<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://thelazyadmin.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>The Lazy Admin : Security, daniel.nerenberg</title><link>http://thelazyadmin.com/blogs/thelazyadmin/archive/tags/Security/daniel.nerenberg/default.aspx</link><description>Tags: Security, daniel.nerenberg</description><dc:language>en</dc:language><generator>CommunityServer 2.1 SP2 (Build: 61129.2)</generator><item><title>Windows 7 App Locker</title><link>http://thelazyadmin.com/blogs/thelazyadmin/archive/2009/05/21/windows-7-app-locker.aspx</link><pubDate>Thu, 21 May 2009 15:31:00 GMT</pubDate><guid isPermaLink="false">e0db7a03-7d76-43aa-9219-34d76d3a79c2:2650</guid><dc:creator>daniel.nerenberg</dc:creator><slash:comments>0</slash:comments><comments>http://thelazyadmin.com/blogs/thelazyadmin/comments/2650.aspx</comments><wfw:commentRss>http://thelazyadmin.com/blogs/thelazyadmin/commentrss.aspx?PostID=2650</wfw:commentRss><wfw:comment>http://thelazyadmin.com/blogs/thelazyadmin/rsscomments.aspx?PostID=2650</wfw:comment><description>&lt;P&gt;Windows 7 RC has been out for a few weeks now, and the TLA team has been busy learning and testing all the great new features. Your tip for today is on Windows 7 App Locker. Many of you know about Software Restriction Policies. They allow you to block the execution of a program by file name or hash calculation. Many of you probably also know how it was a race to block applications in our network with these methods. Users could change the name of the file, or applications updated so frequently that you would constantly need to generate new hashes.&lt;/P&gt;
&lt;P&gt;Windows 7 introduces a great new feature called App Locker. App Locker works under the premise that it’s easier to allow the applications you want and block the rest. If you’re running a Windows 7 machine you can see App Locker by typing gpedit.msc into your search bar and pressing Enter.&lt;/P&gt;
&lt;P&gt;&lt;A href="http://thelazyadmin.com/images/Windows7AppLocker_12CF5/image.png"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH:0px;DISPLAY:inline;BORDER-TOP-WIDTH:0px;BORDER-BOTTOM-WIDTH:0px;BORDER-LEFT-WIDTH:0px;" title=image border=0 alt=image src="http://thelazyadmin.com/images/Windows7AppLocker_12CF5/image_thumb.png" width=644 height=443&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;You can define policies based on Executables, Windows Installers, and Scripts. Creating a new policy is really simple: right-click on any of the three categories and click New.&lt;/P&gt;
&lt;P&gt;&lt;A href="http://thelazyadmin.com/images/Windows7AppLocker_12CF5/image_3.png"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH:0px;DISPLAY:inline;BORDER-TOP-WIDTH:0px;BORDER-BOTTOM-WIDTH:0px;BORDER-LEFT-WIDTH:0px;" title=image border=0 alt=image src="http://thelazyadmin.com/images/Windows7AppLocker_12CF5/image_thumb_3.png" width=593 height=484&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;You can create a policy to allow or deny an executable. You can also select which groups the rule will apply to.&lt;/P&gt;
&lt;P&gt;&lt;A href="http://thelazyadmin.com/images/Windows7AppLocker_12CF5/image_4.png"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH:0px;DISPLAY:inline;BORDER-TOP-WIDTH:0px;BORDER-BOTTOM-WIDTH:0px;BORDER-LEFT-WIDTH:0px;" title=image border=0 alt=image src="http://thelazyadmin.com/images/Windows7AppLocker_12CF5/image_thumb_4.png" width=582 height=484&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;You can choose to create a rule based on a publisher (the program needs to be signed), a program path, or a file hash (usually a good choice if the program isn’t signed).&lt;/P&gt;
