heidelbergit

RegistryProfileCleanup - cleartext

2011-10-14T08:45:00.003+02:00

Several people have asked me for the VBS code to my "Efficient Registry Cleanup" script, since the link went down. I'm not using any time on this blog these days, so this is just a quick & dirty fix:

http://dl.dropbox.com/u/11617172/RegistryProfileCleanup.txt

Also the "Get User Profile Dirs From Registry" script is here:

http://dl.dropbox.com/u/11617172/GetUserProfileDirsFromRegistry.txt

Cya!
Jakob

P.S. The article is still here: http://www.windowsecurity.com/articles/efficient-registry-cleanup.html

InstallGPPCSE - cleartext

2011-10-14T08:41:00.000+02:00

Several people have asked me for the VBS code to my GPP CSE Install script since the link went down. I'm not using any time on this blog these days, so this is just a quick & dirty fix:

http://dl.dropbox.com/u/11617172/InstallGPPCSE.txt

Cya!
Jakob

FlexCommand - cleartext

2011-06-24T20:38:00.001+02:00

Several people have asked me for the HTA code to my FlexCommand tool since the link went down. I'm not using any time on this blog these days, so this is just a quick & dirty fix:

http://dl.dropbox.com/u/11617172/FLEXCOMMAND.txt

Cya!

Jakob

Unique passwords on local user accounts using VBS and Group Policy

2009-05-24T10:25:00.022+02:00

The purpose of the script (SetLocalPassword.v2.txt - just rename to "SetLocalPassword.vbs") is, to ensure assignment of unique and complex password to a specific local user account (typically the local administrator account) on a Windows client in an Active Directory (AD) domain environment.

The script can be used, if you (for one reason or another) want a specified local user account (e.g. administrator) to be active, but you still want to ensure, that the password used is unique for each computer, that the password is changed regularly (a given period of time) and that you are able to logon using the password at any time. Usually I would recommend customers to just deactivate the local administrator account, or set the password using Group Policy Preferences (preferably different passwords on different security areas), but if these solutions aren’t usable in the environment, “ChangeLocalPassword.vbs” could be the right solution.

The intention is to execute the script as a "Startup Script” within a Group Policy Object (GPO), which is aimed at the relevant computer accounts in AD (as you probably know GPO’s can be filtered by AD security groups, WMI filters, Organizational Units (OU), domain and/or site). This way we ensure that the script is executed in ”SYSTEM" context, in which we can pretty much do anything on the local computer(s). Furthermore, SYSTEM can access network resources on behalf of the computer, as long as the resource in question (a file share in this case) allows “Domain Computers”, the specific AD computer account og “Authenticated Users” to gain access.

It is crucial that the group ”Authenticated Users” is NOT given access to the network share – in that case all users within the domain will be able to read which passwords are used on all computers hit by the GPO. Share permissions (could be a hidden share$) can of course be set to Everyone Full Control, but NTFS must be set to allow only members of the group "Domain Computers" to read and write - domain administrators, and other relevant groups (e.g. helpdesk, supporters, backup account etc.) should also have read access. If you have a Distributed File System (DFS) up and running it could be used as the network share.

This illustrates the scripts cycle:

1. The SYSTEM account is used by the computer during the boot process
2. DNS and AD is contacted, and Group Policies are processed (machine policies)
3. The GPO with the Startup Script is loaded
4. The VBS script is executed (also in SYSTEM context)
5. All activity is logged to a local log file (strLocalLog)
6. Some preliminary checks are performed, this includes last modification of strLocalStamp and network access (strNetShare)
7. A password (strNewPassword) is generated from 4 different criteras (intPasswordLength, intWantNumber, intWantLcase and intWantUcase)
8. The username and password (clear text) is logged in a central log file (strnetFile)
9. The chosen local user account (strLocalUser) is assigned the newly generated password (only if 8 was completed without any errors)
10. A local timestamp file is created or modified if 9 was successfully completed

Some important notes...

First and foremost one must ensure, that the script file the GPO is pointing to cannot be modified by others than the relevant administrators. If a user gets write access to that file, he or she can do anything (locally) on all machines executing the code. This is of course true for any GPO Startup Script used.

Another important thing to note is, that if your users have local admin rights (I hope not), they will be able to “hack” the solution in a couple of ways. First of all they will of course be able to reset passwords for all local user accounts, but if they are a bit clever, they will also be able to take over the SYSTEM account (hint: AT command or PSEXEC) and access the network share we are using – and thus read or modify the log files with all the clear text passwords. But who in the world would allow users to be local administrators in the fist place, right?

