Source: Microsoft Download Center, http://www.microsoft.com/downloads/details.aspx?FamilyID=A46F1DBE-760C-4807-A82F-4F02AE3C97B0&displaylang=en

How to Use the GPOAccelerator

Version 3.0

Published: November 2007 | Updated: February 2008

For the latest information, please see

microsoft.com/solutionaccelerators

Copyright © 2008 Microsoft Corporation. All rights reserved. Complying with the applicable copyright laws is your responsibility. By using or providing feedback on this documentation, you agree to the license agreement below.

If you are using this documentation solely for non-commercial purposes internally within YOUR company or organization, then this documentation is licensed to you under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

This documentation is provided to you for informational purposes only, and is provided to you entirely "AS IS". Your use of the documentation cannot be understood as substituting for customized service and information that might be developed by Microsoft Corporation for a particular user based upon that user's particular environment. To the extent permitted by law, MICROSOFT MAKES NO WARRANTY OF ANY KIND, DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY DAMAGES OF ANY TYPE IN CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM.

Microsoft may have patents, patent applications, trademarks, or other intellectual property rights covering subject matter within this documentation. Except as provided in a separate agreement from Microsoft, your use of this document does not give you any license to these patents, trademarks or other intellectual property.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious.

Microsoft, Access, Active Directory, ActiveX, Excel, InfoPath, Internet Explorer, Outlook, PowerPoint, Visual Basic, Windows, Windows Server, Windows Vista, and Windows XP are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

You have no obligation to give Microsoft any suggestions, comments or other feedback ("Feedback") relating to the documentation. However, if you do provide any Feedback to Microsoft then you provide to Microsoft, without charge, the right to use, share and commercialize your Feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software or service that includes the Feedback. You will not give Feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your Feedback in them.

Contents

Overview
   What the GPOAccelerator Does
   Who Should Read This Guide
   How to Use the GPOAccelerator in Your Environment
      Prescribed Security Baseline Environments
      Using the /LAB Option to Evaluate the Security Guide Settings
   Chapter Descriptions
   Acknowledgments

Chapter 1: GPOAccelerator Command-Line Options and User Interface
   The Group Policy Management Console
   Two Different Security Environments
   Options for the GPOAccelerator
   Common GPOAccelerator Commands
   GPOAccelerator User Interface

Chapter 2: Using the GPOAccelerator with Windows Server 2008
   Implementing the Security Policies
      Implementation Tasks
      The GPOAccelerator Tool
      Security Templates
      Subdirectories and Files
   More Information

Chapter 3: Using the GPOAccelerator with Windows Vista
   Implementing the Security Policies
      Implementation Tasks
      The GPOAccelerator Tool
      Security Templates
      Subdirectories and Files
   More Information

Chapter 4: Using the GPOAccelerator with Windows XP
   Implementing the Security Policies
      Implementation Tasks
      The GPOAccelerator Tool
      Security Templates
      Subdirectories and Files
   More Information

Chapter 5: Using the GPOAccelerator with the 2007 Microsoft Office Release
   Using the GPOAccelerator to Test and Deploy Your Office Security Guide GPO Design
      Design Test Tasks
   Deploying the Design in a Production Environment

Index

Overview

This guide will help you test and deploy the security settings that are defined in the following security guides:

Windows XP Security Guide

Windows Vista Security Guide

Windows Server 2008 Security Guide

2007 Microsoft Office Security Guide

Each security guide provides recommendations and a methodology to help secure computers that run these Microsoft products. The methodology involves the use of Group Policy in an environment that uses Active Directory® Domain Services (AD DS). Group Policy objects (GPOs) are collections of settings that you can apply to computers and users.

The security guidance also describes recommended settings for different security environments. The easiest way to deploy these recommended settings is by using the GPOAccelerator, a tool created by Microsoft to deploy the settings.

This guide provides instructions for using the GPOAccelerator that you can use to test and deploy the recommended settings in the referenced security guidance. The settings you deploy with the GPOAccelerator depend on which guide you are using.

Microsoft recommends that you secure the operating systems that run on your client computers, as well as the 2007 Microsoft® Office release. To do so, read this Overview, then Chapter 1, "GPOAccelerator Command-Line Options and User Interface," and finally the chapter or chapters for the products that you want to secure.

Important It is important that you read the appropriate security guide to design your security strategy before you use the GPOAccelerator.

What the GPOAccelerator Does

The GPOAccelerator creates all the GPOs that you need to deploy the recommended security settings for your environment. This functionality saves many hours of work that would otherwise be needed to configure and deploy security settings manually.

Who Should Read This Guide

This guide supplements the security guides for Windows® XP, Windows Vista®, Windows Server® 2008, and the 2007 Microsoft Office release. It is primarily intended for IT generalists, security specialists, network architects, and other IT professionals and consultants who plan application or infrastructure development for both desktop and laptop client computers in an enterprise environment. This guidance is not intended for home users. Microsoft recommends that you use this guidance only after reading one of the referenced security guides.


This guidance assumes the following knowledge and skills:

MCSE on Windows Server® 2003 or a later certification and two or more years of security-related experience, or equivalent knowledge.

In-depth knowledge of the organization’s domain and Active Directory environments.

Experience in the administration of Group Policy using the Group Policy Management Console (GPMC), Gpupdate, and Gpresult.

How to Use the GPOAccelerator in Your Environment

The GPOAccelerator helps you deploy GPOs in your environment, which requires careful planning and testing. This section describes a way to test and deploy the GPOs described in the Windows XP Security Guide, the Windows Vista Security Guide, the Windows Server 2008 Security Guide, and the 2007 Microsoft Office Security Guide.

If you want to use the GPOAccelerator to harden Office applications in your environment, be sure to first use the tool to harden the operating system environment with the information specified in Chapter 1, "GPOAccelerator Command-Line Options and User Interface." Using these commands and options enables you to establish one of the prescribed security baselines defined in the following section. Then you can use the tool to apply the guidance for the 2007 Office Security Guide GPOs, which is described in Chapter 5, "Using the GPOAccelerator with the 2007 Microsoft Office System."

Prescribed Security Baseline Environments

The baseline GPOs that the GPOAccelerator helps you to deploy provide a combination of tested settings that enhance security for computers running these operating systems and applications in the following two distinct environments:

Enterprise Client (EC)

Specialized Security – Limited Functionality (SSLF)

The Enterprise Client (EC) Environment

The Enterprise Client (EC) environment referred to in this guidance consists of a domain using AD DS in which computers running Windows Server 2008 with Active Directory manage client computers that can run either Windows Vista or Windows XP, and member servers running Windows Server 2008 or Windows Server 2003 R2.

The domain controllers, member servers, and client computers are managed in this environment through Group Policy, which is applied to sites, domains, and OUs. Group Policy provides a centralized infrastructure within AD DS that enables directory-based change and configuration management of user and computer settings, including security and user data. The Group Policy this guide prescribes does not support client computers running Windows® 2000.


The Specialized Security – Limited Functionality (SSLF) Environment

The Specialized Security – Limited Functionality (SSLF) baseline in this guide addresses the demand to help create highly secure environments for computers running Windows Server® 2008. Concern for security is so great in these environments that a significant loss of functionality and manageability is acceptable. The Enterprise Client (EC) security baseline helps provide enhanced security that allows sufficient functionality of the operating system and applications for the majority of organizations.

Caution The SSLF security settings are not intended for the majority of enterprise organizations. To successfully implement the SSLF settings, organizations must thoroughly test the settings in their environment to ensure that the prescribed security configurations do not limit required functionality.

If you decide to test and deploy the SSLF configuration settings to servers in your environment, the IT resources in your organization may experience an increase in help desk calls related to the limited functionality that the settings impose. Although the configuration for this environment provides a higher level of security for data and the network, it also prevents some services from running that your organization may require. Examples of this include Remote Desktop, which allows users to connect interactively to desktops and applications on remote computers.

Using the /LAB Option to Evaluate the Security Guide Settings

The GPOAccelerator /LAB option creates the OUs and GPOs that are discussed in the referenced security guides, and then links the GPOs to the OUs. Microsoft recommends that you first use the GPOAccelerator /LAB option in a test environment that uses AD DS.

Chapter Descriptions

In addition to this Overview, the How to Use the GPOAccelerator guidance consists of the following five chapters:

Chapter 1: GPOAccelerator Command-Line Options and User Interface.

This chapter describes how to use the tool to create and deploy GPOs in your organization, the tool's functional capabilities, and the wizard for the tool.

Chapter 2: Using the GPOAccelerator with Windows Server 2008.

This chapter provides step-by-step guidance about how to use the tool to create and deploy GPOs for Windows Server 2008. It describes how to use the /LAB option, test a customized Windows Server 2008 GPO design in a lab environment, and deploy a customized Windows Server 2008 GPO design in a production environment.

Chapter 3: Using the GPOAccelerator with Windows Vista.

This chapter provides step-by-step guidance about how to use the tool to create and deploy GPOs for Windows Vista. It describes how to use the /LAB option, test a customized Windows Vista GPO design in a lab environment, and deploy a customized Windows Vista GPO design in a production environment.


Chapter 4: Using the GPOAccelerator with Windows XP.

This chapter provides step-by-step guidance about how to use the tool to create and deploy GPOs for Windows XP. It describes how to use the /LAB option, test a customized Windows XP GPO design in a lab environment, and deploy a customized Windows XP GPO design in a production environment.

Chapter 5: Using the GPOAccelerator with the 2007 Microsoft Office System.

This chapter provides step-by-step guidance about how to use the tool to create and deploy GPOs for the following six applications in the 2007 Office release:

Microsoft Office Access™ 2007

Microsoft Office Excel® 2007

Microsoft Office InfoPath® 2007

Microsoft Office Outlook® 2007

Microsoft Office PowerPoint® 2007

Microsoft Office Word 2007

It describes how to test a customized 2007 Office GPO design in a lab environment and deploy a customized 2007 Office GPO design in a production environment.

Acknowledgments

The SA-SC team would like to acknowledge and thank the group of people who produced How to Use the GPOAccelerator. The following individuals were either directly responsible or made a substantial contribution to the writing, development, and testing of this guide.

Content Developers

Bill Gruber – Microsoft

Bill Wade – Wadeware LLC

Edgar Brovick – Wadeware LLC

Ethan Casey – Wadeware LLC

Paul Slater – Wadeware LLC

Developers

José Maldonado – Microsoft

Ross Carter – Microsoft

Naresh Krishna Kumar Kulothungan – Infosys Technologies Ltd.

Editors

Jennifer Kerns – Wadeware LLC

John Cobb – Wadeware LLC

Steve Wacker – Wadeware LLC


Reviewers

Derick Campbell – Microsoft

Chase Carpenter – Microsoft

Product Managers

Alain Meeus – Microsoft

Jim Stuart – Microsoft

Program Managers

Flicka Enloe – Microsoft

Kelly Hengesteg – Microsoft

Vlad Pigin – Microsoft

Release Manager

Karina Larson – Microsoft

Test Manager

Gaurav Singh Bora – Microsoft

Testers

Beenu Venugopal – Infosys Technologies Ltd.

Bhakti Bhalerao – Infosys Technologies Ltd.

Harish Ananthapadmaanabhan – Infosys Technologies Ltd.

IndiraDevi Chandran – Infosys Technologies Ltd.

RaxitKumar Gajjar – Infosys Technologies Ltd.

Sumit Parikh – Infosys Technologies Ltd.

Swaminathan Viswanathan – Infosys Technologies Ltd.

Chapter 1: GPOAccelerator Command-Line Options and User Interface

This chapter documents the GPOAccelerator commands and options that you will use to deploy Group Policy objects (GPOs) in an environment that uses Active Directory® Domain Services (AD DS). After you deploy the GPOs, you will use the Group Policy Management Console (GPMC) to manage them.

The Group Policy Management Console

The GPMC helps you manage your enterprise more efficiently by combining the functionality of multiple tools: the snap-ins for Active Directory Users and Computers, Active Directory Sites and Services, and Resultant Set of Policy. It consists of a Microsoft Management Console (MMC) snap-in and a set of scriptable interfaces. This guide provides instructions for using the GPMC to manage the GPOs that the security guides install.

For detailed instructions about how to use the GPMC, see the Step-by-Step Guide to Using the Group Policy Management Console.

Two Different Security Environments

The security guides describe setting recommendations for two different security environments: the Enterprise Client (EC) environment and the Specialized Security – Limited Functionality (SSLF) environment. The GPOs for each environment are different because they have different security requirements.

The EC environment represents an organization with typical security needs. It is suitable for midsize and large organizations that seek to balance security and functionality.

The SSLF environment represents a less typical organization, one in which security is paramount. It is suitable only for midsize and large organizations that have stringent security standards, and for which security is more important than application functionality.

Caution The SSLF security settings are not intended for the majority of enterprise organizations. To successfully implement the SSLF settings, organizations must thoroughly test the settings in their environment to ensure that the prescribed security configurations do not limit required functionality.

More information about these two types of environments is provided in the respective security guides for Windows® XP, Windows Vista®, Windows Server® 2008, and the 2007 Microsoft Office release.


Options for the GPOAccelerator

The GPOAccelerator is a Windows Script Host script (GPOAccelerator.wsf) that you run from a command prompt with cscript.exe. If you run the GPOAccelerator without any options, the tool displays a list of all options, as shown in the following screen shot:

Figure 1.1. GPOAccelerator options

The following table provides definitions for the GPOAccelerator options.

Table 1.1. GPOAccelerator Options and Definitions

Option       Definition
/Vista       Creates Windows Vista Security Guide GPOs.
/XP          Creates Windows XP Security Guide GPOs.
/Office      Creates 2007 Office Security Guide GPOs.
/WSSG        Creates Windows Server 2008 Security Guide GPOs.
/Enterprise  Creates Enterprise Client (EC) GPOs.
/SSLF        Creates Specialized Security – Limited Functionality (SSLF) GPOs.
/Desktop     Applies the desktop security settings of the selected guide (/XP or /Vista) to the local computer instead of creating GPOs.
/Laptop      Applies the laptop security settings of the selected guide (/XP or /Vista) to the local computer instead of creating GPOs.
/LAB         Creates the OU structure for the lab environment described in the corresponding security guide and links the GPOs to those OUs. The Domain Policy GPO is not linked; you must link it to the domain manually.
/ConfigSCE   Configures the Security Configuration Editor (SCE) on the local computer to display the MSS settings.
/ResetSCE    Restores the SCE on the local computer to its default settings.
/Restore     Restores the .inf-based security settings to their default values, only on the computer where you run this option (use with /XP or /Vista).

Common GPOAccelerator Commands

The following five tables show the commands and options that are most commonly used when creating and deploying GPOs and OUs with the GPOAccelerator.

Table 1.2. Common Commands When Deploying Windows XP Security Guide GPOs

Command Results

GPOAccelerator.wsf /Enterprise /XP

Creates the EC GPOs described in the Windows XP Security Guide. You must then link the GPOs to the appropriate OUs to make this Group Policy configuration effective.

GPOAccelerator.wsf /SSLF /XP

Creates the SSLF GPOs described in the Windows XP Security Guide. You must then link the GPOs to the appropriate OUs to make this Group Policy configuration effective.

GPOAccelerator.wsf /Enterprise /LAB /XP

Creates and links the EC GPOs and OUs according to the sample OU structure prescribed in the Windows XP Security Guide.

GPOAccelerator.wsf /SSLF /XP /Desktop

Applies the desktop SSLF security settings to the local Windows XP–based computer.

GPOAccelerator.wsf /SSLF /XP /Laptop

Applies the laptop SSLF security settings to the local Windows XP–based computer.

Table 1.3. Common Commands When Deploying Windows Vista Security Guide GPOs

Command Results

GPOAccelerator.wsf /Enterprise /Vista

Creates the EC GPOs described in the Windows Vista Security Guide. You must then link the GPOs to the appropriate OUs to make this Group Policy configuration effective.

GPOAccelerator.wsf /SSLF /Vista

Creates the SSLF GPOs described in the Windows Vista Security Guide. You must then link the GPOs to the appropriate OUs to make this Group Policy configuration effective.

GPOAccelerator.wsf /Enterprise /LAB /Vista

Creates and links the EC GPOs and OUs according to the sample OU structure prescribed in the Windows Vista Security Guide.

GPOAccelerator.wsf /SSLF /Vista /Desktop

Applies the desktop SSLF security settings to the local Windows Vista–based computer.

GPOAccelerator.wsf /SSLF /Vista /Laptop

Applies the laptop SSLF security settings to the local Windows Vista–based computer.

Table 1.4. Common Commands When Deploying Windows Server 2008 Security Guide GPOs

Command Results

GPOAccelerator.wsf /Enterprise /WSSG

Creates the EC GPOs described in the Windows Server 2008 Security Guide. You must then link the GPOs to the appropriate OUs to make this Group Policy configuration effective.

GPOAccelerator.wsf /SSLF /WSSG

Creates the SSLF GPOs described in the Windows Server 2008 Security Guide. You must then link the GPOs to the appropriate OUs to make this Group Policy configuration effective.

GPOAccelerator.wsf /Enterprise /LAB /WSSG

Creates and links the EC GPOs and OUs according to the sample OU structure prescribed in the Windows Server 2008 Security Guide.

GPOAccelerator.wsf /SSLF /LAB /WSSG

Creates and links the SSLF GPOs and OUs according to the sample OU structure prescribed in the Windows Server 2008 Security Guide.

Table 1.5. Common Commands When Deploying 2007 Microsoft Office Security Guide GPOs

Command Results

GPOAccelerator.wsf /Enterprise /Office

Creates the 2007 Office Security Guide GPOs (/Office) for an EC (/Enterprise) environment. You must then link the GPOs to the appropriate OUs to make this Group Policy configuration effective.

GPOAccelerator.wsf /SSLF /Office

Creates the 2007 Office Security Guide GPOs (/Office) for an SSLF (/SSLF) environment. You must then link the GPOs to the appropriate OUs to make this Group Policy configuration effective.

Table 1.6. Other Common Commands When Deploying GPOs

Command Results

GPOAccelerator.wsf /ConfigSCE

Updates the Security Configuration Editor (SCE) on the local computer so that the MSS settings used by the security guide GPOs are visible in the Group Policy Object Editor. Run it on the computer from which you edit the GPOs.

GPOAccelerator.wsf /ResetSCE

Reverts the SCE on the local computer to its default display settings. If your organization has customized the SCE, those customizations are lost when you run this command.

GPOAccelerator.wsf /Restore {/Vista | /XP}

Restores the .inf-based security settings on the local computer to the Windows Vista or Windows XP defaults. This is useful when you are preparing customized workstation settings: after a test run you can return to the defaults and then try a different set of settings.
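The /Desktop, /Laptop and /Restore commands in Tables 1.2, 1.3 and 1.6 change only the local computer, which makes them the natural way to trial a baseline on a single test machine. The following PowerShell script is an added example, not code from this guide or from the GPOAccelerator itself: it snapshots the local security policy with secedit, applies the SSLF desktop settings, lists what changed, then runs /Restore and compares again. It assumes that the tool was extracted to C:\GPOAccelerator, that the computer is a disposable Windows Vista test machine (pass -Os XP on Windows XP), and that it runs from an elevated prompt.

```powershell
# Added example, not part of the guide or the GPOAccelerator.
# Assumptions: tool extracted to C:\GPOAccelerator, disposable test machine, elevated prompt.
param(
    [string]$ToolDir = 'C:\GPOAccelerator',
    [ValidateSet('Vista', 'XP')] [string]$Os = 'Vista',
    [string]$WorkDir = (Join-Path $env:TEMP 'sslf-test')
)
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

function Export-LocalPolicy([string]$Name) {
    # secedit writes the current local security policy (the .inf-based part) to a Unicode .inf
    $file = Join-Path $WorkDir "$Name.inf"
    & secedit.exe /export /cfg $file /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }
    return $file
}

function Read-PolicyInf([string]$Path) {
    # Flatten an .inf into "Section\Key" = value pairs so two exports can be compared
    $map = @{}; $section = ''
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($line -match '^([^=]+?)\s*=\s*(.*)$') { $map["$section\$($Matches[1])"] = $Matches[2] }
    }
    return $map
}

function Compare-Policy($Old, $New) {
    # Emit one record per key whose value differs (added, removed or changed)
    foreach ($k in (@($Old.Keys) + @($New.Keys) | Sort-Object -Unique)) {
        if ($Old[$k] -ne $New[$k]) {
            New-Object PSObject -Property @{ Setting = $k; Before = $Old[$k]; After = $New[$k] }
        }
    }
}

function Invoke-Accelerator([string[]]$Options) {
    # The script expects to be run from its own directory
    Push-Location $ToolDir
    try {
        & cscript.exe //nologo .\GPOAccelerator.wsf @Options
        if ($LASTEXITCODE -ne 0) { throw "GPOAccelerator $Options failed with exit code $LASTEXITCODE" }
    } finally { Pop-Location }
}

$baseline = Read-PolicyInf (Export-LocalPolicy 'before')
Invoke-Accelerator '/SSLF', "/$Os", '/Desktop'       # apply the desktop SSLF settings locally
$hardened = Read-PolicyInf (Export-LocalPolicy 'after-sslf')
$changes  = @(Compare-Policy $baseline $hardened)
"$($changes.Count) settings changed by /SSLF /$Os /Desktop:"
$changes | Format-Table Setting, Before, After -AutoSize
$changes | Export-Csv -Path (Join-Path $WorkDir 'sslf-changes.csv') -NoTypeInformation

Invoke-Accelerator '/Restore', "/$Os"              # return the .inf-based settings to the defaults
$restored = Read-PolicyInf (Export-LocalPolicy 'after-restore')
$left = @(Compare-Policy $baseline $restored)
if ($left.Count -gt 0) {
    Write-Warning "$($left.Count) settings still differ from the pre-test snapshot after /Restore:"
    $left | Format-Table Setting, Before, After -AutoSize
} else {
    'Local policy matches the pre-test snapshot'
}
```

/Restore returns the .inf-based settings to the Windows defaults, not to your snapshot, so anything that was already non-default before the test also shows up in the final comparison; settings applied outside the security template, such as the MSS registry values, are not covered by the secedit export at all. To put the machine back exactly as it was, apply the saved snapshot with secedit /configure /db before.sdb /cfg before.inf.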


GPOAccelerator User Interface

The previous sections in this chapter provide commands and options that you can use at a command prompt to run the GPOAccelerator tool. This section provides information about how to use the GPOAccelerator Wizard, which provides all of the same functionality.

You can use this wizard to establish and deploy baseline security settings that Microsoft prescribes for either the EC environment or the SSLF environment. The wizard provides you with the same set of options to define a configuration to meet the security needs of your environment.

Figure 1.2. The GPOAccelerator Wizard

The following figure displays the Tool Options page in the wizard that you can use to define how you want to establish and deploy your security baseline. On the Welcome page, click Next to access this page.

Page 17: How To Use the GPOAccelerator

Fel! Använd fliken Start om du vill tillämpa Heading 1,h1 för texten som ska visas här. 13

Figure 1.3. The Tool Options page

The Tool Options page provides you with the following choices:

Domain. Use this option to implement a security baseline and create Group Policy objects (GPOs) for a domain-based environment. This option provides you with other options on subsequent pages in the wizard to run a combination of options, such as /Enterprise, /SSLF, and /LAB, to establish and test your security baseline.

Note You must be a domain administrator to use this option.

Local. Use this option to implement a security baseline and modify the default security settings on a client computer. This option provides you with other options on subsequent pages in the wizard to run the /Desktop, /Laptop, and /Restore command-line options that are defined in the security guides for Windows XP and Windows Vista.

Note You must be an administrator to use this option.

Update SCE. Use this option to update the Security Configuration Editor (SCE) to display MSS security settings. You can use this option to execute the /ConfigSCE and /ResetSCE command-line options discussed in the security guides.

Note You must be an administrator to use this option.
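Because /ResetSCE discards any SCE customization and /ConfigSCE rewrites the same data, it is worth keeping a copy before either option runs (from the command line or from the Update SCE page of the wizard) and confirming the result afterwards. The script below is an added example rather than part of the guide or the tool. It assumes, which this page does not state, that the SCE reads the list of registry settings it can display from %SystemRoot%\inf\sceregvl.inf, that the MSS entries carry an "MSS:" prefix in that file, and that the tool was extracted to C:\GPOAccelerator.

```powershell
# Added example, not part of the guide or the GPOAccelerator.
# Assumptions (not stated on this page): the SCE reads its list of displayable registry
# settings from %SystemRoot%\inf\sceregvl.inf, the MSS entries added by /ConfigSCE carry an
# "MSS:" prefix there, and the tool was extracted to C:\GPOAccelerator.
param(
    [ValidateSet('ConfigSCE', 'ResetSCE')] [string]$Action = 'ConfigSCE',
    [string]$ToolDir = 'C:\GPOAccelerator'
)

$inf    = Join-Path $env:SystemRoot 'inf\sceregvl.inf'
$backup = "$inf.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"

function Get-MssEntryCount([string]$Path) {
    # Count the display strings that identify MSS settings in the SCE registry list
    @(Select-String -Path $Path -Pattern 'MSS:' -SimpleMatch).Count
}

$me = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run from an elevated prompt: both options rewrite files under %SystemRoot%\inf'
}

# Keep a copy: /ResetSCE discards any customization and /ConfigSCE overwrites the same file
Copy-Item -Path $inf -Destination $backup -Force
$before = Get-MssEntryCount $inf
"Backed up $inf to $backup ($before MSS entries before /$Action)"

Push-Location $ToolDir
try {
    & cscript.exe //nologo .\GPOAccelerator.wsf "/$Action"
    if ($LASTEXITCODE -ne 0) { throw "GPOAccelerator /$Action failed with exit code $LASTEXITCODE" }
} finally { Pop-Location }

$after = Get-MssEntryCount $inf
"$after MSS entries after /$Action"
switch ($Action) {
    'ConfigSCE' { if ($after -eq 0) { Write-Warning 'No MSS entries found; the Security Options node will not show them' } }
    'ResetSCE'  { if ($after -gt 0) { Write-Warning "MSS entries are still present; compare $inf with $backup" } }
}
```

If a customization is lost to /ResetSCE, copy the backup back over sceregvl.inf and re-register scecli.dll with regsvr32 so that the editor picks the list up again.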

Chapter 2: Using the GPOAccelerator with Windows Server 2008

After reading the Windows Server 2008 Security Guide, you can use the tasks and procedures in this chapter, together with the GPOAccelerator, to create the GPOs and OUs for the Enterprise Client (EC) environment that the guide prescribes, test them, and deploy them in your production environment.

Important The tasks and procedures in this chapter are specific to creating and testing the GPO settings and the sample OU structure for the Enterprise Client (EC) environment that the guide prescribes. You can use a different set of options with the same tasks and procedures in this chapter to create the Specialized Security – Limited Functionality (SSLF) environment. For more information about SSLF options, see Chapter 1, "GPOAccelerator Command-Line Options and User Interface."

The GPOAccelerator automatically creates all the GPOs and OUs that you need to apply the Windows Server® 2008 security guidance. You do not need to spend time editing policy settings and applying templates manually.

Implementing the Security Policies

Implementing the security design for the two environments described in this guidance requires you to use the Group Policy Management Console (GPMC) and GPMC-based scripts. The GPMC ships with Windows Server 2008 as an installable feature, so you do not have to download the console each time you need to manage GPOs from a different computer. To install it, start Server Manager, click Add Features, and select the Group Policy Management feature.

Important You must perform all of the procedures in this chapter on a computer running Windows Vista® or Windows Server 2008 that is joined to a domain that uses Active Directory® Domain Services (AD DS). In addition, the user who performs the procedures must be a member of the Domain Admins group or have been delegated equivalent rights, because the tool creates GPOs (and, with /LAB, OUs) in the domain. If you run the GPMC on Windows® XP or Windows Server® 2003, many of the Windows Server 2008 security settings will not be visible in the console.

Implementation Tasks

To implement the security design, there are a few key tasks to complete:

1. Create the EC environment.

2. Use the GPMC to link the WSSG EC Domain Policy to the domain.

3. Use the GPMC to link the WSSG EC Domain Controllers Baseline Policy to the Domain Controllers OU.

4. Use the GPMC to check your results.

Similarly, you also use these steps to configure security for each server role in your environment.


The GPOAccelerator Tool

This section of the chapter describes these tasks and procedures and the functionality of the GPOAccelerator, which automatically creates the prescribed GPOs. This section also includes information about how to use the GPMC to check the GPOs created by the tool. The Windows Server 2008 Security Guide Settings workbook that also accompanies this guide provides another resource that you can use to compare setting values.

The GPOAccelerator

The main feature of this tool automatically creates all the GPOs you need to apply this guidance. You do not need to spend a lot of time manually editing policy settings and applying templates. For servers in the EC environment, the script creates the following GPOs:

WSSG EC Domain Policy for the domain.

WSSG EC Domain Controller Baseline Policy for domain controllers.

WSSG EC Member Server Baseline Policy for all servers.

WSSG EC <Server Role> Policy for individual server roles.

Use the GPOAccelerator to:

Test the design in a lab environment. In your test environment, use the GPOAccelerator to create an OU structure, create the GPOs, and then automatically link the GPOs to the OUs. After you complete the test phase of the implementation, you can use the script in your production environment.

Deploy the design in a production environment. When you start working in your production environment to implement the solution, you must first create a suitable OU structure or modify an existing set of OUs. You can then use the GPOAccelerator to create the GPOs, and then link the newly created GPOs to the appropriate OUs in your environment.

Test the Design in a Lab Environment

The GPOs that the GPOAccelerator creates have been thoroughly tested. However, it is important to perform your own testing in your own environment. To save time, you can use the GPOAccelerator to create the prescribed GPOs and the recommended OU structure, and then automatically link the GPOs to the OUs.

Design Test Tasks

To test the design in a lab environment, complete the following key tasks:

1. Create the EC environment.

2. Use the GPMC to link the WSSG EC Domain Policy to the domain.

3. Use the GPMC to link the WSSG EC Domain Controller Baseline Policy to the Domain Controllers OU.

4. Use the GPMC to check your results.


Task 1: Create the EC Environment

The GPOAccelerator is located in the GPOAccelerator folder that the Microsoft Windows Installer (.msi) file creates in the Program Files folder.

Note The GPOAccelerator folder and subfolders for it must be present on the local computer for the script to run as described in the following procedure.

To create the GPOs and link them to the appropriate OUs in a lab environment

1. Log on as a domain administrator to a computer running Windows Server 2008 that is joined to the domain using Active Directory in which you will create the GPOs.

2. On the computer, click Start, click All Programs, and then click GPOAccelerator.

3. Right-click the command-line here.cmd file, and then click Run as administrator to open a command prompt with full domain administrative privileges.

Note If prompted for logon credentials, type your user name, password, and press ENTER.

4. At the command prompt, type cscript GPOAccelerator.wsf /WSSG /Enterprise /LAB and then press ENTER.

5. In the Click Yes to continue, or No to exit the script message box, click Yes.

Note This step can take several minutes.

6. In The Enterprise Lab Environment is created message box, click OK.

7. In the Make sure to link the Enterprise Domain GPO to your domain message box, click OK, and then complete the steps in the next task to link the WSSG EC Domain Policy and the WSSG EC Domain Controllers Policy.

Note The domain level Group Policy includes settings that apply to all computers and users in the domain. It is important to be able to decide when to link the domain GPO, as this GPO applies to all users and computers. For this reason, the GPOAccelerator does not automatically link the domain GPO to the domain.

Similarly, the domain controllers GPO will immediately start to modify the configuration of all domain controllers in your environment. For this reason, the GPOAccelerator does not automatically link the Domain Controllers GPO to the domain controllers OU.

Task 2: Use the GPMC to Link the WSSG EC Domain Policy to the Domain

You are now ready to link the domain GPO to the domain. The following instructions describe how to use the GPMC on a computer running Windows Server 2008 to link the WSSG EC Domain Policy to the domain.

To link the WSSG EC Domain Policy

1. Click Start, click All Programs, click Accessories, and then click Run. (Or press the Windows logo key+R.)

2. In the Open text box, type gpmc.msc and then click OK.

3. Under the Domains tree, right-click the domain, and then click Link an existing GPO.

4. In the Select GPO dialog box, click the WSSG EC Domain Policy GPO, and then click OK.

5. In the details pane, select the WSSG EC Domain Policy, and then click the Move link to top button.


Important Ensure that the WSSG EC Domain Policy has its Link Order set to 1. Failure to do this will cause other GPOs linked to the domain, such as the Default Domain Policy GPO, to overwrite the WSSG EC Domain Policy settings.

Task 3: Use the GPMC to Link the WSSG EC Domain Controller Baseline Policy to the Domain Controllers OU

You are now ready to link the domain controllers GPO to the domain controllers OU. The following instructions describe how to use the GPMC to link the WSSG EC Domain Controllers Baseline Policy to the domain controllers OU.

To link the WSSG EC Domain Controller Baseline Policy

1. Click Start, click All Programs, click Accessories, and then click Run. (Or press the Windows logo key+R.)

2. In the Open text box, type gpmc.msc and then click OK.

3. Under the Domains tree, right-click the Domain Controllers OU, and then click Link an existing GPO.

4. In the Select GPO dialog box, click the WSSG EC Domain Controller Baseline Policy GPO, and then click Yes.

5. In the details pane, select the WSSG EC Domain Controller Baseline Policy, and then click the Move link to top button.

Important Ensure that the WSSG EC Domain Controller Baseline Policy has its Link Order set to 1. Failure to do this will cause other GPOs linked to the domain controllers OU, such as the Default Domain Controller Policy GPO, to overwrite the WSSG EC Domain Controllers Policy settings.

Task 4: Use the GPMC to Check Your Results

You can use the GPMC to check the results of the script. The following procedure describes how to use the GPMC on a computer running Windows Server 2008 to verify the GPOs and OU structure that the GPOAccelerator creates for you.

To verify the results of the GPOAccelerator

1. Click Start, click All Programs, click Accessories, and then click Run.

2. In the Open text box, type gpmc.msc and then click OK.

3. Click the appropriate forest, click Domains, and then click your domain.

4. Click and expand the WSSG Member Servers OU, and then click each of the child OUs below it to open them.

5. Verify your OU structure and GPO links match the following figure.


Figure 2.1. The GPMC view of the OU structure and GPO links that the GPOAccelerator creates

All of the GPOs that the GPOAccelerator creates are fully populated with the settings that this guide prescribes. You can now use the Active Directory Users and Computers tool to test the design by moving servers into their respective OUs, and making sure each server functions as expected. Many of the settings contained in the GPOs will take effect immediately, but many will not take effect until the server is restarted.

For details about the settings contained in each GPO, see "Appendix A: Security Group Policy Settings," which accompanies the Windows Server 2008 Security Guide.


Deploy the Design in a Production Environment

To save time, you can use the GPOAccelerator to create the GPOs for the EC environment. Then you can link the GPOs to the appropriate OUs in your existing structure. In larger domains with a large number of OUs, you will need to consider how to use your existing OU structure to deploy the GPOs.

Microsoft recommends keeping computer OUs distinct from user OUs. Client workstations, such as laptop and desktop computers, also should be organized in their own OUs. If such a structure is not possible in your environment, you may need to modify the GPOs. You can use the settings reference in "Appendix A: Security Group Policy Settings," which accompanies the Windows Server 2008 Security Guide, to help you decide what modifications may be necessary.

Note As discussed in the previous section, you can use the GPOAccelerator with the /LAB option in a test environment to create the sample OU structure. However, environments with a flexible OU structure can also use this option in a production environment to create a basic OU structure, and automatically link the GPOs. Then you can manually modify the OU structure to meet the requirements of your environment.

Deployment Tasks

To deploy the design in a production environment, complete the following key tasks:

1. Create the GPOs.

2. Use the GPMC to check your results.

3. Use the GPMC to link the GPOs to the OUs.

Task 1: Create the GPOs

You create the EC GPOs described in this guide using the GPOAccelerator. The GPOAccelerator is located in the GPOAccelerator folder that the Microsoft Windows Installer (.msi) file creates for you in the Documents folder.

Note You can also simply copy the GPOAccelerator folder from a computer where the folder is installed to another computer that you want to use to run the script. The GPOAccelerator folder and subfolders for it must be present on the local computer for the script to run as described in the following procedure.

To create the GPOs in a production environment

1. Log on as a domain administrator to a computer running Windows Server 2008 that is joined to the AD DS domain in which you will create the GPOs.

2. On the computer, click Start, click All Programs, and then click GPOAccelerator.

3. Open the GPOAccelerator Tool folder.

4. Right-click the command-line here.cmd file, and then click Run as administrator to open a command prompt with full domain administrative privileges.

Note If prompted for logon credentials, type your user name and password, and then press ENTER.

5. At the command prompt, type cscript GPOAccelerator.wsf /WSSG /Enterprise and then press ENTER.


6. In the Click Yes to continue, or No to exit the script message box, click Yes.

Note This step can take several minutes.

7. In The Enterprise GPOs are created message box, click OK.

8. In the Make sure to link the Enterprise GPOs to the appropriate OUs message box, click OK.

Task 2: Use the GPMC to Check Your Results

You can use the GPMC to ensure that the script has successfully created all of the GPOs. The following procedure describes how to use the GPMC on a computer running Windows Server 2008 to verify the GPOs that the GPOAccelerator creates.

To verify the results of the GPOAccelerator

1. Click Start, click All Programs, click Accessories, and then click Run.

2. In the Open text box, type gpmc.msc and then click OK.

3. Click the appropriate forest, click Domains, and then click your domain.

4. Click and expand Group Policy Objects, and then verify that the WSSG EC GPOs have been created according to those listed in the following figure.

Figure 2.2. The GPMC view of the EC GPOs that the GPOAccelerator creates


You can now use GPMC to link each GPO to the appropriate OU. The final task in this process explains how to do this.

Task 3: Use the GPMC to Link the GPOs to the OUs

The following procedure describes how to use the GPMC on a computer running Windows Server 2008 to accomplish this task.

To link the GPOs in a production environment

1. Click Start, click All Programs, click Accessories, and then click Run.

2. In the Open text box, type gpmc.msc and then click OK.

3. Under the Domains tree, right-click the domain, and then click Link an existing GPO.

Note You also can drag a GPO from under the Group Policy objects node to an OU. However, you can only perform this drag-and-drop operation within the same domain.

4. In the Select GPO dialog box, click the WSSG EC Domain Policy GPO, and then click OK.

5. In the details pane, select the WSSG EC Domain Policy, and then click the Move link to top button.

Important Ensure that the WSSG EC Domain Policy has its Link Order set to 1. Failure to do this will cause other GPOs linked to the domain, such as the Default Domain Policy GPO, to overwrite the WSSG EC Domain Policy settings.

6. Under the Domains tree, right-click the Domain Controllers OU, and then choose the Link an existing GPO option.

7. In the Select GPO dialog box, click the WSSG EC Domain Controllers Baseline Policy GPO, and then click OK.

8. In the details pane, select the WSSG EC Domain Controllers Baseline Policy GPO, and then click the Move link to top button.

Important Ensure that the WSSG EC Domain Controllers Policy has its Link Order set to 1. Failure to do this will cause other GPOs linked to the OU, such as the Default Domain Controllers Policy GPO, to overwrite the WSSG EC Domain Controllers Policy settings.

9. Right-click the appropriate member server OU node, and then choose the Link an existing GPO option.

10. In the Select GPO dialog box, click the WSSG EC Member Server Baseline Policy, and then click OK.

11. Right-click the first server role OU node, and then choose the Link an existing GPO option.

12. In the Select GPO dialog box, click the appropriate WSSG <Server Role> Policy GPO, and then click OK.

13. Repeat the last two steps in this procedure as needed to link each GPO to the appropriate Server role OU.

Note The GPOAccelerator script will create GPOs for the server roles discussed in the guide. However, Microsoft recommends creating these GPOs using the Security Configuration Wizard (SCW) as described in Chapter 2, "Reducing the Attack Surface by Server Role" of the Windows Server 2008 Security Guide. This will result in GPOs that take into consideration services and applications specific to your environment.


To confirm the GPO linkages using the GPMC

Expand the Group Policy Objects node, select the GPO, then in the details pane, click the Scope tab and note the information in the Link Enabled and Path columns.

– Or –

Select the OU, and then in the details pane, click the Linked Group Policy Objects tab and note the information in the Link Enabled and GPO columns.
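A scripted form of the checks in Tasks 2 through 4 (each WSSG EC GPO exists, is linked to the expected container, is enabled, and has Link Order 1), added here as an example; it is not part of the GPOAccelerator or of the guide. It assumes the GroupPolicy and ActiveDirectory PowerShell modules from RSAT, which the original Windows Server 2008 release does not include, and the OU names that the /LAB option creates.

```powershell
# Added example, not GPOAccelerator code. Requires the GroupPolicy and
# ActiveDirectory modules (RSAT on Windows Server 2008 R2 / Windows 7 or later;
# not available on the original Windows Server 2008 release).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# Expected placement as described in Tasks 2 and 3. The GPO names are the ones
# the guide lists; "WSSG Member Servers" is the OU the /LAB option creates
# (Task 4). Adjust the OU if you deploy into your own OU structure.
$expected = @(
    @{ Gpo = 'WSSG EC Domain Policy';                     Target = $domainDN },
    @{ Gpo = 'WSSG EC Domain Controller Baseline Policy'; Target = "OU=Domain Controllers,$domainDN" },
    @{ Gpo = 'WSSG EC Member Server Baseline Policy';     Target = "OU=WSSG Member Servers,$domainDN" }
)

$problems = 0
foreach ($e in $expected) {
    # Get-GPO throws when the GPO does not exist, i.e. the script has not created it yet.
    try { $null = Get-GPO -Name $e.Gpo -ErrorAction Stop }
    catch {
        Write-Warning "GPO '$($e.Gpo)' not found; run GPOAccelerator.wsf first"
        $problems++; continue
    }

    # Get-GPInheritance returns the GPOs linked directly to a domain or OU,
    # each with its Link Order, Enabled and Enforced state.
    $links = (Get-GPInheritance -Target $e.Target).GpoLinks
    $link  = $links | Where-Object { $_.DisplayName -eq $e.Gpo }

    if (-not $link) {
        Write-Warning "'$($e.Gpo)' is not linked to $($e.Target)"
        $problems++; continue
    }
    if (-not $link.Enabled) {
        Write-Warning "Link for '$($e.Gpo)' on $($e.Target) is disabled"
        $problems++
    }
    # Link Order 1 has the highest precedence on that container, so the WSSG GPO
    # wins over the Default Domain / Default Domain Controllers Policy. Any other
    # order means a GPO with a lower number overrides the WSSG settings.
    if ($link.Order -ne 1) {
        $winner = ($links | Where-Object { $_.Order -eq 1 }).DisplayName
        Write-Warning "'$($e.Gpo)' has Link Order $($link.Order) on $($e.Target); '$winner' will override it"
        $problems++
    } else {
        Write-Host "OK: '$($e.Gpo)' linked to $($e.Target) at Link Order 1"
    }
}

if ($problems -eq 0) { Write-Host 'All WSSG EC links are in place.' } else { exit 1 }
```

Run it from an elevated PowerShell session on a domain-joined management computer after Task 3; a non-zero exit code means at least one link needs to be corrected in the GPMC.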

Note You can use the GPMC to unlink the GPOs and, optionally, delete them. Then use the GPMC, or the Active Directory Users and Computers console, to delete any OUs that you no longer need. To completely undo all Active Directory modifications made by the GPOAccelerator, you must manually delete the EC-WSSGAuditPolicy.cmd file, the EC-WSSGApplyAuditPolicy.cmd, and the EC-WSSGAuditPolicy.txt file from the NETLOGON share of one of your domain controllers. For additional details on how to completely remove the implementation of the Audit policy, refer to the "Audit Policy" section in "Appendix A: Security Group Policy Settings," which accompanies the Windows Server 2008 Security Guide.

All of the GPOs that the GPOAccelerator creates are fully populated with the settings that this guide prescribes. You can now use the Active Directory Users and Computers tool to test the design by moving servers into their respective OUs, and making sure each server functions as expected. Many of the settings contained in the GPOs will take effect immediately, but many will not take effect until the server is restarted.

For details about the settings contained in each GPO, see "Appendix A: Security Group Policy Settings," which accompanies the Windows Server 2008 Security Guide.

GPMC and SCE Extensions

The solution presented in this guidance uses GPO settings that do not display in the standard user interface (UI) for the GPMC in Windows Server 2008 or the Security Configuration Editor (SCE) tool. These settings, which are all prefixed with MSS:, were developed by the Microsoft Solutions for Security group for previous security guidance.

For this reason, you need to extend these tools so that you can view the security settings and edit them as required. To accomplish this, the GPOAccelerator automatically updates your computer while it creates the GPOs. Use the following procedure to update the SCE on a computer running Windows Server 2008.

To modify the SCE to display MSS settings

1. Ensure that you have met the following prerequisites:

The computer is joined to the domain using Active Directory where you created the GPOs.

The GPOAccelerator tool is installed.

Note You can also simply copy the GPOAccelerator folder from a computer on which you have installed the folder to another computer that you want to use to run the script. The GPOAccelerator folder and subfolders must be present on the local computer for the script to run as described in this procedure.

2. Log on to the computer as an administrator.

3. On the computer, click Start, click All Programs, and then click GPOAccelerator.


4. Right-click the Command-line Here.cmd file, and then click Run as administrator to open a command prompt with full administrative privileges.

Note If prompted for logon credentials, type your user name and password, and then press ENTER.

5. At the command prompt, type cscript GPOAccelerator.wsf /ConfigSCE and then press ENTER.

6. In the Click Yes to continue, or No to exit the script message box, click Yes.

7. In The Security Configuration Editor is updated message box, click OK.

Note This script only modifies SCE to display MSS settings. This script does not create GPOs or OUs.

The following procedure removes the additional MSS security settings, and then resets the SCE tool to the default settings in Windows Server 2008.

To reset the SCE tool to the default settings in Windows Server 2008

1. Log on to the computer as an administrator.

2. On the computer, click Start, click All Programs, and then click GPOAccelerator.

3. Right-click the Command-line Here.cmd file, and then click Run as administrator to open a command prompt with full administrative privileges.

Note If prompted for logon credentials, type your user name and password, and then press ENTER.

4. At the command prompt, type cscript GPOAccelerator.wsf /ResetSCE and then press ENTER.

5. In the Click Yes to continue, or No to exit the script message box, click Yes.

Note Completing this procedure reverts the SCE on your computer to the default settings in Windows Server 2008. Any settings added to the default SCE will be removed. This will only affect the ability to view the settings with the SCE. Configured Group Policy settings remain in place.

6. In The Security Configuration Editor is updated message box, click OK.

Security Templates

Security Templates are provided so that if you want to build your own policies, rather than use or modify the policies supplied with this guide, you can import the relevant security settings. Security Templates are text files that contain security setting values. They are subcomponents of the GPOs. You can modify the policy settings that are contained in the Security Templates in the MMC Group Policy Object Editor snap-in. Unlike some previous versions of the Windows operating system, Windows Server 2008 does not come with predefined Security Templates.

Security Templates are included with the GPOAccelerator. The following templates for the EC environment are located in the GPOAccelerator\Security Templates\WSSG folder:

WSSG EC Domain.inf

WSSG EC Domain Controller.inf


WSSG EC Member Server.inf

Important You do not need to use the Security Templates to deploy the solution described in this guide. The templates provide an alternative to the GPMC-based solution, and only cover computer security settings that appear under Computer Configuration\Windows Settings\Security Settings. For example, you cannot manage Internet Explorer or Windows Firewall settings in the GPOs using a Security Template, and user settings are not included.

Using Security Templates

If you want to use the Security Templates you must first extend the SCE so that the custom MSS security settings display in the UI. See the procedure in the previous "GPMC and SCE Extensions" section in this chapter for details. When you can view the templates, you can use the following procedure to import them into the GPOs that you have created as needed.

To import a Security Template into a GPO

1. Open the Group Policy Object Editor for the GPO you want to modify; to do this in the GPMC, right-click the GPO, and then click Edit.

2. In the Group Policy Object Editor, browse to the Windows Settings folder.

3. Expand the Windows Settings folder, and then select Security Settings.

4. Right-click the Security Settings folder, and then click Import Policy.

5. Browse to the WSSG folder in the Program Files\GPOAccelerator\Security Templates folder.

6. Select the Security Template that you want to import, and then click Open.

The result of the last step in this procedure imports the settings from the file into the GPO. You can also use the Security Templates supplied with the Windows Server 2008 Security Guide to modify the local security policy on stand-alone servers running Windows Server 2008 (that is, servers that are not joined to an AD DS domain).

Note The GPOAccelerator does not currently support applying Security Template inf files to the local security policy on stand-alone servers running Windows Server 2008. You can use the Local Security Policy snap-in (secpol.msc) to import Security Templates to the local security policy of stand-alone servers in your environment.

Subdirectories and Files

When you run the Windows Installer (.msi) file, it creates the GPOAccelerator folder in the Program Files folder on your computer. The .msi file also creates a subfolder structure in the GPOAccelerator folder.


More Information

The following resources provide additional information about Windows Server 2008 security-related topics on Microsoft.com:

Administering Group Policy.

Enterprise Management with the Group Policy.

Loopback Processing of Group Policy.

Migrating GPOs.

Step-by-Step Guide to Understanding the Group Policy.

Step-by-Step Guide to Using the Delegation of Control Wizard.

Summary of New or Expanded Group Policy.

Windows Server 2008 Security Guide.

Windows Server 2008 TechCenter.

Chapter 3: Using the GPOAccelerator with Windows Vista

After you read the Windows Vista Security Guide, you can use the tasks and procedures in this chapter with the GPOAccelerator to create the GPOs and OUs, and then test and deploy the Enterprise Client (EC) environment that the guide prescribes in your production environment.

Important The tasks and procedures in this chapter are specific to creating and testing the GPO settings and the sample OU structure for the Enterprise Client (EC) environment that the guide prescribes. You can use a different set of options with the same tasks and procedures in this chapter to create the Specialized Security – Limited Functionality (SSLF) environment. For more information about SSLF options, see Chapter 1, "GPOAccelerator Command-Line Options and User Interface."

The GPOAccelerator automatically creates all the GPOs and OUs that you need to apply the Windows Vista® security guidance. You do not need to spend time editing policy settings and applying templates manually.

Implementing the Security Policies

Implementing the security design for the two environments described in this guidance requires you to use the Group Policy Management Console (GPMC), and GPMC-based scripts. The GPMC is integrated into the original version of the Windows Vista operating system. However, GPMC is not integrated into Windows Vista with SP1 computers. To use the GPOAccelerator on computers running Windows Vista with SP1, you must first download and install the Remote Server Administration Toolkit (RSAT) from the Microsoft Web site.

Important You must perform all of the procedures in this chapter on a client computer running Windows Vista or Windows Server® 2008 that is joined to a domain that uses Active Directory® Domain Services (AD DS). In addition, the user who performs the procedures must be a member of the Domain Administrators group or have been delegated equivalent privileges. If you use the Windows XP® or Windows Server 2003 operating systems, many security settings for Windows Server 2008 will not be visible in the GPMC.

Implementation Tasks

To implement the security design, there are a few key tasks to complete:

1. Create the EC environment.

2. Use the GPMC to link the VSG EC Domain Policy to the domain.

3. Use the GPMC to check your results.


The GPOAccelerator Tool

This section of the chapter describes these tasks and procedures and the functionality of the GPOAccelerator, which automatically creates the prescribed GPOs. This section also includes information about how to use the GPMC to check the GPOs created by the tool. The Windows Vista Security Guide Settings workbook that also accompanies the Windows Vista Security Guide provides another resource that you can use to compare setting values.

The GPOAccelerator

The main feature of this script automatically creates all the GPOs you need to apply this guidance. You do not need to spend a lot of time manually editing policy settings and applying templates. For computers in the EC environment, the script creates the following four GPOs:

VSG EC Domain Policy for the domain.

VSG EC Users Policy for users.

VSG EC Desktop Policy for desktop computers.

VSG EC Laptop Policy for laptop computers.

Use the GPOAccelerator to complete the following tasks:

Test the design in a lab environment. In your test environment, use the GPOAccelerator to create an OU structure, create the GPOs, and then automatically link the GPOs to the OUs. After you complete the test phase of the implementation, you can use the script in your production environment.

Deploy the design in a production environment. When you start working in your production environment to implement the solution, you must first create a suitable OU structure or modify an existing set of OUs. You can then use the GPOAccelerator to create the GPOs, and then link the newly created GPOs to the appropriate OUs in your environment.

Test the Design in a Lab Environment

The GPOs that the GPOAccelerator creates have been thoroughly tested. However, it is important to perform your own testing in your own environment. To save time, you can use the GPOAccelerator to create the prescribed GPOs and the recommended OU structure, and then automatically link the GPOs to the OUs.

Design Test Tasks

To test the design in a lab environment, complete the following key tasks:

1. Create the EC environment.

2. Use the GPMC to link the VSG EC Domain Policy to the domain.

3. Use the GPMC to check your results.


Task 1: Create the EC Environment

The GPOAccelerator is located in the GPOAccelerator folder that the Microsoft Windows Installer (.msi) file creates in the Program Files folder.

Note The GPOAccelerator folder and subfolders for it must be present on the local computer for the script to run as described in the following procedure.

To create the GPOs and link them to the appropriate OUs in a lab environment

1. Log on as a domain administrator to a computer running Windows Vista that is joined to the domain using Active Directory in which you will create the GPOs.

2. On the computer, click Start, click All Programs, and then click GPOAccelerator.

3. Open the GPOAccelerator Tool folder.

4. Right-click the command-line here.cmd file, and then click Run as administrator to open a command prompt with full domain administrative privileges.

Note If prompted for logon credentials, type your user name, password, and press ENTER.

5. At the command prompt, type cscript GPOAccelerator.wsf /Vista /Enterprise /LAB and then press ENTER.

6. In the Click Yes to continue, or No to exit the script message box, click Yes.

Note This step can take several minutes.

7. In The Enterprise Lab Environment is created message box, click OK.

8. In the Make sure to link the Enterprise Domain GPO to your domain message box, click OK, and then complete the steps in the next task to link the VSG EC Domain Policy.

Note The domain level Group Policy includes settings that apply to all computers and users in the domain. It is important to be able to decide when to link the domain GPO, as this GPO applies to all users and computers. For this reason, the GPOAccelerator does not automatically link the domain GPO to the domain.

Task 2: Use the GPMC to Link the VSG EC Domain Policy to the Domain

You are now ready to link the domain GPO to the domain. The following instructions describe how to use the GPMC on a computer running Windows Vista to link the VSG EC Domain Policy to the domain.

To link the VSG EC Domain Policy

1. Click Start, click All Programs, click Accessories, and then click Run. (Or press the Windows logo key+R.)

2. In the Open text box, type gpmc.msc and then click OK.

3. Under the Domains tree, right-click the domain, and then click Link an existing GPO.

4. In the Select GPO dialog box, click the VSG EC Domain Policy GPO, and then click OK.

5. In the details pane, select the VSG EC Domain Policy, and then click the Move link to top button.

Important Ensure that the VSG EC Domain Policy has its Link Order set to 1. Failure to do this will cause other GPOs linked to the domain, such as the Default Domain Policy GPO, to overwrite the VSG EC Domain Policy settings.


Task 3: Use the GPMC to Check Your Results

You can use the GPMC to check the results of the script. The following procedure describes how to use the GPMC on a computer running Windows Vista to verify the GPOs and OU structure that the GPOAccelerator creates for you.

To verify the results of the GPOAccelerator

1. Click Start, click All Programs, click Accessories, and then click Run.

2. In the Open text box, type gpmc.msc and then click OK.

3. Click the appropriate forest, click Domains, and then click your domain.

4. Click and expand the Vista Security Guide EC Client OU, and then click each of the child OUs below it to open them.

5. Verify your OU structure and GPO links match the following figure.

Figure 3.1. The GPMC view of the OU structure and GPO links that the GPOAccelerator creates

All of the GPOs that the GPOAccelerator creates are fully populated with the settings that this guide prescribes. You can now use the Active Directory Users and Computers tool to test the design by moving users and computers into their respective OUs. For details about the settings contained in each GPO, see "Appendix A: Security Group Policy Settings," which accompanies the Windows Vista Security Guide.


Deploy the Design in a Production Environment

To save time, you can use the GPOAccelerator to create the GPOs for the EC environment. Then you can link the GPOs to the appropriate OUs in your existing structure. In larger domains with a large number of OUs, you will need to consider how to use your existing OU structure to deploy the GPOs.

Microsoft recommends keeping computer OUs distinct from user OUs. Client workstations, such as laptop and desktop computers, should also be organized in their own OUs. If such a structure is not possible in your environment, you may need to modify the GPOs. You can use the settings reference in "Appendix A: Security Group Policy Settings," which accompanies the Windows Vista Security Guide, to help you decide what modifications may be necessary.

Note As discussed in the previous section, you can use the GPOAccelerator with the /LAB option in a test environment to create the sample OU structure. However, environments with a flexible OU structure can also use this option in a production environment to create a basic OU structure, and automatically link the GPOs. Then you can manually modify the OU structure to meet the requirements of your environment.

Deployment Tasks

To deploy the design in a production environment, complete the following key tasks:

1. Create the GPOs.

2. Use the GPMC to check your results.

3. Use the GPMC to link the GPOs to the OUs.

Task 1: Create the GPOs

You create the EC GPOs described in this guidance using the GPOAccelerator. The GPOAccelerator is located in the GPOAccelerator folder that the Microsoft Windows Installer (.msi) file creates for you in the Program Files folder.

Note You can also simply copy the GPOAccelerator folder from a computer where the folder is installed to another computer that you want to use to run the script. The GPOAccelerator folder and subfolders for it must be present on the local computer for the script to run as described in the following procedure.

To create the GPOs in a production environment

1. Log on as a domain administrator to a computer running Windows Vista that is joined to the AD DS domain in which you will create the GPOs.

2. On the computer, click Start, click All Programs, and then click GPOAccelerator.

3. Open the GPOAccelerator Tool folder.

4. Right-click the Command-line Here.cmd file, and then click Run as administrator to open a command prompt with full domain administrative privileges.

Note If prompted for logon credentials, type your user name and password, and then press ENTER.

5. At the command prompt, type cscript GPOAccelerator.wsf /Vista /Enterprise and then press ENTER.


6. In the Click Yes to continue, or No to exit the script message box, click Yes.

Note This step can take several minutes.

7. In The Enterprise GPOs are created message box, click OK.

8. In the Make sure to link the Enterprise GPOs to the appropriate OUs message box, click OK.

Task 2: Use the GPMC to Check Your Results

You can use the GPMC to ensure that the script has successfully created all of the GPOs. The following procedure describes how to use the GPMC on a computer running Windows Vista to verify the GPOs that the GPOAccelerator creates.

To verify the results of the GPOAccelerator

1. Click Start, click All Programs, click Accessories, and then click Run.

2. In the Open text box, type gpmc.msc and then click OK.

3. Click the appropriate forest, click Domains, and then click your domain.

4. Click and expand Group Policy Objects, and then verify that the VSG EC GPOs have been created according to those listed in the following figure.

Figure 3.2. The GPMC view of the EC GPOs that the GPOAccelerator creates

You can now use the GPMC to link each GPO to the appropriate OU. The final task in this process explains how to do this.


Task 3: Use the GPMC to Link the GPOs to the OUs

The following procedure describes how to use the GPMC on a computer running Windows Vista to accomplish this task.

To link the GPOs in a production environment

1. Click Start, click All Programs, click Accessories, and then click Run.

2. In the Open text box, type gpmc.msc and then click OK.

3. Under the Domains tree, right-click the domain, and then click Link an existing GPO.

Note You also can drag a GPO from under the Group Policy objects node to an OU. However, you can only perform this drag-and-drop operation within the same domain.

4. In the Select GPO dialog box, click the VSG EC Domain Policy GPO, and then click OK.

5. In the details pane, select the VSG EC Domain Policy, and then click the Move link to top button.

Important Ensure that the VSG EC Domain Policy has its Link Order set to 1. Link order 1 is the highest precedence among the GPOs linked to the domain; if another domain-linked GPO, such as the Default Domain Policy GPO, has higher precedence, its conflicting settings override the VSG EC Domain Policy settings.

6. Right-click the Windows Vista Users OU node, and then choose the Link an existing GPO option.

7. In the Select GPO dialog box, click the VSG EC Users Policy GPO, and then click OK.

8. Right-click the Desktop OU node, and then choose the Link an existing GPO option.

9. In the Select GPO dialog box, click the VSG EC Desktop Policy GPO, and then click OK.

10. Right-click the Laptop OU node, and then choose the Link an existing GPO option.

11. In the Select GPO dialog box, click the VSG EC Laptop Policy GPO, and then click OK.

12. Repeat these steps for any additional user or computer OUs that you created to link them to the appropriate GPOs.

To confirm the GPO linkages using the GPMC

Expand the Group Policy Objects node, select the GPO, then in the details pane, click the Scope tab and note the information in the Link Enabled and Path columns.

– Or –

Select the OU, and then in the details pane, click the Linked Group Policy Objects tab and note the information in the Link Enabled and GPO columns.

Note You can use the GPMC to unlink the GPOs and, optionally, delete them. Then use the GPMC, or the Active Directory Users and Computers console, to delete any OUs that you no longer need. To completely undo all Active Directory modifications made by the GPOAccelerator, you must also manually delete the EC-VSGAuditPolicy.cmd, EC-ApplyAuditPolicy.cmd, and EC-AuditPolicy.txt files from the NETLOGON share of one of your domain controllers. For additional details on how to completely remove the implementation of the Audit policy, refer to the "Audit Policy" section in Appendix A, "Security Group Policy Settings."

All of the GPOs that the GPOAccelerator creates are fully populated with the settings that this guide prescribes. You can now use the Active Directory Users and Computers tool to test the design by moving users and computers into their respective OUs. For details about the settings contained in each GPO, see "Appendix A: Security Group Policy Settings," which accompanies the Windows Vista Security Guide.

GPMC and SCE Extensions

The solution presented in this guidance uses GPO settings that do not display in the standard user interface (UI) for the GPMC in Windows Vista or the Security Configuration Editor (SCE). These settings, which are all prefixed with MSS:, were developed by the Microsoft Solutions for Security group for previous security guidance.

For this reason, you need to extend these tools so that you can view the security settings and edit them as required. To accomplish this, the GPOAccelerator automatically updates your computer while it creates the GPOs. Use the following procedure to update the SCE on a computer running Windows Vista.

To modify the SCE to display MSS settings

1. Ensure that you have met the following prerequisites:

The computer is joined to the Active Directory domain in which you created the GPOs.

The GPOAccelerator is installed.

Note You can also simply copy the GPOAccelerator folder from a computer on which you have installed the tool to another computer that you want to use to run the script. The GPOAccelerator folder and subfolders must be present on the local computer for the script to run as described in this procedure.

2. Log on to the computer running Windows Vista as an administrator.

3. On the computer, click Start, click All Programs, and then click GPOAccelerator.

4. Right-click the Command-line Here.cmd file, and then click Run as administrator to open a command prompt with full administrative privileges.

Note If prompted for logon credentials, type your user name and password, and then press ENTER.

5. At the command prompt, type cscript GPOAccelerator.wsf /ConfigSCE and then press ENTER.

6. In the Click Yes to continue, or No to exit the script message box, click Yes.

7. In The Security Configuration Editor is updated message box, click OK.

Note This script only modifies SCE to display MSS settings; it does not create GPOs or OUs.


The following procedure removes the additional MSS security settings, and then resets the SCE to the default settings in Windows Vista.

To reset the SCE to the default settings in Windows Vista

1. Log on to the computer running Windows Vista as an administrator.

2. On the computer, click Start, click All Programs, and then click GPOAccelerator.

3. Right-click the Command-line Here.cmd file, and then click Run as administrator to open a command prompt with full administrative privileges.

Note If prompted for logon credentials, type your user name and password, and then press ENTER.

4. At the command prompt, type cscript GPOAccelerator.wsf /ResetSCE and then press ENTER.

5. In the Click Yes to continue, or No to exit the script message box, click Yes.

Note Completing this procedure reverts the SCE on your computer to the default settings in Windows Vista. Any settings added to the default SCE are removed. This will only affect the ability to view the settings with the SCE. Configured Group Policy settings remain in place.

6. In The Security Configuration Editor is updated message box, click OK.

Security Templates

Security Templates are provided so that if you want to build your own policies, rather than use or modify the policies prescribed in Windows Vista Security Guide, you can import the relevant security settings. Security Templates are text files that contain security setting values. They are subcomponents of the GPOs. You can modify the policy settings that are contained in the Security Templates in the MMC Group Policy Object Editor snap-in. Unlike some previous versions of the Windows operating system, Windows Vista does not come with predefined Security Templates.

Security Templates are included with the GPOAccelerator. The following templates for the EC environment are located in the GPOAccelerator\Security Templates\VSG folder:

VSG EC Desktop.inf

VSG EC Domain.inf

VSG EC Laptop.inf

Important You do not need to use the Security Templates to deploy the solution described in this guide. The templates provide an alternative to the GPMC-based solution, and only cover computer security settings that appear under Computer Configuration\Windows Settings\Security Settings. For example, you cannot manage Internet Explorer or Windows Firewall settings in the GPOs using a Security Template, and user settings are not included.

Using Security Templates

If you want to use the Security Templates you must first extend the SCE so that the custom MSS security settings display in the UI. See the procedure in the previous "GPMC and SCE Extensions" section in this chapter for details. When you can view the templates, you can use the following procedure to import them as needed into the GPOs that you have created.

To import a Security Template into a GPO

1. Open the Group Policy Object Editor for the GPO you want to modify; to do this in the GPMC, right-click the GPO, and then click Edit.

2. In the Group Policy Object Editor, browse to the Windows Settings folder.

3. Expand the Windows Settings folder, and then select Security Settings.

4. Right-click the Security Settings folder, and then click Import Policy.

5. Browse to the VSG folder in the \Program Files\GPOAccelerator\Security Templates folder.

6. Select the Security Template that you want to import, and then click Open.

You can also use the Security Templates supplied with this guide to modify the local security policy on stand-alone client computers running Windows Vista. The GPOAccelerator simplifies the process to apply the templates.

To apply the Security Templates to modify the local Group Policy on a stand-alone client computer running Windows Vista

1. Log on as an administrator to a computer running Windows Vista.

2. On the computer, click Start, click All Programs, and click GPOAccelerator.

3. Right-click the Command-line Here.cmd file, and then click Run as administrator to open a command prompt with full administrative privileges.

Note If prompted for logon credentials, type your user name and password, and then press ENTER.

4. At the command prompt, type cscript GPOAccelerator.wsf /Enterprise /Desktop or cscript GPOAccelerator.wsf /Enterprise /Laptop and then press ENTER.

Completing this procedure modifies the local security policy settings using the values in the Security Templates for the EC environment.

To restore local Group Policy to the default settings in Windows Vista

1. Log on as an administrator to a client computer running Windows Vista.

2. On the computer, click Start, click All Programs, and click GPOAccelerator.

3. Right-click the Command-line Here.cmd file, and then click Run as administrator to open a command prompt with full administrative privileges.

Note If prompted for logon credentials, type your user name and password, and then press ENTER.

4. At the command prompt, type cscript GPOAccelerator.wsf /Restore, and then press ENTER.

Completing this procedure restores the local security policy settings to their default values in Windows Vista.
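The two procedures above apply a template to the local policy and restore the defaults, but neither shows you beforehand what will change, or afterwards whether the computer still matches the template. The following PowerShell is an added example, not part of the guide or of the GPOAccelerator: it parses the [Registry Values] section of a secedit-format Security Template (the section that carries the Security Options and the MSS: settings) and compares each entry with the local registry without modifying anything. The template path is an assumption based on the folder layout described in this chapter, and the inline sample template is constructed for the example; it does not reproduce the guide's settings.

```powershell
# Added example (not from the guide or the GPOAccelerator): preview or audit a Security
# Template's [Registry Values] entries against the local registry, read-only.
# Assumption: the template path below follows the folder layout described in the guide.
$templatePath = 'C:\Program Files\GPOAccelerator\Security Templates\VSG\VSG EC Desktop.inf'

# Constructed sample in the secedit .inf format: MACHINE\<key>\<value name>=<type>,<data>
# type codes: 1 = REG_SZ, 3 = REG_BINARY, 4 = REG_DWORD, 7 = REG_MULTI_SZ
$sampleTemplate = @'
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting=4,2
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

function Read-TemplateRegistryValues([string[]]$Lines) {
    # Yields one object per entry of the [Registry Values] section; other sections are ignored.
    $inSection = $false
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Registry Values'); continue }
        if (-not $inSection -or $line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^MACHINE\\(.+)\\([^\\=]+)=(\d+),(.*)$') {
            $type = [int]$Matches[3]
            $data = $Matches[4]
            $expected = switch ($type) {
                4       { [uint32]$data }            # REG_DWORD
                7       { @($data -split ',') }      # REG_MULTI_SZ, comma separated in .inf
                1       { $data.Trim('"') }          # REG_SZ, quoted in .inf
                default { $data }
            }
            [pscustomobject]@{
                Key      = 'HKLM:\' + $Matches[1]
                Name     = $Matches[2]
                Type     = $type
                Expected = $expected
            }
        }
    }
}

function Compare-TemplateWithRegistry([string[]]$Lines) {
    foreach ($e in Read-TemplateRegistryValues $Lines) {
        $actual = $null
        if (Test-Path -Path $e.Key) {
            $actual = (Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        }
        # REG_DWORD comes back as a signed Int32; normalise so 0xFFFFFFFF compares as 4294967295.
        if ($e.Type -eq 4 -and $actual -is [int]) { $actual = [uint32]($actual -band 0xFFFFFFFF) }
        $expected = @($e.Expected) -join ','
        $observed = @($actual) -join ','
        $state = if ($null -eq $actual) { 'NotSet' } elseif ($observed -eq $expected) { 'Match' } else { 'Mismatch' }
        [pscustomobject]@{
            State    = $state
            Setting  = "$($e.Key)\$($e.Name)"
            Expected = $expected
            Actual   = $observed
        }
    }
}

# Use the real template when the GPOAccelerator is installed, otherwise the constructed sample.
$lines = if (Test-Path -LiteralPath $templatePath) { Get-Content -LiteralPath $templatePath } else { $sampleTemplate }
Compare-TemplateWithRegistry $lines | Sort-Object State, Setting | Format-Table -AutoSize
```

Run it before cscript GPOAccelerator.wsf /Enterprise /Desktop to see which values the template will change, and again afterwards (or periodically) to catch drift; every row should then read Match. The parser covers only the [Registry Values] section, so user rights ([Privilege Rights]), account policy ([System Access]) and event log settings are not compared; secedit /analyze covers those. The script never writes to the registry, so the /Restore procedure above remains the only rollback path you need.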


Subdirectories and Files

When you run the Windows Installer (.msi) file, it creates the GPOAccelerator folder in the Program Files folder on your computer. The .msi file also creates a subfolder structure in the GPOAccelerator folder.

More Information

The following resources provide additional information about Windows Vista security-related topics on Microsoft.com:

Administering Group Policy.

Enterprise Management with the Group Policy.

Loopback Processing of Group Policy.

Migrating GPOs.

Step-by-Step Guide to Understanding the Group Policy.

Step-by-Step Guide to Using the Delegation of Control Wizard.

Summary of New or Expanded Group Policy.

Windows Vista.


Chapter 4: Using the GPOAccelerator with Windows XP

After you read the Windows XP Security Guide, you can use the tasks and procedures in this chapter with the GPOAccelerator to create the GPOs and OUs needed to build, test, and deploy the Enterprise Client (EC) environment that the guide prescribes in your production environment.

Important The tasks and procedures in this chapter are specific to creating and testing the GPO settings and the sample OU structure for the Enterprise Client (EC) environment that the guide prescribes. You can use a different set of options with the same tasks and procedures in this chapter to create the Specialized Security – Limited Functionality (SSLF) environment. For more information about SSLF options, see Chapter 1, "GPOAccelerator Command-Line Options and User Interface."

The GPOAccelerator automatically creates all the GPOs and OUs that you need to apply the security guidance for Windows® XP. You do not need to spend time editing policy settings and applying templates manually.

Implementing the Security Policies

Implementing the security design for the two environments described in this guidance requires you to use the Group Policy Management Console (GPMC), and GPMC-based scripts. You must download and install the GPMC before using the GPOAccelerator with Windows XP or Windows Server® 2003. You can download the GPMC from the Enterprise Management with the Group Policy page on the Microsoft Web site. If you are not running Windows Server 2003 R2, you must also install .NET Framework version 1.1.

Important You must perform all of the procedures in this chapter on a client computer running Windows XP that is joined to an AD DS domain. In addition, the user who performs the procedures must be a member of the Domain Admins group or have been delegated equivalent privileges. If you use the Windows Vista or Windows Server 2008 operating systems, some security settings will differ from those documented in the Windows XP Security Guide.

Implementation Tasks

To implement the security design, there are a few key tasks to complete:

1. Create the EC environment.

2. Use the GPMC to link the XP EC Domain Policy to the domain.

3. Use the GPMC to check your results.

Similarly, you also use these steps to configure security for each server role in your environment.


The GPOAccelerator Tool

This section of the chapter describes these tasks and procedures and the functionality of the GPOAccelerator, which automatically creates the prescribed GPOs. This section also includes information about how to use the GPMC to check the GPOs created by the tool. The Windows XP Security Guide Settings workbook that also accompanies the Windows XP Security Guide provides another resource that you can use to compare setting values.

The GPOAccelerator

The main feature of this script is that it automatically creates all the GPOs you need to apply this guidance. You do not need to spend a lot of time manually editing policy settings and applying templates. For computers in the EC environment, the script creates the following four GPOs:

XP EC Domain Policy for the domain.

XP EC Desktop Policy for desktop computers.

XP EC Laptop Policy for laptop computers.

XP EC Users Policy for users.

Use the GPOAccelerator to complete the following tasks:

Test the design in a lab environment. In your test environment, use the GPOAccelerator to create an OU structure, create the GPOs, and then automatically link the GPOs to the OUs. After you complete the test phase of the implementation, you can use the script in your production environment.

Deploy the design in a production environment. When you start working in your production environment to implement the solution, you must first create a suitable OU structure or modify an existing set of OUs. You can then use the GPOAccelerator to create the GPOs, and then link the newly created GPOs to the appropriate OUs in your environment.

Test the Design in a Lab Environment

The GPOs that the GPOAccelerator creates have been thoroughly tested. However, it is important to perform your own testing in your own environment. To save time, you can use the GPOAccelerator to create the prescribed GPOs and the recommended OU structure, and then automatically link the GPOs to the OUs.

Design Test Tasks

To test the design in a lab environment, complete the following key tasks:

1. Create the EC environment.

2. Use the GPMC to link the XP EC Domain Policy to the domain.

3. Use the GPMC to check your results.


Task 1: Create the EC Environment

The GPOAccelerator is located in the GPOAccelerator folder that the Microsoft Windows Installer (.msi) file creates in the Program Files folder.

Note The GPOAccelerator folder and subfolders for it must be present on the local computer for the script to run as described in the following procedure.

To create the GPOs and link them to the appropriate OUs in a lab environment

1. Log on as a domain administrator to a computer running Windows XP that is joined to the AD DS domain in which you will create the GPOs.

2. On the computer, click Start, click All Programs, and then click GPOAccelerator.

3. Click the Command-line Here.cmd file.

4. At the command prompt, type cscript GPOAccelerator.wsf /XP /Enterprise /LAB and then press ENTER.

5. In the Click Yes to continue, or No to exit the script message box, click Yes.

Note This step can take several minutes.

6. In The Enterprise Lab Environment is created message box, click OK.

7. In the Make sure to link the Enterprise Domain GPO to your domain message box, click OK, and then complete the steps in the next task to link the XP EC Domain Policy.

Note The domain level Group Policy includes settings that apply to all computers and users in the domain. It is important to be able to decide when to link the domain GPO, as this GPO applies to all users and computers. For this reason, the GPOAccelerator does not automatically link the domain GPO to the domain.

Task 2: Use the GPMC to Link the XP EC Domain Policy to the Domain

You are now ready to link the domain GPO to the domain. The following instructions describe how to use the GPMC on a computer running Windows XP to link the XP EC Domain Policy to the domain.

To link the XP EC Domain Policy

1. Click Start, click All Programs, click Accessories, and then click Run. (Or press the Windows logo key+R.)

2. In the Open text box, type gpmc.msc and then click OK.

3. Under the Domains tree, right-click the domain, and then click Link an existing GPO.

4. In the Select GPO dialog box, click the XP EC Domain Policy GPO, and then click OK.

5. In the details pane, select the XP EC Domain Policy, and then click the Move link to top button.

Important Ensure that the XP EC Domain Policy has its Link Order set to 1. Link order 1 is the highest precedence among the GPOs linked to the domain; if another domain-linked GPO, such as the Default Domain Policy GPO, has higher precedence, its conflicting settings override the XP EC Domain Policy settings.


Task 3: Use the GPMC to Check Your Results

You can use the GPMC to check the results of the script. The following procedure describes how to use the GPMC on a computer running Windows XP to verify the GPOs and OU structure that the GPOAccelerator creates for you.

To verify the results of the GPOAccelerator

1. Click Start, click All Programs, click Accessories, and then click Run.

2. In the Open text box, type gpmc.msc, and then click OK.

3. Click the appropriate forest, click Domains, and then click your domain.

4. Click and expand the XP Security Guide EC Client OU, and then click each of the child OUs below it to open them.

5. Verify your OU structure and GPO links match the following figure.

Figure 4.1. The GPMC view of the OU structure and GPO links that the GPOAccelerator creates

All of the GPOs that the GPOAccelerator creates are fully populated with the settings that this guidance prescribes. You can now use the Active Directory Users and Computers tool to test the design by moving users and computers into their respective OUs. For details about the settings contained in each GPO, see the Windows XP Security Guide.


Deploy the Design in a Production Environment

To save time, you can use the GPOAccelerator to create the GPOs for the EC environment. Then you can link the GPOs to the appropriate OUs in your existing structure. In larger domains with a large number of OUs, you will need to consider how to use your existing OU structure to deploy the GPOs.

Microsoft recommends keeping computer OUs distinct from user OUs. Client workstations, such as laptop and desktop computers, should also be organized in their own OUs. If such a structure is not possible in your environment, you may need to modify the GPOs.

Note As discussed in the previous section, you can use the GPOAccelerator with the /LAB option in a test environment to create the sample OU structure. However, environments with a flexible OU structure can also use this option in a production environment to create a basic OU structure, and automatically link the GPOs. Then you can manually modify the OU structure to meet the requirements of your environment.

Deployment Tasks

To deploy the design in a production environment, complete the following key tasks:

1. Create the GPOs.

2. Use the GPMC to check your results.

3. Use the GPMC to link the GPOs to the OUs.

Task 1: Create the GPOs

You create the EC GPOs described in this guidance using the GPOAccelerator. The GPOAccelerator is located in the GPOAccelerator folder that the Microsoft Windows Installer (.msi) file creates for you in the Program Files folder.

Note You can also simply copy the GPOAccelerator folder from a computer where the folder is installed to another computer that you want to use to run the script. The GPOAccelerator folder and subfolders for it must be present on the local computer for the script to run as described in the following procedure.

To create the GPOs in a production environment

1. Log on as a domain administrator to a computer running Windows XP that is joined to the AD DS domain in which you will create the GPOs.

2. On the computer, click Start, click All Programs, and then click GPOAccelerator.

3. Open the GPOAccelerator Tool folder.

4. Click the Command-line Here.cmd file.

5. At the command prompt, type cscript GPOAccelerator.wsf /XP /Enterprise and then press ENTER.

6. In the Click Yes to continue, or No to exit the script message box, click Yes.

Note This step can take several minutes.

7. In The Enterprise GPOs are created message box, click OK.

8. In the Make sure to link the Enterprise GPOs to the appropriate OUs message box, click OK.


Task 2: Use the GPMC to Check Your Results

You can use the GPMC to ensure that the script has successfully created all of the GPOs. The following procedure describes how to use the GPMC on a computer running Windows XP to verify the GPOs that the GPOAccelerator creates.

To verify the results of the GPOAccelerator

1. Click Start, click All Programs, click Accessories, and then click Run.

2. In the Open text box, type gpmc.msc and then click OK.

3. Click the appropriate forest, click Domains, and then click your domain.

4. Click and expand Group Policy Objects, and then verify that the XP EC GPOs have been created according to those listed in the following figure.

Figure 4.2. The GPMC view of the EC GPOs that the GPOAccelerator creates

You can now use the GPMC to link each GPO to the appropriate OU. The final task in this process explains how to do this.


Task 3: Use the GPMC to Link the GPOs to the OUs

The following procedure describes how to use the GPMC on a computer running Windows XP to accomplish this task.

To link the GPOs in a production environment

1. Click Start, click All Programs, click Accessories, and then click Run.

2. In the Open text box, type gpmc.msc and then click OK.

3. Under the Domains tree, right-click the domain, and then click Link an existing GPO.

Note You also can drag a GPO from under the Group Policy objects node to an OU. However, you can only perform this drag-and-drop operation within the same domain.

4. In the Select GPO dialog box, click the XP EC Domain Policy GPO, and then click OK.

5. In the details pane, select the XP EC Domain Policy, and then click the Move link to top button.

Important Ensure that the XP EC Domain Policy has its Link Order set to 1. Link order 1 is the highest precedence among the GPOs linked to the domain; if another domain-linked GPO, such as the Default Domain Policy GPO, has higher precedence, its conflicting settings override the XP EC Domain Policy settings.

6. Right-click the Windows XP Users OU node, and then choose the Link an existing GPO option.

7. In the Select GPO dialog box, click the XP EC Users Policy GPO, and then click OK.

8. Right-click the Desktop OU node, and then choose the Link an existing GPO option.

9. In the Select GPO dialog box, click the XP EC Desktop Policy GPO, and then click OK.

10. Right-click the Laptop OU node, and then choose the Link an existing GPO option.

11. In the Select GPO dialog box, click the XP EC Laptop Policy GPO, and then click OK.

12. Repeat these steps for any additional user or computer OUs that you created to link them to the appropriate GPOs.

To confirm the GPO linkages using the GPMC

Expand the Group Policy Objects node, select the GPO, then in the details pane, click the Scope tab and note the information in the Link Enabled and Path columns.

– Or –

Select the OU, and then in the details pane, click the Linked Group Policy Objects tab and note the information in the Link Enabled and GPO columns.

Note You can use the GPMC to unlink the GPOs and, optionally, delete them. Use the GPMC, or the Active Directory Users and Computers console, to delete any OUs that you no longer need.
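The linking and confirmation procedure above, and the identical one for the VSG EC GPOs in the Windows Vista chapter, can be done from PowerShell on a current management host, which also lets you enforce the Link Order 1 requirement as a check rather than a reminder. The script below is an added example, not part of the guide or of the GPOAccelerator. It assumes the RSAT GroupPolicy and ActiveDirectory modules (Windows 7 or Windows Server 2008 R2 and later; these cmdlets do not exist on Windows XP or Vista themselves), a domain-joined management host, and a domain administrator session. The OU names are those of the sample /LAB structure and are assumptions; replace them with the OUs of your own production design.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
# Added example (not from the guide or the GPOAccelerator): link the four EC GPOs and
# verify the result, replacing the GPMC clicks in Task 3. Assumptions: RSAT modules,
# domain-joined host, domain administrator session, and the sample OU names below.
param(
    [ValidateSet('VSG EC', 'XP EC')]
    [string]$Prefix    = 'XP EC',                 # 'VSG EC' for the Windows Vista guide
    [string]$UsersOU   = 'Windows XP Users',      # 'Windows Vista Users' for the Vista guide
    [string]$DesktopOU = 'Desktop',
    [string]$LaptopOU  = 'Laptop'
)

$domainDN = (Get-ADDomain).DistinguishedName

function Get-OUDistinguishedName([string]$Name) {
    # Look the OU up by name instead of hard-coding the hierarchy under the guide's client OU.
    $ou = @(Get-ADOrganizationalUnit -Filter "Name -eq '$Name'")
    if ($ou.Count -ne 1) { throw "Expected exactly one OU named '$Name', found $($ou.Count)" }
    $ou[0].DistinguishedName
}

function Assert-GpoExists([string]$Name) {
    # Task 2 ("check your results"): Get-GPO throws if the GPOAccelerator did not create the GPO.
    $null = Get-GPO -Name $Name -ErrorAction Stop
}

function Set-PolicyLink([string]$Gpo, [string]$Target, [int]$Order = 0) {
    # Idempotent: re-running the script updates an existing link instead of failing.
    $existing = (Get-GPInheritance -Target $Target).GpoLinks | Where-Object { $_.DisplayName -eq $Gpo }
    $linkArgs = @{ Name = $Gpo; Target = $Target; LinkEnabled = 'Yes' }
    if ($Order -gt 0) { $linkArgs.Order = $Order }
    if ($existing) { Set-GPLink @linkArgs | Out-Null } else { New-GPLink @linkArgs | Out-Null }
}

function Test-DomainLinkOrder([string]$Gpo, [string]$Target) {
    # The guide's "Important" note: link order 1 is the highest precedence among the links on
    # this container, so the EC domain policy wins conflicts with the Default Domain Policy.
    $link = (Get-GPInheritance -Target $Target).GpoLinks | Where-Object { $_.DisplayName -eq $Gpo }
    if (-not $link)         { throw "$Gpo is not linked to $Target" }
    if (-not $link.Enabled) { throw "$Gpo is linked to $Target but the link is disabled" }
    if ($link.Order -ne 1)  { throw "$Gpo has link order $($link.Order) on $Target; move it to 1" }
    $link
}

$plan = @(
    @{ Gpo = "$Prefix Domain Policy";  Target = $domainDN;                             Order = 1 }
    @{ Gpo = "$Prefix Users Policy";   Target = (Get-OUDistinguishedName $UsersOU) }
    @{ Gpo = "$Prefix Desktop Policy"; Target = (Get-OUDistinguishedName $DesktopOU) }
    @{ Gpo = "$Prefix Laptop Policy";  Target = (Get-OUDistinguishedName $LaptopOU) }
)

# 1. All four GPOs must exist before anything is linked.
$plan | ForEach-Object { Assert-GpoExists $_.Gpo }

# 2. Link each GPO to its container (the domain policy first, at order 1).
foreach ($p in $plan) { Set-PolicyLink @p }

# 3. Verify: fail hard on the domain link order, then print the equivalent of the GPMC
#    "Linked Group Policy Objects" tab (Link Enabled, order, GPO) for every container touched.
$null = Test-DomainLinkOrder -Gpo "$Prefix Domain Policy" -Target $domainDN
$plan | ForEach-Object { $_.Target } | Select-Object -Unique | ForEach-Object {
    $t = $_
    (Get-GPInheritance -Target $t).GpoLinks |
        Select-Object @{ n = 'Target'; e = { $t }.GetNewClosure() }, Order, DisplayName, Enabled, Enforced
} | Format-Table -AutoSize
```

Link order only ranks the links on one container. An Enforced link higher in the tree, or Block Inheritance on an OU, changes what a client actually receives, so for each client OU also inspect (Get-GPInheritance -Target $ou).InheritedGpoLinks, which lists the effective order, and confirm on a test computer with gpresult before moving production computers into the OUs.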

All of the GPOs that the GPOAccelerator creates are fully populated with the settings that the Windows XP Security Guide prescribes. You can now use the Active Directory Users and Computers tool to test the design by moving users and computers into their respective OUs. For details about the settings contained in each GPO, see the Windows XP Security Guide.


GPMC and SCE Extensions

The solution presented in this guidance uses GPO settings that do not display in the standard user interface (UI) for the GPMC in Windows XP or the Security Configuration Editor (SCE). These settings, which are all prefixed with MSS:, were developed by the Microsoft Solutions for Security group for previous security guidance.

For this reason, you need to extend these tools so that you can view the security settings and edit them as required. To accomplish this, the GPOAccelerator automatically updates your computer while it creates the GPOs. Use the following procedure to update the SCE on a computer running Windows XP.

To modify the SCE to display MSS settings

1. Ensure that you have met the following prerequisites:

The computer is joined to the Active Directory domain in which you created the GPOs.

The GPOAccelerator is installed.

Note You can also simply copy the GPOAccelerator folder from a computer on which you have installed the tool to another computer that you want to use to run the script. The GPOAccelerator folder and subfolders must be present on the local computer for the script to run as described in this procedure.

2. Log on to the computer running Windows XP as an administrator.

3. On the desktop, click Start, click All Programs, and then click GPOAccelerator.

4. Click the Command-line Here.cmd file.

5. At the command prompt, type cscript GPOAccelerator.wsf /ConfigSCE and then press ENTER.

6. In the Click Yes to continue, or No to exit the script message box, click Yes.

7. In The Security Configuration Editor is updated message box, click OK.

Note This script only modifies the SCE to display MSS settings. This script does not create GPOs or OUs.
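Because /ConfigSCE changes only what the editor displays, an administrator opening a GPO on a computer where it has not been run sees no MSS: settings even though the GPO applies them. The following PowerShell is an added example, not part of the guide or of the GPOAccelerator (it applies equally to the Windows Vista procedure in the previous chapter): it reports whether the local SCE has been extended and lists the MSS: entries it will show. It rests on one assumption, that SCE builds its Security Options list from the subkeys of the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values, one subkey per registry-backed option with a DisplayName value, and that /ConfigSCE registers the MSS: entries there while /ResetSCE removes them.

```powershell
# Added example (not from the guide or the GPOAccelerator): check whether this computer's
# Security Configuration Editor has been extended with the MSS: settings.
# Assumption: SCE reads the options it displays from the "SeCEdit\Reg Values" key below.
$sceRegValues = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values'

function Get-SceMssSetting {
    # Subkey names are the setting's registry path with "/" in place of "\" (a backslash
    # would be read as a key separator), e.g. MACHINE/System/CurrentControlSet/...
    Get-ChildItem -Path $sceRegValues -ErrorAction Stop | ForEach-Object {
        $item = Get-ItemProperty -Path $_.PSPath
        if ($item.DisplayName -like 'MSS:*') {
            [pscustomobject]@{
                Setting     = $_.PSChildName -replace '/', '\'
                DisplayName = $item.DisplayName
                ValueType   = $item.ValueType
            }
        }
    }
}

function Test-SceExtended {
    # $true when at least one MSS: option is registered for display.
    @(Get-SceMssSetting).Count -gt 0
}

if (Test-SceExtended) {
    $mss = @(Get-SceMssSetting | Sort-Object Setting)
    "SCE on $env:COMPUTERNAME displays $($mss.Count) MSS: settings:"
    $mss | Format-Table -AutoSize -Wrap
} else {
    # The GPOs still apply the MSS: values; only the editor view is missing (see the Note above).
    Write-Warning "No MSS: settings are registered in SCE on $env:COMPUTERNAME; run 'cscript GPOAccelerator.wsf /ConfigSCE' on this computer to view and edit them."
}
```

Run it on every workstation from which administrators edit the EC GPOs; a computer that reports no MSS: entries will silently hide those settings in the Group Policy Object Editor, and a template imported from such a computer cannot be checked for them in the UI. After /ResetSCE the same script should report none.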

The following procedure removes the additional MSS security settings, and then resets the SCE to the default settings in Windows XP.

To reset the SCE to the default settings in Windows XP

1. Log on to the computer running Windows XP as an administrator.

2. On the desktop, click Start, click All Programs, and then click GPOAccelerator.

3. Click the Command-line Here.cmd file.

4. At the command prompt, type cscript GPOAccelerator.wsf /ResetSCE and then press ENTER.

5. In the Click Yes to continue, or No to exit the script message box, click Yes.

Note Completing this procedure reverts the SCE on your computer to the default settings in Windows XP. Any settings added to the default SCE are removed. This will only affect the ability to view the settings with the SCE. Configured Group Policy settings remain in place.

6. In The Security Configuration Editor is updated message box, click OK.


Security Templates

Security Templates are provided so that, if you want to build your own policies rather than use or modify the policies prescribed in the Windows XP Security Guide, you can import the relevant security settings. Security Templates are text files that contain security setting values. They are subcomponents of the GPOs. You can modify the policy settings that are contained in the Security Templates in the MMC Group Policy Object Editor snap-in.

Security Templates are included with the GPOAccelerator. The following templates for the EC environment are located in the GPOAccelerator\Security Templates\XPG folder:

XP EC Desktop.inf

XP EC Domain.inf

XP EC Laptop.inf

Important You do not need to use the Security Templates to deploy the solution described in this guide. The templates provide an alternative to the GPMC-based solution, and only cover computer security settings that appear under Computer Configuration\Windows Settings\Security Settings. For example, you cannot manage Internet Explorer or Windows Firewall settings in the GPOs using a Security Template, and user settings are not included.

Using Security Templates

If you want to use the Security Templates you must first extend the SCE so that the custom MSS security settings display in the UI. See the procedure in the previous "GPMC and SCE Extensions" section in this chapter for details. When you can view the templates, you can use the following procedure to import them as needed into the GPOs that you have created.

To import a Security Template into a GPO

1. Open the Group Policy Object Editor for the GPO you want to modify; to do this in the GPMC, right-click the GPO, and then click Edit.

2. In the Group Policy Object Editor, browse to the Windows Settings folder.

3. Expand the Windows Settings folder, and then select Security Settings.

4. Right-click the Security Settings folder, and then click Import Policy.

5. Browse to the XPG folder in the \Program Files\GPOAccelerator\Security Templates folder.

6. Select the Security Template that you want to import, and then click Open.


You can also use the Security Templates supplied with this guide to modify the local security policy on stand-alone client computers running Windows XP. The GPOAccelerator simplifies the process to apply the templates.

To apply the Security Templates to modify local Group Policy on a stand-alone client computer running Windows XP

1. Log on as an administrator to a computer running Windows XP.

2. On the computer, click Start, click All Programs, and click GPOAccelerator.

3. Click the Command-line Here.cmd file.

4. At the command prompt, type cscript GPOAccelerator.wsf /Enterprise /Desktop or cscript GPOAccelerator.wsf /Enterprise /Laptop and then press ENTER.

Completing this procedure modifies the local security policy settings using the values in the Security Templates for the EC environment.

To restore a local Group Policy to the default settings in Windows XP

1. Log on as an administrator to a client computer running Windows XP.

2. On the computer, click Start, click All Programs, and click GPOAccelerator.

3. Click the Command-line Here.cmd file.

4. At the command prompt, type cscript GPOAccelerator.wsf /Restore and then press ENTER.

Completing this procedure restores the local security policy settings to their default values in Windows XP.
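The Security Templates described above are plain text files in the secedit .inf format, and an export of the local policy (secedit /export /cfg current.inf on the client) uses the same format. That makes it straightforward to check, after applying a template with /Enterprise /Desktop or /Enterprise /Laptop, that the local policy actually carries the values the template prescribes. The following Python script is an added example, not part of the GPOAccelerator or the Windows XP Security Guide: it parses two constructed INF samples (a template and an export, modelled on the XP EC Desktop template but not copied from it), compares the [System Access], [Event Audit] and [Registry Values] sections, and lists every setting that drifted or is missing. The registry paths in the sample are the standard locations behind the MSS: entries the guide mentions; the values themselves are made up for the demonstration.

```python
"""Compare a Security Template (.inf) against an exported local policy.

Added example for illustration only; the two INF texts below are constructed
samples in the secedit / Security Template format, not the real
'XP EC Desktop.inf'. On a client you would obtain the second file with
`secedit /export /cfg current.inf` and compare it against the template you applied.
"""

# Registry type codes used in the [Registry Values] section of a template.
REG_TYPES = {1: "REG_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}

# Sections whose key/value pairs are compared; other sections are ignored.
COMPARED_SECTIONS = ("System Access", "Event Audit", "Registry Values")

# Constructed sample: what the template prescribes.
TEMPLATE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 50
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 3
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\EnableICMPRedirect=4,0
MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\SafeDllSearchMode=4,1
MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ScreenSaverGracePeriod=1,"0"
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed sample: what a secedit export of the client might contain.
# PasswordComplexity and AuditPolicyChange were changed, ScreenSaverGracePeriod
# drifted, and SafeDllSearchMode is missing altogether.
CURRENT_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 0
LockoutBadCount = 50
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 0
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\EnableICMPRedirect=4,0
MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ScreenSaverGracePeriod=1,"5"
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_inf(text):
    """Return {section: {key: value}}. Keys keep their case; registry paths
    contain backslashes and spaces, so the line is split on the first '=' only."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def decode_registry_value(value):
    """Turn '4,0' into ('REG_DWORD', '0'); quotes around string data are removed."""
    type_code, _, data = value.partition(",")
    return REG_TYPES.get(int(type_code), f"type {type_code}"), data.strip().strip('"')


def compare_policies(template_text, current_text):
    """Return a list of (section, key, expected, actual) deviations, sorted by
    section and key. A key the template sets but the export lacks is reported
    with actual=None."""
    template = parse_inf(template_text)
    current = parse_inf(current_text)
    deviations = []
    for section in COMPARED_SECTIONS:
        for key, expected in template.get(section, {}).items():
            actual = current.get(section, {}).get(key)
            if section == "Registry Values":
                expected_cmp = decode_registry_value(expected)
                actual_cmp = decode_registry_value(actual) if actual is not None else None
            else:
                expected_cmp, actual_cmp = expected, actual
            if expected_cmp != actual_cmp:
                deviations.append((section, key, expected, actual))
    return sorted(deviations, key=lambda d: (d[0], d[1]))


if __name__ == "__main__":
    for section, key, expected, actual in compare_policies(TEMPLATE_INF, CURRENT_INF):
        print(f"[{section}] {key}: expected {expected!r}, found {actual!r}")
```

Run against real files, replace the two embedded strings with the contents of the template from the XPG folder and of the secedit export; an empty result means the local policy matches the template for the compared sections. The script deliberately ignores [Privilege Rights] and the service and file-system sections, whose entries are lists rather than single values and need a different comparison.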

Subdirectories and Files

When you run the Windows Installer (.msi) file, it creates the GPOAccelerator folder in the Program Files folder on your computer. The .msi file also creates a subfolder structure in the GPOAccelerator folder.

More Information

The following resources provide additional information about Windows XP security-related topics on Microsoft.com:

Administering Group Policy.

Enterprise Management with the Group Policy.

Loopback Processing of Group Policy.

Migrating GPOs.

Step-by-Step Guide to Understanding the Group Policy.

Step-by-Step Guide to Using the Delegation of Control Wizard.

Summary of New or Expanded Group Policy.

Windows XP.

Chapter 5: Using the GPOAccelerator with the 2007 Microsoft Office Release

After you read the 2007 Microsoft Office Security Guide and customize the Group Policy objects (GPOs) it identifies to meet your organization’s security requirements, you can use the GPOAccelerator to test your design, and then deploy it in your production environment.

The GPOs for Windows XP and Windows Vista are designed to work in conjunction with the GPOs defined in the 2007 Microsoft Office Security Guide. The testing and deployment of the 2007 Microsoft Office Security Guide assumes that you have already implemented the GPOs from either the Windows XP Security Guide or the Windows Vista Security Guide.

This chapter assumes that you have secured your operating system by following the recommendations of either the Windows XP Security Guide or the Windows Vista Security Guide.

The GPOAccelerator.msi file installs the GPOAccelerator tool along with related materials. The GPOAccelerator automatically creates all the GPOs that you need to implement either the Enterprise Client (EC) or the Specialized Security – Limited Functionality (SSLF) settings from the 2007 Microsoft Office Security Guide. The GPOAccelerator also supports the Windows XP Security Guide, the Windows Vista Security Guide, and the Windows Server 2008 Security Guide.

This chapter provides information about how to use the GPOAccelerator to perform the following tasks:

Test your customized Office GPO design in a lab environment. You will probably need to customize the GPOs that the GPOAccelerator deploys, and the OUs to which they are linked for your environment.

Deploy your customized Office GPO design in your production environment. You can do this after you finish testing and are satisfied that the deployed GPOs in the lab meet your organization’s security requirements.

For client computers in the EC environment, the GPOAccelerator script creates the following four GPOs:

Office EC Computer Policy for the computer.

Office EC Users Policy for users.

Office SSLF Computer Policy for the computer.

Office SSLF Users Policy for users.

For more information about specific GPOs, see the 2007 Microsoft Office Security Guide.

Using the GPOAccelerator to Test and Deploy Your Office Security Guide GPO Design

This section provides information about how to use the GPOAccelerator in an Active Directory® environment. However, most organizations have existing OUs and GPOs and use a variety of Active Directory services. It is important to test the GPO settings that the GPOAccelerator creates to ensure that they do not negatively affect application functionality in your environment. Information that appears later in this section describes how to deploy the GPOs that the GPOAccelerator creates in your environment.

Important The GPOs that the GPOAccelerator creates have been thoroughly tested. However, it is important to perform your own testing, in your own environment, with your own directory data.

Design Test Tasks

To test the design in a lab environment, complete the following key tasks:

1. Run the GPOAccelerator with the /Office option.

2. Use the GPMC to check your results and link the GPOs.

Task 1: Run GPOAccelerator with the /Office Option

The GPOAccelerator is located in the GPOAccelerator folder that the Microsoft Windows Installer (.msi) file creates in the Program Files folder.

Note The GPOAccelerator folder and subfolders for it must be present on the local computer for the script to run as described in the following procedure.

To create the GPOs in a lab environment

1. Log on as a domain administrator to a computer running either Windows Vista® or Windows® XP that is joined to a domain using Active Directory in which you will create the GPOs.

2. Click Start, click All Programs, point to GPOAccelerator, and then click Run GPOAccelerator Tool.

3. At the command prompt, type GPOAccelerator.wsf /Enterprise /Office and then press ENTER.

4. Read the warning message and click Yes to continue.

Note This step can take several minutes.

5. In the message box labeled The Enterprise Office GPOs are created, click OK.


Task 2: Use the GPMC to Check Your Results and Link the GPOs

You can use the Group Policy Management Console (GPMC) to check the results of the script. The following procedure describes how to use the GPMC to verify the GPOs and OU structure that the GPOAccelerator creates.

To verify the results of the GPOAccelerator

1. While logged on as a domain administrator, click Start, and then click Run.

2. In the Open box, type gpmc.msc and then click OK.

3. Under Group Policy Management, expand the forest, expand Domains, and then expand <YourDomainName>.

4. Right-click the OU to which you want to link a GPO, and select Link Existing GPO as shown in the following figure.

Figure 5.1. Linking OUs and GPOs

5. Select the GPO under Group Policy Objects, and then click OK.

6. Repeat steps 4 and 5 for each OU to link the appropriate GPO to meet the requirements of the GPO design that you created through the security guide.

Deploying the Design in a Production Environment

After you have read the 2007 Microsoft Office Security Guide, customized the GPOs to meet your organization's security needs, identified the OUs to which you will link the GPOs, and tested and documented your design, back up any customized GPOs that you will use in your production environment. If you have not customized any GPOs that the GPOAccelerator tool provides, you can use the tool to deploy them in your production environment.

For information about backing up customized GPOs using the GPMC, see Backup Using GPMC.

For information about restoring backed up GPOs using the GPMC, see Restore Using GPMC.

Microsoft recommends that you deploy your GPOs at least once in the lab and document your findings. This will help to simplify deploying the GPOs in your production environment. When doing so, consider things that might be different from your lab experience, including the following:

GPOs reside in the configuration partition of Active Directory and will replicate to every domain controller in the Active Directory forest. There might be a centrally located domain controller on which you can run the GPOAccelerator, which will minimize replication latency across your forest.

You can run the GPOAccelerator, create the GPOs in Active Directory, and link the GPOs to OUs one at a time to verify that no adverse effects result. For example, if you have a Computer OU for five different groups within your organization, you might choose to link a GPO to one of the five OUs, and then verify the result of this before linking the GPO to all five OUs.

You might want to communicate with the users in your environment to inform them that the security changes might affect their user experience.

Finally, Microsoft recommends that you provide administrators and support staff with training so that they are comfortable administering and supporting Active Directory.

Index

-A-

Active Directory, 1, 2, 7, 15, 17, 19, 23, 27, 29, 30, 34, 41, 42, 45, 46, 50, 52

attack, 22

audit, 23, 34

-B-

backup, 51, 52

baseline, 2, 11, 12, 13, 15, 16, 18, 22

-D-

domain, 1, 2, 7, 9, 13, 15, 16, 17, 18, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 36, 37, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 50, 51, 52

domain controller, 2, 15, 16, 17, 18, 22, 23, 25, 34, 52

-E-

Enterprise Client Environment, 7, 11, 15, 16, 20, 24, 27, 28, 31, 36, 39, 40, 43, 47, 49

-F-

forest, 18, 21, 30, 32, 42, 44, 51, 52

-G-

GPOAccelerator tool, 9, 10, 11, 17, 20, 24, 29, 32, 35, 36, 37, 41, 43, 46, 47, 48, 50

Group Policy, 1, 2, 7, 9, 10, 11, 13, 15, 17, 19, 20, 21, 22, 23, 24, 25, 26, 27, 29, 31, 32, 33, 34, 35, 36, 37, 39, 41, 44, 45, 46, 47, 48, 49, 50, 51

Group Policy Management Console (GPMC), 2, 7, 15, 16, 17, 18, 19, 20, 21, 22, 23, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 36, 37, 39, 40, 41, 42, 43, 44, 45, 47, 48, 50, 51, 52

Group Policy object, 1, 2, 3, 4, 7, 8, 9, 10, 11, 13, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52

-H-

harden, 2

-L-

logon, 17, 20, 24, 29, 31, 35, 36, 37

-M-

Microsoft Outlook, 4

Microsoft Windows XP, 1, 2, 3, 8, 9, 11, 13, 27, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49

-N-

network, 1, 3

-O-

organizational unit, 2, 3, 9, 10, 11, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 27, 28, 29, 30, 31, 32, 33, 34, 35, 39, 40, 41, 42, 43, 44, 45, 46, 49, 50, 51, 52

-P-

password, 17, 20, 24, 29, 31, 35, 36, 37

policy, 2, 7, 9, 15, 16, 17, 18, 22, 23, 24, 25, 27, 28, 29, 33, 34, 35, 36, 37, 39, 40, 41, 45, 46, 47, 48, 49

-S-

Security Configuration Editor (SCE), 9, 13, 23, 24, 25, 34, 35, 36, 45, 46, 47


Security Configuration Wizard (SCW), 22

Security Templates, 24, 25, 35, 36, 46, 47

Server Manager, 15

console, 15

Initial Configuration Tasks (ICT) feature, 15

Microsoft Management Console (MMC), 15

Specialized Security – Limited Functionality (SSLF), 2, 3, 7, 9, 10, 15, 27, 39, 49

-T-

template, 15, 16, 24, 25, 27, 28, 35, 36, 39, 40, 46, 47

-W-

Windows Firewall, 25, 36, 47

Windows Vista, 1, 2, 3, 7, 8, 10, 11, 13, 15, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 39, 49, 50