&lt;P&gt;&lt;A href="http://thelazyadmin.com/images/Windows7AppLocker_12CF5/image_5.png"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH:0px;DISPLAY:inline;BORDER-TOP-WIDTH:0px;BORDER-BOTTOM-WIDTH:0px;BORDER-LEFT-WIDTH:0px;" title=image border=0 alt=image src="http://thelazyadmin.com/images/Windows7AppLocker_12CF5/image_thumb_5.png" width=580 height=484&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;For this example I chose Publisher. The rule wizard uses the information stored in the application’s signing certificate to learn about the application. You can adjust what level of information you’ll allow for an application.&lt;/P&gt;
&lt;P&gt;&lt;A href="http://thelazyadmin.com/images/Windows7AppLocker_12CF5/image_6.png"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH:0px;DISPLAY:inline;BORDER-TOP-WIDTH:0px;BORDER-BOTTOM-WIDTH:0px;BORDER-LEFT-WIDTH:0px;" title=image border=0 alt=image src="http://thelazyadmin.com/images/Windows7AppLocker_12CF5/image_thumb_6.png" width=582 height=484&gt;&lt;/A&gt;&amp;nbsp; &lt;BR&gt;In the above example I set the level to allow any version of Internet Explorer. (regardless of the file name used or the version)&lt;/P&gt;
&lt;P&gt;You can use the same steps to create exceptions for specific applications. One of the best features is the ability to automatically generate rules.&lt;/P&gt;
&lt;P&gt;&lt;A href="http://thelazyadmin.com/images/Windows7AppLocker_12CF5/image_7.png"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH:0px;DISPLAY:inline;BORDER-TOP-WIDTH:0px;BORDER-BOTTOM-WIDTH:0px;BORDER-LEFT-WIDTH:0px;" title=image border=0 alt=image src="http://thelazyadmin.com/images/Windows7AppLocker_12CF5/image_thumb_7.png" width=628 height=484&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;This scans the applications in your Program Files directory and creates rules that allow those programs to run. Perfect for quickly creating a baseline set of rules for a gold image.&lt;/P&gt;</description><category domain="http://thelazyadmin.com/blogs/thelazyadmin/archive/tags/Group+Policy/default.aspx">Group Policy</category><category domain="http://thelazyadmin.com/blogs/thelazyadmin/archive/tags/Security/default.aspx">Security</category><category domain="http://thelazyadmin.com/blogs/thelazyadmin/archive/tags/Windows+Client/default.aspx">Windows Client</category><category domain="http://thelazyadmin.com/blogs/thelazyadmin/archive/tags/Windows+Springboard/default.aspx">Windows Springboard</category><category domain="http://thelazyadmin.com/blogs/thelazyadmin/archive/tags/daniel.nerenberg/default.aspx">daniel.nerenberg</category><category domain="http://thelazyadmin.com/blogs/thelazyadmin/archive/tags/Deployment/default.aspx">Deployment</category></item><item><title>Windows 7 Password Vault</title><link>http://thelazyadmin.com/blogs/thelazyadmin/archive/2009/03/09/windows-7-password-vault.aspx</link><pubDate>Tue, 10 Mar 2009 03:31:00 GMT</pubDate><guid isPermaLink="false">e0db7a03-7d76-43aa-9219-34d76d3a79c2:2542</guid><dc:creator>daniel.nerenberg</dc:creator><slash:comments>1</slash:comments><comments>http://thelazyadmin.com/blogs/thelazyadmin/comments/2542.aspx</comments><wfw:commentRss>http://thelazyadmin.com/blogs/thelazyadmin/commentrss.aspx?PostID=2542</wfw:commentRss><wfw:comment>http://thelazyadmin.com/blogs/thelazyadmin/rsscomments.aspx?PostID=2542</wfw:comment><description>&lt;P&gt;Oh boy is this a feature designed for lazy admins. When I’m not writing and keeping the site up to date I’m usually onsite working for clients. Often I’m required to have multiple email accounts active when working with various partners.&lt;/P&gt;
&lt;P&gt;Now this isn’t usually a problem, except that, as many know, you can’t have multiple Exchange accounts open in Outlook at the same time. This means that you need to create separate profiles for each Exchange account. This also means that you need to type in a password every time you change profiles. Since retyping passwords can be a drag on productivity (fat-finger errors and typos), wouldn’t it be great if you could have Windows remember your different accounts associated with your already logged-on user account?&lt;/P&gt;
&lt;P&gt;In the Control Panel choose &lt;EM&gt;User Accounts and Family Safety&lt;/EM&gt;.&lt;/P&gt;
&lt;P&gt;&lt;A href="http://thelazyadmin.com/images/Windows7PasswordVault_13E93/image.png"&gt;&lt;IMG style="BORDER-BOTTOM:0px;BORDER-LEFT:0px;DISPLAY:inline;BORDER-TOP:0px;BORDER-RIGHT:0px;" title=image border=0 alt=image src="http://thelazyadmin.com/images/Windows7PasswordVault_13E93/image_thumb.png" width=644 height=460&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;Then click on &lt;EM&gt;Credential Manager&lt;/EM&gt;.&lt;/P&gt;
&lt;P&gt;&lt;A href="http://thelazyadmin.com/images/Windows7PasswordVault_13E93/image_3.png"&gt;&lt;IMG style="BORDER-BOTTOM:0px;BORDER-LEFT:0px;DISPLAY:inline;BORDER-TOP:0px;BORDER-RIGHT:0px;" title=image border=0 alt=image src="http://thelazyadmin.com/images/Windows7PasswordVault_13E93/image_thumb_3.png" width=644 height=460&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;You can now see credentials that you have already entered for various sites. If you check the “Save Username and Password” checkbox when prompted for a credential, the information will be stored here.&lt;/P&gt;
&lt;P&gt;&lt;A href="http://thelazyadmin.com/images/Windows7PasswordVault_13E93/image_4.png"&gt;&lt;IMG style="BORDER-BOTTOM:0px;BORDER-LEFT:0px;DISPLAY:inline;BORDER-TOP:0px;BORDER-RIGHT:0px;" title=image border=0 alt=image src="http://thelazyadmin.com/images/Windows7PasswordVault_13E93/image_thumb_4.png" width=644 height=460&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;Once a credential has been added and stored here it will automatically be supplied when you next access the resource in question. In my case each time I open Outlook and choose a different profile I will skip having to re-enter the password for the specific Exchange account.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;FONT color=#ff0000&gt;IMPORTANT NOTE:&lt;/FONT&gt;&lt;/STRONG&gt; Your default Windows account should be secured with a strong password, and ideally it should also be secured with multifactor authentication. &lt;/P&gt;</description><category domain="http://thelazyadmin.com/blogs/thelazyadmin/archive/tags/Security/default.aspx">Security</category><category domain="http://thelazyadmin.com/blogs/thelazyadmin/archive/tags/Windows+Client/default.aspx">Windows Client</category><category domain="http://thelazyadmin.com/blogs/thelazyadmin/archive/tags/Windows+Springboard/default.aspx">Windows Springboard</category><category domain="http://thelazyadmin.com/blogs/thelazyadmin/archive/tags/daniel.nerenberg/default.aspx">daniel.nerenberg</category></item><item><title>Recovering BitLocker keys from the Active Directory</title><link>http://thelazyadmin.com/blogs/thelazyadmin/archive/2008/07/23/recovering-bitlocker-keys-from-the-active-directory.aspx</link><pubDate>Wed, 23 Jul 2008 16:07:00 GMT</pubDate><guid isPermaLink="false">e0db7a03-7d76-43aa-9219-34d76d3a79c2:2115</guid><dc:creator>daniel.nerenberg</dc:creator><slash:comments>1</slash:comments><comments>http://thelazyadmin.com/blogs/thelazyadmin/comments/2115.aspx</comments><wfw:commentRss>http://thelazyadmin.com/blogs/thelazyadmin/commentrss.aspx?PostID=2115</wfw:commentRss><wfw:comment>http://thelazyadmin.com/blogs/thelazyadmin/rsscomments.aspx?PostID=2115</wfw:comment><description>&lt;P&gt;Here at the LazyAdmin we have talked quite a bit about &lt;A class="" href="http://thelazyadmin.com/search/SearchResults.aspx?q=bitlocker&amp;amp;s=19"&gt;using BitLocker with Windows Vista&lt;/A&gt;. With the introduction of Server 2008 you can now also leverage BitLocker on your 2008 servers. 