A Startup Script will time out if the script takes too long to execute, but we should not have such a problem with this script (normally executed in less than a second). Startup Scripts react differently depending on whether the “Always wait for the network at computer startup and logo” setting is set or not - the script should work in both cases though.

Let’s take a look at the customizable variables.

intDays = 60
- default: 60 days between password change

strNetShare = "\\SERVER\SHARE\"
- define as a share with the correct NTFS permissions set
- is could be a hidden share, perhaps on a DFS
- remember a trailing backslash (\) or the script will fail!

strLocalLog = "C:\admpwd.log"
- placement of the local log file of all activity (except for the password itself)

strLocalStamp = "C:\admpwd.stp"
- placement of the file used as a timestamp

strLocalUser = "test-user"
- name the user account to control (e.g. "administrator")

intPasswordLength = 12
- the number of characters the password should have (exactly)
- must be at least the same as the domains minimum password length

intWantNumbers = 1
- set whether or not the password should contain numbers (complexity requirement)

intWantLcase = 1
- set whether or not the password should contain lowercase letters (complexity requirement)

intWantUcase = 1
- set whether or not the password should contain UPPERCASE letters (complexity requirement)

An example of the strLocalLog (default "c:\admpwd.log") local log file:

2009-05-22 13:20:26 [STARTED]
2009-05-22 13:20:26 [VARIABLES - A]
2009-05-22 13:20:26 - intDays : 1
2009-05-22 13:20:26 - strNetShare : '\\SERVER\SHARE\'
2009-05-22 13:20:26 - strLocalLog : 'C:\admpwd.log'
2009-05-22 13:20:26 - strLocalStamp : 'C:\admpwd.stp'
2009-05-22 13:20:26 - strLocalUser : 'test-user'
2009-05-22 13:20:26 - strComputer : 'COMPUTER1'
2009-05-22 13:20:26 - strNetFile : '\\SERVER\SHARE\COMPUTER1.log'
2009-05-22 13:20:26 STATUS - No local stamp file, probably first run
2009-05-22 13:20:26 SUCCESS - ALIVE:\\SERVER\SHARE\
2009-05-22 13:20:26 [VARIABLES - B]
2009-05-22 13:20:26 - intPasswordLength: 12
2009-05-22 13:20:26 - intWantNumbers : 1
2009-05-22 13:20:26 - intWantLcase : 1
2009-05-22 13:20:26 - intWantUcase : 1
2009-05-22 13:20:26 SUCCESS - PWD SET for: 'test-user'
2009-05-22 13:20:26 SUCCESS - PWD written to: '\\SERVER\SHARE\COMPUTER1.log'
2009-05-22 13:20:26 SUCCESS - TIME written to: 'C:\admpwd.stp'
2009-05-22 13:20:26 [COMPLETED]

2009-05-22 13:27:45 [STARTED]
2009-05-22 13:27:45 [VARIABLES - A]
2009-05-22 13:27:45 - intDays : 1
2009-05-22 13:27:45 - strNetShare : '\\SERVER\SHARE\'
2009-05-22 13:27:45 - strLocalLog : 'C:\admpwd.log'
2009-05-22 13:27:45 - strLocalStamp : 'C:\admpwd.stp'
2009-05-22 13:27:45 - strLocalUser : 'test-user'
2009-05-22 13:27:45 - strComputer : 'COMPUTER1'
2009-05-22 13:27:45 - strNetFile : '\\SERVER\SHARE\COMPUTER1.log'
2009-05-22 13:27:45 STATUS - STAMP last modified: 22-05-2009 13:20:26
2009-05-22 13:27:45 STATUS - STAMP younger than: 1 days!
2009-05-22 13:27:45 [COMPLETED]

An example of the strNetFile (named [computername].log) network log file:

2009-05-20 13:20:26 test-user : 'W57Ja6c5Xcus'
2009-05-22 08:10:39 test-user : 'sdEc7s9Gbba8'

Final note:

The code could most definitely be more optimized (and prettier), but it works like a charm (and pretty fast too) on Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008 and Windows 7.

I hope it will turn out to be useful to someone out there - enjoy!

.

