“AlwaysInstallElevated” is Equivalent to Granting Administrative Rights

When removing administrative rights from end users, it’s important to ensure that there are no easy paths by which a user (or malware running as the user) can gain administrative rights. For example, don’t relax default permissions on system resources such as files, folders and registry keys, and don’t grant users any “admin-equivalent” privileges such…


Script a Custom Power Management Policy

Author: Paul Fox, Senior Consultant Scenario: A customer wants a custom power plan for their laptop images. This is a frequent request to meet new Green initiatives in Federal and State governments. Here are the steps to incorporate a scripted power configuration. The resulting install.cmd can be embedded into a task sequence of Microsoft Deployment Toolkit….


Sample Files for Apply_LGPO_Delta

Apply_LGPO_Delta used to come with a bunch of sample files to address some common needs for policy adjustment, as well as a batch file to run Set_FDCC_LGPO and Apply_LGPO_Delta in sequence.  Those samples inadvertently got omitted from an upload at one point.  I’ve updated those sample files and added some new ones.  They are attached…


Set_FDCC_LGPO – Source code

The source code and Visual Studio project files for the Set_FDCC_LGPO utility are included at an attachment to this post. To build the project, you need Visual Studio 2005 and the Windows SDK.  The current NIST FDCC policy files are included in the attachment; to build with updated policy files, the attachment includes a PowerShell…


Sticking with Well-Known and Proven Solutions

I work with a lot of customers, and there are some problems I see over and over.  One problem that I’ve seen and been thinking about a lot lately is the way that a number of customers paint themselves into a corner through excessive customization of their environment.  Lately I’ve been making the case that…



Along with the release of official government guidance for Windows 7, NIST has rebranded the Federal Desktop Core Configuration (FDCC) as the United States Government Configuration Baseline (USGCB).  NIST’s spreadsheets, Group Policy Objects (GPOs) and virtual hard disks (VHDs) for Windows 7 can be downloaded from http://usgcb.nist.gov.  From this point forward, “FDCC” is just a four-letter…


Set_FDCC_LGPO.exe v1.05, source code

Visual Studio 2005 project files and source code for Set_FDCC_LGPO.exe v1.05 is attached to this blog post. (This blog doesn’t support multiple file attachments per post…) [Attachment removed, as a newer version is available — bookmark the landing page for the most up-to-date-links.]


LGPO.exe – Local Group Policy Object Utility, v1.0

LGPO.exe is a new command-line utility to automate the management of local group policy. It replaces the no-longer-maintained LocalGPO tool that shipped with the Security Compliance Manager (SCM), and the Apply_LGPO_Delta and ImportRegPol tools. Features: Import settings into local group policy from GPO backups or from individual policy component files, including Registry Policy (registry.pol), security templates, and advanced…


Viewing and Comparing IE Security Zone Settings – enhanced

I’ve enhanced the IE security zone comparison utility that I posted here a few weeks ago.  The new version shows the effective settings for a selected zone, based on the precedence rules for User and Computer policies and preferences (as described here) and whether only Machine settings are used.  Pick an IE security zone (such as Intranet),…


FDCC and Internet Explorer 7, Part 1: Security Zones

This multi-part series will discuss various issues regarding Microsoft Internet Explorer 7, particularly with regard to its use on Federal Desktop Core Configuration (FDCC) compliant systems.  The FDCC is based on Microsoft’s security guidance for Windows XP and Windows Vista, so this series will likely be of interest to audiences beyond those impacted by FDCC. …