USGCB Policy Bug: Turn off desktop gadgets

The US Government Configuration Baseline (USGCB) group policy object (GPO) for Windows 7 Computer Settings includes the setting:

Computer Configuration\Administrative Templates\Windows Components\Desktop Gadgets
Turn off desktop gadgets = Enabled

This setting is not included in the settings spreadsheet or the associated SCAP content.  It was mistakenly included in the GPO and is expected to be…


Windows XP Remote Assistance and DontDisplayLastUserName

While implementing Remote Assistance during a Windows 7 deployment I found that an RA connection to older Windows XP workstations would behave like a Remote Desktop connection: the user would not be prompted to allow the administrator to connect, and the administrator would be prompted to log on.  I eventually traced the issue to the presence…


Maximizing Security in Configuration Manager

This post details my experience and lessons learned with hardening a System Center Configuration Manager system.  I’ll review the risks and then describe the various technical components of a ConfigMgr system: Windows Server host, Internet Information Service (IIS), SQL Server and ConfigMgr itself.  Make sure to review the current product documentation on Security for Configuration…


Explicit rights for Preinst

I recently had to manually remove a secondary site (S01) from a ConfigMgr 2007 SP1 hierarchy.  It deleted ok from the parent site (P01), but since that doesn’t replicate up the hierarchy, I had to go to the Hierarchy Maintenance Tool (Preinst.exe) on the central (C01) site to fully remove it.  However, when logged on…


Debug programs right needed to uninstall ConfigMgr Console

I recently discovered an interesting issue when trying to uninstall the ConfigMgr Console from a Windows Server 2003 system to which the SSLF member server baseline policy is applied.  When running through setup to uninstall the console, all of the components show the status “Not Started” and the wizard lets you click Next, i.e.,…


ConfigMgr 2007 and SCW

The Security Configuration Wizard is new to Windows Server 2003 SP1 and provides a very detailed ability to lock down a server based on the roles, services and applications.  With SMS 2003, the toolkit provided security templates that would allow SMS to function when used in the context of the Enterprise Client (EC) or Specialized Security Limited…


How to generate a custom LGPO based on FDCC

One of my customers requires additional security settings beyond the OMB-mandated Federal Desktop Core Configuration (FDCC) and I need to apply the settings as local policy during the MDT build process so that disconnected systems still get a baseline of policy.  So here’s the process I used to generate the policy objects and then apply…


Script to set Windows Vista audit policy

There’s probably a sexier way to do it, but the attached script (rename to .cmd) can be used to set Windows Vista SP1 audit policy using auditpol.  The current settings are based on the FDCC 2008 Q1 settings.  It must be run elevated.  I suggest using something like the following command line: CustomSetAuditPolicy-v2.cmd > C:\Windows\security\logs\CustomSetAuditPolicy.log 2>&1…


Short File Name Prerequisite for SCCM 2007

A common security/performance setting is to disable short file names (aka 8.3 file names), and is recommended as part of the Microsoft Solutions for Security (MSS) (Disable Auto Generation of 8.3 File Names [NtfsDisable8dot3NameCreation]).  However, as one of my customers recently discovered, this is an as-of-yet-undocumented prerequisite for System Center Configuration Manager (SCCM) 2007.  The SCCM…
