Windows Vista Security Guide

Chapter 5: Specialized Security – Limited Functionality

The Specialized Security – Limited Functionality (SSLF) baseline in this guide addresses the demand to help create highly secure environments for computers running Windows Vista™. Concern for security is so great in these environments that a significant loss of functionality and manageability is acceptable. The Enterprise Client (EC) security baseline helps provide enhanced security that allows sufficient functionality of the operating system and applications for the majority of organizations.

  Warning

The SSLF security settings are not intended for the majority of enterprise organizations. The configuration for these settings has been developed for organizations where security is more important than functionality.

If you decide to test and deploy the SSLF configuration settings to the client computers in your environment, the IT resources in your organization may experience an increase in help desk calls related to the limited functionality that the settings impose. Although the configuration for this environment provides a higher level of security for data and the network, it also prevents some services from running that your organization may require. Examples of this include Terminal Services, which allows multiple users to connect interactively to desktops and applications on remote computers, and the Fax Service, which enables users to send and receive faxes over the network using their computers.

It is important to note that the SSLF baseline is not an addition to the EC baseline: the SSLF baseline provides a distinctly different level of security. For this reason, do not attempt to apply the SSLF baseline and the EC baseline to the same computers running Windows Vista. Rather, for the purposes of this guide, it is imperative to first identify the level of security that your environment requires, and then decide to apply either the EC baseline or the SSLF baseline. To compare the setting differences between the EC baseline and SSLF baseline, see Appendix A, "Security Group Policy Settings." The Windows Vista Security Guide Settings.xls file that also accompanies this guide provides another resource that you can use to compare setting values.

Important   If you are considering whether to use the SSLF baseline for your environment, be prepared to exhaustively test the computers in your environment after you apply the SSLF security settings to ensure that they do not prohibit required functionality for the computers in your environment.

On This Page

Specialized Security EnvironmentSpecialized Security Environment
Limited Functionality EnvironmentLimited Functionality Environment
The GPOAccelerator ToolThe GPOAccelerator Tool
More Information More Information

Specialized Security Environment

Organizations that use computers and networks, especially if they connect to external resources such as the Internet, must address security issues in system and network design, and how they configure and deploy their computers. Capabilities that include process automation, remote management, remote access, availability 24 hours a day, worldwide access, and software device independence enable businesses to become more streamlined and productive in a competitive marketplace. However, these capabilities also expose the computers of these organizations to potential compromise.

In general, administrators take reasonable care to prevent unauthorized access to data, service disruption, and computer misuse. Some specialist organizations, such as those in the military, state and local government, and finance are required to protect some or all of the services, systems, and data that they use with a specialized security level. The SSLF baseline is designed to provide this level of security for these organizations. To preview the SSLF settings, see Appendix A, "Security Group Policy Settings."


Top Of Page Top of page

Limited Functionality Environment

The specialized security that the SSLF baseline implements may reduce functionality in your environment. This is because it limits users to only the specific functions that they require to complete necessary tasks. Access is limited to approved applications, services, and infrastructure environments. There is a reduction in configuration functionality because the baseline disables many property pages with which users may be familiar.

The following sections in this chapter describe the areas of higher security and limited functionality that the SSLF baseline enforces:

  • Restricted services and data access
  • Restricted network access
  • Strong network protection

Restricted Services and Data Access

Specific settings in the SSLF baseline can prevent valid users from accessing services and data if they forget or misspell passwords. In addition, these settings may lead to an increase in help desk calls. However, the security benefits that the settings provide help make it harder for malicious users to attack computers running Windows Vista in this environment. Setting options in the SSLF baseline that could potentially prevent users from accessing services and data include those that:

  • Disable administrator accounts.
  • Enforce stronger password requirements.
  • Require more strict account lockout policy.
  • Require more strict policy for the following User Rights Assignments settings:
    Log on as a Service and Log on as a Batch Job.

Note   Setting details for both the EC and the SSLF baselines are available in Appendix A, "Security Group Policy Settings." The Windows Vista Security Guide Settings.xls file that also accompanies this guide provides another resource that you can use to compare setting values.

Restricted Network Access

Network reliability and system connectivity is paramount for successful business. Microsoft operating systems provide advanced networking capabilities that help to connect systems, maintain connectivity, and repair broken connections. Although this capability is beneficial to maintaining network connectivity, attackers can use it to disrupt or compromise the computers on your network.

Administrators generally welcome features that help to support network communications. However, in special cases, the primary concern is the security of data and services. In such specialized environments, some loss of connectivity is tolerated to help ensure data protection. Setting options in the SSLF baseline that increase network security but could potentially prevent users from network access include those that:

  • Limit access to client systems across the network.
  • Hide systems from browse lists.
  • Control Windows Firewall exceptions.
  • Implement connection security, such as packet signing.

