Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
HYPERBOLE, EMBELLISHMENT, AND SYSTEMS ADMINISTRATION
TRUE TALES, SNAFUS, NEWS AND URBAN LEGENDS    

[11/13/2009]  
Security Steps: Restricted Groups Policies

Restricted Groups policies let you control the membership of sensitive groups through Group Policy rather than by editing membership directly with tools such as Active Directory Users and Computers or PowerShell.

The benefit of using Restricted Groups policies is that group membership is re-applied on every Group Policy refresh (security settings are also reapplied every 16 hours even when the policy has not changed). Thus, if a user is added to a sensitive group where they should not be, the next refresh resets the group's membership to the approved list. The reset is silent, though: if you want to know who added the member in the first place, you still need auditing of group membership changes.

Restricted Groups are configured through the Computer Configuration\Windows Settings\Security Settings\Restricted Groups node of a Windows Server 2003 or Windows Server 2008 Group Policy object. Each entry has two parts, and they behave differently: "Members of this group" is the enforced list, and any member not on it is removed at refresh; "This group is a member of" only adds the restricted group to the groups you list and removes nothing. These policies are primarily used at the domain level, most often to control the local Administrators group on member servers and workstations; you can use Group Policy Preferences (Local Users and Groups) to make more granular changes at the local level.

The following screencast demonstrates how to use Restricted Groups policy and also demonstrates what happens when a user account that is not on the list of authorized users for a particular group is added to that group and a policy refresh then occurs.
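As an added example (not code from the original post), the following script does by hand what a "Members of this group" entry does at each refresh: it compares a local group against an approved list and, with -Enforce, removes anything else. It is useful for checking drift on machines the policy does not reach, or for confirming what the policy will do before you link it. It assumes the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and later) and an elevated prompt; the domain SID in the approved list is a hypothetical placeholder.

```powershell
# Added example, not from the original post: report, and optionally fix, drift in a
# local group against an approved list of SIDs, mirroring a Restricted Groups
# "Members of this group" entry. Needs Microsoft.PowerShell.LocalAccounts and an
# elevated prompt. The domain SID below is a hypothetical placeholder.
param(
    [string]$Group = 'Administrators',
    [switch]$Enforce     # without -Enforce the script only reports
)

# Compare by SID, not by name: a renamed account must not slip past the check.
$builtinAdminSid = (Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }).SID.Value
$approvedSids = @(
    $builtinAdminSid                                     # built-in Administrator (RID 500)
    'S-1-5-21-1111111111-2222222222-3333333333-512'      # Domain Admins (hypothetical domain SID)
)

# Get-LocalGroupMember throws if the group holds an orphaned SID from a deleted
# domain account; such entries are drift too, so let the error surface.
$members = Get-LocalGroupMember -Group $Group
$drift   = $members | Where-Object { $approvedSids -notcontains $_.SID.Value }

if (-not $drift) {
    Write-Output "$Group matches the approved list ($(@($members).Count) members)."
    return
}

foreach ($m in $drift) {
    Write-Warning ("Unapproved member of {0}: {1} [{2}] from {3}" -f $Group, $m.Name, $m.SID.Value, $m.PrincipalSource)
    if ($Enforce) {
        # Removing by the member object removes exactly that SID, as the policy would.
        Remove-LocalGroupMember -Group $Group -Member $m
        Write-Output "Removed $($m.Name) from $Group"
    }
}
```

Run it without -Enforce first and read the warnings; if the approved list is wrong, the script (like the policy) will happily remove the account you administer the box with.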




- posted by Orin Thomas

[11/6/2009]  
Security Steps:Use Syskey on Windows 7 to encrypt the SAM to stop someone resetting the local admin password on a netbook

BitLocker requires Windows 7 Enterprise or Ultimate and, in its default configuration, a TPM, and few netbooks have either. Without disk encryption a netbook is vulnerable to utilities that boot from a USB device and rewrite the local SAM database offline to reset the local administrator password. Using SYSKEY with a startup password raises the bar considerably: the password hashes in the SAM are encrypted with a key derived from the startup password, and the machine will not boot to a logon screen until that password is entered, so simply blanking a password offline no longer gets an attacker a usable logon. It is not disk encryption, though; files on the disk remain readable offline unless they are protected by EFS.

SYSKEY has been part of Windows since Windows NT 4.0 SP3, but most administrators don't bother with password-startup mode because it makes recovering the computer difficult if the startup password is forgotten, and because anyone who boots the machine, including the end user, must know it. In some cases you want to do all that you can to protect the data on a netbook. To do this, use SYSKEY to encrypt the SAM database and use EFS to encrypt locally stored files and folders. The two measures reinforce each other: the user's EFS private key is protected by a DPAPI master key derived from the logon password, so an offline password reset also makes the EFS-protected files unrecoverable. Note that syskey.exe was removed from Windows starting with Windows 10 version 1709; on current systems use BitLocker instead. To accomplish this on Windows 7, perform the following steps:

  1. Log on to Windows 7 with an account that has local administrator access.
  2. Type SYSKEY into the search box on the Start menu, press Enter, and click Yes at the UAC prompt.
  3. Select the Encryption Enabled option and click Update.
  4. Select the Password Startup option, enter and confirm the startup password that must be entered at every boot, and click OK.
  5. Reboot the computer.
From now on the startup password must be entered to unlock the SAM database before local logon is possible. Record the password somewhere the user cannot reach but the help desk can, since without it the machine cannot be booted.

You can see these steps in the following video:
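The procedure above is a series of clicks on one machine, so the check a practitioner wants afterwards is whether every netbook actually ended up in password-startup mode. The following is an added example (not from the original post): it reads the SYSKEY mode from the registry over the Remote Registry service and flags machines that are not protected. The value-to-mode mapping for HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SecureBoot is the one Microsoft documents for that value (1 = key stored locally, 2 = password startup, 3 = removable media); confirm it on a reference machine before acting on fleet-wide results. The computer names are hypothetical.

```powershell
# Added example, not from the original post: report which SYSKEY mode a machine is in.
# SecureBoot under HKLM\SYSTEM\CurrentControlSet\Control\Lsa records the mode:
#   1 = key stored on the local machine (the default; no protection against offline edits)
#   2 = password startup (what the steps above configure)
#   3 = key stored on removable media
# Assumes the Remote Registry service is running on the targets. syskey.exe was removed
# in Windows 10 version 1709, so the check only applies to older systems.
function Get-SyskeyMode {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $lsa  = $base.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        $mode = $lsa.GetValue('SecureBoot')
    } finally {
        $base.Close()
    }

    $label = switch ($mode) {
        1       { 'Local key (default, no startup password)' }
        2       { 'Password startup' }
        3       { 'Removable media' }
        default { "Unknown ($mode)" }
    }
    New-Object PSObject -Property @{
        ComputerName = $ComputerName
        SecureBoot   = $mode
        Mode         = $label
        Protected    = ($mode -eq 2 -or $mode -eq 3)
    }
}

# Usage: sweep a list of netbooks (hypothetical names) and list the unprotected ones
'NB-001', 'NB-002', 'NB-003' |
    ForEach-Object { Get-SyskeyMode -ComputerName $_ } |
    Where-Object { -not $_.Protected } |
    Format-Table ComputerName, SecureBoot, Mode -AutoSize
```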


- posted by Orin Thomas

[10/15/2009]  
WSUS, Server 2008 R2 and BranchCache

BranchCache is a technology included with Windows Server 2008 R2 and the Enterprise and Ultimate editions of Windows 7 that allows clients in a branch office to share a cache of content that is normally hosted at the head office. Rather than pulling content over the WAN link from the head office, BranchCache-capable clients retrieve data hosted on head office servers from other clients (or from a hosted cache server) in the branch office that have already accessed the same content. Content is identified by hashes supplied by the origin server, and blocks are encrypted between peers with keys derived from that content information, so a peer cannot serve tampered data and a client that has not been authorized by the server for a piece of content cannot read it from the cache.

BranchCache is only supported if the WSUS server is running Windows Server 2008 R2. Previous versions of Windows Server do not support BranchCache. BranchCache is also only supported by clients running Windows 7 Enterprise or Ultimate editions. You don't need to have a Windows Server 2008 R2 server in the branch office, as you can use WSUS with BranchCache distributed cache mode.

To configure a Windows Server 2008 R2 WSUS server to support BranchCache, install the BranchCache feature on the server. No WSUS-specific settings are needed: the Windows Update client fetches updates with BITS over HTTP, and once the feature is installed the server generates the content hashes that clients use to find the data in the branch. You also need to configure BranchCache on the client computers, which you can do through Group Policy. BranchCache policies are located in the Computer Configuration\Administrative Templates\Network\BranchCache node. You should configure Turn on BranchCache plus exactly one of the two mode policies:

  • Turn on BranchCache. Enabling this policy enables BranchCache on the client. It is not necessary to install additional components on the client.
  • Set BranchCache Distributed Cache Mode. Configure this policy if there is no Windows Server 2008 R2 server at the branch office which can function as a hosted cache server. The cache is shared between the clients on the branch office network.
  • Set BranchCache Hosted Cache Mode. Configure this policy if there is a Windows Server 2008 R2 server at the branch office which can function as the hosted cache server. This server will host the BranchCache cache. Hosting the BranchCache cache requires far fewer resources than deploying WSUS in a branch office.
The clients also need the predefined Windows Firewall rules for BranchCache enabled (BranchCache - Content Retrieval (Uses HTTP) and, for distributed mode, BranchCache - Peer Discovery (Uses WSD)); the BranchCache policies do not enable these for you, so set them in the Windows Firewall with Advanced Security part of the same GPO. Once these steps have been taken, all future updates retrieved by client computers in the branch office will leverage BranchCache: the first client in the branch to request an update still pulls it across the WAN, and subsequent requests are served locally. This will substantially reduce the amount of update traffic pulled across the WAN link. To find out more about using BranchCache with WSUS, consult the following document on TechNet: http://technet.microsoft.com/en-us/library/dd939820(WS.10).aspx
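For a pilot machine, or to see what the policies above actually change, the client side can be configured and verified by hand. The following is an added example, not code from the original post: it puts a Windows 7 client into either mode with the netsh branchcache context, enables the two firewall rules the policies leave to you, and prints the resulting status. The hosted cache server name is hypothetical; run it elevated.

```powershell
# Added example, not from the original post: configure one Windows 7 client for
# BranchCache by hand and confirm the state. Run elevated. Server name is hypothetical.
param(
    [ValidateSet('distributed', 'hostedclient')]
    [string]$Mode = 'distributed',
    [string]$HostedCacheServer = 'BRANCH-CACHE01'   # only used for hosted cache mode
)

# 1. Put the client in the requested mode. This is the same end state the
#    "Turn on BranchCache" + "Set BranchCache ... Mode" policies produce.
if ($Mode -eq 'distributed') {
    netsh branchcache set service mode=distributed
} else {
    netsh branchcache set service mode=hostedclient location=$HostedCacheServer
}

# 2. Distributed mode discovers peers with WS-Discovery (UDP 3702) and serves blocks
#    over HTTP (TCP 80). When run locally, netsh enables these rules itself; Group
#    Policy does not, so this loop is what the firewall GPO must replicate. Without the
#    rules the clients silently fall back to pulling everything from the WSUS server.
$rules = @(
    'BranchCache - Content Retrieval (Uses HTTP)',
    'BranchCache - Peer Discovery (Uses WSD)'
)
foreach ($r in $rules) {
    netsh advfirewall firewall set rule name="$r" new enable=yes | Out-Null
}

# 3. Show the resulting state: look at "Service Mode", "Current Status" and the
#    firewall section of the output. A client with a mode set but the service
#    stopped is the most common misconfiguration.
netsh branchcache show status all
```

To confirm the cache is actually being used after a few update cycles, the BranchCache performance counters (the BranchCache object in Performance Monitor) show bytes served from the cache versus bytes retrieved from the server.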


- posted by Orin Thomas

[10/3/2009]  
Security Steps: How to block the installation of the Chrome Frame add-on for Internet Explorer

Google has recently released an add-on for Internet Explorer named Chrome Frame which alters the functionality of the Microsoft browser, ostensibly to allow specific applications, notably Google's new Wave web application, to function for users of Internet Explorer. From a security standpoint it replaces Internet Explorer's rendering engine with Chrome's for the pages that opt in, so it is a second browser engine to patch, and one your existing IE security policies do not govern.

Organizations that are reluctant to allow add-ons to be installed in Windows Internet Explorer can block them through the Add-on Management policy node of Group Policy. This node is located under Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management in both the Computer Configuration and User Configuration areas of a GPO. These policies function as follows:

  • Add-on List. This policy allows you to specify which add-ons are allowed or denied by Internet Explorer, by CLSID. It can be used in conjunction with the Deny All Add-Ons Unless Specifically Allowed In The Add-On List policy so that only specifically authorized add-ons can be used with Internet Explorer.
  • Deny All Add-Ons Unless Specifically Allowed In The Add-On List. If you enable this policy, add-ons cannot be used unless specifically allowed in the Add-on List policy. If you do not enable it, the block and allow rules in the Add-on List policy still apply, but add-ons not covered by the list can be used.
To block the use of Chrome Frame, you can specifically block the add-on using the Add-on List. You need to know the CLSID of Chrome Frame (which you can locate using a search engine, or read from the Class ID shown in Manage Add-ons on a machine where it is installed) and add an entry whose name is the CLSID, in braces, and whose value is 0, as shown in the exhibit. A value of 0 blocks the add-on, 1 allows it, and 2 allows it but lets the user enable or disable it themselves. A better approach is to know the CLSIDs of all authorized add-ons, list those with a value of 1, and enable Deny All Add-Ons Unless Specifically Allowed In The Add-On List, so that anything you have not explicitly authorized is blocked. Note that this policy stops Internet Explorer from loading the add-on; it does not stop the installer from running, so pair it with a restriction on what users may install if they are local administrators.
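As an added example, not code from the original post, the following script writes the same registry values the two policies above set (which is what you would use on a machine outside the domain, or to stage the policy before the GPO exists) and then lists every registered Browser Helper Object that the allow-list would block, so you know what will stop working. It assumes an elevated prompt; the Flash CLSID is the real one for Shockwave Flash and stands in for "an approved add-on", the other CLSID is a hypothetical placeholder, and the post does not give Chrome Frame's CLSID, so look it up and add it.

```powershell
# Added example, not from the original post: enforce an IE add-on allow-list by
# writing the registry values behind the Add-on List and Deny-all policies, then
# audit installed Browser Helper Objects against that list. Run elevated.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext'
$clsidKey  = Join-Path $policyKey 'CLSID'

# Add-on List values are strings: '0' = deny, '1' = allow, '2' = allow, user may toggle
$allowList = @{
    '{D27CDB6E-AE6D-11CF-96B8-444553540000}' = '1'   # Shockwave Flash, as an approved add-on
    '{00000000-0000-0000-0000-000000000000}' = '0'   # hypothetical CLSID explicitly denied
}

New-Item -Path $clsidKey -Force | Out-Null
foreach ($clsid in $allowList.Keys) {
    New-ItemProperty -Path $clsidKey -Name $clsid -Value $allowList[$clsid] -PropertyType String -Force | Out-Null
}
# "Deny all add-ons unless specifically allowed in the Add-on List"
New-ItemProperty -Path $policyKey -Name 'RestrictToList' -Value 1 -PropertyType DWord -Force | Out-Null

# Audit: every registered BHO not explicitly allowed will be blocked once RestrictToList
# is set. On 64-bit Windows the 32-bit IE reads HKLM:\SOFTWARE\Wow6432Node\..., so check both.
function Get-BlockedBho {
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        Get-ChildItem $key | ForEach-Object {
            $clsid   = $_.PSChildName
            $name    = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
            $allowed = ($allowList[$clsid] -eq '1' -or $allowList[$clsid] -eq '2')
            New-Object PSObject -Property @{
                CLSID    = $clsid
                Name     = $name
                Decision = $(if ($allowed) { 'allowed' } else { 'blocked' })
            }
        }
    } | Where-Object { $_.Decision -eq 'blocked' }
}

Get-BlockedBho | Format-Table CLSID, Name -AutoSize
```

The same values under HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext correspond to the User Configuration versions of the policies. Internet Explorer picks the change up on its next start.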


- posted by Orin Thomas

[9/23/2009]  
Security Steps: Firing a Systems Administrator

This might seem hopelessly obvious, but if you look through the news headlines about administrators who attack the organizations that they worked for, you will find that in almost all cases the operative word is "worked": the administrator had been let go before they launched their damaging attack. The main reason the attack succeeded was that the organization had not disabled or removed the administrator's accounts once their employment had ceased.

Although large organizations tend to have excellent policies when it comes to deprovisioning user accounts when the users are let go, small to medium sized enterprises are less likely to be diligent when it comes to disabling or removing the user accounts of users once they have left the organization. Almost every administrator I know has stories of looking through the Active Directory database and seeing the fully enabled account of an administrator who has long since left the organization.

One reason that these accounts don’t get disabled is that there is a nagging fear in the back of people’s minds that there may be some job, in the bowels of some server on the network, that relies on that account being active in the domain. That disabling the account will cause something in the background to quietly go clunk. In reality if that is the case better that you know about it now because, at some point, you need to make sure that damn account is disabled – you can’t leave it there just in case!

Another thing the history of these sort of breaches shows is that it is not just employees that leave under acrimonious circumstances who turn around later and attack organizations. Employees who have moved on to greener pastures quite amicably have been known to come back and trash some servers when they find out that they still have access. Just because they left under a pink fluffy cloud doesn’t mean that they didn’t harbor some deep unresolved animosity and thirst for revenge.

So what can you do when an admin leaves the organization?

Step Zero. If they give notice, configure their account to expire at the time their employment ends (the Account Expires setting on the Account tab in Active Directory Users and Computers). That way you don't need to remember to disable the account on the day.

Step One. When they do leave, manually disable the account. This is relatively straightforward. At some point you should delete the account, but it is safe to leave it disabled in the short to medium term, and keeping it preserves the SID, which makes reading old audit trails and file ownership easier.

Step Two. Configure the Logon Hours so that the user is denied logon at all times, and set the computers the account can log on from (Log On To on the Account tab) to a workstation name that does not exist. Disabling an account does not end sessions the person already has: an existing interactive session stays logged on until it is logged off, and Kerberos tickets they already hold remain valid until they expire (10 hours by default for a ticket-granting ticket). Denying all logon hours helps with the first problem where the policy Microsoft network server: Disconnect clients when logon hours expire is enabled, since file servers then drop the account's SMB sessions; for a session you know is live, you still need to log it off or reboot the host. Finally, reset the password: a departing admin may have reused it on service accounts, saved RDP sessions or local accounts that disabling the domain account does not touch. You probably only have to use Step Two in the case where an admin is getting fired, as you may want to lock them out while they are still possibly logged on.
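The three steps above as a script, as an added example that is not code from the original post. It uses the ActiveDirectory module (Windows Server 2008 R2 or RSAT) and adds the check the "something in the bowels of some server" worry calls for: before the last day, list the services on your servers that run as the account. The account name, date and server names are hypothetical.

```powershell
# Added example, not from the original post: Steps Zero to Two for a domain account,
# plus a pre-flight check for services running as that account. Needs the
# ActiveDirectory module. Account, date and server names are hypothetical.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web      # for the random password generator

function Find-ServicesRunningAs {
    param([string]$SamAccountName, [string[]]$Servers)
    foreach ($s in $Servers) {
        Get-WmiObject -Class Win32_Service -ComputerName $s -ErrorAction SilentlyContinue |
            Where-Object { $_.StartName -like "*\$SamAccountName" -or $_.StartName -like "$SamAccountName@*" } |
            Select-Object @{ n = 'Server'; e = { $s } }, Name, StartName, State
    }
}

function Disable-DepartedAdmin {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [datetime]$LastDay = (Get-Date)
    )
    # Step Zero: expire the account when employment ends (run this when notice is given)
    Set-ADAccountExpiration -Identity $SamAccountName -DateTime $LastDay

    # Step One: disable it (safe to run again on the day itself)
    Disable-ADAccount -Identity $SamAccountName

    # Step Two: deny logon at every hour. logonHours is a 21-byte bitmap
    # (7 days x 24 hours, one bit per hour); all zeros means "never".
    Set-ADUser -Identity $SamAccountName -Replace @{ logonHours = (New-Object byte[] 21) }

    # ...and allow logon only from a workstation that does not exist, so the
    # "Log On To" check fails on every real machine.
    Set-ADUser -Identity $SamAccountName -LogonWorkstations 'NO-SUCH-HOST'

    # Disabling does not revoke the password the person knows, and admins reuse
    # passwords on service and local accounts; reset it to a random value.
    $newPassword = ConvertTo-SecureString ([System.Web.Security.Membership]::GeneratePassword(32, 8)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $newPassword

    Get-ADUser -Identity $SamAccountName -Properties AccountExpirationDate, LogonWorkstations |
        Select-Object SamAccountName, Enabled, AccountExpirationDate, LogonWorkstations
}

# Before the last day: is anything on the servers running as this account?
Find-ServicesRunningAs -SamAccountName 'jdoe' -Servers 'FS01', 'SQL01', 'APP01' | Format-Table -AutoSize

# On the day: the notice period ends on 30 November 2009 at 17:00
Disable-DepartedAdmin -SamAccountName 'jdoe' -LastDay ([datetime]'2009-11-30 17:00')
```

Scheduled tasks and application pools are the other common places an admin's credentials end up; check those with the same name patterns on the same servers before you rely on the account being unused.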


- posted by Orin Thomas

[8/6/2009]  
In five years all browsers will block internet advertisements by default.

If you want to earn money through publishing content on the Internet you only have a few options. The first is to put up a paywall where people can only access the content after they have paid a subscription fee. The second is to tack on some advertisements and hope that you generate enough traffic and clicks to meet your costs. A third way is to publish sponsored content where someone pays for an author to write an article or whitepaper and the finished content is provided to the public free of charge. As you are aware, the second method is the most commonly used method of paying for content on the Internet. This is because most people won’t pay for something at a paywall that they can get “for free” by visiting a site that is supported by advertising.

The key concept here is the perception that content hosted on sites supported by advertising is “for free”.

Adblock Plus ( http://adblockplus.org/en/ ) is an extension for the Firefox web browser that configures the browser so that advertising on websites is blocked. Not every advertisement is blocked, but most of them are. If you tinker with Adblock Plus, you can have an advertisement free browsing experience. Adblock Plus, like the Firefox browser, is available free of charge to anyone that wants to download and install it. When you talk to most people about what annoys them about surfing the web, they’ll often talk about advertisements. Tell them about Firefox and Adblock Plus and they will want it installed on their computer. You will have to ask a lot of people before you find one who would choose to view Internet advertising if there was a trivial way to have it blocked. One of the main reasons that Adblock Plus isn’t more prevalent is that people aren’t really aware of it. Installing Adblock Plus requires a minimum level of technical skill.

What would happen if Adblock Plus, or a product that obtained a similar outcome, was used by the vast majority of web surfers? What if Microsoft included similar functionality in Internet Explorer and allowed you to enable it in the same way that you enable InPrivate browsing? What would happen to the content that is made available through “method two” then? How much are advertisers willing to pay on the Internet if the advertisements on the Internet are blocked for the majority of web surfers? How will providers of free content meet their costs if web based advertising suddenly becomes a whole lot less effective?

Users of Adblock Plus use the extension because they don't want to see advertisements. Although they realize that the amount of content freely available on the Internet would be vastly reduced if everyone used Adblock Plus, things sort of work at the moment because the vast majority of users don't block advertisements. If newspapers wanted to hit the online content industry hard right now, they would be running non-stop information about how to obtain and use Adblock Plus. From the perspective of traditional newspapers, free online content is trashing their business model, so turnabout would seem to be fair play: a scorched-earth approach that makes supporting online news content through advertisements untenable because everyone blocks the advertisements.

The only reason that the vast majority of users do not block advertisements is because they do not know how to block advertisements. No one wants to view advertisements.

I’ve seen arguments published that suggest that users of Adblock Plus wouldn’t “be forced” to use the product if web based advertisements weren’t so intrusive. This argument is a little specious. Yes, big flashy multi-colored banner advertisements are annoying. As with any annoyance there is a princess/pea/mattress issue. That is once you’ve got rid of the big annoyances, the ones that used to appear small now suddenly become all consuming. Once you get rid of flashy Internet advertising, people will still want to block the non-flashy stuff. People use Adblock Plus because they do not want to see advertisements.

If you can block it, people will block it. The technology exists. At some point the advertisement-blocking genie is really going to get out of the bottle and "method two" will be dead in the water.

People have become conditioned to accessing content for free on the Internet and people also don’t want to see advertisements on the Internet. At some point in the not too distant future, Ad blocking will become a necessary browser feature like Tabs are today. Any browser that does not include the feature will suffer a dramatic downturn in market share as people move to platforms that “block those darn advertisements”. Within five years, all browsers will block advertisements by default because, in the end, it is a feature that most people want.

Although browser manufacturers are cognizant of the reasons why they shouldn’t include advertisement blocking functionality in their browsers by default, as the browser wars become more intense, the temptation to ship a browser that blocks advertisements is going to become overwhelming. At that point, the competition will be about which browser blocks the most advertisements. It won’t be which browser blocks annoying flash advertisements, but which browser blocks almost every type of advertisement.

At present Firefox and Adblock Plus are quietly ticking upwards in terms of overall market share. Slowly, but inevitably, a tipping point is being reached. After that tipping point, Internet advertising will be under siege. Seeing an advertisement on a web page will be like finding spam in your inbox. At one point you saw a lot of spam in your inbox. Today, while your spam is still present, your inbox is most likely pretty clean.

The Pandora's box of Internet advertisement blocking is already wide open. Unless human nature, which tends to find advertisements an annoyance rather than a necessary evil, changes, when people find out about advertisement-blocking technology they are going to want to have it. If other people can look at Internet pages without advertisements, why can't they? At some point, just like with tabbed browsing, almost everyone is going to have advertisement-blocking technology.

What happens to “free” content on the Internet then?


- posted by Orin Thomas

[7/31/2009]  
Things that you should think about before firing a systems administrator.

Most organizations, when they are about to sack an administrator, give little thought to what to do if things go horribly wrong. This is because most sacking decisions tend to be made hastily rather than at leisure. When a regular employee is fired, their password can be changed and they can be escorted out of the building. Administrators aren't regular employees, and although 99.9% of administrators will go quietly if they suddenly lose their position, 0.1% of administrators might decide to take a parting swipe if they feel they have been treated shabbily.

Management in most organizations does not recognize how thoroughly dependent their business is on their IT infrastructure. They realize that IT is important, but don’t spend a lot of time wondering about what would happen if critical systems stopped working. This is because they’ve employed systems administrators to worry about these things. What they don’t seem to spend time thinking about is the sort of damage that the person who is paid to look after these systems is capable of doing. If they did think about this, they would probably be a lot more circumspect when planning to change the employment status of anyone with administrative privileges on the network.

Organizations should put a lot of thought into how they deal with terminating the employment of systems administrators. It is all about risk management. In most cases they have nothing to worry about because the person that they employed will act professionally even if the change in employment status is not necessarily handled in a professional manner. But a risk exists, however remote, that the person will not behave professionally. Just as an organization takes regular backups to guard against a one in a thousand chance of hardware failure, they need to take precautions when preparing to let go of a systems administrator.

There are a couple of important things to remember when thinking about firing a sysadmin. The first is that if an organization has employed a truly nefarious systems administrator, and by that I mean someone who is crazy smart and who will lash out if fired, they are probably up the creek. This is because the true evil-genius administrator has already prepared everything in advance, before you started thinking about this sort of thing. This is the sort of person who has put dead-man scripts into the system that wipe data when they don't receive a regular disarm message. If an organization suspects that it has this sort of administrator, they need to find a way to get that person to go on vacation so that someone else can go through everything looking for possible tripwires and backdoor administrative accounts. A nefarious administrator who has gone away on holiday and expects to return to work won't have things set up so that the system falls apart because they are away. If the person checking for these tripwires and backdoor accounts is unable to find anything, the most likely reason is that the suspicions were groundless.

The second thing to remember is that a rogue administrator will dip their toe into the pool before trying something. If you've got alerts set up to detect the creation of extra administrator accounts and the systems administration team is aware that such alerts exist, this will work as a deterrent. IT systems come with a whole lot of ways to audit the behavior of systems administrators, and most organizations should do this as a matter of course. The audit trail is only worth something if the people being audited cannot clear it, so forward the Security logs to a system the administrators being watched do not administer. Once you have a good set of logs, you can review the activities of a systems administrator before you fire them.

Finally, before you let even the most trusted systems administrator go from a company, make sure that a complete backup has been taken and that it is stored somewhere the administrator cannot reach. In fact, if you plan ahead, you can perform a disaster recovery trial to ensure that the backups work as advertised, so that if you have missed something and lose data to a revenge attack, you know for a fact that you will be able to recover it.

Organizations need a plan to deal with systems administrators who leave under less than ideal circumstances. If they don't have one and something bad happens, they will wish they had thought of it before they let that person go.
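The "alerts when an extra administrator account is created" check from the paragraphs above, as an added example that is not code from the original post. It reads the Security log of a domain controller for the events Windows Server 2008 and later write when an account is created (4720) or a member is added to a security group (4728 global, 4732 local, 4756 universal) and reports only the groups you care about. Each domain controller logs only the changes it processed, so run it against every DC, or against the collector you forward the logs to. The DC name and the custom group name are hypothetical.

```powershell
# Added example, not from the original post: list account creations and additions to
# privileged groups from a domain controller's Security log. DC name and the
# "ServerOps-Tier0" group are hypothetical; the other groups are the built-ins.
function Get-PrivilegedGroupChange {
    param(
        [string]$ComputerName = 'DC01',
        [int]$Hours = 24,
        [string[]]$WatchedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                                     'Administrators', 'Account Operators', 'ServerOps-Tier0')
    )

    # 4720 = user account created; 4728/4732/4756 = member added to a global/local/universal group
    $filter = @{ LogName = 'Security'; Id = 4720, 4728, 4732, 4756; StartTime = (Get-Date).AddHours(-$Hours) }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the named EventData fields from the XML instead of trusting positional Properties[]
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        $actor = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"

        if ($_.Id -eq 4720) {
            New-Object PSObject -Property @{
                Time = $_.TimeCreated; Event = 'UserCreated'; Actor = $actor
                Target = $data['TargetUserName']; Group = ''
            }
        } elseif ($WatchedGroups -contains $data['TargetUserName']) {
            # For 47xx events TargetUserName is the group and MemberName the DN of the new member
            New-Object PSObject -Property @{
                Time = $_.TimeCreated; Event = 'MemberAdded'; Actor = $actor
                Target = $data['MemberName']; Group = $data['TargetUserName']
            }
        }
    }
}

# Usage: everything from the last week, oldest first
Get-PrivilegedGroupChange -ComputerName 'DC01' -Hours 168 |
    Sort-Object Time |
    Format-Table Time, Event, Actor, Group, Target -AutoSize
```

The events only exist if Audit account management (Security Group Management and User Account Management under Advanced Audit Policy) is enabled on the domain controllers; check that first, because an empty result with auditing off looks exactly like a quiet week.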


- posted by Orin Thomas

[7/15/2009]  
Thinking about passwords

A recent debate erupted in the security community about the utility of password masking. Password masking is the practice of displaying a password as a series of non-representative characters, such as ********, as you enter it.

The argument was made that in the vast majority of circumstances password masking is not necessary because there is no one standing behind us when we enter our passwords. If there were someone standing behind us, we could just wait until they left before we entered our password. In the event that we were unaware of someone standing behind us, only someone with a photographic memory could remember the password after seeing it displayed on the screen for the amount of time it takes to type it. Of course such a person could probably work out and remember a password by watching us type it on the keyboard anyway, so if you are dealing with someone who is determined to learn your password and who has a photographic memory, you are out of luck.

So the basic argument was that password masking is not a very effective means of security, though there were caveats for things like cameras (which again could be pointed at keyboards as well as screens).

The next point was that this form of security, which is perhaps not fully effective, was costing organizations a lot of money, because when passwords are masked people are more likely to make mistakes entering them. This leads to account lockouts that require direct intervention from someone in the IT department to resolve.

Password masking is not something that you can directly enable or disable in current versions of Windows, so there is no easy practical solution to this problem. One solution proposed is to relax account lockout policies. Windows supports an account lockout threshold of up to 999 invalid attempts (0 disables lockout altogether). Rather than locking users out after three or five invalid attempts, if your concern is an automated guessing attack, you can choose a number like 50 invalid attempts within the observation window. Few users will fail to enter their password 50 times before calling IT support, and the users who would have been locked out after three invalid attempts might have remembered it correctly after a few more. Two caveats: 50 online guesses against a weak password is still a real chance of success, so a higher threshold only makes sense alongside a decent minimum length, and any lockout policy lets an attacker who knows a user name deliberately lock that user out, which is one more reason not to set the threshold too low.

Another solution that has been proposed is to get people to write down their passwords and keep them in their wallet. The theory goes that people are good at keeping things in their wallet, like their credit card, secret and they are probably more worried about someone learning their credit card number than they are with someone learning their password.

Our current approach to passwords has a lot of inertia. The main question raised by this debate is whether the current approach is the best way to deal with the problems that passwords are supposed to solve. Making users rotate their passwords frequently does ensure that if someone discovers a user's password, the password only remains useful to them for a limited time. An important question is whether, in organizations where user security is not critical, this solves more problems than it causes. Administrators should have the most rigorous password policies applied to their accounts, yet interestingly enough administrators are among the first to configure the "password never expires" setting on their own accounts whilst merrily forcing less privileged users to rotate theirs constantly.

Perhaps with Project Natal’s people recognition technology on the horizon we might be able to move beyond passwords. Any attacker who is sophisticated enough to get around person and voice recognition that is available in Natal will not have much in the way of problems getting around an old fashioned username and password combination.
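Two checks behind the observations above, as an added example that is not code from the original post: which members of the privileged groups have "password never expires" set (with when the password was last set, so the stale ones stand out), and what the domain lockout policy actually is together with how many lockouts it produced over the last 30 days, which is the cost the masking debate is arguing about. Lockout events (4740) are written on the PDC emulator, which the script locates itself. It assumes the ActiveDirectory module; the group list is the built-ins.

```powershell
# Added example, not from the original post: audit privileged accounts for
# "password never expires" and summarize the domain lockout policy against the
# lockouts it actually produced. Needs the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-PrivilegedNeverExpires {
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Administrators'))

    $members = foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive | Where-Object { $_.objectClass -eq 'user' }
    }
    $members | Sort-Object -Property distinguishedName -Unique |
        Get-ADUser -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate |
        Where-Object { $_.Enabled -and $_.PasswordNeverExpires } |
        Select-Object SamAccountName, PasswordLastSet, LastLogonDate
}

function Get-LockoutSummary {
    param([int]$Days = 30)

    $policy = Get-ADDefaultDomainPasswordPolicy
    $pdc    = (Get-ADDomain).PDCEmulator
    # 4740 = "A user account was locked out"; TargetUserName is the locked account
    $events = @(Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-$Days)
    })
    $users = $events | ForEach-Object {
        ([xml]$_.ToXml()).Event.EventData.Data |
            Where-Object { $_.Name -eq 'TargetUserName' } |
            ForEach-Object { $_.'#text' }
    } | Sort-Object -Unique

    New-Object PSObject -Property @{
        LockoutThreshold         = $policy.LockoutThreshold            # 0 = never lock out
        LockoutObservationWindow = $policy.LockoutObservationWindow
        LockoutDuration          = $policy.LockoutDuration
        MaxPasswordAge           = $policy.MaxPasswordAge
        LockoutsInPeriod         = $events.Count
        DistinctUsersLockedOut   = @($users).Count
        Days                     = $Days
    }
}

Get-PrivilegedNeverExpires | Format-Table -AutoSize
Get-LockoutSummary
```

If the number of distinct users locked out is a large fraction of the user base, the threshold is doing more harm than good; if it is a handful of accounts locked out repeatedly, look at those accounts for a stale saved credential or a service trying an old password before you touch the policy.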


- posted by Orin Thomas

[7/8/2009]  
Google Announces Chrome OS

The Official Google Blog announced that Google will release an open source operating system named Google Chrome OS in the second half of 2010. See http://googleblog.blogspot.com/2009/07/introducing-google-chrome-os.html

Chrome OS will initially be targeted at netbook computers, and Google is already in discussion with hardware manufacturers about shipping the OS with their netbook products. Chrome OS is designed to run on x86 and ARM processors. It is separate from Android, and Google will be relying substantially on the open source community to develop and promote the operating system.

Chrome OS won’t just be a challenge to Microsoft, but will also be a substantial challenge to Linux distributions. Now people who want an alternative to Microsoft have another alternative to Linux. Chrome OS sounds like a lightweight Linux operating system that comes from a major player. What this means for the popularity of Ubuntu is yet to be seen. It will also be interesting to see how things pan out given that Chrome OS will be released after giving Microsoft’s Windows 7 OS a year to entrench itself in the netbook market. Linux on Netbooks had a big head start and was crushed in the marketplace by Windows XP. Chrome OS will be coming into the market after Windows 7 has been available on netbooks for almost 12 months.

Interesting times indeed.


- posted by Orin Thomas

[7/1/2009]  
Blizzard will not support LAN play in StarCraft 2

In one of the most serious WTF moments I’ve ever had as a gamer, Blizzard today announced that StarCraft 2 will not support direct LAN play.

http://au.gamespot.com/news/6212765.html

Not only will you need to buy three (yes, three) separate products to get the whole StarCraft 2 experience (want to play Zerg, buy the Zerg product; want to play Protoss, sorry, you need to buy the Protoss edition), you won't be able to set up a direct LAN connection.

In those few spare moments I have in life, I play RTS games with my brother in law. We set up an ad-hoc wireless network with our laptops and go hammer and tong at one another. When a new game comes out, like Red Alert 3 or Supreme Commander, I always buy 2 copies so that we can get down to business straight away. The problem with my brother in law’s place is that while he has a great amount of space for gaming, he only has an old dial-up Internet connection – which we don’t connect to anyway when we are playing over an ad-hoc wireless network.

It certainly looks like we won't be able to play StarCraft II over an ad-hoc network (can you imagine trying to play across the room by making a connection over a shared dial-up connection?). Luckily there are a host of other great RTS games that we can spend our money on. Even Dawn of War II, which has its own multiplayer setup joys, allows direct LAN play.


- posted by Orin Thomas

 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement