How to configure specific services with GPO

Hi!

If you want to configure specific services on many computers, you can do it with a GPO.

In the GPMC, go to Computer Configuration\Preferences\Control Panel Settings\Services. There you can configure any services you want.

Also, if you want to configure the standard services, go to Computer Configuration\Policies\Windows Settings\Security Settings\System Services.
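As an added example (not part of the original post), the following PowerShell script checks whether the start mode of a few services matches an expected baseline on a list of computers, which is a quick way to confirm that the GPO preference item actually applied. The computer names and the baseline itself are assumptions to adapt to your environment.

```powershell
# Added example, not from the original post. Verifies that service start modes
# on a set of computers match a baseline, e.g. after a GPO preference item applied.
$Computers = @($env:COMPUTERNAME)     # assumption: replace with your computer names
$Baseline  = @{                       # assumption: expected StartMode per service
    'RemoteRegistry' = 'Disabled'
    'Spooler'        = 'Disabled'
    'WinRM'          = 'Auto'
}

function Test-ServiceBaseline {
    param([string[]]$ComputerName, [hashtable]$Expected)
    foreach ($computer in $ComputerName) {
        # Query locally when possible; remote queries go over WinRM/CIM
        $cimParams = @{ ClassName = 'Win32_Service' }
        if ($computer -ne $env:COMPUTERNAME) { $cimParams.ComputerName = $computer }
        try {
            $services = Get-CimInstance @cimParams | Where-Object { $Expected.ContainsKey($_.Name) }
        } catch {
            Write-Warning "Could not query $computer : $_"
            continue
        }
        foreach ($svc in $services) {
            [pscustomobject]@{
                Computer  = $computer
                Service   = $svc.Name
                Expected  = $Expected[$svc.Name]
                Actual    = $svc.StartMode      # Boot, System, Auto, Manual or Disabled
                State     = $svc.State
                Compliant = ($svc.StartMode -eq $Expected[$svc.Name])
            }
        }
        # Flag baseline services that do not exist on this computer at all
        foreach ($name in ($Expected.Keys | Where-Object { $_ -notin $services.Name })) {
            [pscustomobject]@{
                Computer = $computer; Service = $name; Expected = $Expected[$name]
                Actual   = 'Missing'; State = $null; Compliant = $false
            }
        }
    }
}

# Show only the services that deviate from the baseline
Test-ServiceBaseline -ComputerName $Computers -Expected $Baseline |
    Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Run it from an account with WinRM access to the target computers; an empty table means every listed service is in the expected start mode.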

Regards

GPO Settings to improve performance, security and connections on a RDS Server

Hi!

A few months ago I audited a Remote Desktop Services infrastructure with an RDS Host and RemoteApp.

These are the settings I have configured via GPO:

  • Settings to recover disconnected RD and RemoteApp sessions:

[Screenshot: keep-alive]

[Screenshot: keep-alive2]

  • Settings to improve bandwidth and mapping for RD Clients:

[Screenshot: map_drives]

[Screenshot: map_drives2]

  • To improve the security of the RD Clients and the RemoteApp experience, I did the following:

This setting removes the prompt when connecting with RemoteApp to a web app. I entered the certificate thumbprint.

[Screenshot: remoteapp]

And with these settings I hide the server drives.

[Screenshot: notmapdrives]

This one is set in the Remote Desktop console, in the server configuration, not in a GPO, and is used to improve the security of user credential validation.

[Screenshot: nla]
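Because that last setting lives in the server configuration rather than in a GPO, it is easy to miss during an audit. As an added example (not part of the original post, and assuming the "nla" screenshot refers to Network Level Authentication), this PowerShell function reads the RDP-Tcp listener settings through the Win32_TSGeneralSetting WMI class and reports whether NLA is required and which security layer is in use.

```powershell
# Added example, not from the original post. Reports the NLA and security-layer
# settings of the RDP-Tcp listener on one or more RD Session Hosts.
function Get-RdpListenerSecurity {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))   # assumption: your RDS hosts
    foreach ($computer in $ComputerName) {
        $params = @{
            Namespace = 'root\cimv2\TerminalServices'
            ClassName = 'Win32_TSGeneralSetting'
            Filter    = "TerminalName='RDP-Tcp'"
        }
        if ($computer -ne $env:COMPUTERNAME) { $params.ComputerName = $computer }
        try {
            $ts = Get-CimInstance @params
        } catch {
            Write-Warning "Could not query $computer : $_"
            continue
        }
        # SecurityLayer: 0 = RDP security layer, 1 = Negotiate, 2 = TLS (SSL)
        $layer = @{ 0 = 'RDP'; 1 = 'Negotiate'; 2 = 'TLS' }[[int]$ts.SecurityLayer]
        [pscustomobject]@{
            Computer                   = $computer
            UserAuthenticationRequired = [bool]$ts.UserAuthenticationRequired   # NLA on/off
            SecurityLayer              = $layer
            Compliant                  = ([bool]$ts.UserAuthenticationRequired -and $ts.SecurityLayer -ge 1)
        }
    }
}

Get-RdpListenerSecurity | Format-Table -AutoSize
```

A host that reports UserAuthenticationRequired as False still accepts connections before the user has authenticated, which is exactly what the console setting in the screenshot is meant to prevent.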

Regards

How to create a security template for hardening

Hi!

To create and apply a customized security template I did the following:

Use a template based on Security Compliance Manager:

http://technet.microsoft.com/en-us/library/cc677002.aspx

Deploy a temporary standalone Windows Server 2012 R2 to run the tests.

Import the .inf file exported with the GPO Backup (folder) option in SCM into a Security Templates MMC snap-in, and then modify all the options you want.

Add the Security Configuration and Analysis snap-in, import your template .inf and then run the Analyze option; remember to use a new database.

http://technet.microsoft.com/en-us/library/bb742512.aspx#EFAA

Save the configuration as an .inf file; it will be your security template for hardening.
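The analysis the snap-in performs can also be scripted, which is handy when you want to repeat the comparison on several test servers. As an added example (not part of the original post), the following PowerShell script runs secedit /analyze against a fresh database with your template and surfaces the settings that differ; the file paths are assumptions, and the script assumes the analysis log marks differing settings with the word "Mismatch".

```powershell
# Added example, not from the original post. Command-line equivalent of the
# Security Configuration and Analysis "Analyze" step, against a new database.
$Template = 'C:\Hardening\hardening.inf'   # assumption: the .inf saved from the snap-in
$Database = 'C:\Hardening\analysis.sdb'    # assumption: always start from a new database
$Log      = 'C:\Hardening\analysis.log'

function Invoke-TemplateAnalysis {
    param([string]$Inf, [string]$Db, [string]$LogFile)
    if (-not (Test-Path $Inf)) { throw "Template not found: $Inf" }
    New-Item -ItemType Directory -Path (Split-Path $Db) -Force | Out-Null
    # Remove any stale database so old settings cannot leak into the analysis
    if (Test-Path $Db) { Remove-Item $Db -Force }

    # /cfg imports the template into /db, /analyze compares it with the live system
    secedit.exe /analyze /db $Db /cfg $Inf /log $LogFile /quiet
    if ($LASTEXITCODE -ne 0) { Write-Warning "secedit exited with code $LASTEXITCODE" }

    # Assumption: differing settings are logged as "Mismatch - <setting>"
    Get-Content $LogFile | Where-Object { $_ -match 'Mismatch' } | ForEach-Object {
        [pscustomobject]@{ Setting = ($_ -replace '^\s*Mismatch\s*-\s*', '').Trim() }
    }
}

Invoke-TemplateAnalysis -Inf $Template -Db $Database -LogFile $Log | Format-Table -AutoSize
```

Run it from an elevated prompt. Once the list of mismatches matches what you expect, the same database and template can be applied on the test server with secedit /configure before you turn the .inf into a GPO.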

Regards

Disable certificate installation on a desktop computer for users

Hi!

Below I explain how to block a user from installing certificates on a desktop.

Regards!

In a new GPO, under User Configuration, configure the following settings to prevent a user from installing certificates with Internet Explorer or from using the Certificates snap-in:

The next step is to block, by GPP, a user from installing a certificate by double-clicking it. The path to configure this is Computer Configuration\Windows Settings\Security Settings\File System.

There we add the following executables:

%SystemRoot%\system32\certutil.exe

%SystemRoot%\system32\CertEnrollCtrl.exe

%SystemRoot%\system32\certmgr.msc

%SystemRoot%\system32\certreq.exe

%SystemRoot%\system32\cryptext.dll

And add a new user group with Deny permissions.

When the user double-clicks a certificate, the following message will appear.
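To confirm the policy landed on a workstation, it is worth checking the ACLs directly rather than trusting the Group Policy result report. As an added example (not part of the original post), this PowerShell script walks the five files listed above and reports whether an explicit Deny entry for the restricted group is present on each; the group name is an assumption.

```powershell
# Added example, not from the original post. Audits the Deny ACE that the File
# System policy is supposed to add to the certificate tools on a desktop.
$DeniedGroup = 'CONTOSO\Restricted Users'   # assumption: the group you denied in the GPO
$Targets = @(                               # the paths listed in the post
    "$env:SystemRoot\system32\certutil.exe",
    "$env:SystemRoot\system32\CertEnrollCtrl.exe",
    "$env:SystemRoot\system32\certmgr.msc",
    "$env:SystemRoot\system32\certreq.exe",
    "$env:SystemRoot\system32\cryptext.dll"
)

function Test-CertToolDenyAce {
    param([string[]]$Path, [string]$Group)
    foreach ($file in $Path) {
        if (-not (Test-Path $file)) {
            [pscustomobject]@{ Path = $file; Present = $false; DenyAce = $false; Rights = $null }
            continue
        }
        $acl = Get-Acl -Path $file
        # An explicit Deny for the group is what stops the double-click from running the tool
        $deny = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq $Group
        })
        [pscustomobject]@{
            Path    = $file
            Present = $true
            DenyAce = ($deny.Count -gt 0)
            Rights  = (($deny | ForEach-Object { $_.FileSystemRights }) -join ', ')
        }
    }
}

# Anything with DenyAce = False is a file the policy has not (yet) protected
Test-CertToolDenyAce -Path $Targets -Group $DeniedGroup | Format-Table -AutoSize
```

Keep in mind that a file missing from the list (Present = False) is not necessarily an error: the binaries present differ between Windows versions, so review the list against the OS build you are deploying to.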

Regards

Configure Outlook Anywhere with GPO for Outlook 2003

Hi!

Unfortunately, the Outlook 2003 ADM does not let you configure Outlook Anywhere settings, so I did it the old-school way:

Open GPMC and create a new GPO, go to GPP and run the Registry Wizard, point it at a desktop computer with Outlook correctly configured, and import the following entries from HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a:

"00036623" = Enables Exchange proxy settings and controls the various check boxes.
"001f6622" = Specifies the Exchange proxy server name.
"001f6625" = Specifies the Exchange proxy server name according to the certificate principal name.
"00036627" = Authentication: Basic or NTLM.

Be aware that users may have several Outlook profiles. In that case you need to add the same entries again, changing the registry path HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a so that the Outlook subfolder is replaced by the other profile's name.

Also, you can configure item-level targeting on each registry path so that it only applies to users who have that profile.

Note that this GPO is for User Configuration only!
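Before building the targeting rules it helps to know which profile names actually exist on the workstations and which of them already carry the Outlook Anywhere values. As an added example (not part of the original post), this PowerShell function enumerates every Outlook profile of the current user, opens the fixed section shown in the registry path above, and decodes the four values listed; it assumes the 0003 values are DWORDs and the 001f values are UTF-16 strings stored as REG_BINARY, which is how MAPI stores those property types.

```powershell
# Added example, not from the original post. Lists each Outlook profile of the
# current user and the Outlook Anywhere values found in its MAPI section.
$ProfilesRoot = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles'
$SectionId    = '13dbb0c8aa05101a9bb000aa002fc45a'   # section GUID from the post

function ConvertFrom-MapiUnicode {
    # 001fxxxx values are PT_UNICODE: UTF-16LE bytes with a trailing NUL
    param([byte[]]$Bytes)
    if (-not $Bytes) { return $null }
    [Text.Encoding]::Unicode.GetString($Bytes).TrimEnd([char]0)
}

function Get-OutlookAnywhereSettings {
    Get-ChildItem -Path $ProfilesRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $section = "$($_.PSPath)\$SectionId"
        $props   = Get-ItemProperty -Path $section -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Profile        = $_.PSChildName
            ProxyFlags     = $props.'00036623'                        # DWORD flag bits
            ProxyServer    = ConvertFrom-MapiUnicode $props.'001f6622'
            PrincipalName  = ConvertFrom-MapiUnicode $props.'001f6625'
            AuthMethod     = $props.'00036627'                        # Basic or NTLM code
            HasRpcOverHttp = ($null -ne $props.'00036623')
        }
    }
}

# Profiles with HasRpcOverHttp = False are the ones the GPP registry items still need to target
Get-OutlookAnywhereSettings | Format-Table -AutoSize
```

Because the values live under HKCU, the script (like the GPO itself) has to run in the user's own session; running it under an administrator account would only show that administrator's profiles.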

Regards and best practices!