This is particularly attractive when deploying Read Only Domain Controllers (RODC) to remote locations where physical security is questionable. &lt;/P&gt;
&lt;P&gt;One BitLocker feature is the ability to back up your BitLocker recovery key to Active Directory. In previous articles we have talked about enabling GPOs that automatically back up BitLocker keys to AD. However, how do you view the BitLocker keys in the event that you need to access them? &lt;/P&gt;
&lt;P&gt;The answer is the BitLocker Recovery Password Viewer: &lt;/P&gt;
&lt;P&gt;&lt;A href="http://www.microsoft.com/downloads/details.aspx?familyid=2786FDE9-5986-4ED6-8FE4-F88E2492A5BD&amp;amp;displaylang=en"&gt;http://www.microsoft.com/downloads/details.aspx?familyid=2786FDE9-5986-4ED6-8FE4-F88E2492A5BD&amp;amp;displaylang=en&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;The Password Viewer will work on any computer that runs the Active Directory Users and Computers console (ADUC). In fact the viewer integrates into the ADUC console. In order to integrate the add-on you must register the viewer component. In order to properly register the component you must run the installation as an Enterprise Administrator. After the component has been registered, a standard domain account will suffice to view BitLocker keys. &lt;/P&gt;
&lt;P&gt;After downloading the MSU package and running it, open a command prompt and change directory to "%systemroot%\Windows\" &lt;/P&gt;
&lt;P&gt;Type: &lt;EM&gt;regsvr32.exe bdeaducext.dll &lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;IMG alt="" src="http://thelazyadmin.com/images/server/071908_0503_RecoveringB1.png"&gt; &lt;/P&gt;
&lt;P&gt;Once the DLL has been registered successfully, a confirmation message will appear. Click OK and exit the command prompt. &lt;/P&gt;
&lt;P&gt;Open ADUC and open the properties dialog of a Computer object. &lt;/P&gt;
&lt;P&gt;&lt;IMG alt="" src="http://thelazyadmin.com/images/server/071908_0503_RecoveringB2.png"&gt; &lt;/P&gt;
&lt;P&gt;Notice there is a new tab called BitLocker; this tab is where you can access the BitLocker recovery key. Below are screens from a computer that has BitLocker enabled and from one that does not. &lt;/P&gt;
&lt;P&gt;&lt;IMG alt="" src="http://thelazyadmin.com/images/server/071908_0503_RecoveringB3.png"&gt; &lt;IMG alt="" src="http://thelazyadmin.com/images/server/071908_0503_RecoveringB4.png"&gt; &lt;/P&gt;
&lt;P&gt;You can also search for the BitLocker Recovery Password. &lt;/P&gt;
&lt;P&gt;&lt;IMG alt="" src="http://thelazyadmin.com/images/server/071908_0503_RecoveringB5.png"&gt; &lt;/P&gt;
&lt;P&gt;&lt;IMG alt="" src="http://thelazyadmin.com/images/server/071908_0503_RecoveringB6.png"&gt; &lt;/P&gt;
&lt;P&gt;With the addition of the BitLocker Recovery Password Viewer, BitLocker is truly a complete and very well integrated solution for securing the contents of mobile computers and of servers in less secure branch locations.&lt;/P&gt;</description><category domain="http://thelazyadmin.com/blogs/thelazyadmin/archive/tags/Directory+Services/default.aspx">Directory Services</category><category domain="http://thelazyadmin.com/blogs/thelazyadmin/archive/tags/Security/default.aspx">Security</category><category domain="http://thelazyadmin.com/blogs/thelazyadmin/archive/tags/Windows+Server/default.aspx">Windows Server</category><category domain="http://thelazyadmin.com/blogs/thelazyadmin/archive/tags/daniel.nerenberg/default.aspx">daniel.nerenberg</category></item><item><title>Extending your AD schema for Vista and Windows 2008 </title><link>http://thelazyadmin.com/blogs/thelazyadmin/archive/2008/07/21/extending-you-ad-schema-for-vista-and-windows-2008.aspx</link><pubDate>Mon, 21 Jul 2008 16:25:00 GMT</pubDate><guid