LGPO.exe – Local Group Policy Object Utility, v1.0

LGPO.exe is a new command-line utility to automate the management of local group policy. It replaces the no-longer-maintained LocalGPO tool that shipped with the Security Compliance Manager (SCM), and the Apply_LGPO_Delta and ImportRegPol tools. Features: Import settings into local group policy from GPO backups or from individual policy component files, including Registry Policy (registry.pol), security templates, and advanced…

4

Security baselines for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11 – FINAL

Microsoft has published its security guidance and baselines for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11.  If you have been reluctant to evaluate or deploy these technologies in the absence of specific USGCB guidance, NIST essentially says, “Use the vendor’s guidance.”  Here is the vendor’s guidance.  Please see these three new blog…

1

Security baselines for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11

Although the US Government has not published a US Government Configuration Baseline (USGCB) standard for Windows 8 or Windows 8.1, Microsoft has just published a beta release of Microsoft security guidance for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11.  It includes documentation, GPOs, and scripts for installing the recommended settings to local group…

1

IEZoneAnalyzer update: v3.5.0.5

I just posted a minor update to IEZoneAnalyzer.  Version 3.5.0.5 fixes an issue in which IE10 was reported as version “9.10.9200.16614”; it now reports a 10.* version number.  (*) Version 3.5.0.5 also adds text corresponding to new IE security zone settings, adds back in a set of sample files that capture default settings on various…

2

Legacy Web App Security and Sysinternals at TechEd North America + Europe 2012

I’m presenting a couple of sessions at TechEd North America 2012 in Orlando (June 11-14) and at TechEd Europe 2012 in Amsterdam (June 26-29). The first session is “Sysinternals Primer: Gems“, the latest in the Sysinternals Primer series (*). In the latest edition of the popular Sysinternals Primer series, join Aaron (Mark Russinovich’s co-author of…

0

Correction posted for IE Explicit Security Zone Mappings and IEZoneAnalyzer’s Zone Map Viewer

I received some questions and comments about Internet Explorer’s Explicit Security Zone Mappings and about the latest version of IEZoneAnalyzer containing the Zone Map Viewer.  I hadn’t had time to dig into the questions so they lingered, but I finally carved some time to post answers to those questions in the Comments sections of those…

1

Enabling “Initialize and script ActiveX controls not marked as safe” in ANY zone can get you hurt, bad.

This post is about a security setting that is often underestimated in its ability to enable serious harm when relaxed.  Microsoft’s security guidance, the US Government Configuration Baseline (USGCB) and other security guidance currently mandate only that it be locked down in the Internet and Restricted Sites zones, which are of course the highest risk…

15

Top Ten Deployment Blockers

My colleague Shelly Bird, a highly esteemed Architect in Microsoft Public Sector Services, has years of experience in desktop and server deployments.  She has seen what works and a whole lot of what doesn’t.  Now she is bringing her observations to the blogosphere, kicking off with a Top Ten list of deployment blockers.  I was…

0

Alert: Java’s Forward-Compatibility Promise Has Been Revised

Java’s Forward-Compatibility Promise Writing forward-compatible software is really hard. You carefully write your programs strictly according to the current specifications for your target platform, and it works perfectly well on that platform.  But eventually that platform and its specifications will be updated.  It will effectively become a different platform, and you really have no way…

2