Get email address of all users from all mails in an Outlook Folder

2009-01-09T10:52:00.005+01:00

Hi,
Ever had the need to extract all email adresses from a folder in Outlook?

Let's say you want to make a reply to a lot of people who are not in your addressbook (contacts), but who have sent you an email which you have archived in a specific folder (or from your Sent items).

I archive my emails all the time using one folder pr. "case", "customer" etc. - and sometimes it's ery useful to be able to write to everyone who had to do with the specific case. This is when it get's a bit frustrating - you have to find a way to get all the email-adresses, and only once!

This is how to do it the easy way:
1. In Outlook press ALT+F11 (opens Microsoft Visual Basic console)
2. Open "ThisOutlookSession" from the Project tree (left menubar)
3. Paste the code below into the project (right window)
4. Press F5 to Run the code (execute)
5. Select the folder you want to use and hit OK (might take some time to complete)
6. Press ALT+G and then copy the email-addresses from the "immediate" window (debug window)

Oh, and remember to use the BCC field if they shouldn't see eachothers email addresses (in the case you want to send an email to all of them).

CODE:
Sub GetEmailAddressesInFolder()
Dim objFolder As MAPIFolder
Dim strEmail As String
Dim strEmails As String
Dim objItem As Object

Set objFolder = Application.GetNamespace("Mapi").PickFolder

For Each objItem In objFolder.Items
If objItem.Class = olMail Then
strEmail = objItem.SenderEmailAddress
If InStr(strEmails, strEmail) = 0 Then strEmails = strEmails + strEmail + ";"
End If
Next
Debug.Print strEmails
End Sub

The above code is tested on Microsoft Outlook 2007, but should work on older Office systems too.

Original source here - I just had to modify the code a bit.

Bye for now!
.

Software Restriction in Windows 7

2008-11-05T12:21:00.001+01:00

These are some quick notes from a session on AppLocker by Paul A. Cooke, Tech-Ed EMEA 2008:

As you may have seen, I’ve written a few articles on Software Restriction Policy (SRP) under Windows XP and Windows Vista for www.windowsecurity.com (see below). I’m very happy to tell you, that Microsoft now improved this functionality and renamed it into: AppLocker!

Unfortunately I cannot bring you any screenshots (because of NDA), but I can tell you a few things about the basic functionality. With AppLocker you can more easily eliminate unwanted and unknown applications in your Windows (7) environment. You can enforce application standardization – both from a security (malware), and from a management point of view (licensing & user control).

What most organizations try to do these days, it to limit users to be standard users (non-administrators) on their local machines – however this is actually not enough to feel secure as an IT administrator. Running as standard user is not the solution to all of our problems. Many applications can do bad stuff, even within user context – like stealing data, deleting data, manipulating data, encrypting data, creating bot-nets, send spam, social engineering etc. etc. This is true for applications that install in user context (like Google Chrome), or regular executables that don’t actually install – they just run!

If you want to control applications like that, what can run and what cannot – then you need another approach. AppLocker comes to the rescue!

AppLocker has been build around digital signatures – signing of software executables and DLLs. This was also an option in SRP under Windows XP, were we had path, filename, HASH & certificate rule, but it was pretty hard to manage and enforce back then. With Windows 7, a new GUI has been added to the group policy editor to support easy creation of software rules. We have 3 types of rules:
- Allow rules: same as Whitelisting (‘known good’ software)
- Deny rules: same as Blacklisting (‘known bad’ software)
- Exceptions: exclusion from allow or deny rules

Allow rules are of course the recommended approach – the “default deny all applications” rule (Whitelisting), but with specific applications the network administrators wants to allow users to run. As an administrator, you get granular control of specific applications, enforcing who can run and/or install them (if they have the appropriate rights and permissions).

The administration is done by group policy under Computer Configuration > Application Control Policies, but strangely enough you have to put in affected users and groups (still unclear whether or not the SYSTEM account is still excluded from SRP checks). So this is actually Computer policies that are able to hit users, like loopback or group policy preferences.

You can create multiple rule sets and take advantage of specific attributes, like app version (equal/above/below X.0.0.0), filename (executable name), product publisher (the valid root certificate used to sign), product suite (like “Microsoft Office 2007”) – and wildcards seems to be supported still.