isPermaLink="false">e0db7a03-7d76-43aa-9219-34d76d3a79c2:2114</guid><dc:creator>daniel.nerenberg</dc:creator><slash:comments>0</slash:comments><comments>http://thelazyadmin.com/blogs/thelazyadmin/comments/2114.aspx</comments><wfw:commentRss>http://thelazyadmin.com/blogs/thelazyadmin/commentrss.aspx?PostID=2114</wfw:commentRss><wfw:comment>http://thelazyadmin.com/blogs/thelazyadmin/rsscomments.aspx?PostID=2114</wfw:comment><description>&lt;P&gt;We have talked about enabling BitLocker Active Directory integration in &lt;A class="" href="http://thelazyadmin.com/blogs/thelazyadmin/archive/2007/04/15/configuring-bitlocker-options.aspx"&gt;a previous post&lt;/A&gt;; now we will take a look at prepping your domain to implement this integration. To take advantage of several of the more compelling features, such as RODCs and Windows 2008 domain controllers, we first need to extend the AD schema in our current environment. These additions also allow you to take advantage of features in Windows Vista such as Group Policy client-side extensions and storing BitLocker keys in Active Directory. &lt;/P&gt;
&lt;P&gt;&lt;EM&gt;WARNING: Extending the Active Directory Schema makes permanent irreversible changes to Active Directory. Make sure that you have made proper backups, and tested the update steps in a test environment before proceeding to apply these changes in a live environment.&lt;/EM&gt; &lt;/P&gt;
&lt;P&gt;The schema updates are located on the Windows Vista and Windows Server 2008 DVDs. They are located in the: &lt;/P&gt;
&lt;P&gt;&lt;EM&gt;[DVD-DRIVE]\sources\adprep &lt;/EM&gt;folder. &lt;/P&gt;
&lt;P&gt;The first schema updates need to be applied to the Active Directory forest. In order to apply them you need to run the adprep application from the domain controller that holds the schema master role. To run the forest schema updates use the following command: &lt;/P&gt;
&lt;P&gt;&lt;EM&gt;adprep /forestprep &lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;IMG alt="" src="http://thelazyadmin.com/images/server/071908_0424_Extendingyo1.png"&gt; &lt;/P&gt;
&lt;P&gt;You will be asked to confirm that all domain controllers have been upgraded to at least Windows 2000 Server with SP4. Once confirmed, the LDF files will be applied to the forest schema. &lt;/P&gt;
&lt;P&gt;&lt;IMG alt="" src="http://thelazyadmin.com/images/server/071908_0424_Extendingyo2.png"&gt; &lt;/P&gt;
&lt;P&gt;After Adprep has completed the schema updates: &lt;/P&gt;
&lt;P&gt;&lt;IMG alt="" src="http://thelazyadmin.com/images/server/071908_0424_Extendingyo3.png"&gt; &lt;/P&gt;
&lt;P&gt;Once the forest updates have completed, the next step is to run adprep for each domain in the forest. This should be run on the domain controller that holds the Infrastructure operations master role. The command to run is: &lt;/P&gt;
&lt;P&gt;&lt;EM&gt;adprep /domainprep &lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;IMG alt="" src="http://thelazyadmin.com/images/server/071908_0424_Extendingyo4.png"&gt; &lt;/P&gt;
&lt;P&gt;Finally if you plan on taking advantage of RSOP planning mode you will need to run &lt;EM&gt;adprep /domainprep /gpprep &lt;/EM&gt;to fix the permissions for GPO objects in the domain. Again this should be run from the Infrastructure Master. &lt;/P&gt;
&lt;P&gt;That's it! Now your environment is ready for Windows Server 2008 domain controllers, BitLocker, client-side extensions and more!&lt;/P&gt;</description><category domain="http://thelazyadmin.com/blogs/thelazyadmin/archive/tags/Directory+Services/default.aspx">Directory Services</category><category domain="http://thelazyadmin.com/blogs/thelazyadmin/archive/tags/Security/default.aspx">Security</category><category domain="http://thelazyadmin.com/blogs/thelazyadmin/archive/tags/Windows+Server/default.aspx">Windows Server</category><category domain="http://thelazyadmin.com/blogs/thelazyadmin/archive/tags/daniel.nerenberg/default.aspx">daniel.nerenberg</category></item></channel></rss>