Tuesday, March 25, 2008

Remote Server Administration Tools Available!

You can now download the RSAT toolkit for Windows Vista - go get the package right HERE (32-bit) or HERE (64-bit)...

Time to get Group Policy Preferences and all those other goodies up and running - cool stuff!



Thursday, March 20, 2008

What's inside Vista Service Pack 1

Well - in regards to Hotfixes and Security Updates, check out this TechNet article. To get the complete overview, read this one. The "notable changes" can be found here.

That should be enough info to get safely through Eastern :-)



Wednesday, March 19, 2008

Configuring Granular Password Settings in Windows Server 2008 – The Easy Way!

This article will demonstrate “The Easy Way” of how to handle Granular Password Policies – also known as Fine-Grained Password Policies - in a Windows Server 2008 domain environment.

In the article series “Configuring Granular Password Settings” (part 1 & part 2) I demonstrated how to configure Granular Password Settings for individual users or global security groups in a Windows Server 2008 Active Directory environment, using built-in methods. This article will demonstrate “The Easy Way” of how to handle these additional password policies in your Windows Server 2008 domain environment... Using Specops Password Policy Basic!





Tuesday, March 18, 2008

Easily leave users with the Least Privilege possible

A new and shiny - free! - tool from BeyondTrust makes it possible for admins around the world to figure out exactly what rights different applications in the environment need to run. This kind of info is essential for removing administrative rights from users and running a "principle of least privilege" environment!

BeyondTrust® Application Rights Auditor is a totally FREE tool which profiles applications and seamlessly identifies the required permissions - very easy to implement, use and manage.

We all know, that administrative rights allow users to circumvent security policies, install unauthorized applications and make unauthorized modifications to a standard desktop configuration - let's move away from those risks... Just register, download and test out this free application - this is "low hanging fruit" giving your environment a needed security-vitamin injection!

Download the Product Sheet (PDF) right here!

A desktop component can be installed on multiple computers to transparently examine applications during execution. The reporting console gives a nice overview of applications the environment from a central point.

Reporting Console Prerequisites:
Microsoft .NET Framework 3.0 SP 1 and
Microsoft Management Console 3.0


Go for it !


Saturday, March 01, 2008

Windows Server 2008 Security Guide and the new GPOAccelerator tool is out there!

I participated in creation of this great guide around security on Windows Server 2008 - really, you gotta see this... Also check out the new and shiny Solution Accelerator called "GPOAccelerator" - it really rocks!

Info from Microsoft:
The primary purposes of this guide are to enable you to do the following:

  • Use the solution guidance to efficiently create and apply tested security baseline configurations using Group Policy.
  • Understand the reasoning for the security setting recommendations in the baseline configurations that the guide prescribes, and their implications.
  • Identify and consider common security scenarios, and then use specific security features in Windows Server 2008 to help you manage them in your environment.
  • Understand role based security for different workloads in Windows Server 2008.

The WS2008 Security Guide also includes information on how to harden the following server roles and the role services that they provide:

  • Active Directory Domain Services (AD DS)
  • Dynamic Host Configuration Protocol (DHCP) Server
  • Domain Name System (DNS) Server
  • Web Server (IIS)
  • File Services
  • Print Services
  • Active Directory Certificate Services (AD CS)
  • Network Policy and Access Services
  • Terminal Services

The "complete solution" from Microsoft:
The Solution Accelerator for the Windows Server 2008 Security Guide includes the following components:

  • Executive Overview. A summary for business and technical managers that briefly explains how you can use the guidance and the tool for this Solution Accelerator.
  • Security Guide. Recommended guidelines and best practices in a series of chapters that offer detailed guidance on how to harden servers running Windows Server 2008 that handle different workloads (see above).
  • Security Settings Recommendation Appendix. A comprehensive technical reference that explains every prescribed security setting in the security guide.
  • Security Settings Workbook. A resource that lists all prescribed settings for each of the preconfigured security baselines provided by the guide.
  • Attack Surface Reference Workbook. A resource that lists the changes that installed server roles introduce in Windows Server 2008.
  • GPOAccelerator. A tool that you can use to automatically create Group Policy objects (GPOs) recommended by the guide, which is available as a separate download. To learn more about the GPOAccelerator and download the tool, click here.

Where can I get this?
Windows Server 2008 Security Guide (online version)
Get the Windows Server 2008 Security Guide
Get the GPOAccelerator





How to install GPP CSEs using a Startup Script

When you have the Group Policy Preference (GPP) Client Side Extensions (CSE) downloaded you'll notice that they are not (yet) in the .MSI format - so using Group Policy Software Installation (GPSI) is not possible. Bummer, right!?
We have .EXE files for Windows XP/2003 and .MSU files for Windows Vista... But that's not the only thing we need to think about. Before "deploying" these things to the clients on the network we need to know the OS version (XP/2003/Vista), the OS architecture (32 or 64 bit), the Service Pack Level, and whether or not the Group Policy Preference Pre-requisites (WmlLite - http://support.microsoft.com/kb/914783/en-us) are installed.
To make all this pretty easy I've created a "demo" script for deploying the GPP CSEs using Startup Script - or a manual launch (in admin context). My good friend Jeremy Moskowitz asked me to do this - so, a couple of hours later the "demo" - or "beta" - script is public (download below)...
Note: I haven't been able to test in all scenarios yet, but I *think* they are all covered pretty well by now. Please report back if you find any problems - any feedback is welcome!
Download the VBS script right here!
NB! You might need other language version for the XmlLite GPP CSE Pre-requisites, so watch out!
Running the script in your production network is on your own risk. The code is delivered "As Is" - totally free of any charge. No strings attached.

I hope this works out nicely for you!