If you want to configure specific services on a lot of computers you can do this with GPO.
In the GPMC go to Computer Configuration\Preferences\Control Panel Settings\Services. There you can configure all the services you want.
Also, if you want to configure standard services, go to Computer Configuration\Policies\Windows Settings\Security Settings\System Services.
A few months ago I audited a Remote Desktop Services infrastructure with an RDS Host and RemoteApp.
These are the settings I configured via GPO:
- Settings for recovering disconnected RD and RemoteApp sessions:
- Settings to improve bandwidth and mapping for RD clients:
- To improve the security of the RD clients and the RemoteApp experience I did the following:
This setting removes the prompt shown when connecting to a RemoteApp or a web app; I entered the certificate thumbprint.
And with these settings I hide the server drives.
This one is configured in the Remote Desktop console, in the server configuration, not in a GPO, and it improves the security of user credential validation.
With the WS 2012 GPMC you can do a remote gpupdate /force. This is great because if we make a GPO for multiple servers we do not have to log on to each of them to run the command.
To create and apply a customized security template I did the following:
1. Use a template based on Security Compliance Manager (SCM).
2. Deploy a temporary standalone WS 2012 R2 server to do the tests.
3. Import the .inf file exported with the GPO Backup (folder) option in SCM into a Security Templates MMC snap-in, and then modify all the options you want.
4. Add the Security Configuration and Analysis snap-in, import your template .inf and run the Analyze option; remember to use a new database.
5. Save the configuration as an .inf file; it will be your security template for hardening.
If you have a domain controller without the SYSVOL and NETLOGON shared folders, you can force them to be created with the following solution: http://support.microsoft.com/kb/315457/en-us
Regards and best practices!
Below I show how to block a user from installing certificates on a desktop.
In a new GPO, under User Configuration, configure the following settings so that a user cannot install certificates with Internet Explorer or with the Certificates snap-in:
The next step is to block, by GPP, a user from installing a cert by double-clicking on it. The path to configure this is Computer Configuration\Windows Settings\Security Settings\File System.
There we add the following exes:
And add a new user group with permissions denied.
When the user double-clicks, the following message appears.
In the Outlook 2003 ADM template you unfortunately can't configure Outlook Anywhere settings, so I did it with an old school procedure:
Open GPMC and make a new GPO, go to GPP and run the registry wizard, find a desktop computer with Outlook properly configured, and import from HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a the following entries:
- "00036623" = Enables the Exchange proxy settings and controls the various check boxes.
- "001f6622" = Specifies the Exchange proxy server name.
- "001f6625" = Specifies the principal name the Exchange proxy server certificate must match.
- "00036627" = Authentication: Basic or NTLM.
Take care: it is possible that users have several Outlook profiles. Then you need to add the same entries again, changing the registry path HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a so that the Outlook subfolder is replaced by the name of the other profile.
Also, you can configure item-level targeting on every configuration path so that it only applies to users that have an existing profile.
Ah, this GPO is for users only!
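Because the GPP items only land in the profile whose name is in the registry path, it helps to verify on a client which profiles actually received the four values. The following PowerShell is an added example, not part of the original post: it walks every profile under the Outlook 2003 profile root named above and decodes the four Outlook Anywhere values (the MAPI string values are stored as NUL-terminated UTF-16LE REG_BINARY, the two others as DWORDs).

```powershell
# Added example (not from the original post): inventory the Outlook Anywhere values
# under every Outlook profile of the current user, so you can confirm the GPP registry
# items reached each profile and not only the default "Outlook" one.
# Assumes the Outlook 2003 profile root and the four value names listed in the post.
$ProfilesRoot = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles'
$ProxySubKey  = '13dbb0c8aa05101a9bb000aa002fc45a'

# MAPI stores these strings as REG_BINARY: UTF-16LE text terminated by a NUL character.
function ConvertFrom-MapiBinaryString {
    param([byte[]] $Bytes)
    if (-not $Bytes) { return $null }
    return [System.Text.Encoding]::Unicode.GetString($Bytes).TrimEnd([char]0)
}

# DWORDs come back as Int32; show them as hex so the flag bits are readable.
function Format-Dword {
    param($Value)
    if ($null -eq $Value) { return $null }
    return '0x{0:X8}' -f $Value
}

function Get-OutlookAnywhereSettings {
    param([string] $Root = $ProfilesRoot)
    if (-not (Test-Path $Root)) { Write-Warning "No profile root at $Root"; return }
    foreach ($profile in Get-ChildItem -Path $Root) {
        $keyPath = Join-Path $profile.PSPath $ProxySubKey
        if (-not (Test-Path $keyPath)) {
            # Profile exists but has no proxy section: the GPP item did not reach it.
            [pscustomobject]@{ Profile = $profile.PSChildName; Configured = $false }
            continue
        }
        $p = Get-ItemProperty -Path $keyPath
        [pscustomobject]@{
            Profile       = $profile.PSChildName
            Configured    = $true
            ProxyFlags    = Format-Dword $p.'00036623'                     # enable/check-box flags
            ProxyServer   = ConvertFrom-MapiBinaryString $p.'001f6622'     # proxy server name
            CertPrincipal = ConvertFrom-MapiBinaryString $p.'001f6625'     # certificate principal name
            AuthMethod    = Format-Dword $p.'00036627'                     # Basic or NTLM selector
        }
    }
}

Get-OutlookAnywhereSettings | Format-Table -AutoSize
```

Run it in the context of the user being checked (the path is under HKCU), for example from a logon script that writes the table to a share, and any row with Configured = False is a profile the targeting missed.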
Regards and best practices!