Strong Network Protection

A common strategy to attack network services is to use a denial of service (DoS) attack. Such an attack prevents connectivity to data or services or over-extends system resources and degrades performance. The SSLF baseline protects access to system objects and the assignment of resources to help guard against this type of attack. Setting options in the SSLF baseline that help to prevent DoS attacks, include those that:

  • Control process memory quota assignments.
  • Control object creation.
  • Control the ability to debug programs.
  • Control process profiling.

All of these security considerations contribute to the possibility that the security settings in the SSLF baseline may prevent applications in your environment from running or users from accessing services and data as expected. For these reasons, it is important to extensively test the SSLF baseline after you implement it and before you deploy it in a production environment.

Implementing the Security Policies

The SSLF solution described in this guide uses the Group Policy Management Console (GPMC), and GPMC-based scripts. GPMC is integrated into the Windows Vista operating system, so you do not have to download and install the console each time you need to manage GPOs on a different computer.

Important   You must perform all of the procedures in this guide on a client computer running Windows Vista that is joined to a domain using the Active Directory® directory service. In addition, the user who performs the procedures must have Domain Administrator privileges. If you use the Microsoft Windows® XP or Windows Server® 2003 operating systems, the Windows Vista–specific security settings will not be visible in the GPMC.

To implement the security design, there are three key tasks to complete:

  1. Create the SSLF environment.
  2. Use the GPMC to link the VSG SSLF domain policy to the domain.
  3. Use the GPMC to check your results.

This section of the chapter describes these tasks and procedures and the functionality of the GPOAccelerator.wsf script, which automatically creates the prescribed GPOs.

The GPOAccelerator.wsf Script

The GPOAccelerator.wsf script that accompanies this guide will create all the GPOs you need. You do not need to spend a lot of time manually editing policy settings or applying templates. To establish the SSLF environment, the script creates the following four GPOs:

  • VSG SSLF Domain Policy for the domain.
  • VSG SSLF Users Policy for users.
  • VSG SSLF Desktop Policy for desktop computers.
  • VSG SSLF Laptop Policy for laptop computers.

Important   To successfully implement the security design for the SSLF environment, ensure that you thoroughly test the design before deploying it in your production environment.

Use the GPOAccelerator.wsf script to:

  • Test the design in a lab environment. In your test environment, use the GPOAccelerator.wsf script to create an OU structure, create the GPOs, and then automatically link the GPOs to the OUs. After you complete the test phase of the implementation, you can use the script in your production environment.
  • Deploy the design in a production environment. When you start working in your production environment to implement the solution, you must first create a suitable OU structure or modify an existing set of OUs. You can then use the GPOAccelerator.wsf script to create the GPOs, and then link the newly created GPOs to the appropriate OUs in your environment.

Test the Design in a Lab Environment

The GPOs provided with this guide have been thoroughly tested. However, it is important to perform your own testing in your own environment. To save time, you can use the GPOAccelerator.wsf script to create the prescribed GPOs and the sample OU structure, and then automatically link the GPOs to the OUs.

Task 1: Create the SSLF Environment

The GPOAccelerator.wsf script is located in the Windows Vista Security Guide\GPOAccelerator Tool folder that the Microsoft Windows Installer (.msi) file creates.

Note   The GPOAccelerator Tool folder and subfolders for it must be present on the local computer for the script to run as described in the following procedure.

To create the GPOs and link them to the appropriate OUs in a lab environment

  1. Log on as a domain administrator to a computer running Windows Vista that is joined to the domain using Active Directory in which you will create the GPOs.
  2. On the desktop, click the Windows Vista Start button, click All Programs, and click Windows Vista Security Guide.
  3. Open the GPOAccelerator Tool\Security Group Policy Objects folder.
  4. Right-click the Command-line Here.cmd file, and then click Run as administrator to open a command prompt with full domain administrative privileges.

    Note   If prompted for logon credentials, type your user name, password, and press ENTER.

  5. At the command prompt, type cscript GPOAccelerator.wsf /SSLF /LAB, and then press ENTER.
  6. In the Click Yes to continue, or No to exit the script message box, click Yes.

    Note   This step can take several minutes.

  7. In The SSLF Lab Environment is created message box, click OK.
  8. In the Make sure to link the SSLF Domain GPO to your domain message box, click OK, and then complete the next task to link the VSG SSLF Domain Policy.

    Note   The domain level Group Policy includes settings that apply to all computers and users in the domain. It is important to be able to decide when to link the domain GPO, because this GPO applies to all users and computers. For this reason, the GPOAccelerator.wsf script does not automatically link the domain GPO to the domain.

