The Administrative Template sections of Group Policy include registry-based settings that govern the behavior and appearance of the computers in your environment. These settings also govern the behavior of operating system components and applications. There are hundreds of these settings available for you to configure, and you can import additional .adm files to make more settings available. This chapter lists the Administrative Template settings that are under the Computer Configuration node of the Group Policy that is defined in this guide as well as those that are under the User Configuration node.

This chapter does not examine every setting that is available in the Administrative Templates for Microsoft® Windows® XP and Microsoft Windows Server™ 2003. However, this chapter does provide guidance for all settings that relate to security on computers that run these operating systems. Some settings that are not covered are specific to the following: Application Compatibility, Task Scheduler, Windows Installer, Windows Messenger, and Windows Media® Player.

Previous versions of this guide contained information about the Administrative Templates for Office XP. Microsoft Office 2003 contains a large number of new features and changes to the Administrative Templates that ship with the product. For more information about these changes, see the "More Information" section at the end of this chapter.
Computer Configuration Settings

The following configuration settings apply to computers that are members of an Active Directory® directory service domain. Information about user configuration settings is provided later in this chapter.

NetMeeting

Microsoft NetMeeting® allows users to conduct virtual meetings across the network in your organization. You can configure the NetMeeting Group Policy settings in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\

Disable remote Desktop Sharing

This policy setting allows you to disable the remote desktop sharing feature of NetMeeting. You can enable this policy setting so that users cannot configure NetMeeting to automatically answer inbound calls and allow remote control of the local desktop. The possible values for the Disable remote Desktop Sharing setting are:
Vulnerability

When this policy setting is enabled, users will not be able to use the remote desktop sharing feature of NetMeeting.

Countermeasure

Configure the Disable remote Desktop Sharing setting to Enabled.

Potential Impact

Users will be unable to configure remote desktop sharing through NetMeeting, although they may still be able to use the Windows Remote Assistance and Remote Desktop features if you have left them enabled.

Internet Explorer Computer Settings

Microsoft Internet Explorer is the Web browser that is included with Windows XP and Windows Server 2003, and you can manage many of its features through Group Policy. You can configure the Internet Explorer Computer Group Policy settings in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\

Disable Automatic Install of Internet Explorer components

This policy setting allows you to prevent the automatic download of components through Internet Explorer when users browse to Web sites that require the components to fully function. If you disable or do not configure this policy setting, users will be prompted to download and install components each time they visit Web sites that use them. This policy setting is intended to help the administrator control which components the user may install. The possible values for the Disable Automatic Install of Internet Explorer components setting are:
Vulnerability

Malicious Web site operators can host components that contain hostile code. Users in your organization could inadvertently download this code and run it on the computers in your environment, which could expose confidential data, cause data loss, and create instability.

Countermeasure

Configure the Disable Automatic Install of Internet Explorer components setting to Enabled.

Potential Impact

Internet Explorer will be unable to automatically download components when users browse to Web sites that need them.

Disable Periodic Check for Internet Explorer software updates

If you enable this policy setting, Internet Explorer will not be able to determine whether a later browser version is available and notify users of its availability. If you disable or do not configure this policy setting, Internet Explorer will check for updates every 30 days (the default setting) and notify users if a new version is available. This policy setting is intended to help administrators maintain version control for Internet Explorer, because it prevents users from being notified when a new browser version is available. The possible values for the Disable Periodic Check for Internet Explorer software updates setting are:
Vulnerability

Although Microsoft thoroughly tests all patches and service packs before they are published, some organizations want to carefully control all of the software that is installed on their managed computers. You can enable the Disable Periodic Check for Internet Explorer software updates setting to ensure that computers will not automatically download and install updates for Internet Explorer.

Countermeasure

Configure the Disable Periodic Check for Internet Explorer software updates setting to Enabled.

Potential Impact

Internet Explorer will not be able to automatically download and install hotfixes and service packs. Therefore, administrators should have another process in place to automatically distribute software updates to all managed computers.

Disable software update shell notifications on program launch

This policy setting allows you to prevent user notification when programs that use the Microsoft Software Distribution Channel install new components. The Software Distribution Channel is a way to update software dynamically on user computers by using Open Software Distribution (OSD) technologies. If you enable this policy setting, users will not be notified when their programs are updated through Software Distribution Channels. If you disable or do not configure this setting, users will be notified before their programs are updated. This policy setting is intended for administrators who want to use Software Distribution Channels to update their users' programs without user intervention. The possible values for the Disable software update shell notifications on program launch setting are:
Vulnerability

Organizations that use OSD tools and technologies may prefer that their users not know when patches and service packs are installed on their computers, because users may attempt to stop an installation process before it completes.

Countermeasure

Configure the Disable software update shell notifications on program launch setting to Enabled.

Potential Impact

Users will not be notified when software updates are delivered through OSD technologies.

Make proxy settings per-machine (rather than per-user)

If you enable this policy setting, users will not be able to alter user-specific proxy settings. They must use the zones that are created for all users of the computers they access. The possible values for the Make proxy settings per-machine (rather than per-user) setting are:
Vulnerability

If you disable or do not configure this policy setting, users of the same computer will be able to establish their own proxy settings. This policy setting is intended to ensure that proxy settings remain uniformly in effect on the same computer and do not vary from user to user.

Countermeasure

Configure the Make proxy settings per-machine (rather than per-user) setting to Enabled.

Potential Impact

All users will be forced to use the proxy settings that are defined for the computer.

Security Zones: Do not allow users to add/delete sites

This policy setting allows you to disable the site management settings for security zones. (To see the site management settings for security zones, select Tools and then Internet Options from the menu bar in Internet Explorer. Click the Security tab, and then click Sites.) If you disable or do not configure this setting, users will be able to add or remove Web sites in the Trusted Sites and Restricted Sites zones. They will also be able to alter settings in the Local Intranet zone. The possible values for the Security Zones: Do not allow users to add/delete sites setting are:
Note: If you enable the Disable the Security page setting, which is located in

Vulnerability

If you do not configure this policy setting, users will be able to add or remove sites from the Trusted Sites and Restricted Sites zones at will and change settings in the Local Intranet zone. This configuration could allow sites that host malicious mobile code to be added to these zones, which users could execute.

Countermeasure

Configure the Security Zones: Do not allow users to add/delete sites setting to Enabled.

Potential Impact

Users will not be able to change site management settings for security zones that have been established by the administrator. When users need to add or remove sites from these Internet Explorer security zones, an administrator will have to configure them.

Security Zones: Do not allow users to change policies

This policy setting allows you to effectively disable the Custom Level button and Security level for the zone slider on the Security tab in the Internet Options dialog box. If you disable or do not configure this policy setting, users will be able to change the security zone settings. This policy setting can be used to prevent changes to the security zone policy settings that are established by the administrator. The possible values for the Security Zones: Do not allow users to change policies setting are:
Note: If you enable the Disable the Security page setting, which is located in

Vulnerability

Users who change their Internet Explorer security settings could enable the execution of dangerous types of code from the Internet and Web sites that were listed in the Restricted Sites zone in the browser.

Countermeasure

Configure the Security Zones: Do not allow users to change policies setting to Enabled.

Potential Impact

Users will not be able to configure security settings for Internet Explorer zones.

Security Zones: Use only machine settings

This policy setting allows changes that the user makes to a security zone to apply to all users of that computer. If you disable or do not configure this policy setting, users of the same computer will be able to establish their own security zone settings. This policy setting is intended to ensure that security zone settings remain uniformly in effect on the same computer and do not vary from user to user. The possible values for the Security Zones: Use only machine settings setting are:
Vulnerability

Users who change their Internet Explorer security settings could enable the execution of dangerous types of code from the Internet and Web sites that were listed in the Restricted Sites zone in the browser.

Countermeasure

Configure the setting for Security Zones: Use only machine settings to Enabled.

Potential Impact

Users will not be able to configure security settings for Internet Explorer zones.

Turn off Crash Detection

This policy setting allows you to manage the crash detection feature of add-on management in Internet Explorer. If you enable this policy setting, a crash in Internet Explorer will be similar to one on a computer that runs Windows XP Professional with Service Pack 1 (SP1) and earlier: Windows Error Reporting will be invoked. If you disable this policy setting, the crash detection feature in add-on management will be functional. The possible values for the Turn off Crash Detection setting are:
Vulnerability

A crash report might contain sensitive information from the computer's memory.

Countermeasure

Configure the policy setting for Turn off Crash Detection to Enabled.

Potential Impact

Information about crashes that are caused by Internet Explorer add-ons will not be reported to Microsoft. If you experience frequent repeated crashes and need to report them to help troubleshoot the problem, the setting should temporarily be changed to Disabled.

Do not allow users to enable or disable add-ons

This policy setting allows you to manage whether users have the ability to allow or deny add-ons through Manage Add-ons. If you configure this policy setting to Enabled, users cannot enable or disable add-ons through Manage Add-ons. The only exception is if an add-on has been specifically entered into the Add-On List policy setting in a way that allows users to continue to manage the add-on through Manage Add-ons. If you configure this policy setting to Disabled, the user will be able to enable or disable add-ons.

Note: For more information about how to manage Internet Explorer add-ons in Windows XP SP2, see KB article 883256, "How to manage Internet Explorer add-ons in Windows XP Service Pack 2" at http://support.microsoft.com/?kbid=883256.

The possible values for the Do not allow users to enable or disable add-ons setting are:
Vulnerability

Users often choose to install add-ons that are not permitted by an organization's security policy. Such add-ons can pose a significant security and privacy risk to your network.

Countermeasure

Configure the value of the Do not allow users to enable or disable add-ons setting to Enabled.

Potential Impact

When the Do not allow users to enable or disable add-ons setting is enabled, users will not be able to enable or disable their own Internet Explorer add-ons. If your organization uses add-ons, this configuration may affect their ability to work.

Internet Explorer\Internet Control Panel\Security Page

You can configure the Internet Explorer Security Page Group Policy settings in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\

The individual policy settings for the Security Page are thoroughly documented in the Windows XP and Windows Server 2003 Help systems, and also on the Microsoft Web site. Therefore, this information is not repeated in this guide. You should consider the following general guidelines.

Vulnerability

If you allow users to configure their own security settings in Internet Explorer, they may increase their computers' vulnerability to malicious software (malware). Also, users will be able to avoid any standard organizational security policies that are in place.

Countermeasure

Use the settings in the Internet Explorer\Internet Control Panel\Security Page node of Group Policy to configure appropriate values for security zones and security zone-related behavior.

Potential Impact

Windows XP SP2 and Windows Server 2003 SP1 introduce several new policy settings to help you secure Internet Explorer zone configuration across your environment. The default values for these policy settings provide enhanced security over earlier versions of Windows. However, you may need to customize these policy settings for your local environment.
For example, you may want to add your business partners or suppliers to the Trusted Sites zone and not allow users to make their own changes to the zone lists.

Internet Explorer\Internet Control Panel\Advanced Page

The settings in this portion of the Administrative Template are equivalent to the settings that are available on the Advanced tab of the Internet Options dialog box in Internet Explorer. The following two policy settings are available in both Windows Server 2003 with SP1 and Windows XP with SP2.

Allow software to run or install even if the signature is invalid

This policy setting allows you to manage whether downloaded software can be installed or run by users if the signature is invalid. An invalid signature might indicate that someone tampered with the file. If you enable this policy setting, users will be prompted to install or run files with an invalid signature. If you disable this policy setting, users cannot run or install files with an invalid signature. The possible values for the Allow software to run or install even if the signature is invalid setting are:
Vulnerability

Microsoft ActiveX® controls and file downloads often have digital signatures attached that certify the file's integrity and the identity of the signer (creator) of the software. Such signatures help ensure that unmodified software is downloaded and that you can positively identify the signer to determine whether you trust them enough to run their software. The validity of unsigned code cannot be ascertained.

Countermeasure

Configure the Allow software to run or install even if the signature is invalid setting to Disabled so that users cannot run unsigned ActiveX components.

Potential Impact

Some legitimate software and controls may have an invalid signature. You should carefully test such software in isolation before it is allowed to be used on your organization's network.

Allow active content from CDs to run on user machines

This policy setting allows you to determine whether active content on CDs can run on users' computers. Security-conscious organizations may wish to prevent the execution of ActiveX controls or other active content that is delivered on a CD. The possible values for the Allow active content from CDs to run on user machines setting are:
Vulnerability

Users may accidentally circumvent an organization's security policy if they run content that was delivered on a CD instead of over the network.

Countermeasure

You can configure the Allow active content from CDs to run on user machines setting to Disabled. This configuration will prevent the execution of active content that is stored on CDs.

Potential Impact

When this policy setting is enabled, applications that are designed to be installed from CD may not function properly without user intervention.

Allow third-party browser extensions

(This policy setting is only available in Windows Server 2003.) Users may install third-party browser extensions, which are known as browser helper objects (BHOs). The Allow third-party browser extensions setting controls whether installed BHOs will load when Internet Explorer starts. The possible values for the Allow third-party browser extensions setting are:
Vulnerability

Third-party browser extensions are potentially dangerous, because they may contain vulnerabilities or even malicious code. Also, their installation may violate organizational security policies.

Countermeasure

Configure the Allow third-party browser extensions setting to Disabled.

Potential Impact

When you configure the Allow third-party browser extensions setting to Disabled, users will be able to install third-party browser extensions, but they will not be loaded when Internet Explorer starts. This configuration may impair user workflow or generate help desk calls.

Check for server certificate revocation

(This policy setting is only available in Windows Server 2003.) When a Secure Sockets Layer (SSL) connection is established between the browser and a remote server, the server presents a certificate to the client computer to use in the initial security negotiation. When the Check for server certificate revocation setting is enabled, Internet Explorer will determine whether the presented certificate is on the issuing authority's certificate revocation list. The possible values for the Check for server certificate revocation setting are:
Vulnerability

Users may accidentally communicate with a server whose certificate has expired or been revoked by the issuing authority. Such an occurrence may lead to information disclosure or even active attacks if the remote server has been compromised.

Countermeasure

Configure the Check for server certificate revocation setting to Enabled.

Potential Impact

When the Check for server certificate revocation setting is enabled, users may receive warnings for sites they formerly believed to be trustworthy; it is necessary to educate them to help them make good trust decisions when they browse the Internet.

Check for signatures on downloaded programs

(This policy setting is only available in Windows Server 2003.) Downloaded programs may be signed with Microsoft Authenticode® technology, which binds a digital signature to executable objects such as programs and ActiveX controls. When the Check for signatures on downloaded programs setting is enabled, Internet Explorer will check the digital signature of executable programs and display their identities before they are downloaded. The possible values for the Check for signatures on downloaded programs setting are:
Vulnerability

Users might download inappropriate or malicious content without realizing it.

Countermeasure

Configure the Check for signatures on downloaded programs setting to Enabled.

Potential Impact

When the Check for signatures on downloaded programs setting is enabled, users will see identity information for executable programs that have been signed.

Do not save encrypted pages to disk

(This policy setting is only available in Windows Server 2003.) When Internet Explorer retrieves pages from a remote server, it stores the pages in its temporary file cache. This capability improves performance and provides the ability to go forward or backward in the browse history list without a reconnection to the host. The possible values for the Do not save encrypted pages to disk setting are:
Vulnerability

Cached pages from SSL-secured connections may contain sensitive information, like passwords or credit card numbers.

Countermeasure

Configure the Do not save encrypted pages to disk setting to Enabled.

Potential Impact

Pages that are retrieved over SSL connections will not be cached. This configuration may increase the use of network bandwidth as users' browsers re-download pages that would have been cached if this policy setting were not in effect.

Empty Temporary Internet Files folder when browser is closed

(This policy setting is only available in Windows Server 2003.) Pages that are retrieved by Internet Explorer are stored in its temporary file cache. Internet Explorer manages this cache according to the settings in the Temporary Internet Files Settings dialog box. After a file or object is downloaded, it remains in the cache until Internet Explorer removes it. The possible values for the Empty Temporary Internet Files folder when browser is closed setting are:
Vulnerability

Sensitive information may remain in the \Temporary Internet Files folder after a user quits Internet Explorer and logs off. Another user on the same computer may be able to gain access to these files.

Countermeasure

Configure the Empty Temporary Internet Files folder when browser is closed setting to Enabled.

Potential Impact

Internet Explorer uses the \Temporary Internet Files folder as a cache to improve browser performance. If you disable this feature you may increase the amount of time and bandwidth that users need to browse the Web.

Internet Explorer\Security Features

The Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features portion of the Windows Administrative Templates includes several policy settings that control various security features that were added to Internet Explorer 6.0 in Windows Server 2003 SP1 and Windows XP SP2. Each of these policy settings contains three subordinate settings:
Binary Behavior Security Restriction

Internet Explorer contains dynamic binary behaviors, which are components that encapsulate specific functionality for HTML elements to which they were attached. These binary behaviors are not controlled by any Internet Explorer security setting, which means they work on Web pages in the Restricted Sites zone. In Windows XP SP2 and Windows Server 2003 SP1, there is a new Internet Explorer security setting for binary behaviors. This new security setting disables binary behaviors in the Restricted Sites zone by default, and provides a general mitigation to vulnerabilities in Internet Explorer binary behaviors. In addition to the Internet Explorer Processes, Process List, and All Processes settings that were described earlier, the Binary Behavior Security Restriction setting allows you to permit individual behaviors with the Admin-approved behaviors setting. To control these binary and script behaviors, you can now set the appropriate zones to Admin-approved and then use this setting to specify the individual behaviors that can be run in each zone.

Vulnerability

Poorly written or malicious behaviors can be invoked by Web pages and cause instability or possible compromise.

Countermeasure

Disable the use of binary behaviors completely. Alternatively, you can specify a set of allowed behaviors with the Admin-approved behaviors setting.

Potential Impact

Applications that rely on binary behaviors may not function properly if you disable the behaviors on which they depend.

MK Protocol Security Restriction

This policy setting blocks the seldom-used MK protocol to reduce the attack surface area of a computer. Some older Web applications use the MK protocol to retrieve information from compressed files.

Vulnerability

Vulnerabilities may exist in the MK protocol handler, or in applications that call it.

Countermeasure

Because the MK protocol is not widely used, it should be blocked wherever it is not needed.
Disable access to the MK protocol for all processes.

Potential Impact

Because resources that use the MK protocol will fail when you deploy this setting, you should ensure that none of your applications use the MK protocol.

Local Machine Zone Lockdown Security

When Internet Explorer opens a Web page, it places restrictions on what the page can do that are based on the Internet Explorer security zone to which the page belongs. There are several possible security zones, and each zone has different sets of restrictions. The security zone for a page is determined by its location. For example, pages that are located on the Internet will typically be in the more restrictive Internet security zone. They might not be allowed to perform some operations, such as accessing the local hard drive. Pages that are located on your organization's network would normally be in the Intranet security zone, and have fewer restrictions. The precise restrictions that are associated with most of these zones can be configured by the user through Internet Options on the Tools menu in Internet Explorer.

Before Windows XP SP2 and Windows Server 2003 SP1, the content on the local file system was treated as secure and was assigned to the Local Machine security zone (except for the content that is cached by Internet Explorer). This security zone typically allowed content to run in Internet Explorer with relatively few restrictions. With the release of these Service Packs, the default configuration of Internet Explorer now provides additional protection for the user because it locks down the Local Machine zone.

Vulnerability

Attackers often try to take advantage of the Local Machine zone to elevate privilege and compromise a computer. Many of the exploits that involve the Local Machine zone were mitigated by other changes to Internet Explorer in Windows XP SP2, and these changes were incorporated into Internet Explorer in Windows Server 2003 SP1.
However, attackers may still be able to figure out ways to exploit the Local Machine zone.

Countermeasure

Configure the Local Machine Zone Lockdown Security setting to Enabled.

Potential Impact

Internet Explorer–based applications that use local HTML may not work properly if you configure the Local Machine Zone Lockdown Security setting to Enabled. Local HTML that is hosted in other applications will run under the less restrictive settings of the Local Machine zone that were used in previous versions of Internet Explorer unless that application makes use of Local Machine Zone Lockdown.

Consistent MIME Handling

Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine how to handle files that are downloaded from a Web server. The Consistent MIME Handling setting determines whether Internet Explorer requires that all file-type information that is provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the MIME data indicates that the file is really an executable file, Internet Explorer changes its extension to reflect this executable status. This capability helps ensure that executable code cannot masquerade as other types of data that may be trusted. If you enable this policy setting, Internet Explorer examines all received files and enforces consistent MIME data for them. If you disable or do not configure this policy setting, Internet Explorer does not require consistent MIME data for all received files and will use the MIME data that is provided by the file.

Note: This setting works in conjunction with, but does not replace, the MIME Sniffing Safety Features settings.

Vulnerability

A malicious Web server could deliver executable content by using a non-executable MIME type, and a user who opened the content could be tricked and cause the content to execute.

Countermeasure

Configure the Consistent MIME Handling setting to Enabled.
Potential Impact

Applications that rely on the server to correctly set the MIME type of downloaded objects may fail when this setting is enabled if the server provides incorrect MIME type information.

MIME Sniffing Safety Features

MIME sniffing is a term for the process that examines the content of a MIME file to determine its context—whether it is a data file, an executable file, or some other type of file. This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type. When this policy setting is enabled, MIME sniffing will never promote a file of one type to a more dangerous file type. If you configure this policy setting to Disabled, Internet Explorer processes will allow a MIME sniff that promotes a file of one type to a more dangerous file type. For example, it is dangerous to promote a text file to an executable file because any code in the purported text file would be executed.

Vulnerability

A malicious Web site can provide content of one type with a MIME label that indicates it is safe.

Countermeasure

Configure the MIME Sniffing Safety Features setting for All Processes to Enabled.

Potential Impact

Applications that rely on mislabeled MIME types for correct function will break when this policy setting is enabled.

Object Caching Protection

In previous versions of Internet Explorer, a Web page could reference an object that is cached from another Web site. The Object Caching Protection setting allows you to prevent such references to cached objects.

Vulnerability

A malicious server could download an object to a user's computer and then activate it through code on another site, perhaps in a different Internet Explorer zone. For example, an attacker could use this method to create scripts that listen to events or content in another frame, such as credit card numbers or other sensitive data that is typed in the other frame.
Countermeasure

Configure the Object Caching Protection for Internet Explorer Processes to Enabled.

Potential Impact

Properly written applications should not rely on cross-domain object access. Those applications that do will not work when this policy setting is enabled.

Scripted Window Security Restrictions

Internet Explorer allows scripts to programmatically open, resize, and reposition various types of windows. The Scripted Window Security Restrictions setting restricts pop-up windows and prohibits the display of windows in which the title and status bars are not visible to the user or that hide other windows’ title and status bars. If you enable this policy setting, Windows will apply these restrictions for Windows Explorer and Internet Explorer processes. If you disable or do not configure this policy setting, scripts can continue to create pop-up windows and windows that hide other windows.

Note that there are many third-party tools that attempt to control Internet Explorer pop-up windows. Many of those tools restrict pop-up windows in a similar way to this setting. Third-party pop-up blockers do not usually interfere with this setting, and this setting should have no effect on those blockers.

Vulnerability

Disreputable Web sites will resize windows to either hide other windows or force users to interact with a window that contains malicious code.

Countermeasure

Configure the Scripted Window Security Restrictions setting for Internet Explorer Processes to Enabled.

Potential Impact

Web applications that need to resize or position windows may not work correctly when this setting is in effect.

Protection From Zone Elevation

Internet Explorer places restrictions on each Web page it opens that depend on the location of the Web page (such as Internet zone, Intranet zone, or Local Machine zone).
Web pages on a local computer have the fewest security restrictions and reside in the Local Machine zone, which makes the Local Machine zone a prime target for attackers. If you enable the Protection from Zone Elevation setting for Internet Explorer Processes, any zone can be protected from zone elevation by Internet Explorer processes. This approach stops content that runs in one zone from gaining the elevated privileges of another zone.

Vulnerability
Malicious Web pages may attempt to elevate themselves from their current zone into another zone with higher privileges, such as the Local Machine zone.

Countermeasure
Configure the Protection from Zone Elevation setting for Internet Explorer Processes to Enabled.

Potential Impact
None.

Restrict ActiveX Install
This setting allows you to block ActiveX control installation prompts for Internet Explorer processes. If you enable this policy setting, users are not prompted when a page includes an ActiveX control that has to be manually installed, and they cannot install the control from the Web page. If you disable this policy setting, ActiveX control installation prompts are not blocked.

Vulnerability
Users often choose to install software, such as ActiveX controls, that is not permitted by their organization's security policy. Such software can pose significant security and privacy risks to networks.

Countermeasure
Configure the Restrict ActiveX Install setting for Internet Explorer Processes to Enabled.

Potential Impact
If you enable this policy setting, users will not be able to install authorized, legitimate ActiveX controls, such as those that are used by Windows Update. If you enable this policy setting, ensure that you implement an alternative way to deploy security updates, such as Windows Server Update Services (WSUS). For more information about WSUS, see the Windows Server Update Services Product Overview page at www.microsoft.com/windowsserversystem/updateservices/evaluation/overview.mspx.
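Each of the Internet Explorer Processes settings above is stored as per-process registry values under a single feature-control policy key. The following PowerShell script is an added example, not code from the guide: it reads those values, reports which of the countermeasures in this section are in effect on the local computer, and can write the missing ones. The key path and feature names are the ones the Internet Explorer Administrative Template (inetres.adm) writes; the function names and the -Remediate switch are this example's own. It also checks the Restrict File Download and Network Protocol Lockdown settings, which are described next in this section and use the same mechanism.

```powershell
# Added example, not code from the original guide. Audits (and, with
# -Remediate, applies) the Internet Explorer security feature-control
# policies discussed in this section. Each "Internet Explorer Processes"
# policy writes DWORD values named after the process (iexplore.exe and
# explorer.exe) under the feature's key; the "All Processes" policy writes
# a value named "*". A value of 1 turns the feature on for that process.
#
# Key path and feature names are the ones inetres.adm writes; the function
# and parameter names are this script's own. Requires PowerShell 3 or later.

$FeatureControlKey = 'SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl'
$IeProcesses       = @('iexplore.exe', 'explorer.exe')

# Feature key -> value names that the recommended countermeasure sets to 1.
# Restrict File Download and Network Protocol Lockdown are described further
# on in this section but use the same mechanism, so they are checked here too.
$RequiredFeatures = @{
    'FEATURE_MIME_SNIFFING'           = @('*')        # MIME Sniffing Safety Features (All Processes)
    'FEATURE_OBJECT_CACHING'          = $IeProcesses  # Object Caching Protection
    'FEATURE_WINDOW_RESTRICTIONS'     = $IeProcesses  # Scripted Window Security Restrictions
    'FEATURE_ZONE_ELEVATION'          = $IeProcesses  # Protection From Zone Elevation
    'FEATURE_RESTRICT_ACTIVEXINSTALL' = $IeProcesses  # Restrict ActiveX Install
    'FEATURE_RESTRICT_FILEDOWNLOAD'   = $IeProcesses  # Restrict File Download
    'FEATURE_PROTOCOL_LOCKDOWN'       = $IeProcesses  # Network Protocol Lockdown
}

function Get-FeatureControlValue {
    param([string]$Feature, [string]$Process)
    # The .NET registry API takes value names literally; Get-ItemProperty -Name
    # would interpret the "*" value name as a wildcard.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$FeatureControlKey\$Feature")
    if ($null -eq $key) { return $null }          # feature key absent: Not Configured
    try { return $key.GetValue($Process) } finally { $key.Close() }
}

function Set-FeatureControlValue {
    param([string]$Feature, [string]$Process)
    # CreateSubKey opens (or creates) the key writable; run from an elevated shell.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$FeatureControlKey\$Feature")
    try { $key.SetValue($Process, 1, [Microsoft.Win32.RegistryValueKind]::DWord) } finally { $key.Close() }
}

function Test-IeFeatureControl {
    param([switch]$Remediate)
    foreach ($feature in ($RequiredFeatures.Keys | Sort-Object)) {
        foreach ($process in $RequiredFeatures[$feature]) {
            $current   = Get-FeatureControlValue -Feature $feature -Process $process
            $compliant = ($current -eq 1)
            if (-not $compliant -and $Remediate) {
                Set-FeatureControlValue -Feature $feature -Process $process
                $current   = 1
                $compliant = $true
            }
            [pscustomobject]@{
                Feature   = $feature
                Process   = $process
                Current   = $current       # $null means the value is absent
                Compliant = $compliant
            }
        }
    }
}

# Report only; rerun with -Remediate to write the missing values locally.
# On domain members make the change in the GPO instead: Group Policy manages
# the values under HKLM\SOFTWARE\Policies and can overwrite local edits.
Test-IeFeatureControl | Format-Table -AutoSize
```

A value of 0, or no value at all, for a process means the feature is not enforced for that process by policy; the script treats both as non-compliant because the countermeasures in this section all require the value 1.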
Restrict File Download
When the Restrict File Download setting is enabled, file download prompts that are not user-initiated are blocked for Internet Explorer processes.

Vulnerability
In certain circumstances, Web sites can initiate file download prompts without interaction from users. This technique allows a Web site to place unauthorized files on a user's computer if the user clicks the wrong button and accepts the download.

Countermeasure
Configure the Restrict File Download setting for Internet Explorer Processes to Enabled.

Potential Impact
None. There is no legitimate reason for a Web site to start transferring a file to a user's workstation without a user request to do so.

Add-on Management
This policy setting, along with the Add-on List setting, allows you to control Internet Explorer add-ons. The Add-on List setting defines a list of add-ons, identified by class ID (CLSID), that are allowed or denied through Group Policy. The Deny all add-ons unless specifically allowed in the Add-on List setting ensures that all add-ons are assumed to be denied unless they are specifically listed in the Add-on List setting. If you enable this policy setting, Internet Explorer only allows add-ons that are specifically listed (and allowed) through the Add-on List. If you disable this setting, users may use Add-on Manager to allow or deny any add-ons. You should consider using both the Deny all add-ons unless specifically allowed in the Add-on List and the Add-on List settings to control the add-ons that can be used in your environment. This approach helps ensure that only authorized add-ons are used.

Vulnerability
Poorly written or malicious add-ons may destabilize or compromise user computers.

Countermeasure
Configure the Add-on List setting to the list of trusted Internet Explorer add-ons to which your users should have access. Then configure the Deny all add-ons unless specifically allowed in the Add-on List setting to Enabled.
Potential Impact
If you configure the Deny all add-ons unless specifically allowed in the Add-on List setting to Enabled, users will not be able to install or configure their own add-ons.

Network Protocol Lockdown
Windows Server 2003 SP1 and Windows XP SP2 add the capability for administrators to prevent the execution of active content that is downloaded through specific network protocols. Administrators can specify individual protocols (including HTTP and HTTPS) in the Network Protocol Lockdown setting to control which protocols may be used to obtain active content.

Vulnerability
Users may download and execute malicious content from untrusted sources.

Countermeasure
Use the Restricted Protocols Per Security Zone setting to define which protocols may be used to download content in each zone. Then configure the Network Protocol Lockdown setting for Internet Explorer Processes to Enabled.

Potential Impact
Users may not be able to run applications or use pages that include active content if the per-zone controls are set. You must thoroughly test applications in each zone to ensure that they work properly when protocol lockdown is used.

Internet Information Services
Microsoft Internet Information Services (IIS) 6.0, the Windows Server 2003 built-in Web server, makes it easy to share documents and information across a company intranet and the Internet. You can configure the IIS setting in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\

Prevent IIS installation
IIS 6.0 is not installed by default in Windows Server 2003. You can enable the Prevent IIS installation setting to prevent the installation of IIS on computers in your environment. The possible values for the Prevent IIS installation setting are:
Vulnerability
Previous versions of IIS, and applications that relied on it for network access, had serious security vulnerabilities that could be exploited remotely. Although IIS 6.0 is much more secure than its predecessors, it is possible that there are new vulnerabilities that have yet to be discovered and publicized. Therefore, organizations may want to ensure that IIS cannot be installed on computers other than those that are designated as Web servers.

Countermeasure
Configure the Prevent IIS installation setting to Enabled.

Potential Impact
You will not be able to install Windows components or applications that require IIS. Users who install Windows components or applications that require IIS may not see an error message or warning that IIS cannot be installed because of this Group Policy setting. This policy setting has no effect if it is enabled on a computer on which IIS is already installed.

Terminal Services
The Terminal Services component of Windows Server 2003 builds on the foundation provided by the application server mode in Windows 2000 Terminal Services, and includes the new client and protocol capabilities in Windows XP. Terminal Services allows you to deliver Windows-based applications, or the Windows desktop itself, to almost any computing device, including those that cannot run Windows. Terminal Services in Windows Server 2003 can enhance an organization's software deployment capabilities for a variety of scenarios, because it allows substantial flexibility in application and management infrastructure. When a user runs an application on a Terminal Server, the application executes on the server, and only keyboard, mouse, and display information is transmitted over the network. Each user sees only his or her individual session, which is managed transparently by the server operating system, and each session is independent of any other client session.
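The Terminal Services settings that follow in this section, like the Prevent IIS installation setting above, are each stored as a single DWORD value under HKLM\SOFTWARE\Policies, and a policy value takes precedence over the equivalent setting made in the TSCC tool. Before the settings are walked through one by one, here is a PowerShell audit script, added as an example and not part of the guide, that reads those values on the local server and compares them with the countermeasures recommended below, so a server can be checked against the whole baseline at once. The key paths, value names and encodings are the ones the Windows Server 2003 Administrative Templates write; the function names and the Status labels are this example's own.

```powershell
# Added example, not code from the original guide. Reads the policy registry
# values that the Terminal Services settings in this section (and the
# Prevent IIS installation setting above) write, and compares each one with
# the countermeasure the guide recommends. A missing value means the policy
# is Not Configured, so the server falls back to whatever is set in the
# TSCC tool; a policy value that is present overrides TSCC.
#
# Key paths, value names and encodings are the ones the Windows Server 2003
# Administrative Templates write; the function names and Status labels are
# this script's own. Requires PowerShell 3 or later.

$TsPolicyKey  = 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$IisPolicyKey = 'SOFTWARE\Policies\Microsoft\Windows NT\IIS'

# Policy as named in the guide, the value it writes, and the value that the
# recommended configuration produces. The "Do not allow ..." policies write 1
# when enabled; the "Allow ..." policies write 0 when disabled.
$Baseline = @(
    @{ Policy = 'Deny log off of an administrator logged in to the console session'; Key = $TsPolicyKey;  Name = 'fDisableForcibleLogoff';     Expected = 1 }
    @{ Policy = 'Do not allow local administrators to customize permissions';        Key = $TsPolicyKey;  Name = 'fWritableTSCCPermTab';       Expected = 0 }
    @{ Policy = 'Sets rules for remote control (No remote control allowed)';          Key = $TsPolicyKey;  Name = 'Shadow';                     Expected = 0 }
    @{ Policy = 'Allow Time Zone Redirection (Disabled)';                             Key = $TsPolicyKey;  Name = 'fEnableTimeZoneRedirection'; Expected = 0 }
    @{ Policy = 'Do not allow clipboard redirection';                                 Key = $TsPolicyKey;  Name = 'fDisableClip';               Expected = 1 }
    @{ Policy = 'Allow audio redirection (Disabled)';                                 Key = $TsPolicyKey;  Name = 'fDisableCam';                Expected = 1 }
    @{ Policy = 'Do not allow COM port redirection';                                  Key = $TsPolicyKey;  Name = 'fDisableCcm';                Expected = 1 }
    @{ Policy = 'Do not allow client printer redirection';                            Key = $TsPolicyKey;  Name = 'fDisableCpm';                Expected = 1 }
    @{ Policy = 'Do not allow LPT port redirection';                                  Key = $TsPolicyKey;  Name = 'fDisableLPT';                Expected = 1 }
    @{ Policy = 'Do not allow drive redirection';                                     Key = $TsPolicyKey;  Name = 'fDisableCdm';                Expected = 1 }
    @{ Policy = 'Do not set default client printer to be default printer';           Key = $TsPolicyKey;  Name = 'fForceClientLptDef';         Expected = 0 }
    @{ Policy = 'Set Client Connection Encryption Level (High Level)';                Key = $TsPolicyKey;  Name = 'MinEncryptionLevel';         Expected = 3 }
    @{ Policy = 'Always prompt client for a password on connection';                  Key = $TsPolicyKey;  Name = 'fPromptForPassword';         Expected = 1 }
    @{ Policy = 'Secure Server (Require Security)';                                   Key = $TsPolicyKey;  Name = 'fEncryptRPCTraffic';         Expected = 1 }
    @{ Policy = 'Set time limit for disconnected sessions (1 day, in milliseconds)';  Key = $TsPolicyKey;  Name = 'MaxDisconnectionTime';       Expected = 86400000 }
    @{ Policy = 'Allow reconnection from original client only';                       Key = $TsPolicyKey;  Name = 'fReconnectSame';             Expected = 1 }
    @{ Policy = 'Prevent IIS installation';                                           Key = $IisPolicyKey; Name = 'PreventIISInstall';          Expected = 1 }
)

function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    # .NET registry API: returns $null for a missing key or a missing value.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)
    if ($null -eq $key) { return $null }
    try { return $key.GetValue($Name) } finally { $key.Close() }
}

function Test-TerminalServicesBaseline {
    foreach ($item in $Baseline) {
        $actual = Get-PolicyValue -SubKey $item.Key -Name $item.Name
        if ($null -eq $actual)              { $status = 'NotConfigured' }
        elseif ($actual -eq $item.Expected) { $status = 'Compliant' }
        else                                { $status = 'NonCompliant' }
        [pscustomobject]@{
            Policy   = $item.Policy
            Value    = $item.Name
            Expected = $item.Expected
            Actual   = $actual
            Status   = $status
        }
    }
}

Test-TerminalServicesBaseline | Format-Table -AutoSize
```

NotConfigured is reported separately from NonCompliant because the two mean different things operationally: a NonCompliant value is enforced by a GPO and must be fixed there, while a NotConfigured value leaves the server on whatever the TSCC tool was set to, which the script does not read. If a policy that you know is applied shows NotConfigured, compare the value name against the Administrative Template that your GPO actually uses.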
You can configure the Terminal Server Group Policy settings in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\

Deny log off of an administrator logged in to the console session
This policy setting specifies whether an administrator who attempts to connect to the console of a server can log off an administrator who is currently logged on to the console. The console session is also known as Session 0. Console access can be obtained by appending the /console switch to the server name in the Computer field of Remote Desktop Connection, or from the command line (for example, mstsc /console). The possible values for the Deny log off of an administrator logged in to the console session setting are:
If you enable the Deny log off of an administrator logged in to the console session setting, no one will be able to log off an administrator who is connected to the console session. If you disable this policy setting, one administrator is allowed to log off another administrator. If you do not configure this policy setting, one administrator can log off another administrator, but this permission can be revoked at the local computer policy level. This policy is useful when the currently connected administrator does not want to be logged off by another administrator. An administrator who is forcibly logged off loses any unsaved data.

Vulnerability
An attacker who has established a Terminal Server session and acquired administrative privileges could make it more difficult to regain control of the computer by forcibly logging off an administrator who attempts to log on at the Session 0 console. The value of this countermeasure is diminished by the fact that an attacker who has gained sufficient privileges to log off other users already has almost complete control of the computer.

Countermeasure
Configure the Deny log off of an administrator logged in to the console session setting to Enabled.

Potential Impact
An administrator will not be able to forcibly log off other administrators from the Session 0 console.

Do not allow local administrators to customize permissions
This policy setting allows you to control administrators' rights to customize security permissions in the Terminal Services Configuration (TSCC) tool. If you enable this policy setting, administrators will not be able to make changes to the security descriptors for user groups on the TSCC Permissions tab. In the default configuration, administrators are able to make such changes.
If you enable the Do not allow local administrators to customize permissions setting, the TSCC Permissions tab cannot be used to customize per-connection security descriptors or to change the default security descriptors for an existing group. All of the security descriptors become read-only. If you disable or do not configure this policy setting, server administrators have full read/write access to the user security descriptors on the TSCC Permissions tab. The possible values for the Do not allow local administrators to customize permissions setting are:
Note: The preferred way to manage user access is to add users to the Remote Desktop Users group.

Vulnerability
An attacker who gains administrative permissions on a server that runs Terminal Services can modify permissions by using the TSCC tool to prevent other users from connecting to the server, creating a denial of service (DoS) condition. The value of this countermeasure is diminished by the fact that an attacker who has gained administrative privileges already has complete control of the computer.

Countermeasure
Configure the Do not allow local administrators to customize permissions setting to Enabled.

Potential Impact
The TSCC Permissions tab cannot be used to customize per-connection security descriptors or to change the default security descriptors for an existing group.

Sets rules for remote control of Terminal Services user sessions
This policy setting specifies the level of remote control that is permitted in a Terminal Server session. Remote control can be established with or without the session user's permission. You can use this policy setting to select one of two levels of remote control: View Session permits the remote control user to watch a session, and Full Control permits the remote control user to interact with the session. If you enable the Sets rules for remote control of Terminal Services user sessions setting, administrators can remotely interact with a user's Terminal Server session in accordance with the specified rules. To set these rules, select the desired level of control and permission in the Options list. To disable remote control, select No remote control allowed. If you disable or do not configure this policy setting, the server administrator can determine the remote control rules by using the TSCC tool. By default, remote control users can have full control with the session user's permission. The possible values for the Sets rules for remote control of Terminal Services user sessions setting are:
Note: This setting exists in both the Computer Configuration and User Configuration nodes. When it is configured in both places, the Computer Configuration setting takes precedence over the same setting in User Configuration.

Vulnerability
An attacker who gains administrative privileges on the server could use the remote control feature of Terminal Services to observe the actions of other users, which could result in the disclosure of confidential information. The value of this countermeasure is diminished by the fact that an attacker who gains administrative privileges has already established complete control of the computer.

Countermeasure
Configure the Sets rules for remote control of Terminal Services user sessions setting to Enabled and select the No remote control allowed option.

Potential Impact
Administrators will not be able to use the remote control feature to assist other Terminal Services users.

Client/Server Data Redirection
Terminal Services allows data and resources from the client and server to be redirected. For example, data that is printed from a server application can be redirected to the client, or the client clipboard can be used in server applications. The settings in the Client/Server data redirection section of Group Policy allow you to customize which types of redirection are permitted. The Terminal Server data redirection settings can be configured in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\

Allow Time Zone Redirection
This policy setting specifies whether to allow the client computer to redirect its time zone settings to the Terminal Server session. By default, the session time zone is the same as the server time zone, and the client computer cannot redirect its time zone information. If you enable the Allow Time Zone Redirection setting, clients that are capable of time zone redirection can send their time zone information to the server.
The server base time is then used to calculate the current session time: the session time is the server base time adjusted by the client's time zone offset. Currently, Remote Desktop Connection and Windows CE 5.1 are the only clients that are capable of time zone redirection. Session 0, the console session, always has the server time zone and settings. To change the computer's time and time zone, connect to Session 0. If you disable the Allow Time Zone Redirection setting, time zone redirection cannot occur. If you do not configure this policy setting, time zone redirection is not specified at the Group Policy level, and the default configuration is for time zone redirection to be turned off. When an administrator changes this policy setting, only new connections display the behavior that is specified by the new setting. Sessions that were initiated before the change must log off and reconnect to be affected by the new setting. Microsoft recommends that all users log off the server after this policy setting is changed. The possible values for the Allow Time Zone Redirection setting are:
Note: Time zone redirection is only possible for connections to a Windows Server family Terminal Server.

Vulnerability
Time zone data is forwarded from the user's local computer to the user's Terminal Server session without any direct user interaction, and the session's clock then reflects the client's time zone rather than the server's.

Countermeasure
Configure the Allow Time Zone Redirection setting to Disabled.

Potential Impact
Time zone redirection will not be possible.

Do not allow clipboard redirection
This policy setting controls whether clipboard contents can be shared (clipboard redirection) between a remote computer and a client computer in a Terminal Server session. You can use this setting to prevent the redirection of clipboard data between the remote computer and the local computer. By default, Terminal Services allows clipboard redirection. If you enable the Do not allow clipboard redirection setting, users cannot redirect clipboard data. If you disable this policy setting, Terminal Services always allows clipboard redirection. If you do not configure this policy setting, clipboard redirection is not specified at the Group Policy level. However, an administrator can still disable clipboard redirection by using the TSCC tool. The possible values for the Do not allow clipboard redirection setting are:
Vulnerability
Data could be forwarded through the clipboard from a user's Terminal Server session to the user's local computer, or in the other direction, without any direct user interaction.

Countermeasure
Configure the Do not allow clipboard redirection setting to Enabled.

Potential Impact
Clipboard redirection will not be possible.

Allow audio redirection
This policy setting specifies whether users can choose where to play the remote computer's audio output during a Terminal Server session. Users can click the Remote computer sound option button on the Local Resources tab of Remote Desktop Connection to choose whether to play audio on the remote computer or the local computer. Users can also choose to disable the audio. By default, users cannot apply audio redirection when they connect through Terminal Services to a server that runs Windows Server 2003. Users who connect to a computer that runs Windows XP Professional can apply audio redirection by default. If you enable the Allow audio redirection setting, users can apply audio redirection. If you disable this policy setting, users cannot apply audio redirection. If you do not configure this policy setting, audio redirection is not specified at the Group Policy level. However, an administrator can still enable or disable audio redirection by using the TSCC tool. The possible values for the Allow audio redirection setting are:
Vulnerability
Audio data could be forwarded from the user's Terminal Server session to the user's local computer without any direct user interaction.

Countermeasure
Configure the Allow audio redirection setting to Disabled.

Potential Impact
Audio redirection will not be possible.

Do not allow COM port redirection
This policy setting can be used to prevent the redirection of data to client communication (COM) ports from the remote computer in a Terminal Server session. By default, Terminal Services allows COM port redirection. If you enable the Do not allow COM port redirection setting, users cannot redirect data to COM port peripherals or map local COM ports while they are logged on to a Terminal Server session. If you disable this policy setting, Terminal Services COM port redirection is always allowed. If you do not configure this policy setting, COM port redirection is not specified at the Group Policy level. However, an administrator can still disable COM port redirection by using the TSCC tool. The possible values for the Do not allow COM port redirection setting are:
Vulnerability
Data could be forwarded from the user's Terminal Server session to a device attached to a COM port on the user's local computer without any direct user interaction.

Countermeasure
Configure the Do not allow COM port redirection setting to Enabled.

Potential Impact
COM port redirection will not be possible.

Do not allow client printer redirection
This policy setting specifies whether client printers can be mapped in Terminal Server sessions. You can use this policy setting to prevent print job redirection from the remote computer to users' local (client) computers. By default, Terminal Services allows client printers to be mapped. If you enable the Do not allow client printer redirection setting, users cannot redirect print jobs from the remote computer to a local client printer in Terminal Server sessions. If you disable this policy setting, users can redirect print jobs with client printer mapping. If you do not configure this policy setting, client printer mapping is not specified at the Group Policy level. However, an administrator can still disable client printer mapping by using the TSCC tool. The possible values for the Do not allow client printer redirection setting are:
Vulnerability
Data could be forwarded from the user's Terminal Server session to a printer on the user's local computer without any direct user interaction.

Countermeasure
Configure the Do not allow client printer redirection setting to Enabled.

Potential Impact
Printer redirection will not be possible.

Do not allow LPT port redirection
This policy setting specifies whether to prevent the redirection of data to client parallel (LPT) ports during a Terminal Server session. You can use this setting to prevent users from mapping local LPT ports to redirect data from the remote computer to local LPT port peripherals. By default, Terminal Services allows LPT port redirection. If you enable the Do not allow LPT port redirection setting, users in a Terminal Server session cannot redirect server data to their local LPT ports. If you disable this policy setting, LPT port redirection is always allowed. If you do not configure this setting, LPT port redirection is not specified at the Group Policy level. However, an administrator can still disable LPT port redirection by using the TSCC tool. The possible values for the Do not allow LPT port redirection setting are:
Vulnerability
Data could be forwarded from the user's Terminal Server session to a device attached to an LPT port on the user's local computer without any direct user interaction.

Countermeasure
Configure the Do not allow LPT port redirection setting to Enabled.

Potential Impact
LPT port redirection will not be possible.

Do not allow drive redirection
By default, Terminal Services maps client drives automatically upon connection. Mapped drives appear in the session folder tree in Windows Explorer or My Computer in the format <drive_letter> on <computer_name>. You can use the Do not allow drive redirection setting to override this behavior. If you enable the Do not allow drive redirection setting, client drive redirection is prevented in Terminal Server sessions. If you disable this policy setting, client drive redirection is always allowed. If you do not configure this policy setting, client drive redirection is not specified at the Group Policy level. However, an administrator can still disable client drive redirection by using the TSCC tool. The possible values for the Do not allow drive redirection setting are:
Vulnerability
Data could be copied from the user's Terminal Server session to the user's local drives, or from the local drives into the session, without any direct user interaction.

Countermeasure
Configure the Do not allow drive redirection setting to Enabled.

Potential Impact
Drive redirection will not be possible.

Do not set default client printer to be default printer in a session
This policy setting directs Terminal Services not to make the default client printer the default printer for Terminal Server sessions. By default, Terminal Services automatically designates the default client printer as the session's default printer; this setting overrides that default. If you enable the Do not set default client printer to be default printer in a session setting, the Terminal Server does not set the default client printer as the default printer for the session. Instead, the default printer is the one specified on the server. If you disable this policy setting, the default printer is always the default client printer. If you do not configure this setting, the default printer designation is not enforced at the Group Policy level. However, an administrator can configure the default printer for client sessions by using the TSCC tool. The possible values for the Do not set default client printer to be default printer in a session setting are:
Vulnerability
When the client's default printer is also the session's default printer, print jobs from the session go to the user's local computer without any direct user interaction.

Countermeasure
Configure the Do not set default client printer to be default printer in a session setting to Enabled.

Potential Impact
A client computer's default printer will not be the default printer during its Terminal Server session.

Encryption and Security
You can configure the Terminal Server Encryption and Security settings in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\

Set Client Connection Encryption Level
This policy setting specifies whether to enforce an encryption level for all data that is sent between the client and the remote computer during a Terminal Server session. If you enable the Set Client Connection Encryption Level setting, you can specify the level of encryption for all connections to the server. By default, encryption is set to High Level. If you disable or do not configure this policy setting, no encryption level is enforced through Group Policy. However, administrators can set the encryption level on the server by using the TSCC tool. The possible values for the Set Client Connection Encryption Level setting are:
Important: If FIPS compliance has already been enabled by the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing setting, you cannot change the encryption level through this policy setting or with the TSCC tool.

Vulnerability
If Terminal Server client connections that use low-level encryption are allowed, it is more likely that an attacker will be able to decrypt captured Terminal Services network traffic.

Countermeasure
Configure the Set Client Connection Encryption Level setting to Enabled and select High Level.

Potential Impact
Clients that do not support 128-bit encryption will be unable to establish Terminal Server sessions.

Always prompt client for a password on connection
This policy setting specifies whether Terminal Services always prompts the client for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Terminal Services, even if they already provided the password in the Remote Desktop Connection client. By default, Terminal Services allows users to log on automatically if they entered a password in the Remote Desktop Connection client. If you enable the Always prompt client for a password on connection setting, users will not be able to log on to Terminal Services automatically, even if they supplied their passwords in the Remote Desktop Connection client; they are prompted for a password to log on. If you disable this policy setting, users can always log on to Terminal Services automatically if they supply their passwords in the Remote Desktop Connection client. If you do not configure this policy setting, automatic logon is not specified at the Group Policy level. However, an administrator can still enforce password prompting by using the TSCC tool. The possible values for the Always prompt client for a password on connection setting are:
Vulnerability
Users have the option to store both their user name and password when they create a new Remote Desktop connection shortcut. If the server that runs Terminal Services allows users who have used this feature to log on without entering their password, an attacker who gains physical access to the user's computer could connect to a Terminal Server through the Remote Desktop connection shortcut without knowing the user's password.

Countermeasure
Configure the Always prompt client for a password on connection setting to Enabled.

Potential Impact
Users will always have to enter their password when they establish new Terminal Server sessions.

RPC Security Policy
You can configure the Terminal Server RPC Security setting in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Encryption and Security\RPC Security Policy

Secure Server (Require Security)
This policy setting specifies whether a Terminal Server requires secure remote procedure call (RPC) communication with all clients or allows unsecured communication. You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. If you enable the Secure Server (Require Security) setting, the Terminal Server accepts requests only from RPC clients that support secure requests; it does not allow unsecured communication with untrusted clients. If you disable this policy setting, the Terminal Server always requests security for all RPC traffic, but unsecured communication is still allowed for RPC clients that do not respond to the request. If you do not configure this policy setting, unsecured communication is allowed. The possible values for the Secure Server (Require Security) setting are:
Note: The RPC interface is used to administer and configure Terminal Services remotely.

Vulnerability
Unsecured RPC communication exposes the server to man-in-the-middle attacks and data disclosure attacks. A man-in-the-middle attack occurs when an intruder captures packets between a client and server, modifies them, and then allows the packets to be exchanged. Usually the attacker modifies the information in the packets in an attempt to cause either the client or the server to reveal sensitive information.

Countermeasure
Configure the Secure Server (Require Security) setting to Enabled.

Potential Impact
Clients that do not support secure RPC will be unable to remotely manage the server.

Sessions
You can configure the Terminal Server session settings in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Sessions

Set time limit for disconnected sessions
This policy setting specifies a time limit for disconnected Terminal Server sessions. You can use this setting to specify the maximum amount of time that a disconnected session remains active on the server. By default, Terminal Services allows users to disconnect from a remote session but does not require them to log off and end the session. When a session is in a disconnected state, programs may continue to run even though the user is no longer actively connected. By default, these disconnected sessions are maintained for an unlimited time on the server. You can enable the Set time limit for disconnected sessions setting to delete disconnected sessions from the server after a specified amount of time. To enforce the default behavior that sustains disconnected sessions for an unlimited time, select Never. If you disable or do not configure this policy setting, no time limit is specified for disconnected sessions at the Group Policy level.
The possible values for the Set time limit for disconnected sessions setting are:
Note: This policy setting does not apply to console sessions, such as Remote Desktop sessions with computers that run Windows XP Professional. This policy setting exists in both the Computer Configuration and User Configuration nodes. When it is configured in both places, the Computer Configuration setting takes precedence over the same setting in the User Configuration node.

Vulnerability
Each Terminal Server session uses system resources. Unless sessions that have been disconnected for an extended period of time are forcibly terminated, your servers may run low on resources. A disconnected session also keeps the user's programs running on the server until it ends.

Countermeasure
Configure the Set time limit for disconnected sessions setting to Enabled and select 1 day in the End a disconnected session list box.

Potential Impact
Users who forget to log off of Terminal Server sessions will have those sessions forcibly terminated 24 hours after they are disconnected, and any unsaved work in those sessions is lost.

Allow reconnection from original client only
This policy setting allows you to prevent Terminal Services reconnections to disconnected sessions by users who use different computers than the original client computer from which they created the session. By default, Terminal Services allows users to reconnect to disconnected sessions from any client computer. If you enable the Allow reconnection from original client only setting, users can reconnect to disconnected sessions only from the original client computer. If a user attempts to connect to the disconnected session from another computer, a new session is created instead. If you disable this setting, users can always connect to a disconnected session from any computer. If you do not configure this setting, no session reconnection rules are specified at the Group Policy level. The possible values for the Allow reconnection from original client only setting are:
Important: This setting is only supported for Citrix ICA clients that provide a serial number when they connect; the setting is ignored if the user connects with a Windows client. This setting exists in both the Computer Configuration and User Configuration nodes. When it is configured in both places, the Computer Configuration setting takes precedence over the same setting in the User Configuration node.

Vulnerability

By default, users can re-establish disconnected Terminal Server sessions from any computer. If you enable this setting, you ensure that users can only reconnect from the computer that was originally used to establish the connection. The value of this countermeasure is diminished by the fact that it is only enforced for users who connect with Citrix ICA clients.

Countermeasure

Configure the Allow reconnection from original client only setting to Enabled.

Potential Impact

Users who connect with Citrix ICA clients will only be able to re-establish disconnected sessions from the computer that they used to establish the session.

Windows Explorer

You can configure the following Windows Explorer setting in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\

Turn off shell protocol protected mode

This policy setting allows you to configure the amount of functionality that is available through the shell protocol. Full functionality of this protocol allows applications to open folders and launch files. The protected mode reduces functionality and only allows applications to open a limited set of folders. Applications are not able to open files when this protocol is in its protected mode. Microsoft recommends that you leave this protocol in the protected mode to increase the security of Windows. If you enable the Turn off shell protocol protected mode setting, the protocol allows any application to open any folders or files.
If you disable or do not configure this policy setting, the protocol is in protected mode and applications can only open a limited set of folders. The possible values for the Turn off shell protocol protected mode setting are:
Vulnerability

Full shell protocol functionality allows applications to open files and folders. This capability can result in accidental invocation of malicious or destructive software and unauthorized information disclosure. It could also result in a denial of service condition.

Countermeasure

Configure the Turn off shell protocol protected mode setting to Enabled.

Potential Impact

If you enable the Turn off shell protocol protected mode setting, Web pages that depend on use of the shell protocol will not function properly.

Windows Messenger

Windows Messenger is used to send instant messages to other users on a computer network. The messages may include files and other attachments. You can configure the prescribed Windows Messenger setting in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\

Do not allow Windows Messenger to be run

The Do not allow Windows Messenger to be run setting allows you to disable Windows Messenger. You can configure this setting to Enabled to prevent the use of Windows Messenger.

Note: If you configure this setting to Enabled, Remote Assistance cannot use Windows Messenger and users cannot use MSN® Messenger.

Windows Update

Windows Update is used to download items such as security fixes, critical updates, the latest Help files, drivers, and Internet products. You can configure the Windows Update settings in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\

Configure Automatic Updates

This policy setting specifies whether computers in your environment will receive security updates and other important downloads through the Windows automatic update service. If you enable the Configure Automatic Updates setting, Windows determines when the computers are online and uses their Internet connection to search the Windows Update Web site for updates that apply to them.
If you disable this policy setting, updates must be manually downloaded and installed from the Windows Update Web site at http://windowsupdate.microsoft.com. If you do not configure this setting, no use of Automatic Updates is specified at the Group Policy level. However, an administrator can still configure Automatic Updates through the Control Panel. The possible values for the Configure Automatic Updates setting are:
To enable this setting, click Enabled, and then select one of the options (2, 3, or 4). If you select 4, you can set a recurring schedule. If you don't specify a schedule, installations will occur daily at 3:00 A.M.

Vulnerability

Although Windows Server 2003 and Windows XP were thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed.

Countermeasure

Configure the Configure Automatic Updates setting to Enabled, and then select option 4, Automatically download updates and install them on the schedule specified below, from the Configure automatic updating list box.

Potential Impact

Critical operating system updates and service packs will automatically download and install at 3:00 A.M. daily.

No auto-restart for scheduled Automatic Updates installations

This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. If you enable the No auto-restart for scheduled Automatic Updates installations setting, Automatic Updates does not restart computers automatically during scheduled installations. Instead, Automatic Updates notifies users to restart their computers to complete the installations. You should note that Automatic Updates will not be able to detect future updates until restarts occur on the affected computers. If you disable or do not configure this setting, Automatic Updates will notify users that their computers will automatically restart in 5 minutes to complete the installations. The possible values for the No auto-restart for scheduled Automatic Updates installations setting are:
Note: This setting applies only when you configure Automatic Updates to perform scheduled update installations. If you configure the Configure Automatic Updates setting to Disabled, this setting has no effect.

Vulnerability

Sometimes updates require updated computers to be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted.

Countermeasure

Configure the No auto-restart for scheduled Automatic Updates installations setting to Disabled.

Potential Impact

If you disable this policy setting, the operating systems on the servers in your environment will restart themselves automatically after scheduled installations. For critical servers this could lead to temporary but unexpected DoS conditions.

Reschedule Automatic Updates scheduled installations

This policy setting specifies the amount of time for Automatic Updates to wait (after startup) before it proceeds with a scheduled installation that was previously missed. If you enable this setting, the installation that did not take place earlier will commence a specified number of minutes after the computer is next started. If you disable or do not configure this setting, scheduled installations that were missed previously will occur with the next scheduled installation. The possible values for the Reschedule Automatic Updates scheduled installations setting are:
Note: This setting applies only when you configure Automatic Updates to perform scheduled update installations. If you configure the Configure Automatic Updates setting to Disabled, this setting has no effect.

Vulnerability

If Automatic Updates is not forced to wait a few minutes after a restart, computers in your environment might not have enough time to completely start all of their applications and services. If you specify enough time after a restart, new update installations should not conflict with the computer's startup procedures.

Countermeasure

Configure the Reschedule Automatic Updates scheduled installations setting to Enabled and specify 10 minutes.

Potential Impact

Automatic Updates will not start until 10 minutes after the computer restarts.

Specify intranet Microsoft update service location

This policy setting allows you to specify an intranet server to host updates from the Microsoft Update Web site. You can then use this update service location to automatically update computers on your network. The Automatic Updates client will search this service for updates that apply to the computers on your network. To use the Specify intranet Microsoft update service location setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. If you enable the Specify intranet Microsoft update service location setting, the Automatic Updates client will connect to the specified intranet Microsoft update service server (instead of Windows Update) to search for and download updates. This configuration allows end users in your organization to avoid firewall issues, and provides you with an opportunity to test updates before you deploy them.
If you disable or do not configure this policy setting, the Automatic Updates client will connect directly to the Windows Update site on the Internet (if Automatic Updates is not disabled by Group Policy or user preference). The possible values for the Specify intranet Microsoft update service location setting are:
Note: If you configure the Configure Automatic Updates setting to Disabled, this policy setting has no effect.

Vulnerability

By default, Automatic Updates will attempt to download updates from the Microsoft Windows Update Web site. Some organizations want to verify that all new updates are compatible with their particular environment before they are deployed. Also, if you configure an internal WSUS server you will help reduce the load on perimeter firewalls, routers, and proxy servers, as well as the load on external network links.

Countermeasure

Configure the Specify intranet Microsoft update service location setting to Enabled. Then specify the intranet update server's name and the statistics server's name in the Properties dialog box.

Potential Impact

Critical updates and service packs will have to be proactively managed by the organization's IT staff.

System

You can configure the prescribed System computer setting in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\System

Turn off Autoplay

Autoplay starts reading from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. You can enable the Turn off Autoplay setting to prevent Autoplay functionality. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but it is enabled by default on CD-ROM drives.

Note: You cannot use this setting to enable Autoplay on computer drives that are disabled by default, such as floppy disk and network drives.

Vulnerability

An attacker could use this feature to launch a program to damage a client computer or data on the computer.

Countermeasure

Configure the Turn off Autoplay setting to Enabled.

Potential Impact

Users will have to manually launch setup or installation programs that are provided on removable media.
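The Terminal Services, Windows Update and Autoplay settings above are all registry-based, so their effective state can be verified on a managed computer. The following PowerShell audit script is an added example (editor's code, not part of this guide) that reads the policy values those settings write and compares them with the countermeasures recommended above; the registry paths and value names are the standard Group Policy locations for these settings and are an assumption of this example, not something the guide states.

```powershell
# Added example (editor's code, not part of the guide): read the registry values that the
# Terminal Services, Windows Update and Autoplay policy settings discussed above write, and
# compare them with the guide's countermeasures. The paths and value names are the standard
# Group Policy registry locations for these settings (an assumption of this example, not
# something the guide states). Requires PowerShell 2.0 or later; it only reads the registry.

$TS  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$AU  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$WU  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$EXP = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the setting is Not Configured.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# One entry per setting: display name, registry location, and the value that the
# guide's countermeasure produces when the setting is applied through Group Policy.
$Checks = @(
    @{ Setting = 'Secure Server (Require Security): Enabled'
       Path = $TS;  Name = 'fEncryptRPCTraffic';            Expected = 1 },
    @{ Setting = 'Set time limit for disconnected sessions: 1 day'
       Path = $TS;  Name = 'MaxDisconnectionTime';          Expected = 86400000 },  # milliseconds
    @{ Setting = 'Allow reconnection from original client only: Enabled'
       Path = $TS;  Name = 'fReconnectSame';                Expected = 1 },
    @{ Setting = 'Configure Automatic Updates: Enabled'
       Path = $AU;  Name = 'NoAutoUpdate';                  Expected = 0 },
    @{ Setting = 'Configure Automatic Updates: option 4 (download and schedule)'
       Path = $AU;  Name = 'AUOptions';                     Expected = 4 },
    @{ Setting = 'No auto-restart for scheduled installations: Disabled'
       Path = $AU;  Name = 'NoAutoRebootWithLoggedOnUsers'; Expected = 0 },
    @{ Setting = 'Reschedule Automatic Updates scheduled installations: 10 minutes'
       Path = $AU;  Name = 'RescheduleWaitTime';            Expected = 10 },
    @{ Setting = 'Specify intranet Microsoft update service location: Enabled'
       Path = $AU;  Name = 'UseWUServer';                   Expected = 1 },
    @{ Setting = 'Turn off Autoplay: Enabled (all drives)'
       Path = $EXP; Name = 'NoDriveTypeAutoRun';            Expected = 255 }
)

function Test-PolicyCompliance {
    foreach ($c in $Checks) {
        $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
        if ($null -eq $actual) { $status = 'NOT CONFIGURED' }
        elseif ([int64]$actual -eq [int64]$c.Expected) { $status = 'OK' }
        else { $status = 'MISMATCH' }
        New-Object PSObject -Property @{
            Status   = $status
            Setting  = $c.Setting
            Value    = $c.Name
            Expected = $c.Expected
            Actual   = $actual
        }
    }
}

# Report the numeric checks, then the intranet update server names (strings), which the
# guide says must both be set when the intranet update service location is enabled.
Test-PolicyCompliance | Format-Table Status, Setting, Value, Expected, Actual -AutoSize
foreach ($name in 'WUServer', 'WUStatusServer') {
    '{0} = {1}' -f $name, (Get-PolicyValue -Path $WU -Name $name)
}
```

A NOT CONFIGURED result means the policy key is absent, which for these settings is the behaviour the guide describes for "not configured" (for example, disconnected sessions kept indefinitely and Automatic Updates left to Control Panel preferences).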
Logon

You can configure the prescribed Logon computer settings in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\System\Logon

Don't display the Getting Started welcome screen at logon

This policy setting hides the welcome screen that Microsoft Windows 2000 Professional and Windows XP Professional display each time that the user logs on. Users can still display the welcome screen if they select it on the Start menu. The Don't display the Getting Started welcome screen at logon setting applies only to Windows 2000 Professional and Windows XP Professional. It does not affect the Configure Your Server setting in Windows 2000 Server or Windows Server 2003. The possible values for the Don't display the Getting Started welcome screen at logon setting are:
Note: This policy setting appears in both the Computer Configuration and User Configuration nodes. If both settings are configured, the Computer Configuration setting takes precedence over the setting in the User Configuration node.

Vulnerability

The Getting Started welcome screen encourages users to explore the Windows XP desktop. Some organizations want to provide their users with training that is focused on their particular role and job tasks, and to guide their users away from other sources of information.

Countermeasure

Configure the Don't display the Getting Started welcome screen at logon setting to Enabled.

Potential Impact

Users will not see the Getting Started welcome screen when they log on to their computers.

Do not process the legacy run list

The Do not process the legacy run list setting causes the run list (a list of programs that Windows XP runs automatically when it starts) to be ignored. The customized run lists for Windows XP are stored in the registry at the following locations:
The possible values for the Do not process the legacy run list setting are:
Vulnerability

A malicious user could configure a program to be run each time Windows starts that could compromise data on the computer or cause other harm.

Countermeasure

Configure the Do not process the legacy run list setting to Enabled.

Potential Impact

If you enable this setting, certain computer programs such as antivirus software and software distribution and monitoring software are also prevented from execution. You should evaluate the threat level to your environment that this setting is designed to safeguard against before you decide on a strategy to use this setting for your organization.

Do not process the run once list

This policy setting causes the run once list (the list of programs that Windows XP runs automatically when it starts) to be ignored. It differs from the Do not process the legacy run list setting in that programs on this list will run one time only, the next time the client restarts. Setup and installation programs are sometimes added to this list to complete installations after a client restarts. If you enable this policy setting, attackers cannot use the run once list to launch rogue applications, which was a common method of attack in the past.

Note: Customized run once lists are stored in the registry at the following location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce.

The possible values for the Do not process the run once list setting are:
Vulnerability

A malicious user can exploit the run once list to install a program that may compromise the security of Windows XP clients.

Countermeasure

Configure the Do not process the run once list setting to Enabled.

Potential Impact

If you enable the Do not process the run once list setting you should experience minimal functionality loss for users in your environment, especially if the clients have been configured with all of your organization's standard software before you apply this setting through Group Policy. However, this configuration may prevent some setup and installation programs, such as Internet Explorer, from working properly.

Group Policy

To modify how Group Policy is processed, you can configure settings in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\System\Group Policy

Internet Explorer Maintenance policy processing

This policy setting determines when Internet Explorer Maintenance policies are updated. It affects all policies that use the Internet Explorer Maintenance component of Group Policy, such as those that are located in Windows Settings\Internet Explorer Maintenance. This setting takes precedence over customized settings that the Internet Explorer Maintenance program implemented when it was installed. If you enable the Internet Explorer Maintenance policy processing setting you can use the check boxes that are provided to change the options. There is no impact on the computer if you disable or do not configure this policy setting. The possible values for the Internet Explorer Maintenance policy processing setting are:
Vulnerability

You can enable this setting and select the Process even if the Group Policy objects have not changed option to ensure that the policies will be reprocessed even if they have not changed. This approach will enforce established domain-based policies, even if unauthorized changes are made locally.

Countermeasure

Configure the Internet Explorer Maintenance policy processing setting to Enabled. Then clear both of the check boxes for Allow processing across a slow network and Do not apply during periodic background processing, and select the check box for Process even if the Group Policy objects have not changed.

Potential Impact

Group Policies will be reapplied every time they are refreshed, which could have a slight impact on performance.

IP security policy processing

This policy setting determines when IP security (IPsec) policies are updated. It affects all policies that use the IPsec component of Group Policy. This policy setting takes precedence over customized settings that the program implemented when it was installed. If you enable the IP security policy processing setting you can use the provided check boxes to change the options. There is no impact to the computer if you disable or do not configure this setting. The possible values for the IP security policy processing setting are:
The Allow processing across a slow network connection setting updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line or low-bandwidth WAN link. Updates across slow connections can cause significant delays.

The Do not apply during periodic background processing setting prevents updates to affected policies in the background while the computer is in use. Background updates can disrupt the user, cause a program to stop or operate abnormally, and, in rare cases, damage data.

The Process even if the Group Policy objects have not changed setting updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies periodically to reapply desired settings that may have been changed by users.

Vulnerability

You can enable this setting and then select the Process even if the Group Policy objects have not changed option to ensure that the policies will be reprocessed even if none have been changed. This way, any unauthorized changes that might have been configured locally are forced to match the domain-based Group Policy settings again.

Countermeasure

Configure the IP security policy processing setting to Enabled. Then clear the Do not apply during periodic background processing check box, and select the Process even if the Group Policy objects have not changed check box.

Potential Impact

IP security Group Policies will be reapplied every time they are refreshed, which could have a slight impact on performance and could interfere with existing network connectivity.

Registry policy processing

This policy setting determines when registry policies are updated. It affects all policies in the Administrative Templates folder and any other policies that store values in the registry.
This policy setting takes precedence over customized settings that the registry policy program implemented when it was installed. If you enable the Registry policy processing setting you can use the check boxes that are provided to change the options. There is no impact to the computer if you disable or do not configure this setting.

The Do not apply during periodic background processing option can be used to ensure that the computer does not update affected policies in the background while it is in use. Background updates can disrupt the user, cause programs to stop or operate abnormally, and (in rare cases) damage data.

The Process even if the Group Policy objects have not changed option updates and reapplies the policies even if they have not changed. Many Group Policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies to reapply a desired setting in case a user has changed it. The possible values for the Registry policy processing setting are:
Vulnerability

You can enable this setting and then select the Process even if the Group Policy objects have not changed option to ensure that the policies will be reprocessed even if none have been changed. This way, any unauthorized changes that might have been configured locally are forced to match the domain-based Group Policy settings again.

Countermeasure

Configure the Registry policy processing setting to Enabled. Then clear the Do not apply during periodic background processing check box, and select the Process even if the Group Policy objects have not changed check box.

Potential Impact

Group Policies will be reapplied every time they are refreshed, which could have a slight impact on performance.

Security policy processing

This policy setting determines when security policies are updated. It takes precedence over customized settings that the security policy program implemented when it was installed. If you enable the Security policy processing setting you can use the check boxes that are provided to change the options. There is no impact to the computer if you disable or do not configure this setting.

The Do not apply during periodic background processing option can be used to ensure that the computer does not update affected policies in the background while the computer is in use. Background updates can disrupt the user, cause programs to stop or operate abnormally, and (in rare cases) damage data.

The Process even if the Group Policy objects have not changed option updates and reapplies the policies even if they have not changed. Many Group Policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies to reapply a desired setting in case a user has changed it. The possible values for the Security policy processing setting are:
Vulnerability

You can enable this setting and then select the Process even if the Group Policy objects have not changed option to ensure that the policies will be reprocessed even if none have been changed. This way, any unauthorized changes that might have been configured locally are forced to match the domain-based Group Policy settings again.

Countermeasure

Configure the Security policy processing setting to Enabled. Then clear the Do not apply during periodic background processing check box, and select the Process even if the Group Policy objects have not changed check box.

Potential Impact

Group Policies will be reapplied every time they are refreshed, which could have a slight impact on performance.

Remote Assistance

Configure the prescribed Remote Assistance computer settings in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\System\Remote Assistance

Offer Remote Assistance

This policy setting determines whether a support person or an IT "expert" administrator can offer remote assistance to computer users in your environment without an explicit request for assistance through another channel (such as e-mail or instant messaging).

Note: The expert cannot connect to the computer unannounced or control it without permission from the user. When the expert tries to connect, the user can still choose to deny the connection and provide view-only privileges to the workstation. The user has to explicitly click Yes to allow the expert to remotely control the workstation after the Offer Remote Assistance setting is configured to Enabled.

If you enable the Offer Remote Assistance setting you have the following options:
When you configure this setting, you can also specify a list of users or user groups known as "helpers" who may offer remote assistance. To configure the list of helpers