Lockergnome
Group Policy Processing In Windows Server 2003 Part II

In most cases, a user who logs on from a workstation should have his group policies applied based primarily on the settings defined by the user object in Active Directory rather than by his computer object. A user who logs on from a computer that’s part of the servers’ OU, however, should take his settings from the computer object’s location rather than from the user object. There can be many other situations in which you want the computer object’s GPO(s) to take precedence over the user object’s, as determined by your organization’s structure, computer function, and so on.

Group policy loopback is supported only in pure Windows 2000 and Windows Server 2003 environments (both clients and domain controllers). Group Policy loopback enables group policies to be applied based only on the computer from which the user logs on. Loopback provides for two processing modes:

  • Merge mode: In this mode, Windows Server 2003 processes the group policies for the User Configuration first, followed by those for the Computer Configuration. In effect, this causes the Computer Configuration group policies to have precedence over any User Configuration settings. When the Computer Configuration object doesn’t specify a given policy, the User Configuration object defines the policy setting.

  • Replace mode: In this mode, Windows Server 2003 processes only the Computer Configuration group policies, ignoring the User Configuration group policies.

Keep in mind that in either mode, the user might have several GPOs applied. For example, the user might be affected by a site GPO, a domain GPO, and two OU GPOs. When the client retrieves the GPO list from the DC, the contents of the list are determined by the loopback mode. With merge mode, the client requests the list normally (based on the user location in the AD) and then submits a second request based on the computer location. The result is that GPOs might actually be processed twice.

Suppose, in this example, that the initial GPO list and order of processing are GPO1, GPO2, GPO3, and GPO4. When the second request based on the computer location is fulfilled, the response is appended to the list, resulting in a final GPO processing list of GPO1, GPO2, GPO3, GPO4, GPO1, GPO2, GPO5, and GPO6. In the case of replace mode, the client requests the list based only on the computer location in the AD, giving the result GPO1, GPO2, GPO5, and GPO6.
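The list-building behaviour described above can be simulated to see why merge mode lets the computer-location GPOs win, and why GPOs common to both locations are processed twice. The following is an added example, not code from the original article; the GPO names follow the GPO1..GPO6 scenario, and the per-GPO settings and values are constructed for illustration.

```python
"""Simulate how Group Policy loopback changes the GPO list a client processes.

Added example, not from the original article. The GPO lists follow the
article's GPO1..GPO6 scenario; the settings each GPO carries are constructed.
"""
from typing import Dict, List, Optional

# GPO lists as the DC would return them, in processing order
# (site, domain, OU ...; the last entry has the highest precedence).
USER_LOCATION_GPOS = ["GPO1", "GPO2", "GPO3", "GPO4"]       # based on the user object's location
COMPUTER_LOCATION_GPOS = ["GPO1", "GPO2", "GPO5", "GPO6"]   # based on the computer object's location

# Constructed User Configuration settings carried by each GPO (setting -> value).
GPO_SETTINGS: Dict[str, Dict[str, str]] = {
    "GPO1": {"wallpaper": "corporate.bmp"},
    "GPO2": {"screensaver_timeout": "900"},
    "GPO3": {"wallpaper": "team.bmp", "proxy": "proxy.user-ou.example"},
    "GPO4": {"run_logon_script": "userou.cmd"},
    "GPO5": {"proxy": "proxy.kiosk-ou.example"},
    "GPO6": {"screensaver_timeout": "300", "wallpaper": "kiosk.bmp"},
}


def build_gpo_list(user_gpos: List[str], computer_gpos: List[str],
                   mode: Optional[str]) -> List[str]:
    """Return the GPO processing list for the given loopback mode.

    None      -> loopback off: only the list for the user's location.
    "merge"   -> the user list first, then the computer list appended,
                 so GPOs common to both locations appear (and run) twice.
    "replace" -> only the list for the computer's location.
    """
    if mode is None:
        return list(user_gpos)
    if mode == "merge":
        return list(user_gpos) + list(computer_gpos)
    if mode == "replace":
        return list(computer_gpos)
    raise ValueError(f"unknown loopback mode: {mode!r}")


def resolve_settings(gpo_list: List[str]) -> Dict[str, str]:
    """Apply GPOs in list order; a later GPO overrides an earlier one for the
    same setting. This is why the computer-location GPOs appended in merge
    mode take precedence, while settings they do not define are still
    supplied by the user-location GPOs."""
    effective: Dict[str, str] = {}
    for gpo in gpo_list:
        effective.update(GPO_SETTINGS.get(gpo, {}))
    return effective


if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        order = build_gpo_list(USER_LOCATION_GPOS, COMPUTER_LOCATION_GPOS, mode)
        print(f"loopback={mode or 'off':8} order={order}")
        print("   effective:", resolve_settings(order))
```

Running it shows the three outcomes side by side: with loopback off the user OU's proxy and wallpaper apply; in merge mode the kiosk OU's values override them but the user OU's logon script survives; in replace mode the logon script disappears entirely because GPO4 is never requested.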

Setting the loopback mode

To set the effective loopback mode, open the Active Directory Users And Computers console, right-click the container in which you want to apply the loopback setting (site, domain, or OU), and choose Properties. When the Properties window appears, click the Group Policy tab.

Select the group policy in which you want to define the loopback setting and choose Edit. Next, expand the Computer Configuration/Administrative Templates/System/Group Policy branch. Double-click User Group Policy Loopback Processing Mode, select Enabled, then select either Merge or Replace from the drop-down list. Click OK to close the dialog box, then close the Group Policy console.


Group Policy Processing In Windows Server 2003

In a previous series of articles on Windows Server 2003 group policy, I described what group policies are and how they work. The next question to ask is ‘How does Windows Server 2003 apply group policies?’

Before you can fully understand the implications of group policies, you need to see how Windows Server 2003 applies them. In this series of articles, I’ll look at how Windows Server 2003 applies the group policies you create.

Which comes first?

Windows Server 2003 processes the local group policy object (GPO) first, followed by the site, domain, and applicable organizational units (OUs). The client requests a GPO list from the domain controller (DC) and then processes that list to apply the policies contained in the GPO(s). The client processes the GPOs according to the priority in the DC-supplied list. Windows Server 2003 processes GPOs at startup, logon, and when the GPO refresh period is reached, which by default is 90 minutes.

On the client side, a group of DLLs — referred to as client-side extensions — performs the group policy processing. Each DLL is responsible for specific policies. Below is a list of the client-side extensions and the policies they process.

  • Registry: Userenv.dll
  • Disk Quota: Dskquota.dll
  • Folder Redirection: Fdeploy.dll
  • Scripts: Gptext.dll
  • Software Installation: Appmgmts.dll
  • Security: Scecli.dll
  • IP Security: Gptext.dll
  • EFS Recovery: Scecli.dll
  • Internet Explorer Maintenance: Iedkcs32.dll
  • Remote Installation Services: None

Each GPO can include policy settings for both User Configuration and Computer Configuration. The client gives precedence to the Computer Configuration policies over the User Configuration policies by processing the User Configuration policies first. In some situations, this precedence can cause unexpected results. For example, a user’s computer might reside in one OU and the user account in a different OU. So how do you determine which GPO is applied? Group policy loopback lets you control that behavior.


Using The Cipher Utility In Vista Part III

At this point, you may be wondering how to encrypt individual files. That’s the function of the /a switch. Using the syntax cipher /e /a <directory path\filename>, you can encrypt a single file. For example, the following command will encrypt a file named testdoc1.txt in a subdirectory named subsub within a subdirectory named subencrypted that resides in a directory named encrypted:

cipher /e /a encrypted\subencrypted\subsub\testdoc1.txt

You can encrypt all the files in a directory by switching to that directory and typing cipher /e /a. The command will output the results, showing you the names of the files that were encrypted. You’ll also see the warning reminder that encrypting individual files (rather than creating the files in encrypted folders) can leave remnants in plain text on the disk.

You can also use wildcards to encrypt (or decrypt) groups of files. For example, to decrypt all files in the working directory with names that begin with the letters "test," use the following command:

Cipher /d /a test*

By default, if an error occurs while Cipher is performing an encryption or decryption operation, it will stop. However, you can force the operation to continue even if errors occur by using the /i switch. The syntax is cipher /e [or /d] /i.

Normally, if there are files or folders within the path being encrypted that are already encrypted, the Cipher tool will skip the operation on those objects. However, if you want to force encryption (or decryption) of all the folders or files specified, you can use the /f switch (cipher /e [or /d] /f <directory or path>).


Using The Cipher Utility In Vista Part II

You can use the Cipher command to encrypt and decrypt data at the command line, in individual directories or in batches.

You can use the /e and /d switches with the Cipher command to encrypt or decrypt a directory, respectively. The syntax to encrypt a directory is cipher /e <directory name>. Note that these switches only work on directories, not on individual files. This is one of the most common mistakes made in using the tool, leading to complaints that "Cipher doesn’t work." No matter how many times you type cipher /e <filename>, your file won’t be encrypted. There is a clue in the message you get when you do this, shown below:

0 directorie(s) within 2 directorie(s) were encrypted.

As you might guess from this message, you need to be using the command with folder names, not file names.

Likewise, you can decrypt an encrypted directory using the command cipher /d <directory name>. Once again, it only works with directories.

You use the /s switch in conjunction with the /e or /d switch, and it makes it possible for you to perform the specified operation (encryption or decryption) on the subfolders within the folder you’re encrypting or decrypting. So if you have several layers of folders and want to quickly encrypt the entire tree, use the syntax cipher /e /s:<directory name>. You can decrypt the subdirectories within the directory in the same way, substituting /d for /e.

Note that you need to put a colon after the /s switch. The results of the command will name the subdirectories that have been encrypted or decrypted.


Using The Cipher Utility In Vista Part I

The Cipher utility is included with Microsoft’s most recent NT-based operating systems. It allows you to do the same tasks (encrypt and decrypt) that you can do through the Graphical User Interface, but also allows you to do much more. IT consultants can take advantage of the Cipher tool’s power to gather encryption information and more quickly perform encryption tasks.

Benefits of the command line encryption tool

What’s the need for a command line encryption tool if it’s so easy to encrypt and decrypt files using the GUI (other than the fact that some of us just like the character-based interface)? While encryption and decryption are easy attributes to set through each file or folder’s property sheet, other encryption-related tasks are difficult (or impossible) to accomplish through the GUI.

For example, what if a user wants to create a new file encryption key? You might think you could generate a new key pair by requesting a new EFS certificate by invoking the Certificate Request Wizard via the Certificates MMC (if you’re in an Active Directory domain) or via the certification authority’s Web page. But what we’re concerned with here is the file encryption key that is generated by EFS and then wrapped with the user’s public key during the encryption process. The Cipher tool allows you to create a new encryption key by simply typing cipher /k.

Using Cipher to gather encryption information

You can use the Cipher command without any switches to quickly ascertain which files and folders in a given directory are encrypted. All you have to do is switch to the desired drive or directory from the command prompt and type cipher.

Each file or folder is listed with either a U or E in front of the file or folder name. U indicates the file is unencrypted and E indicates that it is encrypted. None of the file’s other attributes (Hidden, Read Only, System, Compressed) are indicated.

You can also see which files are encrypted at a glance in Windows Explorer, if the option to show encrypted or compressed NTFS files in color is enabled (this is accomplished via the Folder Options window’s View tab by checking the appropriate check box). The GUI method uses green text to mark encrypted files and blue text to mark compressed ones.

After you encrypt a directory, you are no longer able to switch to the directory and use the Cipher command to view the encryption status of files within the directory. Instead, to see which files within a specified folder are encrypted, use the syntax cipher <directory name>\*. To see the encryption status of the files in the directory named encrypted, you’d type the following command:

Cipher encrypted\*

This returns the list of files in the directory with the U or E status attribute for each.
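When you run cipher across many directories (for example from a script that audits a file server), the U/E listing described above is easier to act on once it is parsed. The following is an added example, not code from the original article or from Microsoft's tool; the sample listing is constructed to follow the format the article describes (a "Listing" header, a note on whether new files will be encrypted, then one U or E marker per object) and is not output captured from a real machine.

```python
"""Parse the listing produced by `cipher` (no switches, or `cipher <dir>\\*`).

Added example, not part of the original article. The sample listing is
constructed to match the format the article describes: a header naming the
directory, a note saying whether new files in it will be encrypted, then one
line per object with a U (unencrypted) or E (encrypted) marker before the name.
"""
import re
from typing import Dict, List, NamedTuple

# Constructed sample output; not captured from a real system.
SAMPLE_LISTING = """
 Listing C:\\encrypted\\
 New files added to this directory will be encrypted.

E budget.xlsx
U readme.txt
E notes.docx
U quarterly report.doc
"""

ENTRY_RE = re.compile(r"^\s*([UE])\s+(.+?)\s*$")
LISTING_RE = re.compile(r"^\s*Listing\s+(.+?)\s*$")
NEWFILES_RE = re.compile(r"New files added to this directory will (not )?be encrypted", re.I)


class CipherListing(NamedTuple):
    directory: str
    directory_encrypted: bool   # True when the directory itself carries the encryption attribute
    files: Dict[str, bool]      # file or folder name -> True if encrypted


def parse_cipher_listing(text: str) -> CipherListing:
    """Turn cipher's text listing into structured data."""
    directory = ""
    dir_encrypted = False
    files: Dict[str, bool] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LISTING_RE.match(line)
        if m:
            directory = m.group(1)
            continue
        m = NEWFILES_RE.search(line)
        if m:
            # "will be encrypted" -> directory is encrypted; "will not be" -> it is not
            dir_encrypted = m.group(1) is None
            continue
        m = ENTRY_RE.match(line)
        if m:
            files[m.group(2)] = m.group(1) == "E"
    return CipherListing(directory, dir_encrypted, files)


def unencrypted_files(listing: CipherListing) -> List[str]:
    """The U entries: objects in the directory still stored in plain text."""
    return sorted(name for name, encrypted in listing.files.items() if not encrypted)


if __name__ == "__main__":
    result = parse_cipher_listing(SAMPLE_LISTING)
    print(f"{result.directory}: directory encrypted={result.directory_encrypted}")
    print("plain-text objects:", unencrypted_files(result))
```

The header line matters as much as the per-file markers: a directory whose header says new files will not be encrypted is one where anything saved later lands on disk in the clear, which is exactly the situation the article's advice to encrypt folders rather than individual files is meant to avoid.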


Manage Access Control Lists Using ICACLS In Vista Part II

The previous installment of this article provided some basic examples for using the ICACLS command. However, in reality, the ICACLS command can accept any number of grant and remove commands stacked on the same command line. This means that the syntax of the command can look like:

ICACLS userfile.doc /grant Sales:(r) /grant Readers:(r) /grant Managers:(f)

Another option you should be aware of is the /deny option. This option causes a deny access control entry to be added to the access control list for the specified user or group. Because security is such that any deny takes priority over any allow, you can effectively prevent a user or group from having access to a file. So, if you wanted to explicitly deny access to a file from the user account baduser, you could execute:

ICACLS userfile.doc /deny BadUser:(F)

On a similar note, if your user names or groups have spaces in them, you will need to enclose them in quotes. This will prevent them from being processed as more than one parameter. For example, if you wanted to grant the Domain Admins group full access to a file, you could execute:

ICACLS userfile.doc /grant "Domain Admins":(F)
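The two points these installments make, that any deny ACE wins over any allow and that names containing spaces must be quoted, are easy to get wrong in scripts that drive ICACLS. The following is an added example, not code from the original article or from Microsoft; it parses the kind of output `icacls <file>` prints, evaluates a user's effective access with deny taking priority, and builds correctly quoted command lines. The sample output, the CONTOSO principals and the group memberships are constructed for illustration.

```python
"""Parse `icacls <file>` output, evaluate access with deny-over-allow,
and build correctly quoted icacls command lines.

Added example; not from the original article. The sample output is
constructed in the shape icacls prints (principal, then flag and right
groups in parentheses); the principals and rights are made up.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Sequence, Set, Tuple

# Constructed sample of `icacls userfile.doc`; not captured from a real system.
SAMPLE_ICACLS_OUTPUT = r"""userfile.doc CONTOSO\BadUser:(DENY)(R)
             CONTOSO\Sales:(R)
             CONTOSO\Readers:(R)
             CONTOSO\Managers:(F)
             CONTOSO\Domain Admins:(F)
             BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Expansion of the simple rights the article lists (plus D, which icacls also accepts).
SIMPLE_RIGHTS: Dict[str, Set[str]] = {
    "F": {"read", "write", "execute", "delete", "change_permissions"},
    "M": {"read", "write", "execute", "delete"},
    "RX": {"read", "execute"},
    "R": {"read"},
    "W": {"write"},
    "D": {"delete"},
}
INHERITANCE_FLAGS = {"I", "OI", "CI", "IO", "NP"}   # not rights; skipped when expanding

ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<groups>(?:\([^)]*\))+)$")


@dataclass
class Ace:
    principal: str      # e.g. CONTOSO\Sales
    deny: bool
    rights: Set[str]    # expanded basic rights


def parse_icacls(output: str, filename: str) -> List[Ace]:
    """Parse the ACE lines for one file; the first line carries the filename."""
    aces: List[Ace] = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(filename + " "):
            line = line[len(filename) + 1:].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        groups = re.findall(r"\(([^)]*)\)", m.group("groups"))
        rights: Set[str] = set()
        for g in groups:
            if g == "DENY" or g in INHERITANCE_FLAGS:
                continue
            rights |= SIMPLE_RIGHTS.get(g, {g.lower()})   # unknown specific rights kept verbatim
        aces.append(Ace(m.group("principal"), "DENY" in groups, rights))
    return aces


def _short(name: str) -> str:
    """Compare on the account name without the DOMAIN\\ prefix, case-insensitively."""
    return name.rsplit("\\", 1)[-1].lower()


def effective_rights(aces: Sequence[Ace], user: str, groups: Sequence[str]) -> Set[str]:
    """Rights the user ends up with: any matching deny ACE removes the right
    no matter how many allow ACEs grant it, which is what /deny relies on."""
    identities = {_short(user)} | {_short(g) for g in groups}
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for ace in aces:
        if _short(ace.principal) in identities:
            (denied if ace.deny else allowed).update(ace.rights)
    return allowed - denied


def quote_principal(name: str) -> str:
    """A name with spaces must be quoted or icacls parses it as two parameters."""
    return f'"{name}"' if " " in name else name


def build_icacls_command(filename: str, grants: Sequence[Tuple[str, str]] = (),
                         denies: Sequence[Tuple[str, str]] = ()) -> str:
    """Stack any number of /grant and /deny entries on one command line."""
    parts = ["icacls", quote_principal(filename)]
    parts += [f"/grant {quote_principal(p)}:({r})" for p, r in grants]
    parts += [f"/deny {quote_principal(p)}:({r})" for p, r in denies]
    return " ".join(parts)
```

Because the evaluation is modelled on the rule the article gives (any deny beats any allow) rather than on ACE ordering, it is a quick way to check before running a command that a user who sits in several groups will not keep access through one of them.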


Manage Access Control Lists Using ICACLS In Vista Part I

Although the Graphical User Interface (GUI) can be a powerful and easy way to set permissions and access control lists in Vista, Vista also ships with a utility called ICACLS. This utility replaces the CACLS utility found in XP.

The ICACLS utility lets you display, modify, backup and restore Access Control Lists (ACLs) for files and folders. ICACLS can apply the same permissions to an entire tree, as well as edit existing permissions. This allows you to precisely control how permissions are added or removed one group (or user) at a time without disturbing other permissions that exist on the system.

The basic format of the ICACLS command is ICACLS <name> [Options], where <name> is the name of the file or directory to be modified. The filename can contain wildcards, allowing the same command to be run across multiple files. If you run ICACLS on a file without any options, instead of changing the access control list on the file, ICACLS will display the existing access control list. There are several options for ICACLS.

The option for adding a new group or user is the /grant option. The /grant option is followed by the name of the group or user, a colon, and the kind of access to be granted. The kind of simple access that can be granted includes:

  • “r” for read only
  • “w” for write access
  • “f” for full access
  • “m” for modify
  • “rx” for read and execute

For example, to give a group called Sales read permissions to a file named userfile.doc, the command would look like this:

ICACLS userfile.doc /grant Sales:(r)

Removing a user’s access to a file is similar. Instead of /grant, you use /remove. Thus, the command to remove the Sales group’s access to userfile.doc would be:

ICACLS userfile.doc /remove Sales


IE7’s Security Zones User Interface Part V

So far, you have learned about IE7’s Security Zones and some of the individual security settings that are available. A new feature in IE7, found on the Security Zones user interface, is ‘Protected Mode’. The Protected Mode feature is designed to prevent hackers from damaging your computer through your browser.

When IE7 runs in Protected Mode, it cannot modify any user or system files without your consent. Before something is put on your machine or another program is launched, you will need to consent to the activity. Protected Mode therefore reduces the chances of unwanted software being installed on your computer and ensures that you are aware of what a Web site is trying to do — giving you the chance to stop it.

Protected Mode is enabled by default for all security zones, except the Trusted Site zone. You can disable Protected Mode from the Security tab within the Internet Options window. However, be aware that if you do disable Protected Mode, your computer will be more vulnerable to malware and other types of damaging software.


IE7’s Security Zones User Interface Part IV

So far, we have looked at four categories of security settings that you can configure for IE7’s Security Zones: .NET Framework, ActiveX Controls and Plug-ins, Downloads, and Java VM. Now let’s take a look at the Miscellaneous, Scripting, and User Authentication categories.

Miscellaneous

The Miscellaneous category contains a hodgepodge of settings, most of which were added as the result of various security patches and fixes that have been integrated into Internet Explorer over the last couple of years. Each of these settings can be configured as Enable, Disable, or Prompt.

  • Access Data Sources Across Domains: Controls cross-domain data access, which can open the door to various spoofing attacks.
  • Allow META REFRESH: Controls whether Web pages can use meta-refreshes to reload pages after a preset delay.
  • Allow scripting of Internet Explorer web browser control.
  • Allow script-initiated windows without size or position constraints.
  • Allow Web pages to use restricted protocols for active content.
  • Allow Web sites to open windows without address or status bars.
  • Display Mixed Content: Controls whether Web pages can display content from both secure and nonsecure servers.
  • Don’t Prompt For Client Certificate When No Certificates Or Only One Certificate Exists: Controls whether users are prompted to select a certificate when no trusted certificate or only one trusted certificate has been installed on the computer.
  • Drag And Drop Or Copy And Paste Files: Controls whether users can drag and drop files or copy and paste files.
  • Include local directory path when uploading files to a server.
  • Installation Of Desktop Items: Controls whether users can download and install Active Desktop content.
  • Launching applications and unsafe files
  • Launching Programs And Files In An IFRAME: Controls whether applications may be run and files may be downloaded from within a floating frame (IFRAME).
  • Navigate Subframes Across Different Domains: Designed to prevent frame spoofing, which is defined as inserting a page containing malicious content within a frame on a legitimate Web site.
  • Open files based on content, not file extension.
  • Software Channel Permissions: Controls whether an e-mail message can be sent with notification of available software for download or whether that software can be installed.
  • Submit Nonencrypted Form Data: Controls whether data in HTML forms may be submitted. (Keep in mind that this only affects non-SSL form data; any data submitted with SSL encryption is always allowed.)
  • Use Phishing Filter.
  • Use Pop-Up Blocker.
  • Userdata Persistence: Controls how objects persist to data, such as page state in user data.
  • Web sites in less privileged web content zone can navigate into this zone.

Scripting

The Scripting category contains the following settings, which allow you to clamp down on malicious scripting activity. Each of these settings can be configured as Enable, Disable, or Prompt.

  • Active Scripting.
  • Allow programmatic clipboard access.
  • Allow status bar updates via script.
  • Allow Web sites to prompt for information using scripted windows.
  • Scripting Of Java Applets.

User Authentication

Many Web sites and intranet sites require user authentication to gain access. The Logon security setting allows you to control the transmission of authentication information via Internet Explorer with the selection of one of four options.

  • Anonymous Logon: Disables authentication and uses guest access.
  • Automatic Logon Only In Intranet Zone: Automatically logs on to all sites in the Intranet zone with the current session username and password, and prompts for a username and password for sites in all other zones.
  • Automatic Logon With Username And Password: Configures Internet Explorer with the current session username and password.
  • Prompt For Username And Password: Configures Internet Explorer to always prompt for a username and a password.

IE7’s Security Zones User Interface Part III

The process of adding sites to the Local Intranet, Trusted Sites, and Restricted Sites zones is easy. So, too, is selecting one of the four broad security level settings. The tricky part is adjusting the individual security settings because you really need to have a thorough understanding of what each of these settings controls. In Part II of this article, we looked at some of the individual security settings. In this installment, we’ll continue looking at some of the remaining settings that you can configure.

Downloads

The settings in the Downloads category allow you to control how you want the browser to deal with the download of files and fonts. The Font Download option can be set to Enable, Disable, or Prompt; the File Download option can only be set to Enable or Disable.

Java VM

There is only one setting available under the Java VM (Virtual Machine) category: Java Permissions. When a Java applet runs, it typically requests permission to access items on your system, such as folders, files, printers, system information, or network connections. Obviously, controlling the amount of security applied to Java applets is very important.

To configure Java security, you’ll use one of five settings:

  • Custom
  • Disable Java
  • High Safety
  • Low Safety
  • Medium Safety

Keep in mind that if a Java applet doesn’t need a higher level of permission than what you have set, it will run without requesting permissions. If it does need a higher level of permission, Internet Explorer will display a dialog box that prompts you to grant the necessary additional privileges needed for the applet to run.


IE7’s Security Zones User Interface Part II

The process of adding sites to the Local Intranet, Trusted Sites, and Restricted Sites zones is easy. So, too, is selecting one of the four broad security level settings. The tricky part is adjusting the individual security settings because you really need to have a thorough understanding of what each of these settings controls. Let’s take a closer look at some of those security settings.

.NET Framework

The settings in the .NET Framework category are specifically designed for the .NET Framework 3.0. The four security settings include:

  • Loose XAML: Controls whether IE7 can navigate to and load loose XAML files.
  • XAML browser applications: Controls whether IE7 can navigate to and run XBAPs.
  • XPS documents: Controls whether IE7 can navigate to and load XML Paper Specification (XPS) documents.
  • Enable .NET Framework setup: Controls whether the .NET Framework 3.0 can be installed via IE7.

ActiveX Controls And Plug-ins

The settings in the ActiveX Controls And Plug-ins category allow you to control whether signed or unsigned controls are downloaded and executed. An ActiveX control or plug-in is basically a program object that can be inserted into a Web page by the developer and used to provide some interactive function on the page. For example, an ActiveX control could be used to insert a live stock ticker in a Web page.

A signed ActiveX control is one that includes a certificate stating who created the control and which Certification Authority, such as VeriSign, has credentialed the control. A signed ActiveX control can be considered safe under most circumstances. An unsigned ActiveX control contains neither the author’s name nor a credential. The settings in this category are:

  • Allow previously unused ActiveX controls to run without prompt
  • Allow scriptlets
  • Automatic prompting for ActiveX controls
  • Binary and Script behaviors
  • Display video and animation on a Web page that does not use external media player
  • Download Signed ActiveX Controls
  • Download Unsigned ActiveX Controls
  • Initialize And Script ActiveX Controls Not Marked As Safe
  • Run ActiveX Controls And Plug-ins
  • Script ActiveX Controls Marked Safe For Scripting

These can be set to one of three values: Enable, Disable, or Prompt. The latter setting configures Internet Explorer to display a dialog box asking you whether you want to run the control.

It’s important to point out that the Run ActiveX Controls And Plug-ins setting has an additional option called Administrator Approved, which gives corporate administrators the ability to allow specific ActiveX controls to be run, while locking out all others.


IE7’s Security Zones User Interface Part I

In a previous article entitled Secure Computers with Internet Explorer 7’s Security Zones, you learned about the four security zones in Internet Explorer 7. In this series of articles, we’ll look more closely at the user interface for configuring IE7’s Security Zones.

The user interface for configuring IE7’s Security Zones feature is very straightforward. To begin configuring IE7’s Security Zones, pull down the Tools menu and select the Internet Options command. When you see the Internet Options dialog box, select the Security tab.

Each of the four Security Zones is represented by an icon in the panel at the top of the tab. As you click each icon, you’ll see the preset security level setting that applies to that zone. You can adjust the security level by moving the slider to the notches that apply to each of the four predefined settings.

The Sites button is unavailable in the Internet zone; clicking that button in any of the other zones will display another dialog box with which you can add specific sites to that zone. For example, selecting the Trusted Sites zone and clicking the Sites button will display the dialog box that lets you add specific Web sites to the Trusted Sites zone. You can then easily add a Web site to the zone by typing the address and then clicking the Add button.

At the bottom of the Security Level For This Zone panel you will see the Custom Level button. When you click this button, you’ll see the Security Settings dialog box, where you can configure the individual security settings listed. In the next installment of this article, we’ll take a closer look at some of these individual security settings.


Track Your Items In Outlook With Categories

Do you struggle locating items in Outlook? Do you spend too much time searching through your various folders in Outlook trying to find specific items? If so, you might want to consider using Categories.

A category is a specific word or phrase that you can use to group your Outlook items so you can easily find them later on. I should say ‘logically’ group items because they can be stored in different folders. For example, if you are working on a business project, you can assign all related items (e-mails, notes, contacts, and so on), to the same category (such as business). When you want to bring up items related to your business project, you can do so using the category you assigned the items to.

When it comes to using Categories, Outlook includes a Master Category List. You can group your items using the predefined categories or you can create your own. Both of these processes are described below.

Once you have Outlook open, select the item or items you want to assign to a specific category. An item can be an e-mail, contact, task, journal entry, note, appointment, and so on. You can select more than one item by holding down the CTRL key as you select them. From the Edit menu, click the Categories option. From the list of Available Categories, select the category you want to assign to the items. Keep in mind that you can assign an item to more than one category.

Alternatively, using a few simple steps, you can create your own custom categories. For example, if you are working on a specific project, you may want to create a category using the project name. You can then assign this category to all the items that relate to that particular project.

Creating a new category is very easy to do. Once you have Outlook open, select the item or items you want to assign a new category to. From the Edit menu, click the Categories option. From the Categories dialog box, click the Master Category List button. Type in a name for the new category that you want to create in the New category field and click the Add button. You can repeat this step for any additional categories that you want to create. Click OK to close the Master Category List dialog box and click OK to close the Categories dialog box.

If you want to search for items based on a category, click the Advanced Find button from the Tools menu. Select the More Choices tab and type in the name of the category or click the Categories button to select the appropriate one. Click Find Now and all the items assigned to the category will be displayed.


Protecting Against Hoaxes Part III

Helping users to understand what hoaxes look like will go a long way in protecting against them. Most e-mail hoaxes (and almost all of the really successful ones) fall into several recognizable categories:

  • The technical warning. Many successful hoaxes use highly technical language to describe a threat. The description is often complete nonsense.
  • The Good Samaritan ploy. Hoaxes don’t just warn you of a mythical threat, they play on your desire to help your friends, or to appear important, and cajole you into sending the fake warning to everyone you know. This lends the warning an air of authenticity because it comes from someone users know.
  • The too-good-to-be-true offer. Among other common ploys are those get rich quick schemes that clearly sound too good. They’re usually pretty stupid, but people fall for them every day.

The e-mail hoax is just the technological equivalent of the chain letter and follows the age-old three-part pattern of all successful cons:

  1. The hook
    First, there will be an appeal to greed or compassion or the chance to show off by being the first to warn your friends. The hook is the virus warning, the dying child announcement, the offer to make Big Money at Home While Sleeping, or a similar catchy subject line that is expanded in the first several paragraphs if you open the e-mail.

  2. The threat or warning
    The message will quickly move on to warn of severe damage that could occur to your computer (or some other dire consequences that might befall you) if you don’t take a certain action.

  3. The action
    Although a few hoaxes will simply rely on your inherent desire to share good or bad news, nearly all of them will include a final plea to send copies of the original message to as many people as you can.

Certainly the most easy-to-identify feature shared by all hoaxes is this: They come in an e-mail, not from a trusted Web site or a mailing list you have subscribed to, but from an untrusted source. That should be such a gigantic red flag that no other warning is needed.
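The three-part pattern and the untrusted-source red flag described above are regular enough to be turned into a scoring rule, the kind of check a mail administrator might run over reported messages before deciding whether to send a warning to staff. The following is an added example, not code from the original article; the indicator phrases, the two sample messages and the trusted-sender domains are all constructed, and a real deployment would replace the phrase lists with ones drawn from hoaxes actually seen in the organization.

```python
"""Score e-mail text against the hoax pattern the article describes:
a hook, a threat or warning, and a plea to forward the message,
plus the untrusted-source red flag.

Added example, not part of the original article. The phrase lists and
both sample messages are constructed; the trusted-sender domains are
placeholders for an organization's own list.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Indicator phrases for each element of the pattern (constructed, illustrative).
INDICATORS: Dict[str, List[str]] = {
    "hook": [r"virus (warning|alert)", r"dying (child|boy|girl)", r"make (big )?money",
             r"from home", r"free (gift|prize|money)"],
    "threat": [r"(destroy|erase|wipe|delete) (your|the) (hard ?drive|files|computer)",
               r"no (known )?(cure|fix)", r"you will lose", r"irreversible"],
    "action": [r"forward (this|it) to everyone", r"send (this|it) to (all|everyone)",
               r"pass (this|it) (on|along)", r"as many people as (you can|possible)"],
    "technobabble": [r"sector zero", r"nth complexity", r"binary algorithm", r"infinite loop"],
}

# Placeholder list; an organization would list its own IT and vendor domains here.
TRUSTED_SENDER_DOMAINS = {"example.com", "it-helpdesk.example.com"}

# Constructed sample messages: (sender, subject, body).
HOAX_SAMPLE: Tuple[str, str, str] = (
    "concerned.friend@freemail.example.net",
    "VIRUS WARNING - please read",
    "Please read! A new virus is spreading by e-mail. Experts say it uses an nth "
    "complexity binary algorithm to erase your hard drive, and there is no known "
    "cure. Forward this to everyone you know right away!",
)
LEGIT_SAMPLE: Tuple[str, str, str] = (
    "helpdesk@it-helpdesk.example.com",
    "Patch window tonight 22:00",
    "Workstations will reboot tonight to apply updates. Save your work before "
    "leaving. No action is required from you.",
)


@dataclass
class HoaxVerdict:
    score: int
    matched: Dict[str, List[str]]   # element -> patterns that fired
    untrusted_source: bool

    @property
    def is_hoax(self) -> bool:
        # All three con elements present, or two of them from an untrusted sender.
        elements = sum(1 for k in ("hook", "threat", "action") if self.matched.get(k))
        return elements == 3 or (elements >= 2 and self.untrusted_source)


def sender_domain(sender: str) -> str:
    m = re.search(r"@([\w.-]+)", sender)
    return m.group(1).lower() if m else ""


def score_message(sender: str, subject: str, body: str) -> HoaxVerdict:
    """One point per indicator phrase found, plus one for an untrusted sender."""
    text = f"{subject}\n{body}".lower()
    matched: Dict[str, List[str]] = {}
    score = 0
    for element, patterns in INDICATORS.items():
        hits = [p for p in patterns if re.search(p, text)]
        if hits:
            matched[element] = hits
            score += len(hits)
    untrusted = sender_domain(sender) not in TRUSTED_SENDER_DOMAINS
    if untrusted:
        score += 1
    return HoaxVerdict(score, matched, untrusted)


if __name__ == "__main__":
    for sample in (HOAX_SAMPLE, LEGIT_SAMPLE):
        verdict = score_message(*sample)
        print(f"{sample[1]!r}: score={verdict.score} hoax={verdict.is_hoax} "
              f"elements={sorted(verdict.matched)}")
```

The verdict deliberately requires the hook, threat and action elements to appear together (or two of them from an unknown sender) rather than keying on any single phrase, because a genuine IT notice can legitimately mention a virus or ask that a message be passed along; it is the complete chain-letter structure, not one word, that marks a hoax.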


Protecting Against Hoaxes Part II

As you learned in the previous installment of this article, educating users is one way you can reduce the threat of hoaxes. Another way, which would also cut the number of incidents that you have to respond to, is to ban user access to outside e-mail accounts from work. This is usually done via Web mail, Outlook Express, or even users who’ve loaded AOL software on their work computers. You’ll get a lot of complaints about a policy like this at first, but you should point out that this is akin to the normal ban on personal phone calls at work, except for emergencies or other urgent incidents.

If you decide on such a policy, you will also have to remind workers that their company e-mail account is not private, and they should never use it for any non-business purpose. Make sure they understand that it’s for business use only, and that their account may be routinely accessed by others in the company for legitimate reasons, such as when they are out sick or on vacation.

A policy banning access to personal e-mail accounts, complete with rigorously enforced sanctions against violators, will not only eliminate many of the threats from time-wasting hoax e-mails, but will also help mitigate a cause of real virus and worm infections: Employees opening infected attachments disguised as everything from lottery tips to nude photos of some actress or actor.


Protecting Against Hoaxes Part I

Hoaxes can be a major drain on an IT department’s resources. Unfortunately, many hoaxes are simply time-wasting pranks intended to make fun of novice or clueless users, but others include instructions that, if followed, will wreak havoc on a personal system or even a network. And many of the hoax e-mails that don’t contain malicious payloads or damaging directions are used by spammers to collect new victims’ addresses.

Just because hoaxes may not contain anything damaging does not mean they should be ignored. Not only will they get you on spam lists, the original hoax can be hijacked and turned into a malicious attack.

As usual, educating users is the best way to combat any threats from hoaxes. One way to educate users is by having a detailed usage policy that all users have to read and follow. Part of the guide could be a brief explanation of the basic threats and problems faced by businesses using the Internet.

A brief introductory talk to staff and new workers covering the following topics would suffice for most employees:

  • Virus threats are not announced by e-mails. These are always hoaxes and the IT department is usually notified about new viruses long before you could get an e-mail warning.
  • E-mail addresses can be hijacked. If a message appears to be from someone you trust but the message seems somehow odd, it is probably a fake message that was automatically forwarded by a virus.
  • Never open any unexpected e-mail attachments.
  • Never forward any virus threat e-mails or attempt to deal with the supposed threat by following instructions contained in an e-mail. Contact the IT department if you have a concern, and it will take any necessary actions.

Distributing Security Zone Settings Using Group Policy

Once you have configured Security Zones to meet your security requirements, you may need to distribute the settings to workstations throughout the network. While you can use the Internet Explorer Administration Kit’s Profile Manager to do the job, you can avoid having to install additional software if you use the method provided by the Group Policy editor.

Deploying security zone settings using group policy is a two-step procedure that involves exporting the Security Zone settings as an INS configuration file and then configuring your Windows Vista clients to use the Automatic Browser Configuration feature to import those settings. The beauty of this distribution method is that you can regularly update the Security Zone settings and then easily distribute the updates.

To begin, launch the Group Policy editor by typing group policy in the Search field on the Start Menu and press Enter. When you see the Group Policy editor window, go to the tree view and open the following branch: User Configuration | Windows Settings. Right-click on Internet Explorer Maintenance icon and select the Export Browser Settings command from the shortcut menu. When you see the Save .INS File And .CAB Files dialog box, type the full path and name of the .INS file and click OK. Once you save the INS file, copy it to the root directory of a local intranet server.

At this point, you’ll need to enable Automatic Browser Configuration on all of your Windows Vista clients. You can e-mail these instructions to your users or deploy them manually.

Launch the Group Policy editor by typing group policy in the Search field on the Start Menu. When you see the Group Policy editor window, go to the tree view and open the following branch: User Configuration | Windows Settings | Internet Explorer Maintenance | Connection. Double-click Automatic Browser Configuration. In the Automatic Browser Configuration dialog box, select both the Automatically Detect Configuration Settings and the Enable Automatic Configuration check boxes. Then, type the URL to the INS configuration file in the Auto-config URL (.INS File) text box.

Secure Computers With Internet Explorer 7’s Security Zones

Malicious active content on the Internet has always been a cause for concern for the IT professional. The Security Zones feature of Internet Explorer 7 (IE7) is designed to protect users from inadvertently downloading this type of content from the Internet.

IE7 includes four predefined Security Zones:

  • Internet: The Internet zone is an all-inclusive zone designed to include all Web sites on the Internet.
  • Local Intranet: The Local Intranet zone is designed to include all computers that are connected to a local network.
  • Trusted Sites: The Trusted Sites zone can be configured to include any sites containing active content that you completely trust.
  • Restricted Sites: The Restricted Sites zone can be configured to include any sites containing active content that you absolutely do not trust.

There is actually a hidden, fifth zone, the My Computer zone, which includes most of the files on your computer. This special zone doesn’t appear in the dialog box with the others and can only be reconfigured by editing the registry or by using the Internet Explorer Administration Kit. As a general rule, the default security level in the My Computer zone is sufficient for most situations.

Each of these Security Zones is by default configured to use one of four predefined security levels. For example, the Restricted Sites zone is set at High, the Internet zone is set at Medium-high, the Local Intranet zone is set at Medium-low, and the Trusted Sites zone is set at Medium.

In most circumstances, these default Security Zone settings are sufficient, but you do have a lot of latitude — possibly more than you’re comfortable with. IE7’s Security Zone feature is highly customizable and gives you a mechanism for adjusting the amount of security in each of the Security Zones at a granular level. In other words, you can configure each and every active content feature that IE7 is capable of processing by choosing to enable or disable the feature and configuring Internet Explorer to prompt the user for a choice before accessing the active feature.
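As an added example (not part of the original article), the following PowerShell script reads the per-user Security Zone settings from the registry and reports each zone’s level and a few of the granular active-content settings described above. The zone ids and registry value names come from Microsoft’s documented zone registry layout (KB 182569); which settings count as “too loose” for the Restricted Sites zone is this example’s own assumption.

```powershell
# Added example, not from the original article: audit IE Security Zone settings.
# Zone ids: 0 = My Computer (the hidden zone), 1 = Local Intranet, 2 = Trusted Sites,
# 3 = Internet, 4 = Restricted Sites. Value names/levels follow Microsoft KB 182569.
$zonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# CurrentLevel (REG_DWORD) -> predefined security level name
$levelNames = @{
    0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'
    0x11500 = 'Medium-high'; 0x12000 = 'High'
}
# Per-feature action values: 0 = Enable, 1 = Prompt, 3 = Disable
$actionNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# The granular settings this check inspects (registry value name -> feature)
$features = @{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1004' = 'Download unsigned ActiveX controls'
    '1400' = 'Active scripting'
}

foreach ($id in 0..4) {
    $zone = Get-ItemProperty -Path "$zonesKey\$id" -ErrorAction SilentlyContinue
    if (-not $zone) { continue }
    $level = $levelNames[[int]$zone.CurrentLevel]
    if (-not $level) { $level = ('Custom (0x{0:X})' -f $zone.CurrentLevel) }
    Write-Host ("Zone {0} [{1}]: level {2}" -f $id, $zone.DisplayName, $level)

    foreach ($value in $features.Keys) {
        $raw = $zone.$value
        if ($null -eq $raw) { continue }   # not set: IE uses the level's default
        $action = $actionNames[[int]$raw]
        if (-not $action) { $action = "Unknown ($raw)" }
        Write-Host ("    {0,-36} {1}" -f $features[$value], $action)
        # Assumption of this example: Restricted Sites should never run scripts
        # or unsigned controls, so anything other than Disable is flagged.
        if ($id -eq 4 -and [int]$raw -ne 3) {
            Write-Warning "Restricted Sites allows '$($features[$value])' ($action)"
        }
    }
}
```

Settings pushed through Group Policy live under the Policies hive (HKCU or HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones) and take precedence over the per-user values this script reads.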

Installing And Configuring Certificate Services On Windows Server 2008 Part V

You can begin configuring a CA from its properties window. Within the Certificate Authority console, right-click the CA and select Properties.

By default, the General tab should already be the active tab in the window. This tab just provides some basic information about the CA such as the common name and Cryptographic setting. If you recall, these settings were configured during the installation of Certificate Services.

Policy Modules determine whether certificate requests are issued, denied, or marked as pending. The Policy Module tab can be used by an Administrator to specify what the CA should do when a certificate request is received.

Similarly, you can use the Exit Module tab to specify what the CA should do after a certificate has been issued. A CA can be configured to publish issued certificates to Active Directory and/or a file system.

The Extensions tab is used to configure CRL settings. By clicking the Add button, you can specify a CRL distribution point. The Storage tab displays information about where the Certificate database and the Request log are stored. Configuration data can be stored in Active Directory or in a shared folder. On an Enterprise CA, configuration data is automatically stored within Active Directory.

The Security tab enables you to configure access privileges and implement role-based administration. The roles include:

  • CA administrator - Assigned the Manage CA permission
  • Certificate Manager - Assigned the Issue and Manage Certificates permission
  • Backup Operator - Assigned the Back up files and directories and the Restore files and directories permissions
  • Auditor - Assigned the Manage auditing and security log permission
  • Enrollees - Assigned the Read and Enroll permissions

The options available on the Recovery Agents tab are used to configure whether private keys are archived. In Windows Server 2008, private keys for specific certificates can be archived so they can be recovered in the event that they are lost. The CA will store the private key within its database. The process of recovering a private key includes two different phases: key archival and key recovery. Once a key has been archived, it can be recovered by a key recovery agent.

Certificate Services can be configured to log events to the Security log. From the Auditing tab you can pick which types of events you want to audit. When an event occurs it will be written to the Windows Server Security log and you can use the Windows Event Viewer to examine the contents of the log file.

Finally, the Certificate Managers Restrictions tab can be used to apply further restrictions to certificate managers. A certificate manager is any user that has been assigned the Issue and Manage certificates permission (you can use the Security tab to assign this permission). You can use the Certificate Managers Restrictions tab to then define which users, groups, or computers a certificate manager is allowed to manage.
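The Security and Auditing tabs above have command-line equivalents. As an added example (not from the original article), this PowerShell script run in an elevated session on the CA enables every audit category, turns on the matching Windows audit subcategory, enables role separation so that no single account can exercise more than one CA role, and then verifies the values with certutil.

```powershell
# Added example, not from the original article. Run elevated on the CA itself.
# certsvc must be restarted before the registry changes take effect.

# Auditing tab: AuditFilter is a bitmask of the seven audit categories; 127 enables all.
certutil -setreg CA\AuditFilter 127

# The CA only writes those events if the "Certification Services" audit subcategory is on.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# Security tab: with role separation on, an account holding more than one CA role
# (e.g. Manage CA plus Issue and Manage Certificates) is blocked from using either,
# so split the roles across accounts before enabling it.
certutil -setreg CA\RoleSeparationEnabled 1

Restart-Service -Name certsvc

# Verify: certutil -getreg prints the DWORD in hex (e.g. "AuditFilter REG_DWORD = 7f (127)").
$checks = @{
    'CA\AuditFilter'           = 127
    'CA\RoleSeparationEnabled' = 1
}
foreach ($name in $checks.Keys) {
    $out = certutil -getreg $name 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { Write-Warning "certutil -getreg $name failed: $out"; continue }
    $hex = '{0:x}' -f $checks[$name]
    $ok = $out -match "=\s*$hex\b"
    Write-Host ("{0,-28} {1}" -f $name, $(if ($ok) { 'OK' } else { 'MISMATCH' }))
}
auditpol /get /subcategory:"Certification Services"
```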

That’s all there is to it.

Installing and configuring a Certificate Authority is not a difficult task, as long as you have some basic understanding of CAs. Setting up a CA without doing some pre-planning will more than likely result in a few problems. Having an idea of the steps involved in the setup process and how to configure the CA afterwards can help to ensure that you only have to complete the procedure once. In other words, do it properly the first time.

Installing And Configuring Certificate Services On Windows Server 2008 Part IV

After Certificate Services is installed, you can manage it using the Certificate Authority snap-in. The console allows you to perform a number of different tasks including:

  • Stop and start the service
  • Back up and restore a CA
  • Renew a CA certificate
  • Configure the policy and exit modules
  • Manage certificates that have been issued and revoked
  • Manage certificate requests
  • Configure event auditing
  • Set security permissions
  • Create and view CRLs
  • Set the publication interval for the Certificate Revocation List

To open the Certificate Authority snap-in on the local computer:

  1. If this is the first time you are using the Certification Authority snap-in on this computer, click Start, click Run, type mmc, and then press Enter.
  2. On the File menu, click Add/Remove Snap-in.
  3. Add the Certification Authority snap-in to the list on the right.
  4. Select the computer hosting the CA that you want to administer, and then click OK.

You can save the console by clicking File | Save As. Type in an appropriate file name for the console so you can easily identify it and then click Save.

The Certificate Authority snap-in can also be used to administer a CA on another computer. Within the snap-in, click Retarget Certification Authority from the Action menu. Click Another Computer and type the name of the computer.

When you open the Certificate Authority console, you will see your CA. Expand the CA by clicking the plus sign beside it and the following containers will appear:

  • Revoked Certificates - Provides information about the certificates that have been revoked by the CA.
  • Issued Certificates - Provides information about the certificates that have been issued by the CA.
  • Pending Requests - Provides information about certificate requests for the CA that are still awaiting approval.
  • Failed Requests - Provides information about all failed certificate requests including why each request failed.
  • Certificate Templates - Lists the type of certificates that the CA can issue. This container is only available on Enterprise CAs.