You can control executables, installers (MSI), scripts, and DLLs, using certificates (publisher), HASH or path rules. The disadvantage of using HASH rules is, that the HASH will change if the application is updated, certificate/publisher rules are much more flexible because the signature is still going to be there (unless the developers totally mess up). So always try to go for publisher rules, certificates are here to stay :)

Can be run in 3 modes: Enforce policy, Enforce Policy using Group Policy Inheritance and Audit Only mode! The latter is pretty cool, as you can configure a Software Restriction Policy, and test it out before you go “live”.

AppLocker supports import and export of rules, which can be very useful, but one of the best new features is, that there’s no need to create all the rules manually – you have the option to “automatically generate rule”, this feature will analyze a “reference machine” (not sure if this has to be the local machine yet) and files in a given folder on that machine (not sure if this can be a share yet). You can compare this to a “snapshot” feature, take all files in this folder (and subfolders), and make an allow rule from that (certificate based preferably).

The new rule creation tools and wizards seem pretty straight forward – but you really need to think about the SRP design before you go for it, and test intensively, or else you’ll end up in serious trouble ;-)

I just can’t wait to test this deeply and bring you more information!

Previous article series on SRP:
Default Deny All Applications (Part 1)
Default Deny All Applications (Part 2)

Microsoft AppLocker description:
http://www.microsoft.com

User Account Control in Windows 7

2008-11-05T11:07:00.001+01:00

These are some quick notes from a session on UAC by Paul A. Cooke, Tech-Ed EMEA 2008:

Microsoft Windows 7 will reduce the number of OS applications and tasks, that require elevation – this has been done by re-factoring apps and tasks into elevated and non-elevated pieces.

UAC v2 will provide a more flexible prompt behavior for administrators, also administrators will see less UAC elevation prompts.

Users can do even more as standard user (eg. parts of Bitlocker, Windows Update etc.), they will also be able to ‘read’ system settings without needing to elevate.

Windows 7 will be better spotting human vs. application changes, this way “human administrator” changes will be allowed without too many prompts.

UAC can now easily be graduated into 4 levels (from the strict Vista default to totally off) - everything can of course be handled using group policy.

To me this is all pretty cool – but to be honest, I’m one of those weird guys, who don’t care about Vista UAC prompts… I just press ALT+C… How hard can it be? ;-)

I just love sharing!

2008-10-20T10:01:00.002+02:00

Just found this - using Google Alerts of course :)

I made little modifications on this script created by Jakob Heidelberg to search for printers manually created on user profiles. This is very usefull when you wanna ensure that eveybody has only auto created printers, from Citrix or ThinPrint.

This script load ntuser.dat on each profile, check some registry keys, write a log and unload ntuser.dat. Some users can have problems to load their profiles if you use this script on the same time that they try logon.

http://www.robertoalves.com/?p=58

I just love sharing!

Why does standby overrule shutdown?

2008-10-12T17:48:00.001+02:00

Well, I’m a Microsoft kinda guy – but I do have a problem with one “feature” which has been part of the Windows OS for some time…

Normally I change the default behavior under Power Setting, so that Windows does NOT start a STANDBY process when I close the lid of my laptops – but I haven’t done it on all of my machines, and under every user profile I have (and customers have the same issue).

So, what happens is, that you are done for the day, and then you start a SHUTDOWN process like normally, and then you close the laptops lid – a STANDBY process then starts – Doh!

That means, the SHUTDOWN process is put into STANDBY mode, and the next time you boot your laptop, the machine state resumes, just to finalize the SHUTDOWN process… And then you have to boot you machine to get started – hmmm, I definitely don’t like it!

So what should happen? Well, when a SHUTDOWN process had started, a STANDBY process should NOT be able to “take over” – just let me close the laptop lid and continue the already started SHUTDOWN process, thanx :)

OK, I admit that it’s only a problem when I haven’t changed the default Power Settings, but I can’t be the only human being in this world with that particular problem!?!? Why would you EVER want a SHUTDOWN process to be put into STANDBY mode?

BTW – I have seen, that Mac and Ubuntu people have the same issue on some version – don’t know if it has been fixed on those OS – I have the problem on all the different Windows systems I run on laptops.

Microsoft: IT-experts.dk online forum er nu opdateret

2008-10-02T13:05:00.000+02:00

Citat:

Microsoft Danmark tror meget på lokale danske it netværk. Vi vil gerne hjælpe danske it professionelle med at knytte professionelle forbindelser og have et forum for tekniske spørgsmål og svar, hvor ikke-Microsoft ansatte bidrager med deres perspektiver.

