What Is Administrative Template Files
Administrative Template
Policies and Procedures for Securing XenApp
Tariq Bin Azad, in Securing Citrix Presentation Server in the Enterprise, 2008
Administrative Templates
Policy settings that appear in the Administrative Templates node of the GPO Editor incorporate Registry settings to achieve each of the settings contained in the hierarchy. Policies for user configuration are placed in the HKEY_CURRENT_USER (HKCU) area of the Registry, while those for computer configurations are placed in the HKEY_LOCAL_MACHINE (HKLM) area.
Administrative templates comprise settings for Windows components such as NetMeeting, Internet Explorer, Terminal Services, Windows Media Player, and Windows Update, to name a few. Other components common to both user and computer configurations include settings for user profiles, script execution, and group policy.
While the different policy settings between user and computer configurations are too numerous to list here, there are some key components available for the user configuration. These include the Start Menu, Taskbar, Desktop, Control Panel, and Shared folder settings.
Read full chapter: https://www.sciencedirect.com/science/article/pii/B9781597492812000068
Strong Access Controls
Dr. Anton A. Chuvakin, Branden R. Williams, in PCI Compliance (Second Edition), 2010
Setting Session Timeout and Password-Protected Screen Savers in Active Directory
Under User Configuration, go to Administrative Templates | Control Panel | Display. Double-click on Activate screen saver, click the radio next to Enabled, then click OK. This will enable screen savers on all client machines. Now double-click on Screen saver executable name, click the radio next to Enabled, and in the text box type scrnsave.scr (see Fig. 5.3).
Figure 5.3. Compliant Windows 2003 Screen Saver Properties
This enables a blank screen saver on all computers in the domain. Now double-click on Password protect screen saver, click the radio next to Enabled, then click OK. Last but not least, click on Screen saver timeout and then click on the radio next to Enabled. PCI requires that all sessions time out after 15 min, which is equivalent to 900 s (see Fig. 5.4).
Figure 5.4. PCI Compliant Windows 2003 Screen Saver Timeout Properties
That's all there is to it. Now all the sessions on your Windows machines in your domain should time out after 15 min and require a login to get back in. In the end, your screen should look like Fig. 5.5.
Figure 5.5. Windows 2003 Display Properties
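The four policies above are applied to a client as string values under the user's Policies hive. The following PowerShell function is an added example (not code from the book) that reads those values back on a workstation and decides whether the session meets the 15 min / 900 s rule quoted in the text. The registry path and value names are the ones the Display policies write; the `$MaxTimeoutSeconds` default is the PCI figure from the passage.

```powershell
# Added example: audit the screen-saver policy values that the four GPO settings write
# under HKCU and report whether they satisfy the 15-minute (900 s) rule.

function Get-ScreenSaverPolicyState {
    param(
        # Assumption: the user-side policy key; point it at a loaded user hive to audit another account.
        [string]$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
        [int]$MaxTimeoutSeconds = 900
    )

    $values = if (Test-Path $PolicyKey) { Get-ItemProperty -Path $PolicyKey } else { $null }

    # The policy values are REG_SZ strings ("1", "900"), so normalise them before comparing.
    $active = [string]$values.ScreenSaveActive -eq '1'
    $secure = [string]$values.ScreenSaverIsSecure -eq '1'
    $exe    = [string]$values.'SCRNSAVE.EXE'
    $timeout = 0
    [void][int]::TryParse([string]$values.ScreenSaveTimeOut, [ref]$timeout)

    [pscustomobject]@{
        Active            = $active
        PasswordProtected = $secure
        Executable        = $exe
        TimeoutSeconds    = $timeout
        # A timeout of 0 means "never", which fails the rule just as a missing value does.
        Compliant         = $active -and $secure -and $exe -ne '' -and
                            $timeout -gt 0 -and $timeout -le $MaxTimeoutSeconds
    }
}

Get-ScreenSaverPolicyState | Format-List
```

Run it in the user's own session after `gpupdate`; a `Compliant` of `False` with `TimeoutSeconds` of 0 usually means the timeout policy was left Not Configured rather than Enabled.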
Read full chapter: https://www.sciencedirect.com/science/article/pii/B9781597494991000106
Microsoft Vista: Data Protection
In Microsoft Vista for IT Security Professionals, 2007
Controlling Device Use
Once you've controlled the installation and upgrading of device drivers for your users and your administrators, you may want to go further and control the use of those device drivers that you have allowed to deploy.
The "big whammy" setting is All Removable Storage classes: Deny all access. Enable this setting and (after a reboot if the devices are currently in use) all removable storage is inaccessible to the OU—computer or user—on which you enable it.
None of these settings applies to processes running in the System context, such as the aforementioned ReadyBoost technology.
All of the settings listed in Table 5.2 reside under the Group Policy subtree, Computer Configuration | Administrative Templates | System | Removable Storage. You can also apply these settings to users under User Configuration | Administrative Templates | System | Removable Storage.
Table 5.2. Group Policy Objects Controlling Device Use
| Policy Name | Effect |
|---|---|
| All Removable Storage classes: Deny all access | Enabled: All removable storage devices are inaccessible, for write or read. Disabled (default): Removable storage devices are subject to class-specific settings. |
| All Removable Storage classes: Allow direct access in remote sessions | Enabled: Removable storage devices can be accessed by remote sessions. Disabled (default): Removable storage devices may not be accessed by remote sessions. |
| CD and DVD: Deny read access | Enabled: Read access to CD/DVD storage devices is denied. Disabled (default): CD/DVD storage devices may be read from. |
| CD and DVD: Deny write access | Enabled: Write access to CD/DVD burning devices is denied. Disabled (default): CD/DVD burning devices are writeable. |
| Custom Classes: Deny read access | Enabled: A list of class GUIDs must be provided; read access to devices matching the listed classes is denied. Disabled (default): There is no custom list of GUIDs for which read access is denied. |
| Custom Classes: Deny write access | Enabled: A list of class GUIDs must be provided; write access to devices matching the listed classes is denied. Disabled (default): There is no custom list of GUIDs for which read access is denied. |
| Floppy Drives: Deny read access | Enabled: Floppy drives may not be read from. Disabled (default): Floppy drives may be read from. |
| Floppy Drives: Deny write access | Enabled: Floppy drives may not be written to. Disabled (default): Floppy drives may be written to. |
| Removable Disks: Deny read access | Enabled: Removable disks may not be read from. Disabled (default): Removable disks may be read from. |
| Removable Disks: Deny write access | Enabled: Removable disks may not be written to. Disabled (default): Removable disks may be written to. |
| Tape Drives: Deny read access | Enabled: Tape drives may not be read from. Disabled (default): Tape drives may be read from. |
| Tape Drives: Deny write access | Enabled: Tape drives may not be written to. Disabled (default): Tape drives may be written to. |
| WPD Devices: Deny read access | Enabled: Devices marked as "Windows Portable Devices" (WPD) may not be read from. This includes mobile phones, media players, cameras, and so on (i.e., devices that do more than just provide storage). Disabled (default): WPDs may be read from. |
| WPD Devices: Deny write access | Enabled: WPDs may not be written to. Disabled (default): WPDs may be written to. |
| Time (in seconds) to force reboot | Enabled: The time spent waiting for a resource currently being accessed before rebooting the system to force a change in this set of policies to be applied. Disabled (default): If a removable storage device is currently in use, and policy changes cannot be applied as a result, the policy change will not take effect. |
Tools and Traps…
Group Policy Restrictions Don't Apply at Boot Time
Group Policy restrictions such as those in Table 5.2 apply only to access from within Windows. If you disable read access to CD and DVD drives, you have not protected your systems against being booted from a CD-ROM or DVD-ROM. To do that, you must change the basic input/output system (BIOS) settings, and protect those BIOS settings with a BIOS password.
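Each row of Table 5.2 ends up as a `Deny_Read` or `Deny_Write` value under a per-class GUID subkey of one policy key, with the "Deny all access" setting as a single `Deny_All` value at the root. The following PowerShell function is an added example (not code from the book) that enumerates that key on a machine and reports which classes are read- or write-denied, so you can confirm what a GPO actually applied. The GUID-to-class mapping is taken from the Removable Storage Access template rather than from this page; treat it as an assumption to check against your own template.

```powershell
# Added example: report the Removable Storage Access policy state that the Table 5.2
# settings write under HKLM (use the HKCU: key for the User Configuration variants).

# Assumption: class GUIDs as used by the Removable Storage Access administrative template.
$script:RemovableClassNames = @{
    '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' = 'Removable Disks'
    '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}' = 'CD and DVD'
    '{53f56311-b6bf-11d0-94f2-00a0c91efb8b}' = 'Floppy Drives'
    '{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}' = 'Tape Drives'
    '{6ac27878-a6fa-4155-ba85-f98f491d4f33}' = 'WPD Devices'
    '{f33fdc04-d1ac-4e8e-9a30-19bbd4b108ae}' = 'WPD Devices'
}

function Get-RemovableStoragePolicy {
    param(
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    )

    if (-not (Test-Path $PolicyKey)) {
        # No subkey at all means none of the Table 5.2 settings has been enabled for this scope.
        return [pscustomobject]@{ DenyAll = $false; Classes = @() }
    }

    $root = Get-ItemProperty -Path $PolicyKey
    $classes = foreach ($sub in Get-ChildItem -Path $PolicyKey) {
        $p    = Get-ItemProperty -Path $sub.PSPath
        $guid = $sub.PSChildName.ToLowerInvariant()
        [pscustomobject]@{
            # Unknown GUIDs come from the "Custom Classes" policies and are reported as such.
            Class     = if ($script:RemovableClassNames.ContainsKey($guid)) { $script:RemovableClassNames[$guid] } else { "Custom class $guid" }
            Guid      = $guid
            DenyRead  = [int]$p.Deny_Read  -eq 1   # missing value casts to 0 = not denied
            DenyWrite = [int]$p.Deny_Write -eq 1
        }
    }

    [pscustomobject]@{
        DenyAll = [int]$root.Deny_All -eq 1
        Classes = @($classes)
    }
}

$state = Get-RemovableStoragePolicy
"Deny all removable storage classes: $($state.DenyAll)"
$state.Classes | Sort-Object Class | Format-Table Class, DenyRead, DenyWrite -AutoSize
```

As the Tools and Traps note says, a clean report here says nothing about the boot order; that check belongs with the BIOS settings.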
Read full chapter: https://www.sciencedirect.com/science/article/pii/B9781597491396500091
Implementing Virtual Profiles into the Virtual Desktop
Gareth R. James, in Citrix XenDesktop Implementation, 2010
Configure Virtual Profiles – Step by Step
1. From the Run command, execute gpedit.msc.
2. Under Computer Configuration, right-click on Administrative Templates – select Add/Remove Templates… as shown in Figure 12.12.
Figure 12.12. Microsoft Group Policy editor.
3. Click Add… and browse to the Profile Management folder as shown in Figure 12.13.
Figure 12.13. Add/Remove templates dialog box.
4. Select ctxprofile2.1.0.adm – open as shown in Figure 12.14.
Figure 12.14. Browse to ctxprofile2.1.0.adm file.
5. Select Enable Profile management – Set to Enabled as shown in Figure 12.15.
Figure 12.15. Citrix folder in Group Policy Management Console.
6. Select Path to user store.
7. Set the path and click OK as shown in Figure 12.16.
Figure 12.16. Path to user store properties.
The default location is in the user's home directory, under the Windows subdirectory. For a proof of concept or pilot, you may want to isolate the virtual desktop environment from the current environment. In this case, use the following syntax: \\fileserver\sharename\%username%.
%username% is an environment variable that resolves to the user's logon name. The security settings for the "sharename" folder need to include "Full Control" for "Creator Owner."
Profile Management uses the user's logon credentials to read from and write to the share, and one of the most common issues with Profile Management is simple file/folder permissions.
By default, all of the standard profile settings are now saved to the specified location.
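The permission problem the text warns about is usually the store root: users must be able to create their own %username% folder, and the folder they create must then be theirs. The PowerShell below is an added example (not Citrix's code) that builds the store folder with the "Creator Owner: Full Control" rule from the text and shows how the %username% token resolves. The local path, server and share names are placeholders; the Authenticated Users rule (just enough rights to create a subfolder) and the Administrators rule are assumptions about a sensible baseline, not something the passage states.

```powershell
# Added example: prepare a Profile Management user-store folder with the Creator Owner rule
# the text requires, then show how the %username% token in the store path resolves.

function Initialize-ProfileStoreFolder {
    param(
        [Parameter(Mandatory)][string]$Path,                             # e.g. D:\ProfileStore (placeholder)
        [string]$CreatorPrincipal = 'CREATOR OWNER',
        [string]$UserPrincipal    = 'NT AUTHORITY\Authenticated Users',   # assumption: who may create a folder
        [string]$AdminPrincipal   = 'BUILTIN\Administrators'              # assumption: operators keep full control
    )

    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl = Get-Acl -Path $Path

    # Stop inheriting from the parent so only the rules below govern the store.
    $acl.SetAccessRuleProtection($true, $false)

    # Whoever creates a subfolder (the user, at first logon) gets Full Control of what they
    # created, but not of the store root itself (InheritOnly).
    $creatorRule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $CreatorPrincipal, 'FullControl', 'ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow')

    # Users need only enough on the root to list it and create their own %username% folder;
    # they cannot read each other's profiles because those rights do not inherit.
    $userRule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $UserPrincipal, 'ListDirectory, CreateDirectories, ReadAttributes', 'None', 'None', 'Allow')

    $adminRule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $AdminPrincipal, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')

    $acl.AddAccessRule($creatorRule)
    $acl.AddAccessRule($userRule)
    $acl.AddAccessRule($adminRule)
    Set-Acl -Path $Path -AclObject $acl

    # Return the effective rules so the result can be reviewed.
    (Get-Acl -Path $Path).Access | Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
}

# The value typed into "Path to user store" is expanded per logon; this shows the expansion.
function Resolve-ProfileStorePath {
    param([string]$Template = '\\fileserver\sharename\%username%')   # placeholder server and share
    [System.Environment]::ExpandEnvironmentVariables($Template)
}

Resolve-ProfileStorePath
```

Share-level permissions still apply on top of these NTFS rules; the share itself needs at least Change for the same users, or the NTFS grant never gets exercised.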
Read full chapter: https://www.sciencedirect.com/science/article/pii/B9781597495820000129
Mitigating Network Vulnerabilities
Thomas W. Shinder, ... Debra Littlejohn Shinder, in Windows Server 2012 Security from End to Edge and Beyond, 2013
Define the Address Space of Your Intranet Network
1. In the Group Policy Management snap-in (gpmc.msc), open the Default Domain Policy.
2. From the Group Policy Management Editor, expand Computer Configuration, Policies, Administrative Templates, Network and then click Network Isolation.
3. In the right pane, double-click Private network ranges for apps.
4. In the Private network ranges for apps dialog box, click Enabled. In the Private subnets text box, type the private subnets for your intranet (separated by commas).
5. Double-click Subnet definitions are authoritative. Click Enabled if you want the subnet definitions that you previously created to be the single source for your subnet definition.
Read full chapter: https://www.sciencedirect.com/science/article/pii/B978159749980400011X
Microsoft Vista: Trusted Platform Module Services
In Microsoft Vista for IT Security Professionals, 2007
Preparing Your Longhorn Domain Controllers
The process of preparing your Windows Server 2007 domain controllers in an all-Longhorn environment is much simpler. There is no need to upgrade the Active Directory schema. The only things missing from these domain controllers are the administrative templates that display the relevant Group Policy settings in the Group Policy Management MMC. Actually, they're not missing entirely. They are installed in the %systemroot%\PolicyDefinitions folder on both Windows Vista and Windows Server 2007 systems, where the Local Computer Policy reads them from.
All we need to do is copy them to the central store, which is part of SYSVOL, so that they are replicated to all domain controllers and are available for domain GPOs. We need to make sure we copy both the administrative templates and the language-specific files. For English, execute the following commands from a command prompt:
```
C:\>xcopy C:\WINDOWS\PolicyDefinitions\* C:\WINDOWS\SYSVOL\domain\policies\PolicyDefinitions\
C:\>xcopy C:\WINDOWS\PolicyDefinitions\EN-US\* C:\WINDOWS\SYSVOL\domain\policies\PolicyDefinitions\EN-US\
```
When the files have been copied, you may need to wait for replication to distribute this change throughout your network. However, on the domain controller on which you just performed the copy, you can start using the Group Policy Object Editor to create a GPO right away.
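The xcopy pair above does the job on the DC's local SYSVOL path. The PowerShell function below is an added example (not from the book) that performs the same publication against the domain's SYSVOL share, copies only the .admx files and the one language folder you ask for (copying every language folder just inflates SYSVOL replication), and then compares SHA-256 hashes so you know replication will carry exactly what is on the reference machine. It assumes the standard `\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions` layout and takes the domain from the current logon.

```powershell
# Added example: publish the local PolicyDefinitions folder to the SYSVOL central store and
# verify the copy by hash. Assumes the standard SYSVOL central-store layout.

function Publish-CentralStore {
    param(
        [string]$Source   = (Join-Path $env:SystemRoot 'PolicyDefinitions'),
        [string]$Domain   = $env:USERDNSDOMAIN,
        [string]$Language = 'en-US',
        [switch]$Preview          # list what would be copied without touching SYSVOL
    )
    $central = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

    # Top-level .admx files plus the .adml files of the requested language only.
    $items = @(Get-ChildItem -Path $Source -Filter '*.admx' -File) +
             @(Get-ChildItem -Path (Join-Path $Source $Language) -Filter '*.adml' -File)

    foreach ($item in $items) {
        $relative = $item.FullName.Substring($Source.Length).TrimStart('\')
        $target   = Join-Path $central $relative
        if ($Preview) { "would copy $relative -> $target"; continue }
        New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
        Copy-Item -Path $item.FullName -Destination $target -Force
    }
    if ($Preview) { return }

    # Verify: every copied file must hash identically at the destination.
    $mismatch = foreach ($item in $items) {
        $relative = $item.FullName.Substring($Source.Length).TrimStart('\')
        $srcHash  = (Get-FileHash -Path $item.FullName -Algorithm SHA256).Hash
        $dstHash  = (Get-FileHash -Path (Join-Path $central $relative) -Algorithm SHA256).Hash
        if ($srcHash -ne $dstHash) { $relative }
    }
    [pscustomobject]@{ Copied = $items.Count; Mismatched = @($mismatch) }
}

Publish-CentralStore -Preview
```

Run without `-Preview` from an account that can write to SYSVOL; a non-empty `Mismatched` list means a file was changed underneath the copy (or a replication conflict is in progress) and the publication should be repeated.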
Read full chapter: https://www.sciencedirect.com/science/article/pii/B978159749139650008X
Controlling Access to Your Environment with Authentication and Authorization
Thomas W. Shinder, ... Debra Littlejohn Shinder, in Windows Server 2012 Security from End to Edge and Beyond, 2013
Picture Password Management Issues
Remember that you can only use Picture Password for local log on. That means you cannot use it over an RDP session.
If you do not want users to use Picture Password, you can apply a Group Policy setting to block this feature. Use the computer group policy setting Turn off picture password sign-in, which is under the Administrative Templates\System\Logon node of the Group Policy Management Editor. This is the only Picture Password Group Policy option available, and you cannot use Group Policy to change how Picture Password works outside this option.
There is no logging of the specifics of the Picture Password. There is no log information that contains the name of the picture file or that gives any indication of the gestures that were used with the picture file.
What if your users forget their gestures? They can sign in using a user name and password and then get back into the Picture Password enrollment application. From there, they can click the Replay button. At that point, the user will be shown the password and will be asked to confirm the existing gestures. They also have the option to resample the gestures, which gives them a new Picture Password as shown in Figure 7.10.
Figure 7.10. Picture password.
Read full chapter: https://www.sciencedirect.com/science/article/pii/B9781597499804000078
Microsoft Windows Server 2008
Aaron Tiensivu, in Securing Windows Server 2008, 2008
Enabling Group Policy Settings for BitLocker and TPM Active Directory Backup
Here are the steps to follow to configure Group Policies for clients and servers to use BitLocker Active Directory Backup.
1. Log on with a domain administrator to any Domain Controller.
2. Click Start, click All Programs, click Administrative Tools, and then click Group Policy Management.
3. In the Group Policy Management Console, expand the forest tree down to the domain level.
4. Right-click the Default Domain Policy and select Edit.
5. In the Group Policy Management Editor, open Computer Configuration, open Administrative Templates, open Windows Components, and then open BitLocker Drive Encryption.
6. In the right pane, double-click Turn on BitLocker backup to Active Directory.
7. Select the Enabled option, select Require BitLocker backup to AD DS, and click OK.
To further enable storage of TPM recovery data:
8. Open Computer Configuration, open Administrative Templates, open System, and then open Trusted Platform Module Services.
9. In the right pane, double-click Turn on TPM backup to Active Directory.
10. Select the Enabled option, select Require TPM backup to AD DS, and click OK.
Warning
In this example, we use the Default Domain Policy to configure Active Directory backup for BitLocker and TPM recovery information. However, in a real-world scenario you would create a new GPO that contains only BitLocker-specific settings!
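Acting on that warning, the PowerShell below is an added example (not code from the book) that creates a dedicated GPO carrying just the four settings from steps 6–10, rather than editing the Default Domain Policy, using the GroupPolicy module's `Set-GPRegistryValue`. The registry keys and value names are the ones the BitLocker and TPM administrative templates write for these policies (an assumption to verify against the templates in your central store); the GPO name and the target OU are placeholders.

```powershell
# Added example: a dedicated GPO for "Turn on BitLocker backup to Active Directory" and
# "Turn on TPM backup to Active Directory", both with the Require... option set.
# Needs the GroupPolicy module (RSAT or a domain controller).

Import-Module GroupPolicy

function New-BitLockerBackupGpo {
    param(
        [string]$Name     = 'SEC - BitLocker and TPM AD Backup',   # placeholder GPO name
        [string]$TargetOu = 'OU=Workstations,DC=example,DC=com',   # placeholder OU distinguished name
        [switch]$Link                                              # link only after the values are reviewed
    )

    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $Name -Comment 'Back up BitLocker and TPM recovery information to AD DS'
    }

    # Assumption: keys/values written by the BitLocker Drive Encryption template.
    $fve = 'HKLM\SOFTWARE\Policies\Microsoft\FVE'
    Set-GPRegistryValue -Guid $gpo.Id -Key $fve -ValueName 'ActiveDirectoryBackup'        -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Guid $gpo.Id -Key $fve -ValueName 'RequireActiveDirectoryBackup' -Type DWord -Value 1 | Out-Null

    # Assumption: keys/values written by the Trusted Platform Module Services template.
    $tpm = 'HKLM\SOFTWARE\Policies\Microsoft\TPM'
    Set-GPRegistryValue -Guid $gpo.Id -Key $tpm -ValueName 'ActiveDirectoryBackup'        -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Guid $gpo.Id -Key $tpm -ValueName 'RequireActiveDirectoryBackup' -Type DWord -Value 1 | Out-Null

    if ($Link) {
        New-GPLink -Guid $gpo.Id -Target $TargetOu -LinkEnabled Yes | Out-Null
    }

    # Read back what the GPO now carries so the change can be reviewed before it is linked.
    Get-GPRegistryValue -Guid $gpo.Id -Key $fve
    Get-GPRegistryValue -Guid $gpo.Id -Key $tpm
}

New-BitLockerBackupGpo
```

Keeping the settings in their own GPO also means the "Require" options can be unlinked quickly if clients that cannot reach a DC start failing to enable BitLocker, without touching anything else in the domain policy.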
Read full chapter: https://www.sciencedirect.com/science/article/pii/B9781597492805000055
USB Device Overflow
Brian Anderson, Barbara Anderson, in Seven Deadliest USB Attacks, 2010
Group Policy
If you are an administrator of a Windows environment, you may decide that the best approach for your workplace would be to disable drivers of external components on all machines without having to make a change to each system. You may also want to disable certain drive types only for specific groups of computers inside your network. Windows 2003 Server does not include this policy by default, and you will need to create a custom administrative template. The procedures outlined below were performed on a Windows Vista Ultimate system but should be similar to those experienced in a Windows 2003 domain environment.
Tip
You must authenticate with administrative privileges in order to use Group Policy Editor.
Open Notepad and enter the following text into the file, saving it with an .adm extension (for example, File.adm). If you would like to cut and paste this information into Notepad, this information is available on the Microsoft Web site.
```
; Custom administrative template: each POLICY maps a driver's Start value.
; Start = 4 is SERVICE_DISABLED; the DEFAULT item restores the driver's normal start type.
CLASS MACHINE
CATEGORY !!category
CATEGORY !!categoryname
POLICY !!policynameusb
KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
EXPLAIN !!explaintextusb
PART !!labeltextusb DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 3 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
POLICY !!policynamecd
KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
EXPLAIN !!explaintextcd
PART !!labeltextcd DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 1 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
POLICY !!policynameflpy
KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
EXPLAIN !!explaintextflpy
PART !!labeltextflpy DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 3 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
POLICY !!policynamels120
KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
EXPLAIN !!explaintextls120
PART !!labeltextls120 DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 3 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
END CATEGORY
END CATEGORY
[strings]
category="Custom Policy Settings"
categoryname="Restrict Drives"
policynameusb="Disable USB"
policynamecd="Disable CD-ROM"
policynameflpy="Disable Floppy"
policynamels120="Disable High Capacity Floppy"
explaintextusb="Disables the computers USB ports by disabling the usbstor.sys driver"
explaintextcd="Disables the computers CD-ROM Drive by disabling the cdrom.sys driver"
explaintextflpy="Disables the computers Floppy Drive by disabling the flpydisk.sys driver"
explaintextls120="Disables the computers High Capacity Floppy Drive by disabling the sfloppy.sys driver"
labeltextusb="Disable USB Ports"
labeltextcd="Disable CD-ROM Drive"
labeltextflpy="Disable Floppy Drive"
labeltextls120="Disable High Capacity Floppy Drive"
Enabled="Enabled"
Disabled="Disabled"
```
The steps below outline how to add a template allowing the disablement of typical removable device drivers using Group Policy Editor. These procedures assume you already have Group Policy Editor installed on the target machine.
1. Click Start, then Run, and type gpedit.msc.
2. Browse to locate the Computer Configuration object, as seen in Figure 4.3.
FIGURE 4.3. Group Policy Editor
3. Right-click Administrative Templates and choose Add/Remove Templates.
4. Click the Add button in the lower-left corner of the pane provided, as seen in Figure 4.4.
FIGURE 4.4. Group Policy Editor: Add/Remove Templates
5. Browse to locate the .adm file you just created and select Open.
6. Highlight Administrative Templates again and then in the View menu click Filtering.
7. Clear the check mark next to Only show policy settings that can be fully managed, as seen in Figure 4.5, and then press OK.
FIGURE 4.5. Group Policy Editor: Filtering
8. Under Computer Configuration, go to Administrative Templates\Classic Administrative Templates\Custom Policy Settings\Restrict Drives. You should now see the policy entries that were just created in the right pane, as seen in Figure 4.6.
FIGURE 4.6. Group Policy Editor: Restrict Drives
9. Double-click to select which drive type you would like to disable. Click Enabled, then select Enabled to disable the USB port in the policy setting, as seen in Figure 4.7.
FIGURE 4.7. Group Policy Editor: Disable USB Properties
You have now created a custom policy that will allow you to regulate the computers that are members of your domain. Apply the policy to the appropriate containers that contain the target systems in order to enable the enforcement. Be mindful when making such a sudden and drastic change to your environment. Proper requirements gathering should be done prior to implementing any sort of corporate- or domain-wide policy to ensure you don't break functionality that is deemed critical to the business. Rigorous testing should also be done on all relevant systems to ensure compliance and compatibility. Also keep in mind that this policy will not be enforced on standalone systems or alternate operating systems that are not part of the domain. It will also not apply to the respective devices that are currently installed on the target systems.
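To see what the .adm file above actually does before linking it anywhere, it helps to read it the way the editor does: each POLICY names a registry key and value, and the ITEMLIST pairs the dropdown labels with the numbers written to that value. The PowerShell below is an added example (not code from the book or from Microsoft) with a small parser for that subset of the .adm syntax; it resolves the `!!` string references from the `[strings]` section and then reads the live `Start` value of each driver service so you can see on a test machine which drivers the policy would switch to 4 (disabled). The template text is a constructed copy of the one above, trimmed to the USB and CD-ROM policies so the script runs stand-alone.

```powershell
# Added example: parse the custom .adm template and compare its choices with the live
# Start value of each driver service. Constructed input: two policies from the template above.

$AdmText = @'
CLASS MACHINE
CATEGORY !!category
CATEGORY !!categoryname
POLICY !!policynameusb
KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
PART !!labeltextusb DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 3 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
POLICY !!policynamecd
KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
PART !!labeltextcd DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 1 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
END CATEGORY
END CATEGORY
[strings]
category="Custom Policy Settings"
categoryname="Restrict Drives"
policynameusb="Disable USB"
policynamecd="Disable CD-ROM"
labeltextusb="Disable USB Ports"
labeltextcd="Disable CD-ROM Drive"
Enabled="Enabled"
Disabled="Disabled"
'@

function ConvertFrom-AdmTemplate {
    param([Parameter(Mandatory)][string]$Text)

    $lines = $Text -split "`r?`n"

    # Pass 1: collect the [strings] table so !!tokens can be resolved.
    $strings = @{}
    $inStrings = $false
    foreach ($l in $lines) {
        if ($l -match '^\[strings\]') { $inStrings = $true; continue }
        if ($inStrings -and $l -match '^(\w+)="(.*)"$') { $strings[$Matches[1]] = $Matches[2] }
    }
    # An unresolved token is left as-is: that is a template bug worth seeing in the output.
    $resolve = { param($t) if ($t -like '!!*' -and $strings.ContainsKey($t.Substring(2))) { $strings[$t.Substring(2)] } else { $t } }

    # Pass 2: one record per POLICY with its key, value name and dropdown items.
    $policies = @()
    $current  = $null
    foreach ($l in $lines) {
        $t = $l.Trim()
        if ($t -match '^POLICY\s+(\S+)') {
            $current = [ordered]@{ Policy = & $resolve $Matches[1]; Key = ''; ValueName = ''; Items = @() }
        } elseif ($current -and $t -match '^KEYNAME\s+"([^"]+)"')   { $current.Key = $Matches[1] }
        elseif   ($current -and $t -match '^VALUENAME\s+"([^"]+)"') { $current.ValueName = $Matches[1] }
        elseif   ($current -and $t -match '^NAME\s+(\S+)\s+VALUE\s+NUMERIC\s+(\d+)(\s+DEFAULT)?') {
            $current.Items += [pscustomobject]@{ Label = & $resolve $Matches[1]; Value = [int]$Matches[2]; Default = [bool]$Matches[3] }
        } elseif ($t -eq 'END POLICY' -and $current) {
            $policies += [pscustomobject]$current; $current = $null
        }
    }
    $policies
}

# KEYNAME paths in a CLASS MACHINE template are relative to HKLM.
function Get-DriverStartState {
    param([Parameter(Mandatory)][object[]]$Policies)
    foreach ($p in $Policies) {
        $live = (Get-ItemProperty -Path "HKLM:\$($p.Key)" -ErrorAction SilentlyContinue).$($p.ValueName)
        $disabledValue = ($p.Items | Where-Object Label -eq 'Enabled').Value   # policy "Enabled" = driver off
        [pscustomobject]@{
            Policy    = $p.Policy
            Service   = Split-Path $p.Key -Leaf
            LiveStart = $live
            DriverOff = ($live -eq $disabledValue)                               # 4 = SERVICE_DISABLED
        }
    }
}

$parsed = ConvertFrom-AdmTemplate -Text $AdmText
Get-DriverStartState -Policies $parsed | Format-Table -AutoSize
```

Because the parser only knows DROPDOWNLIST parts with NUMERIC items, it is enough for this template but not a general .adm reader; extend the regexes before pointing it at templates that use CHECKBOX or EDITTEXT parts.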
Read full chapter: https://www.sciencedirect.com/science/article/pii/B9781597495530000044
Security Guidance for Citrix XenApp Server
Tariq Bin Azad, in Securing Citrix Presentation Server in the Enterprise, 2008
Shadowing through Group Policy Objects
Like many other Windows settings for Terminal Services, remote control (shadowing) settings can be configured through Group Policy as shown in Figure 5.8. To configure remote control in a Group Policy Object (GPO) in Active Directory, you need to navigate to Computer Configuration | Administrative Templates | Windows Components | Terminal Services. In the Terminal Services folder you'll find the option, Sets rules for remote control of Terminal Services user sessions. (The same policy exists in the User Configuration tree. Whether you want to use the Computer Configuration or User Configuration depends on how you choose to apply your policy.) Once again, here you have the ability to enable or disable remote control, specify notification, and specify what level of control is allowed for the session.
Figure 5.8. Configuring Shadowing via Group Policy
Read full chapter: https://www.sciencedirect.com/science/article/pii/B9781597492812000056
Source: https://www.sciencedirect.com/topics/computer-science/administrative-template