows/Linux integration. Centrify's David McNeely will then explain the workings of the Group Policy engine that is seamlessly built into DirectControl and the unique benefits of using it for non-Windows policy enforcement. He'll also demonstrate using Windows Group Policy to lock down user and security settings on a Mac desktop system.

Register now (*CLICK HERE*) and we'll send you a free copy of our complimentary white paper on extending Windows Group Policy to Linux, UNIX and Mac.



Wednesday, January 30, 2008

Powershell Group Policy Remote Refresh

Check out this new Powershell Cmdlet from Darren Mar-Elia:

We have had the capability with other tools/script - but using PS is new, great stuff!



Limiting Tor access with ISA 2004/2006

If you have looked into "The onion ring", or just "Tor", you have probably wondered if it would be wise to block access from these anonymous servers (or maybe just the exit nodes). I am not gonna talk about how the encrypted Tor network works, as a great deal of info can be found "out there". Main source should be: - and perhaps WikiPedia.

As a security guy (or ISA administrator maybe), you ask yourself "why do these people want to be anonymous"? In this case "anonymous" means that "they" don't want targets on the Internet to see the originating IP address (the source). A "target" is typically a web site or some other web service.

The answer? Well, first you gotta ask yourself: "who are they"? And there's really no good answer to that question I guess - who really knows? All we can do is guess, so let me turn these questions around: if I were to try out a hack, or some new exploit, would I do it directly over my personal WAN IP? Or would I try to "hide" my originating IP? If you look at it in that perspective Tor networks are GREAT for hiding out - the whole idea is that it shouldn't be possible to track the communication. What you don't know can hurt you, right? I'm not saying all Tor users are hackers or anything, because they are not, but you have to look at the odds... What do you think? I cant help thinking, that if you hide from someone you have something (bad) to hide - but hey, it could be a Christmas present, right?

Anyway - you have to decide - do I want these people to be able to access my web sites and services or not? I'm not going to decide on your behalf - that's politics!

So, what can we do about it if we want them out? Well, after reading Thomas Shinder's blog entry "HammerOfGod Computer Sets — Block and Log by Country" I got an idea. How about downloading a list of Tor servers, importing it into a Computer Set (CS) and making sure that CS is an Exception on all of your published services? This way hackers out there, behind Tor servers, won't be able to poke around your IIS servers or whatever you have.


So, I started a search for Tor lists - the best thing would probably be to create it yourself dynamically - but that would take programming skills that I unfortunately haven't got. I'm just a scripting kinda guy... The thing is, you would need to have a Tor client installed and from that extract the list once in a while - not possible for me (maybe you can do it easily - please post a "how to" then).

But, then I found a list on - this list is updated regularly - the only thing is, that this list is formatted for easy import on Apache servers, definitely not ISA. But hey, we can change the formatting in a script and then call the "AddComputersToComputerSet.vbs" script from Microsoft... Simple, all we have to do then, is to configure the CS exceptions on our ISA rules, schedule the script and never touch it again!

So, I created a simple script for:

a) Downloading the latest Tor server list from
b) After the download it creates a new file with the correct format (machine_name<tab>IP_address)
c) And then it calls the AddComputersToComputerSet.vbs with the correct parameters

You can download the script here - also download the script from MS (link above) and place them in the same directory. You will need a bit of VBS knowledge to "tweak" the script(s), but I've tried to make the code easily understandable. Now, make sure you can run it from your ISA box (it downloads over HTTP), and then schedule the thing (oh, and remember to remove the Msgbox "Done!" line if you want this as a scheduled task).

If you want it to run from another machine, take a look at the link to the AddComputersToComputerSet I provided above (some changes are needed).

Please report back if you have any bug reports or ideas! It's provided "As Is" - after downloading you're on your own :)


The dynamically created/updated ISA Computer Set:


The ISA Rule/Publishing Exceptions:


What's missing?
I can think of a lot of things I'd like to add in there - but the idea with this blog entry is to "spread the word" and a Proof of Concept.

Personally I want to add logging of script actions, and email alerts if the list is unavailable or some other errors occur. Also, there's a weakness in case the downloadable list is compromised somehow. Say someone adds internal/private/"not-Tor" IPs etc. to the list - it just might give some strange results for your users. So, we have to trust that the list is OK/secure - but it would be a good idea to put in some sort of validation on what IP addresses are put into this particular CS.
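Here is an added example (not the VBS script from this post) covering step b) of the procedure above together with the validation this "What's missing" section asks for: it turns a downloaded node list into the "machine_name<tab>IP_address" format that AddComputersToComputerSet.vbs imports, and it lets only syntactically valid, public IPv4 addresses through, so a poisoned list cannot push internal or private ranges into the Computer Set. The input lines are constructed samples, not the real list, and the download (step a) is left out so the script runs offline; the machine-name prefix "Tor_" and the "Deny from" line format are assumptions.

```powershell
# Added example, not the script from the post. Converts a Tor node list into
# the "machine_name<TAB>IP_address" lines AddComputersToComputerSet.vbs
# expects, rejecting anything that is not a public IPv4 address.
# The sample list below is constructed for this example.

$sampleList = @(
    '# constructed sample, not the real Tor list',
    'Deny from 203.0.113.7',
    'Deny from 198.51.100.42',
    '192.0.2.9',
    'Deny from 10.0.0.5',        # private range: must be rejected
    'Deny from 127.0.0.1',       # loopback: must be rejected
    'Deny from 999.1.1.1',       # not a valid IPv4 address
    'Deny from 203.0.113.7'      # duplicate: keep only once
)

function Test-PublicIPv4 {
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $o = $ip.GetAddressBytes()
    # RFC 1918, loopback, link-local and "this network" must never end up in
    # a block list for Tor, whatever the downloaded file says.
    if ($o[0] -eq 0)   { return $false }
    if ($o[0] -eq 10)  { return $false }
    if ($o[0] -eq 127) { return $false }
    if ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) { return $false }
    if ($o[0] -eq 192 -and $o[1] -eq 168) { return $false }
    if ($o[0] -eq 169 -and $o[1] -eq 254) { return $false }
    return $true
}

function ConvertTo-ComputerSetLines {
    param([string[]]$Lines)
    $seen = @{}
    foreach ($line in $Lines) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        # Accept both Apache-style "Deny from x.x.x.x" and bare addresses
        $token = ($line -replace '^Deny\s+from\s+', '').Trim()
        if (-not (Test-PublicIPv4 $token)) {
            Write-Warning "Skipping '$line' (not a public IPv4 address)"
            continue
        }
        if ($seen.ContainsKey($token)) { continue }
        $seen[$token] = $true
        # machine_name<TAB>IP_address; "Tor_" naming is an assumption
        "Tor_$($token -replace '\.', '_')`t$token"
    }
}

$outFile = Join-Path $env:TEMP 'TorComputerSet.txt'
ConvertTo-ComputerSetLines $sampleList | Set-Content -Path $outFile -Encoding ASCII
Get-Content $outFile
# Step c) from the post would now run cscript AddComputersToComputerSet.vbs
# with $outFile as its input file.
```

Rejected lines are written as warnings rather than silently dropped, which is the cheap version of the logging the post wants; a row of warnings in the scheduled task's output is the first sign that the upstream list has changed format or has been tampered with.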


Hope you can use this :)


Tuesday, January 29, 2008

Is your company prepared for 2008?

Read an interesting piece of information about the most likely security threats in 2008 - read it here!

Top Ten Cyber Security Menaces for 2008:

  1. Increasingly Sophisticated Web Site Attacks That Exploit Browser Vulnerabilities - Especially On Trusted Web Sites
  2. Increasing Sophistication And Effectiveness In Botnets
  3. Cyber Espionage Efforts By Well Resourced Organizations Looking To Extract Large Amounts Of Data - Particularly Using Targeted Phishing
  4. Mobile Phone Threats, Especially Against iPhones And Android-Based Phones; Plus VOIP
  5. Insider Attacks
  6. Advanced Identity Theft from Persistent Bots
  7. Increasingly Malicious Spyware
  8. Web Application Security Exploits
  9. Increasingly Sophisticated Social Engineering Including Blending Phishing with VOIP and Event Phishing
  10. Supply Chain Attacks Infecting Consumer Devices (USB Thumb Drives, GPS Systems, Photo Frames, etc.) Distributed by Trusted Organizations

The ranked list is created by Stephen Northcutt, Ed Skoudis, Marc Sachs, Johannes Ullrich, Tom Liston, Eric Cole, Eugene Schultz, Rohit Dhamankar, Amit Yoran, Howard Schmidt, Will Pelgrin, and Alan Paller.



Friday, January 25, 2008

SQL attacks - the lethal injection

Hi there,

Let everybody know the two very simple golden rules when it comes to web-applications that are communicating with SQL servers:

1. Never send user input text strings directly to the (backend) SQL server(s). Make sure to "clean it up" first (eg. no special chars etc.). Only accept things you KNOW you want.

2. Always use Stored Procedures and call them with arguments instead of letting text strings (SQL injections) take control of your (backend) SQL server(s).

Sticking to those rules will make life a lot easier for admins, consultants and security guys like me. Tell your company developers, third-party software vendors etc. to stick to the rules (even though they should know them by heart already) - spread the word and life will be a lot easier for all of us good people around the globe :)
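To make the two rules concrete, here is an added example (not from this post) of the same lookup written the injectable way and the way rule 2 asks for, using .NET's SqlClient from PowerShell. The table dbo.Customers and the connection string are placeholders; nothing is sent to a server, the script only builds the commands so the difference is visible.

```powershell
# Added example, not from the post: string concatenation versus a
# parameterized command. Table name and connection string are placeholders.
Add-Type -AssemblyName System.Data

# Vulnerable: the input is pasted into the SQL text, so the input itself can
# change the statement (rule 1 violated, rule 2 ignored).
function Get-UnsafeCommandText {
    param([string]$UserInput)
    return "SELECT Name FROM dbo.Customers WHERE Name = '" + $UserInput + "'"
}

# Safe: the statement is fixed and the input travels as a typed parameter, so
# whatever the user typed is compared as a value and never parsed as SQL.
function Get-SafeCommand {
    param([System.Data.SqlClient.SqlConnection]$Connection, [string]$UserInput)
    $cmd = $Connection.CreateCommand()
    # The stored-procedure form from rule 2 differs only in these two lines:
    #   $cmd.CommandType = 'StoredProcedure'; $cmd.CommandText = 'dbo.GetCustomerByName'
    $cmd.CommandText = 'SELECT Name FROM dbo.Customers WHERE Name = @name'
    $p = $cmd.Parameters.Add('@name', [System.Data.SqlDbType]::NVarChar, 100)
    $p.Value = $UserInput
    return $cmd
}

# The textbook input: the quote closes the literal and the rest is read as SQL
$evil = "x' OR 1=1 --"

"Unsafe statement sent to the server:"
Get-UnsafeCommandText $evil

$conn = New-Object System.Data.SqlClient.SqlConnection(
    'Server=PLACEHOLDER;Database=PLACEHOLDER;Integrated Security=True')
$cmd  = Get-SafeCommand -Connection $conn -UserInput $evil
"Safe statement sent to the server:"
$cmd.CommandText
"Value of @name (compared as data, not parsed):"
$cmd.Parameters['@name'].Value
```

Note that the safe variant does not depend on "cleaning up" the string at all: the parameter's type and length are the contract, which is why rule 2 is the one that actually closes the hole, while rule 1 is the extra sanity check you keep in front of it.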

Yes of course you can assign Group Policies to Security Groups!

I have to blog this right away - it will be part of a larger "GP Processing" article at some point though... But this is IMHO important stuff which needs to get out there quick :)


I've heard the following sentence too many times (in one way or the other): "You can only assign Group Policy Objects to Site, Domain Level or OU's"...

- but that's only partly true! Normally in newsgroups, forums etc. this leaves the readers (eg. someone who asked a GP question or whatever) with the impression that you cannot "hit" members of a certain Security Group only (which leaves you with "Site/Domain/OU Filtering" and/or "WMI Filtering" as the only possible choices available). But that's simply not fair to the amazing Group Policy processing engine!

Even though "WMI Filtering" is pretty well-known these days (after WS2003 arrived), many people tend to forget the little - but extremely effective and flexible - thing called "Security Filtering" (even though it's somewhat more "Basic" compared to WMI)...


Let's talk about it for a minute or two if you are interested...


You can set this kind of filtering within the Group Policy Management Console (GPMC) on either the Scope tab:


- or the Delegation tab (a bit more Advanced):


As you can see, by DEFAULT all Group Policy Objects (GPO) include "Authenticated Users" with both Allow:"Read" and Allow:"Apply Group Policy" permissions set. Both of these permissions are needed for users and computers to take on (or process) a given GPO:


The thing about the very important "Authenticated Users" group is that it includes ALL User AND Computer accounts/objects within the AD domain (Domain Controllers too, right). So, by default a GPO applies to both computers and users (we are not going to talk about disabling GPO parts etc. now).

That's the "technical" explanation why policies placed on
a) the Site applies to ALL users and computers within the Site (the user's site follows the computer's site, which follows the IP address)
b) the Domain Level applies to ALL users and computers within the Domain
c) any given OU applies to ALL users and computers within that particular OU (and sub-OUs for that matter)
=> because the "Authenticated Users" security group is there by default. These default permissions on new GPOs are handled by something called "Security Descriptors", but more on that in some other blog or article.

So, we have Security permissions on all of our GPOs (unfortunately not on the GPO links, but that's another talk) - leaving us with GREAT power to control to whom the particular GPO should be assigned (or 'applied'). All we need to do is to change the default permissions and <Zaboooka!> we are in complete control.

First step is generally to remove the "Authenticated Users" group from the GPO in question. Click Remove (below Security Filtering section) on the Scope tab and click OK:


Click Add... and select the domain security group you want to "hit" - click OK when done:


And <poof>, this GPO will only apply to members of "The Sales Group" - or whatever group (or user, or computer object...) you selected:


Now all you need to do is to link the GPO to the Domain Level (or Site or OU if that's better in your case) - but the Domain Level should be fine for most environments.

Now, you could turn this around and exclude certain groups, users or computers - by setting Deny:"Apply Group Policy" instead. In some cases that might be the best choice - but as always with "deny" you have to watch out (mainly because deny overrides allow)!

Also note, that Security groups can include both user and computer accounts - we are maybe used to thinking that groups are for users only (in my experience most admins know the "Domain Users" group - but the "Domain Computers" group is not that well known)... But, with this in mind, you could make a group of computers instead of applying a WMI filter for instance (which is generally slower).

You could use other methods for setting permissions than the GPMC (like scripts) - but the GPMC is a wonderful tool for doing this easily - no sweat!
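For the script route, here is an added example (not from this post) that does the Scope-tab clicks above with the GroupPolicy PowerShell module, which arrived with Windows Server 2008 R2 / RSAT and is therefore newer than this entry. The GPO name and group name are placeholders. One caveat from later years: since the MS16-072 update (June 2016) user settings are retrieved in the computer's security context, so Authenticated Users must keep Read on the GPO; the example therefore only takes the "Apply Group Policy" right away from it instead of removing the entry as the GPMC steps above do.

```powershell
# Added example, not from the original post. Security filtering with the
# GroupPolicy module (Windows Server 2008 R2 / RSAT or later).
# 'Sales Settings' and 'The Sales Group' are placeholder names.
Import-Module GroupPolicy

$gpoName   = 'Sales Settings'
$groupName = 'The Sales Group'

# Step 1: downgrade the default Authenticated Users entry from Read + Apply
# to Read only. -Replace is required, otherwise the existing higher level
# is kept. Keeping Read matters on hosts patched with MS16-072.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Step 2: give the target group Read + Apply Group Policy (GpoApply
# includes Read). Groups may contain computer accounts too, so the same
# call scopes a GPO to a group of computers instead of a WMI filter.
Set-GPPermission -Name $gpoName -TargetName $groupName `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Check: who can apply the GPO now? Only the target group should be listed.
# (Set-GPPermission cannot write Deny entries, so the "exclude a group"
# variant from the post remains a GPMC Delegation-tab job.)
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, TrusteeType, Permission
```

The final Get-GPPermission listing is the check worth keeping in a change script: if anything other than the intended group still shows GpoApply, the GPO is still hitting more accounts than you think.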

One way of automatically creating Security Groups from members of an OU is described in my article "Configuring Granular Password Settings in Windows Server 2008, Part 2" - these groups are referred to as Shadow Groups (cool, right). In some "filtering situations" that is nice to know...


Wow - that was nice getting it off my shoulders, and now I can refer to this blog entry whenever I get the question again - and so can you of course :-)


Thursday, January 17, 2008

VM Ware with Multiple Physical NICs

Got a question about whether it's possible to attach physical network adapters to VM Ware's virtual network adapters - like eg. 1-to-1. And 'yes' it's possible... Just like it's possible in Virtual PC and Virtual Server from Microsoft.

It's basically the same story for VM Ware Workstation and Server (almost the same dialog boxes) - go to Virtual Network Settings:


Select what "Virtual Networks" you want - in here you can assign specific NICs to VMnet0-9 (you BRIDGE your adapters to the virtual "switch" you could say).

Pretty nice - now you're almost done...

On the Virtual Machine Settings - select the Network Adapter - choose Custom - and select the Virtual Network your Physical Network Adapter is bound to:


That should do it. Simple, right?



Saturday, January 12, 2008

Time to contribute to the Group Policy Explain texts!

The Microsoft Group Policy Team invites everyone to send in suggestions for Explain text changes of any kind (check the link).

Just send your suggestions to "gptext(@)microsoft(.)com".


Wednesday, January 09, 2008

Do you want GGPI? Great Group Policy Information?

So, you are in the mood for studying Group Policy? In the lack of GGPI, I know the feeling.

And you got tired of reading my GP stuff here: :-)

I'll recommend you to go for these sites then:

That's where everything starts...



Friday, January 04, 2008

You just have to check out this Oracle install!

Some say Danes are strange - this is the proof :-)

A guy installs an Oracle database with his nose only - go check out "The Nose Job":