IT-experts.dk er et gratis online forum for danske IT professionelle. Sitet har haft stor succes med en åben stil, hvor alle medlemmer kan stille tekniske spørgsmål og dele sin viden med andre. Efter en nylig opdatering af sitet er der kommet rigtig mange nye features til, såsom RSS feeds i utallige afskygninger, blogs, OpenID og meget andet. Hvis du ikke allerede er oprettet som bruger på den nye platform, så gør det nu og her: http://it-experts.dk/medlem.

De typiske brugere er professionelle IT konsulenter, specialister, administratorer, supportere og arkitekter indenfor messaging, sikkerhed, infrastruktur, virtualisering, terminal services og lignende. Der er en overvejende hovedvægt på Microsoft platformen, men der er bestemt også plads til fokus på andre områder indenfor IT verdenen.

Bag IT-experts.dk står en række dygtige danske IT konsulenter, MVP’ere og Microsoft Technet Influenters, som yder en stor indsats for at holde sitet kørende, besvare spørgsmål, blogge, skrive artikler og lignende, alt på frivillig basis.

Vi ønsker IT-experts.dk tillykke med den nye platform og vil hermed opfordre til at deltage i det største danske Microsoft community for IT professionelle: www.it-experts.dk.

Kilde: http://blogs.technet.com/dkitpro

Windows SteadyState 2.5 is out there!

2008-07-06T16:45:00.001+02:00

This is great news - I've been writing a few articles on this baby, but now we have a brand new version available for download!!!

Go ahead and read some more:

Protect Public Computers with Windows SteadyState, Part 1

Protect Public Computers with Windows SteadyState, Part 2

Windows SteadyState 2.5 Technical FAQ

Windows SteadyState 2.5 Handbook

Download Windows SteadyState 2.5 right here!

Enjoy!

Great Vista hack... Somebody call Mr. Bitlocker!

2008-05-27T07:02:00.007+02:00

We've seen hacks like this before, no doubt about it - but it's a really nice trick which you gotta love (and hate) - check it out here!

So, basically this hack requires PHYSICAL ACCESS to the harddrive, using BackTrack (or some other boot utility capable of reading/writing NTFS) the file Utilman.Exe in \Windows\System32 is replaced with Cmd.exe - after a reboot, at the logon screen, if Utilman is called (by hitting Win-key + U) you'll get a nice command prompt running under SYSTEM credentials - pretty powerfull... From there the only limit is your imagination!

Yes, Bitlocker protects us from attacks like these - so somebody please call Mr. Bitlocker!

.

Group Policy Survival Guide

2008-04-29T09:13:00.001+02:00

Yes, it's true - there's a new GP guide out there from Microsoft...

Check it out here - it's pretty cool!

No place like 127.0.0.1

2008-04-22T14:47:00.001+02:00

So, I'm back home from a great trip to Seattle, Washington, US. The MVP Summit 2008 was a cool experience with lots of info and room for dialog with the product teams at the Microsoft Campus in Redmond.

We had some awesome talks on the future of Group Policy and I would really like to share it with you, but because of Non-Disclosure Agreements 'n' stuff I can't really say anything - yet.

Seattle is a very interesting city with a lot of great restaurants, nice architecture and friendly people. I had 2½ day to spend after the summit and even though I was missing my family Seattle took great care of me :)

Anyway, I hope to go back there next year - better prepared for jetlag (which basically means I'll travel a few days before the event next time) - but, that all depends on how much time I get to share information with you guys/girls out there... No sharing, no MVP award - that's the rule ya' know ;-)

Thanx to the GP team and the other MVPs for a great experience!

Protect Public Computers with Windows SteadyState (Part 2)

2008-04-10T23:43:00.001+02:00

This is my 2nd article that deals with the Windows SteadyState product and how use it to protect public computers!

If you haven't read part 1, please read it here...

Enjoy!

StarterGPOs available for download

2008-04-09T09:02:00.001+02:00

Microsoft introduced the concept of StarterGPOs with GPMC version 2.0 in Vista SP1 + RSAT and Windows Server 2008. The idea is that it should be easy to share Group Policy settings, read more here!

The GREAT thing is that Microsoft has now released some StarterGPO samples - go download the first shipment here!

Security White Papers & Guides for download

2008-04-05T09:34:00.001+02:00

This post gives you some links to online available White Papers and Guides from the Microsoft download site - I hope you can use some of it to analyze and protect your own network(s)!

