LGPO.exe - Local Group Policy Object Utility, v1.0

LGPO.exe is a new command-line utility to automate the management of local group policy. It replaces the no-longer-maintained LocalGPO tool that shipped with the Security Compliance Manager (SCM), and the Apply_LGPO_Delta and ImportRegPol tools. Features: Import settings into local group policy from GPO backups or from individual policy component files, including Registry Policy (registry.pol), security templates, and advanced…

4

Security baselines for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11 – FINAL

Microsoft has published its security guidance and baselines for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11.  If you have been reluctant to evaluate or deploy these technologies in the absence of specific USGCB guidance, NIST essentially says, “Use the vendor’s guidance.”  Here is the vendor’s guidance.  Please see these three new blog…

1

Security baselines for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11

Although the US Government has not published a US Government Configuration Baseline (USGCB) standard for Windows 8 or Windows 8.1, Microsoft has just published a beta release of Microsoft security guidance for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11.  It includes documentation, GPOs, and scripts for installing the recommended settings to local group…

1

IEZoneAnalyzer update: v3.5.0.5

I just posted a minor update to IEZoneAnalyzer.  Version 3.5.0.5 fixes an issue in which IE10 was reported as version “9.10.9200.16614”; it now reports a 10.* version number.  (*) Version 3.5.0.5 also adds text corresponding to new IE security zone settings, adds back in a set of sample files that capture default settings on various…

2

Correction posted for IE Explicit Security Zone Mappings and IEZoneAnalyzer's Zone Map Viewer

I received some questions and comments about Internet Explorer’s Explicit Security Zone Mappings and about the latest version of IEZoneAnalyzer containing the Zone Map Viewer.  I hadn’t had time to dig into the questions so they lingered, but I finally carved some time to post answers to those questions in the Comments sections of those…

1

Enabling “Initialize and script ActiveX controls not marked as safe” in ANY zone can get you hurt, bad.

This post is about a security setting that is often underestimated in its ability to enable serious harm when relaxed.  Microsoft’s security guidance, the US Government Configuration Baseline (USGCB) and other security guidance currently mandate only that it be locked down in the Internet and Restricted Sites zones, which are of course the highest risk…

15

IEZoneAnalyzer v3.5 with Zone Map Viewer

IEZoneAnalyzer is a utility for viewing and comparing Internet Explorer security zone settings – that is, the configuration settings that grant web sites in the Intranet zone more capabilities in the browser than web sites in the Internet zone.  Earlier today, I wrote about the surprisingly complex rules that determine whether and when explicit mappings…

25

Internet Explorer’s Explicit Security Zone Mappings

[Updated 15 May 2012 to correct a bug involving precedence of Computer policies over User policies.] I recently worked with some customers who wanted to enumerate which web sites had been assigned to which Internet Explorer security zones.  I.e., they wanted to know which web sites had been assigned to the Intranet zone, which to…

7

Set_FDCC_LGPO for Windows 7…

… is not needed and will not be created.  I had kind of blogged about this a while back but it was hidden under a more general title, so the question about Set_FDCC_LGPO on Windows 7 continues to get asked. This post offers another easy and flexible way for you to apply NIST’s GPOs and…

2