Problems with FDCC’s XP File Permissions

A few months ago I blogged about a case in which an ill-advised registry hack caused application failure.  I also referred to KB 885409, which lists some of the problems that can arise when relatively untested third-party security guidance around file and registry permissions settings is applied, like the Recycle Bins of administrator accounts…


Viewing and Comparing IE Security Zone Settings – enhanced

I’ve enhanced the IE security zone comparison utility that I posted here a few weeks ago.  The new version shows the effective settings for a selected zone, based on the precedence rules for User and Computer policies and preferences (as described here) and whether only Machine settings are used.  Pick an IE security zone (such as Intranet),…


Viewing and Comparing IE Security Zone Settings

The Security tab of the Internet Explorer Properties dialog shows security settings for the Internet, Intranet, Trusted Sites and Restricted Sites zones.  However: It doesn’t show settings for the Local Machine (Computer) zone, nor for Local Machine Zone Lockdown (LMZL). When machine settings or other policies are in effect, most of the Security Zones UI…


The Case of the Unexplained Installation Failure (and an ill-advised registry hack)

Since Mark Russinovich hasn’t trademarked his “Case of the Unexplained…” series, I’m appropriating the title to describe the results of some troubleshooting I did for a customer.  The root cause turned out to be a widely-adopted but ill-advised registry hack that many organizations have built into their standard desktop images.  If you’re not interested in…


Source code for New and Updated Local Group Policy utilities

Visual Studio 2008 source and project files for the new ImportRegPol utility and the updated Set_FDCC_LGPO and Apply_LGPO_Delta utilities for managing Local Group Policy Objects. Note that these are all now Visual Studio 2008 projects. [Update Jan 15 2010:  new versions released — see the LGPO Utilities page]


New and Updated Local Group Policy Utilities

A customer requested an addition to the local group policy toolset posted on the FDCC blog.  While working on the new utility, I needed to upgrade the other two.  The full set is attached to this post, with documentation.  The source code for all of them is attached to a separate post. The new utility,…

FDCC Vista Application Development Requirements

Overview NOTE: This entry only focuses on the Windows Vista version of the FDCC and desktop applications. Since its infancy, common themes have emerged which have delayed or prevented enterprise customers from deploying the FDCC. By the 80/20 rule, the two most common problems, in order, are: 1. Data and Settings Management 2. Application Installation…

FDCC and Internet Explorer 7, Part 3 – Protected Mode

This is the [long-delayed] third installment in a series discussing various issues regarding the intersection of Microsoft Internet Explorer 7 and the Federal Desktop Core Configuration (FDCC). The FDCC bears close resemblance to Microsoft’s security guidance for Windows XP and Windows Vista, so this series will be of interest to any customers who are locking…

Set_FDCC_LGPO.exe v1.06, Visual C++ project sources

Visual Studio 2005 project files and source code for Set_FDCC_LGPO.exe v1.06 are attached to this blog post. [Removed, as a newer version is available — bookmark the landing page for the most up-to-date links.]


Set_FDCC_LGPO updated: v1.06

Set_FDCC_LGPO has been updated to reflect the updated GPO content on NIST’s download page.  The FDCC settings have not changed.  The updates contain only corrections to the downloads to more closely adhere to the FDCC settings. The updated Set_FDCC_LGPO is attached to this blog post.  (This time I also remembered to include the readme.htm in…