New Security White Paper of April 2008:

"The Microsoft US National Security Team is composed of strategic security advisors who work with Microsoft customers, partners, MS internal constituencies and the information security industry to promote the adoption of security processes and technologies. The NST also focuses on driving vertical security solutions for a wide range of industries. To this end, the NST has produced a number of white papers that address the specific security needs of particular industries, such as the professional services and financial services industries."

You will find these papers:

- Electronic Signature Assurance and the Digital Chain-of-Evidence
- Enabling Secure Collaboration for Professional Services Firms
- Establishing the Foundation of Authenticity for Electronically Stored Information
- Information Protection Strategies For Financial Services
- Optimizing Branch Office Security and Productivity in the Financial Services Sector
- Secure Software Development for the Financial Services Industry
- Securing the Retail Store-Securing the Data

Go get them here!

Also, go check out the "Fundamental Computer Investigation Guide for Windows":

"The Fundamental Computer Investigation Guide for Windows Solution Accelerator is intended for IT professionals who need to effectively conduct investigations of Microsoft® Windows®–based computers in their organizations. It provides a computer investigation model as well as process and best practice information. The guide also provides a fictitious example of an investigation that involves unauthorized access to confidential information. This investigation uses the provided guidance and demonstrates the use of numerous tools. Information is also included about how to configure a lab to create the example scenario. An appendix provides information about how to prepare for computer investigations, sample worksheets, contact information for reporting different types of computer-related crimes to appropriate law enforcement agencies, and lists of useful tools."

Go get that document right here!

And finally, what about checking out the "The Security Risk Management Guide"?:

"The Security Risk Management Guide explains how to conduct each phase of a security risk management project and create an ongoing process that drives the organization towards the most useful and cost-effective controls to mitigate security risks. It incorporates real-world experiences from Microsoft IT and also includes input from Microsoft customers and partners.
This guide references many industry accepted standards for managing security risks. It is an important example of Microsoft's commitment to delivering quality guidance to help customers secure their IT infrastructures."

That document is available right here!

Enjoy...

MVP:Enterprise Security

2008-04-01T19:25:00.001+02:00

Yup, a wish came through - I'm now an MVP!

Receiving the Microsoft Most Valuable Professional Award is a great honor and much appreciated - thank you.

Sharing Rocks - Information wants to be free!

Time to get a beer :-)

Core with a GUI

2008-04-01T00:03:00.000+02:00

If you have messed around in Windows Server 2008 Core installation you've probably had some challenges along the way - like: how do I join a computer to the domain using a command prompt, how can I add Features, tweak the firewall etc. Well, a nice and very useful solution to many of the basic configuration tasks is out there - and it's free of course!

Go check out CoreConfigurator (Server Core Configurator) written by Guy Teverovsky - look how easy it is and stop acting like a geek sent back to the early 90s :-)

Download here and enjoy!

Remote Server Administration Tools Available!

2008-03-25T22:51:00.001+01:00

You can now download the RSAT toolkit for Windows Vista - go get the package right HERE (32-bit) or HERE (64-bit)...

Time to get Group Policy Preferences and all those other goodies up and running - cool stuff!

What's inside Vista Service Pack 1

2008-03-20T08:49:00.001+01:00

Well - in regards to Hotfixes and Security Updates, check out this TechNet article. To get the complete overview, read this one. The "notable changes" can be found here.

That should be enough info to get safely through Eastern :-)

Configuring Granular Password Settings in Windows Server 2008 – The Easy Way!

2008-03-19T22:48:00.001+01:00

This article will demonstrate “The Easy Way” of how to handle Granular Password Policies – also known as Fine-Grained Password Policies - in a Windows Server 2008 domain environment.

In the article series “Configuring Granular Password Settings” (part 1 & part 2) I demonstrated how to configure Granular Password Settings for individual users or global security groups in a Windows Server 2008 Active Directory environment, using built-in methods. This article will demonstrate “The Easy Way” of how to handle these additional password policies in your Windows Server 2008 domain environment... Using Specops Password Policy Basic!

Enjoy!

Easily leave users with the Least Privilege possible

2008-03-18T08:34:00.001+01:00

A new and shiny - free! - tool from BeyondTrust makes it possible for admins around the world to figure out exactly what rights different applications in the environment need to run. This kind of info is essential for removing administrative rights from users and running a "principle of least privilege" environment!

