IEZoneAnalyzer v3.5 with Zone Map Viewer

IEZoneAnalyzer is a utility for viewing and comparing Internet Explorer security zone settings – that is, the configuration settings that grant web sites in the Intranet zone more capabilities in the browser than web sites in the Internet zone.  Earlier today, I wrote about the surprisingly complex rules that determine whether and when explicit mappings…

25

Utilities for automating Local Group Policy management

Update, 21 January 2016: LGPO.exe is a new command-line utility to automate the management of local group policy. It replaces the no-longer-maintained LocalGPO tool that shipped with the Security Compliance Manager (SCM), and the Apply_LGPO_Delta and ImportRegPol tools. Features: Import settings into local group policy from GPO backups or from individual policy component files, including Registry Policy (registry.pol),…


Enabling “Initialize and script ActiveX controls not marked as safe” in ANY zone can get you hurt, bad.

This post is about a security setting that is often underestimated in its ability to enable serious harm when relaxed.  Microsoft’s security guidance, the US Government Configuration Baseline (USGCB) and other security guidance currently mandate only that it be locked down in the Internet and Restricted Sites zones, which are of course the highest risk…

15

Apply_LGPO_Delta 1.0: utility to apply custom changes to Local Policy

[2009-04-15:  Attachment removed.  Bookmark this page for the latest versions of these utilities.]  Apply_LGPO_Delta v1.0 is a non-interactive tool that is designed to help make automated changes to Local Group Policy.  It can make changes to registry-based policy as well as apply security templates.  The primary intended scenario is to apply custom changes to FDCC policies after having…


Updated LGPO utility sources

The updated sources corresponding to the updated versions of the Apply_LGPO_Delta and ImportRegPol utilities are attached to this post. LGPO-Utilities-sources.zip

11

Set_FDCC_LGPO: Updated for 2008 Q3

[2009-04-15:  Attachment removed.  Bookmark this page for the latest versions of these utilities.]  Set_FDCC_LGPO is a utility that we originally released in December that applies the Group Policy Objects provided by NIST on their web site to the Local Group Policy on the Windows XP or Windows Vista computer you run the tool on. NIST recently released FDCC…

11

IEZoneAnalyzer v3

Announcing a major update to the IE security zone analyzer! IEZoneAnalyzer is a utility for viewing and comparing Internet Explorer security zone settings. It is particularly valuable on systems controlled through Group Policy, on which the standard security settings dialog does not allow viewing of settings. IEZoneAnalyzer version 3 represents a total rewrite, adding a…

11

Set_FDCC_LGPO: Utility to apply FDCC settings to local group policy

[2009-04-15:  Attachment removed.  Bookmark this page for the latest versions of these utilities.]  As promised in our webcast last week, we are publishing a utility that applies NIST’s current set of GPOs to the Local Group Policy of the computer on which you run it.  It — and the accompanying ReadMe.htm — are included as an attachment to…

10

Why don’t all of the FDCC settings appear in the Group Policy Editor?

Author: Mandy Tidwell, Senior Consultant    As many of you may have noticed, the FDCC Group Policy settings spreadsheet and FDCC Group Policy Objects (GPOs) downloaded from NIST (http://csrc.nist.gov/fdcc) contain settings that are not exposed by default in the Group Policy Editor interface.  These settings are easily identified in that they all begin with MSS….

8

Internet Explorer’s Explicit Security Zone Mappings

[Updated 15 May 2012 to correct a bug involving precedence of Computer policies over User policies.] I recently worked with some customers who wanted to enumerate which web sites had been assigned to which Internet Explorer security zones.  I.e., they wanted to know which web sites had been assigned to the Intranet zone, which to…

7