Administrative Template

Policies and Procedures for Securing XenApp

Tariq Bin Azad, in Securing Citrix Presentation Server in the Enterprise, 2008

Administrative Templates

Policy settings that appear in the Administrative Templates node of the GPO Editor are Registry settings: each setting in the hierarchy maps to a Registry value. Policies for User Configuration are written to the HKEY_CURRENT_USER (HKCU) hive, while those for Computer Configuration are written to the HKEY_LOCAL_MACHINE (HKLM) hive.

Administrative templates include settings for Windows components such as NetMeeting, Internet Explorer, Terminal Services, Windows Media Player, and Windows Update, to name a few. Other components common to both user and computer configurations include settings for user profiles, script execution, and Group Policy.

While the different policy settings between user and computer configurations are too numerous to list here, there are some key components available only for the user configuration. These include the Start Menu, Taskbar, Desktop, Control Panel, and Shared Folder settings.

URL:

https://www.sciencedirect.com/science/article/pii/B9781597492812000068

Strong Access Controls

Dr. Anton A. Chuvakin, Branden R. Williams, in PCI Compliance (2nd Edition), 2010

Setting Session Timeout and Password-Protected Screen Savers in Active Directory

Under User Configuration, go to Administrative Templates | Control Panel | Display. Double-click on Enable screen saver, click the radio button next to Enabled, and then click OK. This will enable screen savers on all client machines. Now double-click on Screen saver executable name, click the radio button next to Enabled, and in the text box type scrnsave.scr (see Fig. 5.3).

Figure 5.3. Compliant Windows 2003 Screen Saver Properties

This enables a blank screen saver on all computers in the domain. Now double-click on Password protect the screen saver, click the radio button next to Enabled, and then click OK. Last but not least, click on Screen saver timeout and then click on the radio button next to Enabled. PCI requires that idle sessions time out after no more than 15 min, which is 900 s (see Fig. 5.4).

Figure 5.4. PCI Compliant Windows 2003 Screen Saver Timeout Properties

That's all there is to it. Now all sessions on the Windows machines in your domain should time out after 15 min of inactivity and require a login to get back in. In the end, your screen should look like Fig. 5.5.

Figure 5.5. Windows 2003 Display Properties
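The four dialog settings above each write one REG_SZ value under the user policy key HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop. The following PowerShell is an added example, not code from the book: it writes the same four values into a named GPO with the GroupPolicy module (available on a domain controller or with RSAT) and then, when run on a client after gpupdate, checks that every value arrived and that the timeout is a positive number no larger than the 900 s ceiling. The GPO name is an assumption.

```powershell
# Added example, not from the book. Set-* part needs the GroupPolicy module.
$GpoName    = 'PCI - Screen Saver Lock'   # assumed name; create it first with New-GPO
$GpoKey     = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$LocalKey   = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$MaxTimeout = 900                          # PCI DSS: idle lock within 15 minutes

# The policy stores all four values as REG_SZ, hence -Type String even for numbers.
$Settings = [ordered]@{
    'ScreenSaveActive'    = '1'             # Enable screen saver
    'SCRNSAVE.EXE'        = 'scrnsave.scr'  # Screen saver executable name (blank saver)
    'ScreenSaverIsSecure' = '1'             # Password protect the screen saver
    'ScreenSaveTimeOut'   = "$MaxTimeout"   # Screen saver timeout, in seconds
}

function Set-PciScreenSaverPolicy {
    foreach ($name in $Settings.Keys) {
        Set-GPRegistryValue -Name $GpoName -Key $GpoKey -ValueName $name `
            -Type String -Value $Settings[$name] | Out-Null
    }
}

# Audit on a client: every value must be present and the timeout must be within
# 1..900 seconds. Returns 'COMPLIANT' or the list of findings.
function Test-PciScreenSaverPolicy {
    $applied  = Get-ItemProperty -Path $LocalKey -ErrorAction SilentlyContinue
    $findings = @()
    foreach ($name in $Settings.Keys) {
        $prop   = if ($applied) { $applied.PSObject.Properties[$name] } else { $null }
        $actual = if ($prop) { $prop.Value } else { $null }
        if ($null -eq $actual) { $findings += "$name is not set by policy"; continue }
        if ($name -eq 'ScreenSaveTimeOut') {
            $seconds = 0
            if (-not [int]::TryParse([string]$actual, [ref]$seconds) -or
                $seconds -le 0 -or $seconds -gt $MaxTimeout) {
                $findings += "ScreenSaveTimeOut is '$actual'; must be 1..$MaxTimeout"
            }
        } elseif ($actual -ne $Settings[$name]) {
            $findings += "$name is '$actual', expected '$($Settings[$name])'"
        }
    }
    if ($findings.Count -eq 0) { 'COMPLIANT' } else { $findings }
}

Set-PciScreenSaverPolicy      # run where the GroupPolicy module is available
Test-PciScreenSaverPolicy     # run on a client after 'gpupdate /force'
```

The audit deliberately accepts any timeout between 1 and 900 rather than only the literal 900, because an assessor cares about the ceiling, not the exact figure; a value of 0 would disable the timeout entirely, which is why it is rejected.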

URL:

https://www.sciencedirect.com/science/article/pii/B9781597494991000106

Microsoft Vista: Data Protection

In Microsoft Vista for IT Security Professionals, 2007

Controlling Device Use

Once you've controlled the installation and upgrading of device drivers for your users and your administrators, you may want to go further and control the use of the devices whose drivers you have allowed to be deployed.

The "big whammy" setting is All Removable Storage classes: Deny all access. Enable this setting and (after a reboot if the devices are currently in use) all removable storage is inaccessible to the OU, computer or user, on which you enable it.

None of these settings applies to processes running in the SYSTEM context, such as the aforementioned ReadyBoost technology.

All of the settings listed in Table 5.2 reside under the Group Policy subtree Computer Configuration | Administrative Templates | System | Removable Storage Access. You can also apply these settings to users under User Configuration | Administrative Templates | System | Removable Storage Access.

Table 5.2. Group Policy Objects Controlling Device Use

Policy Name: All Removable Storage classes: Deny all access
  Enabled: All removable storage devices are inaccessible, for write or read.
  Disabled (default): Removable storage devices are subject to class-specific settings.

Policy Name: All Removable Storage classes: Allow direct access in remote sessions
  Enabled: Removable storage devices can be accessed by remote sessions.
  Disabled (default): Removable storage devices may not be accessed by remote sessions.

Policy Name: CD and DVD: Deny read access
  Enabled: Read access to CD/DVD storage devices is denied.
  Disabled (default): CD/DVD storage devices may be read from.

Policy Name: CD and DVD: Deny write access
  Enabled: Write access to CD/DVD burning devices is denied.
  Disabled (default): CD/DVD burning devices are writeable.

Policy Name: Custom Classes: Deny read access
  Enabled: A list of class GUIDs must be provided; read access to devices matching the listed classes is denied.
  Disabled (default): There is no custom list of GUIDs for which read access is denied.

Policy Name: Custom Classes: Deny write access
  Enabled: A list of class GUIDs must be provided; write access to devices matching the listed classes is denied.
  Disabled (default): There is no custom list of GUIDs for which write access is denied.

Policy Name: Floppy Drives: Deny read access
  Enabled: Floppy drives may not be read from.
  Disabled (default): Floppy drives may be read from.

Policy Name: Floppy Drives: Deny write access
  Enabled: Floppy drives may not be written to.
  Disabled (default): Floppy drives may be written to.

Policy Name: Removable Disks: Deny read access
  Enabled: Removable disks may not be read from.
  Disabled (default): Removable disks may be read from.

Policy Name: Removable Disks: Deny write access
  Enabled: Removable disks may not be written to.
  Disabled (default): Removable disks may be written to.

Policy Name: Tape Drives: Deny read access
  Enabled: Tape drives may not be read from.
  Disabled (default): Tape drives may be read from.

Policy Name: Tape Drives: Deny write access
  Enabled: Tape drives may not be written to.
  Disabled (default): Tape drives may be written to.

Policy Name: WPD Devices: Deny read access
  Enabled: Devices marked as "Windows Portable Devices" (WPD) may not be read from. This includes mobile phones, media players, cameras, and so on (i.e., devices that do more than just provide storage).
  Disabled (default): WPDs may be read from.

Policy Name: WPD Devices: Deny write access
  Enabled: WPDs may not be written to.
  Disabled (default): WPDs may be written to.

Policy Name: Time (in seconds) to force reboot
  Enabled: The time to wait for a resource currently being accessed before rebooting the system to force a change in this set of policies to be applied.
  Disabled (default): If a removable storage device is currently in use, and policy changes cannot be applied as a result, the policy change will not take effect.

Tools and Traps…

Group Policy Restrictions Don't Apply at Boot Time

Group Policy restrictions such as those in Table 5.2 apply only to access from within Windows. If you deny read access to CD and DVD drives, you have not protected your systems against being booted from a CD-ROM or DVD-ROM. To do that, you must alter the basic input/output system (BIOS) settings, and protect those BIOS settings with a BIOS password.
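The policies in Table 5.2 are applied to a client as values under HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices: Deny_All at the top of the key for the "All Removable Storage classes" setting and Deny_Read, Deny_Write or Deny_All under one subkey per device class GUID. The following PowerShell is an added example, not code from the book, that reads those values on a client and reports the effective restriction per class. The class GUID labels are an assumption taken from memory of the Removable Storage ADMX; verify them against your own template before relying on the names.

```powershell
# Added example, not from the book. Run on a client (HKLM side) after gpupdate.
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Class GUIDs assumed from the RemovableStorage ADMX; verify against your copy.
$KnownClasses = @{
    '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}' = 'CD and DVD'
    '{53f56311-b6bf-11d0-94f2-00a0c91efb8b}' = 'Floppy Drives'
    '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' = 'Removable Disks'
    '{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}' = 'Tape Drives'
    '{6AC27878-A6FA-4155-BA85-F98F491D4F33}' = 'WPD Devices'
    '{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}' = 'WPD Devices'
}

function Get-RemovableStorageRestriction {
    if (-not (Test-Path $Base)) {
        return [pscustomobject]@{ Class = '(none)'; Note = 'No removable storage policy applied' }
    }
    $root = Get-ItemProperty -Path $Base
    # 'All Removable Storage classes: Deny all access' overrides every class setting.
    if ($root.Deny_All -eq 1) {
        return [pscustomobject]@{ Class = 'All classes'; Note = 'Deny all access is Enabled' }
    }
    foreach ($key in Get-ChildItem -Path $Base) {
        $p     = Get-ItemProperty -Path $key.PSPath
        $guid  = $key.PSChildName
        $label = if ($KnownClasses.ContainsKey($guid)) { $KnownClasses[$guid] } else { "Custom class $guid" }
        [pscustomobject]@{
            Class     = $label
            DenyRead  = ($p.Deny_Read  -eq 1)
            DenyWrite = ($p.Deny_Write -eq 1)
            DenyAll   = ($p.Deny_All   -eq 1)
        }
    }
}

Get-RemovableStorageRestriction | Format-Table -AutoSize
```

As the Tools and Traps box says, a clean report here says nothing about boot-time access; the BIOS boot order and BIOS password still have to be checked separately.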

URL:

https://www.sciencedirect.com/science/article/pii/B9781597491396500091

Implementing Virtual Profiles into the Virtual Desktop

Gareth R. James, in Citrix XenDesktop Implementation, 2010

Configure Virtual Profiles – Step by Step

1.

From the Run command, execute gpedit.msc.

2.

Under Computer Configuration, right-click on Administrative Templates – select Add/Remove Templates… as shown in Figure 12.12.

Figure 12.12. Microsoft Group Policy editor.

3.

Click Add… and browse to the Profile Management folder as shown in Figure 12.13.

Figure 12.13. Add/Remove Templates dialog box.

4.

Select ctxprofile2.1.0.adm – Open, as shown in Figure 12.14.

Figure 12.14. Browse to the ctxprofile2.1.0.adm file.

5.

Select Enable Profile management – set to Enabled as shown in Figure 12.15.

Figure 12.15. Citrix folder in the Group Policy Management Console.

6.

Select Path to user store.

7.

Set the path and click OK as shown in Figure 12.16.

Figure 12.16. Path to user store properties.

The default location is in the user's home directory, under the Windows subdirectory. For a proof of concept or pilot, you may want to isolate the virtual desktop environment from the current environment. In this case, use the following syntax: \\fileserver\sharename\%username%.

%username% is an environment variable that resolves to the user's logon name. The security settings for the "sharename" folder need to include Full Control for Creator Owner.

Profile Management uses the user's logon credentials to read from and write to the share, and one of the most common issues with Profile Management is simple file/folder permissions.

By default, all of the standard profile settings are now saved to the specified location.
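Creator Owner Full Control is necessary but not sufficient: if the group of desktop users is also given broad rights on the share root, every user can read every other user's profile folder. The following PowerShell is an added example, not code from the book, that builds the user store root with a least-privilege NTFS ACL: users may list the root and create their own %username% folder, Creator Owner receives Full Control on subfolders and files only, and nothing is inherited onto other users' folders. The local path and the group name are assumptions.

```powershell
# Added example, not from the book. Run on the file server as an administrator.
$StoreRoot  = 'D:\UserStore'            # assumed; shared as \\fileserver\sharename
$UsersGroup = 'DOMAIN\Profile-Users'    # assumed group of virtual desktop users

function Initialize-UserStoreAcl {
    param([string]$Path = $StoreRoot, [string]$Group = $UsersGroup)

    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl -Path $Path

    # Stop inheriting from the parent and drop any explicit ACEs already present.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRule($rule) | Out-Null
    }

    $full        = [System.Security.AccessControl.FileSystemRights]::FullControl
    $allow       = [System.Security.AccessControl.AccessControlType]::Allow
    $both        = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    $noInherit   = [System.Security.AccessControl.InheritanceFlags]::None
    $none        = [System.Security.AccessControl.PropagationFlags]::None
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    # Administrators and SYSTEM: Full Control on this folder, subfolders and files.
    foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, $full, $both, $none, $allow)))
    }
    # Creator Owner: Full Control on subfolders and files only, so each user owns the
    # %username% folder Profile Management creates for them and nothing else.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'CREATOR OWNER', $full, $both, $inheritOnly, $allow)))
    # Desktop users: just enough on the root to list it and create their own folder;
    # no inheritance, so the group gets no rights inside other users' folders.
    $userRights = [System.Security.AccessControl.FileSystemRights]'ListDirectory,CreateDirectories,ReadAttributes,ReadPermissions'
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, $userRights, $noInherit, $none, $allow)))

    Set-Acl -Path $Path -AclObject $acl
    (Get-Acl -Path $Path).Access |
        Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
}

Initialize-UserStoreAcl
```

The SMB share permission for the group still needs to allow Change; the NTFS ACL above is what keeps one user out of another's profile. If a pilot user reports a profile that never saves, compare the effective permissions on \\fileserver\sharename\%username% against this layout before looking anywhere else.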

URL:

https://www.sciencedirect.com/science/article/pii/B9781597495820000129

Mitigating Network Vulnerabilities

Thomas W. Shinder, ... Debra Littlejohn Shinder, in Windows Server 2012 Security from End to Edge and Beyond, 2013

Define the Address Space of Your Intranet Network

1.

In the Group Policy Management snap-in (gpmc.msc), open the Default Domain Policy.

2.

From the Group Policy Management Editor, expand Computer Configuration, Policies, Administrative Templates, Network and then click Network Isolation.

3.

In the right pane, double-click Private network ranges for apps.

4.

In the Private network ranges for apps dialog box, click Enabled. In the Private subnets text box, type the private subnets for your intranet (separated by commas).

5.

Double-click Subnet definitions are authoritative. Click Enabled if you want the subnet definitions that you previously created to be the single source for your subnet definition.
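Whatever is typed into the Private subnets box becomes the set of addresses that apps with the "Private Networks" capability are allowed to reach, so a typo that names a public range quietly widens that trust. The following PowerShell is an added example, not code from the book: it validates the list as IPv4 CIDR and refuses anything outside RFC 1918 space, then writes both settings from steps 4 and 5 into a GPO. The GPO name is an assumption, and the Registry value names DomainSubnets and DomainSubnetsAuthoritative under HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation are assumed from the ADMX; verify them against your template.

```powershell
# Added example, not from the book. Requires the GroupPolicy module for the Set-* part.
$GpoName = 'Network Isolation - Intranet'   # assumed; prefer a dedicated GPO over Default Domain Policy
$Key     = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation'

# RFC 1918 private address space; anything outside it is almost certainly a mistake here.
$Rfc1918 = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')

function ConvertTo-AddressNumber ([string]$Address) {
    $b = ([ipaddress]$Address).GetAddressBytes()
    [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}

# True when every address of $Inner lies within $Outer.
function Test-SubnetInside ([string]$Inner, [string]$Outer) {
    $iAddr, $iBits = $Inner -split '/'
    $oAddr, $oBits = $Outer -split '/'
    if ([int]$iBits -lt [int]$oBits) { return $false }
    $mask = [long]4294967296 - [long][math]::Pow(2, 32 - [int]$oBits)
    ((ConvertTo-AddressNumber $iAddr) -band $mask) -eq ((ConvertTo-AddressNumber $oAddr) -band $mask)
}

function Test-IntranetSubnetList ([string[]]$Subnets) {
    $problems = @()
    foreach ($s in $Subnets) {
        if ($s -notmatch '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$') { $problems += "$s is not IPv4 CIDR"; continue }
        $addr, $bits = $s -split '/'
        if ([int]$bits -gt 32 -or ($addr -split '\.' | Where-Object { [int]$_ -gt 255 })) {
            $problems += "$s is not a valid IPv4 prefix"; continue
        }
        $private = $false
        foreach ($r in $Rfc1918) { if (Test-SubnetInside $s $r) { $private = $true } }
        if (-not $private) { $problems += "$s is outside RFC 1918 space" }
    }
    $problems
}

function Set-IntranetSubnetPolicy ([string[]]$Subnets) {
    $problems = Test-IntranetSubnetList $Subnets
    if ($problems) { throw ("Refusing to write policy:`n" + ($problems -join "`n")) }
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'DomainSubnets' `
        -Type String -Value ($Subnets -join ',') | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'DomainSubnetsAuthoritative' `
        -Type DWord -Value 1 | Out-Null
}

# Constructed input: two real intranet ranges and one typo that names a public /24.
Test-IntranetSubnetList @('10.20.0.0/16', '192.168.1.0/24', '8.8.8.0/24')
Set-IntranetSubnetPolicy @('10.20.0.0/16', '192.168.1.0/24')
```

The first call reports "8.8.8.0/24 is outside RFC 1918 space"; the second writes the two good ranges and sets the authoritative flag so that the host's own subnet discovery does not extend the list. If your intranet legitimately uses public address space, extend $Rfc1918 rather than removing the check.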

URL:

https://www.sciencedirect.com/science/article/pii/B978159749980400011X

Microsoft Vista: Trusted Platform Module Services

In Microsoft Vista for IT Security Professionals, 2007

Preparing Your Longhorn Domain Controllers

The process of preparing your Windows Server 2007 domain controllers (Longhorn Server, which shipped as Windows Server 2008) in an all-Longhorn environment is much simpler. There is no need to upgrade the Active Directory schema. The only things missing from these domain controllers are the administrative templates that display the relevant Group Policy settings in the Group Policy Management MMC. Actually, they're not missing entirely. They are installed in the %systemroot%\PolicyDefinitions folder on both Windows Vista and Windows Server 2007 systems, where the Local Computer Policy reads them from.

All we need to do is copy them to the central store, which is part of SYSVOL, so that they are replicated to all domain controllers and are available for domain GPOs. We need to make sure we copy both the administrative templates (.admx) and the language-specific files (.adml). For English, execute the following commands from a command prompt:

C:\>xcopy C:\WINDOWS\PolicyDefinitions\* C:\WINDOWS\SYSVOL\domain\policies\PolicyDefinitions\
C:\>xcopy C:\WINDOWS\PolicyDefinitions\EN-US\* C:\WINDOWS\SYSVOL\domain\policies\PolicyDefinitions\EN-US\

When the files have been copied, you may need to wait for replication to distribute this change throughout your network. However, on the domain controller on which you just performed the copy, you can start using the Group Policy Object Editor to create a GPO right away.
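The two xcopy commands overwrite whatever is already in the central store, which matters once the store exists and has been updated from a newer client. The following PowerShell is an added example, not code from the book: it creates the central store through the domain's replicated SYSVOL path, copies each .admx with its en-US .adml, and skips any template whose revision attribute in the store is already newer than the local copy. The language folder name is an assumption.

```powershell
# Added example, not from the book. Run on a domain-joined machine as a domain admin.
$Source = Join-Path $env:SystemRoot 'PolicyDefinitions'
$Domain = $env:USERDNSDOMAIN
$Store  = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"   # replicated to every DC
$Lang   = 'en-US'                                                 # assumed language folder

# Every ADMX root element carries a revision="x.y" attribute; treat a missing one as 0.0.
function Get-AdmxRevision ([string]$Path) {
    try {
        $rev = ([xml](Get-Content -Path $Path -Raw)).policyDefinitions.revision
        if ($rev) { [version]$rev } else { [version]'0.0' }
    } catch { [version]'0.0' }
}

function Publish-CentralStore {
    foreach ($dir in $Store, (Join-Path $Store $Lang)) {
        if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    }
    $copied = 0; $skipped = 0
    foreach ($admx in Get-ChildItem -Path $Source -Filter *.admx) {
        $target = Join-Path $Store $admx.Name
        if ((Test-Path $target) -and ((Get-AdmxRevision $target) -gt (Get-AdmxRevision $admx.FullName))) {
            $skipped++; continue     # the store already holds a newer template; keep it
        }
        Copy-Item -Path $admx.FullName -Destination $target -Force
        $adml = Join-Path (Join-Path $Source $Lang) ($admx.BaseName + '.adml')
        if (Test-Path $adml) {
            Copy-Item -Path $adml -Destination (Join-Path $Store $Lang) -Force
        }
        $copied++
    }
    [pscustomobject]@{ Store = $Store; Copied = $copied; SkippedNewerInStore = $skipped }
}

Publish-CentralStore
```

Once PolicyDefinitions exists in SYSVOL, the Group Policy editor on every machine in the domain reads templates from the store and ignores its local folder, so a stale store hides settings everywhere at once; that is why the copy refuses to replace a newer template.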

URL:

https://www.sciencedirect.com/science/article/pii/B978159749139650008X

Controlling Access to Your Environment with Authentication and Authorization

Thomas W. Shinder, ... Debra Littlejohn Shinder, in Windows Server 2012 Security from End to Edge and Beyond, 2013

Picture Password Management Problems

Remember that you can only use Picture Password for local logon. That means you cannot use it over an RDP session.

If you do not want users to use Picture Password, you can use a Group Policy setting to block this feature. Use the computer Group Policy setting Turn off picture password sign-in, which is under the Administrative Templates\System\Logon node of the Group Policy Management Editor. This is the only Picture Password Group Policy option available, and you cannot use Group Policy to modify how Picture Password works beyond this option.

There is no logging of the specifics of the Picture Password. There is no log entry that contains the name of the picture file or that gives any indication of the gestures that were used with the picture.

What if your users forget their gestures? They can sign in using a user name and password, then go back into the Picture Password enrollment application. From there, they can click the Replay button. At that point, the user will be shown the Picture Password and asked to confirm the existing gestures. They also have the option to resample the gestures, which gives them a new Picture Password, as shown in Figure 7.10.

Figure 7.10. Picture password.

URL:

https://www.sciencedirect.com/science/article/pii/B9781597499804000078

Microsoft Windows Server 2008

Aaron Tiensivu, in Securing Windows Server 2008, 2008

Enabling Group Policy Settings for BitLocker and TPM Active Directory Backup

Here are the steps to follow to configure Group Policies for clients and servers to use BitLocker Active Directory Backup.

1

Log on with a domain administrator account to any Domain Controller.

2

Click Start, click All Programs, click Administrative Tools, and then click Group Policy Management.

3

In the Group Policy Management Console, expand the forest tree down to the domain level.

4

Right-click the Default Domain Policy and select Edit.

5

In the Group Policy Management Editor, open Computer Configuration, open Administrative Templates, open Windows Components, and then open BitLocker Drive Encryption.

6

In the right pane, double-click Turn on BitLocker backup to Active Directory Domain Services.

7

Select the Enabled option, select Require BitLocker backup to AD DS, and click OK.

To further enable storage of TPM recovery data:

8

Open Computer Configuration, open Administrative Templates, open System, and then open Trusted Platform Module Services.

9

In the right pane, double-click Turn on TPM backup to Active Directory Domain Services.

10

Select the Enabled option, select Require TPM backup to AD DS, and click OK.

Warning

In this example, we use the Default Domain Policy to configure Active Directory backup for BitLocker and TPM recovery data. However, in a real-world scenario you would create a new GPO that contains only BitLocker-specific settings!
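Following the warning, the same four settings can be placed in a dedicated GPO rather than the Default Domain Policy. The following PowerShell is an added example, not code from the book: it creates (or reuses) a GPO, writes the BitLocker and TPM backup values with the GroupPolicy module, links it to an OU, and reads the values back out of the GPO as a check. The GPO name and OU are assumptions, and the value names ActiveDirectoryBackup and RequireActiveDirectoryBackup under HKLM\SOFTWARE\Policies\Microsoft\FVE and HKLM\SOFTWARE\Policies\Microsoft\TPM are assumed from the ADMX files; verify them against yours.

```powershell
# Added example, not from the book. Requires the GroupPolicy module (RSAT or a DC).
$GpoName  = 'BitLocker and TPM AD DS Backup'          # assumed
$TargetOu = 'OU=Workstations,DC=example,DC=com'        # assumed
$Keys     = @{
    FVE = 'HKLM\SOFTWARE\Policies\Microsoft\FVE'       # BitLocker Drive Encryption policies
    TPM = 'HKLM\SOFTWARE\Policies\Microsoft\TPM'       # Trusted Platform Module Services policies
}
$Values   = 'ActiveDirectoryBackup', 'RequireActiveDirectoryBackup'   # "Turn on" + "Require"

function New-BitLockerBackupGpo {
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $GpoName -Comment 'Require escrow of BitLocker and TPM recovery data in AD DS'
    }
    foreach ($key in $Keys.Values) {
        foreach ($v in $Values) {
            Set-GPRegistryValue -Name $GpoName -Key $key -ValueName $v -Type DWord -Value 1 | Out-Null
        }
    }
    $linked = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
    if (-not $linked) { New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null }
    $gpo
}

# Read the settings back from the GPO itself rather than trusting that the writes succeeded.
function Test-BitLockerBackupGpo {
    foreach ($name in $Keys.Keys) {
        foreach ($v in $Values) {
            $r = Get-GPRegistryValue -Name $GpoName -Key $Keys[$name] -ValueName $v -ErrorAction SilentlyContinue
            [pscustomobject]@{ Policy = $name; Value = $v; Enabled = ($r.Value -eq 1) }
        }
    }
}

New-BitLockerBackupGpo | Out-Null
Test-BitLockerBackupGpo | Format-Table -AutoSize
```

With the Require options set, a client that cannot reach a writable domain controller refuses to turn BitLocker on or take TPM ownership rather than proceeding without escrow, so test the link on a pilot OU where that failure mode is visible before widening it.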

URL:

https://www.sciencedirect.com/science/article/pii/B9781597492805000055

USB Device Overflow

Brian Anderson, Barbara Anderson, in Seven Deadliest USB Attacks, 2010

Group Policy

If you are an administrator of a Windows environment, you may decide that the best approach for your workplace would be to disable drivers for external components on all machines without having to make a change to each system. You may also want to disable certain drive types only for specific groups of computers within your network. Windows Server 2003 does not include this policy by default, and you will need to create a custom administrative template. The procedures outlined below were performed on a Windows Vista Ultimate system but should be similar to those experienced in a Windows 2003 domain environment.

Tip

You must authenticate with administrative privileges in order to use the Group Policy Editor.

Open Notepad, enter the following text into a file, and save it with an .adm extension (for example, File.adm). If you would like to cut and paste this information into Notepad, it is available on the Microsoft Web site.

CLASS MACHINE
CATEGORY !!category
  CATEGORY !!categoryname
    POLICY !!policynameusb
      KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
      EXPLAIN !!explaintextusb
      PART !!labeltextusb DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY

    POLICY !!policynamecd
      KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
      EXPLAIN !!explaintextcd
      PART !!labeltextcd DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 1 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY

    POLICY !!policynameflpy
      KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
      EXPLAIN !!explaintextflpy
      PART !!labeltextflpy DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY

    POLICY !!policynamels120
      KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
      EXPLAIN !!explaintextls120
      PART !!labeltextls120 DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY
  END CATEGORY
END CATEGORY

[strings]
category="Custom Policy Settings"
categoryname="Restrict Drives"
policynameusb="Disable USB"
policynamecd="Disable CD-ROM"
policynameflpy="Disable Floppy"
policynamels120="Disable High Capacity Floppy"
explaintextusb="Disables the computer's USB storage devices by disabling the usbstor.sys driver"
explaintextcd="Disables the computer's CD-ROM drive by disabling the cdrom.sys driver"
explaintextflpy="Disables the computer's floppy drive by disabling the flpydisk.sys driver"
explaintextls120="Disables the computer's high capacity floppy drive by disabling the sfloppy.sys driver"
labeltextusb="Disable USB Ports"
labeltextcd="Disable CD-ROM Drive"
labeltextflpy="Disable Floppy Drive"
labeltextls120="Disable High Capacity Floppy Drive"
Enabled="Enabled"
Disabled="Disabled"

Each policy in the template edits the Start value of one driver service: the "Disabled" item restores the driver's normal start type (3 for USBSTOR, Flpydisk and Sfloppy, 1 for Cdrom), and the "Enabled" item sets it to 4 (SERVICE_DISABLED) so the driver is never loaded. The steps below outline how to add a template allowing the disabling of typical removable device drivers using the Group Policy Editor. These procedures assume you already have the Group Policy Editor installed on the target machine.

1.

Click Start, then Run, and type gpedit.msc.

2.

Browse to locate the Computer Configuration object, as seen in Figure 4.3.

FIGURE 4.3. Group Policy Editor

3.

Right-click Administrative Templates and choose Add/Remove Templates.

4.

Click the Add button in the lower-left corner of the pane provided, as seen in Figure 4.4.

Figure 4.4. Group Policy Editor: Add/Remove Templates

5.

Browse to locate the .adm file you just created and select Open.

6.

Highlight Administrative Templates again and then, in the View menu, click Filtering.

7.

Clear the check mark next to Only show policy settings that can be fully managed, as seen in Figure 4.5, and then press OK. (The template writes to HKLM\SYSTEM\CurrentControlSet\Services rather than to a Policies key, so the editor treats its settings as preferences and hides them until this filter is cleared.)

Figure 4.5. Group Policy Editor: Filtering

8.

Under Computer Configuration, go to Administrative Templates\Classic Administrative Templates\Custom Policy Settings\Restrict Drives. You should now see the policy entries that were just created in the right pane, as seen in Figure 4.6.

Figure 4.6. Group Policy Editor: Restrict Drives

9.

Double-click the drive type you would like to disable. Click Enabled, then select Enabled in the drop-down list to disable the USB port in the policy setting, as seen in Figure 4.7.

Figure 4.7. Group Policy Editor: Disable USB Properties

You have now created a custom policy that will allow you to regulate the computers that are members of your domain. Apply the policy to the appropriate containers that contain the target systems in order to enable the enforcement. Be mindful when making such a sudden and drastic change to your environment. Proper requirements gathering should be done prior to implementing any sort of corporate- or domain-wide policy to ensure you don't break functionality that is deemed critical to the business. Rigorous testing should also be done on all relevant systems to ensure compliance and compatibility. Also keep in mind that this policy will not be enforced on standalone systems or alternate operating systems that are not part of the domain. It will also not apply to the respective devices that are currently installed on the target systems. Because these settings are preferences rather than true policies, they tattoo the Registry: the Start values stay in place after the GPO is unlinked and must be reset explicitly.
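Before the template is linked domain-wide, it is worth confirming on one machine what the four Start values currently are and what the policy will change them to. The following PowerShell is an added example, not code from the book: it reports each driver's Start value against the defaults the template assumes, and can apply the same Start=4 change locally, which is the direct equivalent of choosing Enabled in the template's drop-down.

```powershell
# Added example, not from the book. Mirrors the .adm template's Start values.
$Drivers = @{
    'USBSTOR'  = @{ Normal = 3; Label = 'USB storage (usbstor.sys)' }
    'cdrom'    = @{ Normal = 1; Label = 'CD-ROM (cdrom.sys)' }
    'flpydisk' = @{ Normal = 3; Label = 'Floppy (flpydisk.sys)' }
    'sfloppy'  = @{ Normal = 3; Label = 'High capacity floppy (sfloppy.sys)' }
}
$Disabled = 4   # SERVICE_DISABLED: the kernel never loads the driver

function Get-RemovableDriverState {
    foreach ($name in $Drivers.Keys) {
        $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
        if ($null -eq $start)                          { $state = 'driver not present' }
        elseif ($start -eq $Disabled)                  { $state = 'blocked (Start=4)' }
        elseif ($start -eq $Drivers[$name].Normal)     { $state = 'default (allowed)' }
        else                                           { $state = 'non-default value' }
        [pscustomobject]@{ Driver = $Drivers[$name].Label; Start = $start; State = $state }
    }
}

# Apply the block locally; with -WhatIf it only reports what it would change.
function Disable-RemovableDriver ([string[]]$Names, [switch]$WhatIf) {
    foreach ($name in $Names) {
        if (-not $Drivers.ContainsKey($name)) { Write-Warning "$name is not a driver this script manages"; continue }
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (-not (Test-Path $key)) { Write-Warning "$key does not exist"; continue }
        if ($WhatIf) { "Would set $key\Start = $Disabled ($($Drivers[$name].Label))"; continue }
        Set-ItemProperty -Path $key -Name Start -Value $Disabled -Type DWord
    }
}

Get-RemovableDriverState | Format-Table -AutoSize
Disable-RemovableDriver -Names 'USBSTOR' -WhatIf
```

A "non-default value" result usually means another product or a prior manual change already manages that driver; find out which before the template silently overrides it. As the text notes, devices already installed when the value changes are unaffected until they are removed and the driver would have to load again.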

URL:

https://www.sciencedirect.com/science/article/pii/B9781597495530000044

Security Guidance for Citrix XenApp Server

Tariq Bin Azad, in Securing Citrix Presentation Server in the Enterprise, 2008

Shadowing through Group Policy Objects

Like many other Windows settings for Terminal Services, remote control (shadowing) settings can be configured through Group Policy as shown in Figure 5.8. To configure remote control in a Group Policy Object (GPO) in Active Directory, you need to navigate to Computer Configuration | Administrative Templates | Windows Components | Terminal Services. In the Terminal Services folder you'll find the option, Set rules for remote control of Terminal Services user sessions. (The same policy exists in the User Configuration tree. Whether you want to use the Computer Configuration or User Configuration depends on how you choose to apply your policy.) Again, here you have the ability to enable or disable remote control, specify notification, and specify what level of control is allowed for the session.

Figure 5.8. Configuring Shadowing via Group Policy
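The policy stores its choice as a single DWORD named Shadow under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services (or the HKCU equivalent for the User Configuration version): 0 disables remote control, 1 and 3 require the user's permission for full control and view respectively, and 2 and 4 grant the same without asking. The following PowerShell is an added example, not code from the book, that reads both scopes on a server and flags the two silent modes, since an administrator able to watch or drive a session without the user knowing is the setting an auditor will ask about.

```powershell
# Added example, not from the book. Run on the Terminal Services / XenApp server.
$Levels = @{
    0 = 'No remote control allowed'
    1 = "Full Control with user's permission"
    2 = "Full Control without user's permission"
    3 = "View Session with user's permission"
    4 = "View Session without user's permission"
}
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'   # Computer Configuration
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'   # User Configuration
)

function Get-ShadowPolicy {
    foreach ($key in $PolicyKeys) {
        $shadow = (Get-ItemProperty -Path $key -Name Shadow -ErrorAction SilentlyContinue).Shadow
        if ($null -eq $shadow) { continue }
        $scope   = if ($key -like 'HKLM:*') { 'Computer' } else { 'User' }
        $meaning = if ($Levels.ContainsKey([int]$shadow)) { $Levels[[int]$shadow] } else { 'unknown value' }
        [pscustomobject]@{
            Scope         = $scope
            Shadow        = [int]$shadow
            Meaning       = $meaning
            SilentControl = ([int]$shadow -in 2, 4)   # no notification to the user
        }
    }
}

$result = Get-ShadowPolicy
if (-not $result) {
    'Shadowing is not set by Group Policy; the per-connection Terminal Services settings apply'
}
$result | Format-Table -AutoSize
```

When both scopes are present, the Computer Configuration value wins for that server, which is the usual reason a user-level policy appears not to take effect.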

URL:

https://www.sciencedirect.com/science/article/pii/B9781597492812000056