BeyondTrust® Application Rights Auditor is a totally FREE tool which profiles applications and seamlessly identifies the required permissions - very easy to implement, use and manage.

We all know, that administrative rights allow users to circumvent security policies, install unauthorized applications and make unauthorized modifications to a standard desktop configuration - let's move away from those risks... Just register, download and test out this free application - this is "low hanging fruit" giving your environment a needed security-vitamin injection!

Download the Product Sheet (PDF) right here!

A desktop component can be installed on multiple computers to transparently examine applications during execution. The reporting console gives a nice overview of applications the environment from a central point.

Reporting Console Prerequisites:
Microsoft .NET Framework 3.0 SP 1 and
Microsoft Management Console 3.0

Go for it !

Windows Server 2008 Security Guide and the new GPOAccelerator tool is out there!

2008-03-01T09:21:00.001+01:00

I participated in creation of this great guide around security on Windows Server 2008 - really, you gotta see this... Also check out the new and shiny Solution Accelerator called "GPOAccelerator" - it really rocks!

Info from Microsoft:
The primary purposes of this guide are to enable you to do the following:

Use the solution guidance to efficiently create and apply tested security baseline configurations using Group Policy.
Understand the reasoning for the security setting recommendations in the baseline configurations that the guide prescribes, and their implications.
Identify and consider common security scenarios, and then use specific security features in Windows Server 2008 to help you manage them in your environment.
Understand role based security for different workloads in Windows Server 2008.

Hardening:
The WS2008 Security Guide also includes information on how to harden the following server roles and the role services that they provide:

Active Directory Domain Services (AD DS)
Dynamic Host Configuration Protocol (DHCP) Server
Domain Name System (DNS) Server
Web Server (IIS)
File Services
Print Services
Active Directory Certificate Services (AD CS)
Network Policy and Access Services
Terminal Services

The "complete solution" from Microsoft:
The Solution Accelerator for the Windows Server 2008 Security Guide includes the following components:

Executive Overview. A summary for business and technical managers that briefly explains how you can use the guidance and the tool for this Solution Accelerator.
Security Guide. Recommended guidelines and best practices in a series of chapters that offer detailed guidance on how to harden servers running Windows Server 2008 that handle different workloads (see above).
Security Settings Recommendation Appendix. A comprehensive technical reference that explains every prescribed security setting in the security guide.
Security Settings Workbook. A resource that lists all prescribed settings for each of the preconfigured security baselines provided by the guide.
Attack Surface Reference Workbook. A resource that lists the changes that installed server roles introduce in Windows Server 2008.
GPOAccelerator. A tool that you can use to automatically create Group Policy objects (GPOs) recommended by the guide, which is available as a separate download. To learn more about the GPOAccelerator and download the tool, click here.

Where can I get this?
Windows Server 2008 Security Guide (online version)
Get the Windows Server 2008 Security Guide
Get the GPOAccelerator

Enjoy!

How to install GPP CSEs using a Startup Script

2008-03-01T01:34:00.001+01:00

When you have the Group Policy Preference (GPP) Client Side Extensions (CSE) downloaded you'll notice that they are not (yet) in the .MSI format - so using Group Policy Software Installation (GPSI) is not possible. Bummer, right!?
We have .EXE files for Windows XP/2003 and .MSU files for Windows Vista... But that's not the only thing we need to think about. Before "deploying" these things to the clients on the network we need to know the OS version (XP/2003/Vista), the OS architecture (32 or 64 bit), the Service Pack Level, and whether or not the Group Policy Preference Pre-requisites (WmlLite - http://support.microsoft.com/kb/914783/en-us) are installed.
To make all this pretty easy I've created a "demo" script for deploying the GPP CSEs using Startup Script - or a manual launch (in admin context). My good friend Jeremy Moskowitz asked me to do this - so, a couple of hours later the "demo" - or "beta" - script is public (download below)...
Note: I haven't been able to test in all scenarios yet, but I *think* they are all covered pretty well by now. Please report back if you find any problems - any feedback is welcome!
Download the VBS script right here!
NB! You might need other language version for the XmlLite GPP CSE Pre-requisites, so watch out!
Running the script in your production network is on your own risk. The code is delivered "As Is" - totally free of any charge. No strings attached.

I hope this works out nicely for you!
.