You are now ready to link the domain GPO to the domain. The following instructions describe how to use the GPMC on a client computer running Windows Vista to link the VSG SSLF Domain Policy to the domain.

To link the VSG SSLF Domain Policy

  1. Click the Windows Vista Start button, click All Programs, click Accessories, and then click Run. (Or press the Windows logo key+R.)
  2. In the Open text box, type gpmc.msc and then click OK.
  3. Under the Domains tree, right-click the domain and then click Link an existing GPO.
  4. In the Select GPO dialog box, click the VSG SSLF Domain Policy GPO, and then click Yes.
  5. In the details pane, select the VSG SSLF Domain Policy and click the Move link to top button.

Important   Ensure that the VSG SSLF Domain Policy has its Link Order set to 1. Failure to do this will cause other GPOs linked to the domain, such as the Default Domain Policy GPO, to overwrite the Windows Vista Security Guide settings.

Task 3: Use the GPMC to Check Your Results

You can use the GPMC to check the results of the script. The following procedure describes how to use the GPMC on a client computer running Windows Vista to verify the GPOs and OU structure that the GPOAccelerator.wsf script creates for you.

To verify the results of the GPOAccelerator.wsf script

  1. Click the Windows Vista Start button, click All Programs, click Accessories, and then click Run.
  2. In the Open text box, type gpmc.msc and then click OK.
  3. Click the appropriate forest, click Domains, and then click your domain.
  4. Click and expand the Vista Security Guide SSLF Client OU, and then click each of the five OUs below it to open them.
  5. Verify your OU structure and GPO links match those in the following figure.

    Figure 5.1 The GPMC view of the OU structure and GPO links that the GPOAccelerator.wsf script creates

All of the GPOs that the GPOAccelerator.wsf script creates are fully populated with the settings that this guide prescribes. You can now use the Active Directory Users and Computers tool to test the design by moving users and computers into their respective OUs. For details about the settings contained in each GPO, see Appendix A, "Security Group Policy Settings."

Deploy the Design in a Production Environment

To save time, you can use the GPOAccelerator.wsf script to create the GPOs for the SSLF environment. Then you can link the GPOs to the appropriate OUs in your existing structure. In larger domains with large numbers of OUs, you will need to consider how to use your existing OU structure to deploy the GPOs.

In larger domains with large numbers of OUs, you will need to consider how to use your existing OU structure to deploy the GPOs. If possible, you should keep computer OUs distinct from user OUs. Laptop and desktop computers also should be organized in their own OUs. If such a structure is not possible in your environment, you may need to modify the GPOs. You can use the settings reference in Appendix A, "Security Group Policy Settings," to help you decide what modifications may be necessary.

Note   As discussed in the previous section, you can use the GPOAccelerator.wsf script with
the /LAB option in a test environment to create the sample OU structure. However, environments with a flexible OU structure can also use the option in a production environment to create a basic OU structure, and automatically link the GPOs. Then you can manually modify the OU structure to meet the requirements of your environment.

Task 1: Create the GPOs

You create the SSLF GPOs described in this guide using the GPOAccelerator.wsf script. The GPOAccelerator.wsf script is located in the Windows Vista Security Guide\GPOAccelerator Tool folder that the Microsoft Windows Installer (.msi) file creates for you.

Note   You can also simply copy the GPOAccelerator Tool directory from a computer where the directory is installed to another computer that you want to use to run the script. The GPOAccelerator Tool folder and subfolders for it must be present on the local computer for the script to run as described in the following procedure.

To create the GPOs in a production environment

  1. Log on as a domain administrator to a computer running Windows Vista that is joined to the domain using Active Directory in which you will create the GPOs.
  2. On the desktop, click the Windows Vista Start button, click All Programs, and click Windows Vista Security Guide.
  3. Open the GPOAccelerator Tool\Security Group Policy Objects folder.
  4. Right-click the Command-line Here.cmd file, and then click Run as administrator to open a command prompt with full domain administrative privileges.

    Note   If prompted for logon credentials, type your user name and password, and then press ENTER.

  5. Switch to the GPOAccelerator Tool\Security Group Policy Objects folder.
  6. At the command prompt, type cscript GPOAccelerator.wsf /SSLF, and then press ENTER.
  7. In the Click Yes to continue,or No to exit the script message box, click Yes.

    Note   This step can take several minutes.

  8. In The SSLF GPOs are created message box, click OK.
  9. In the Make sure to link the SSLF GPOs to the appropriate OUs message box, click OK.
Task 2: Use the GPMC to Check Your Results

You can use the GPMC to ensure that the script has successfully created all of the GPOs. The following procedure describes how to use the GPMC on a client computer running Windows Vista to verify the GPOs that the GPOAccelerator.wsf script creates for you.

To verify the results of the GPOAccelerator.wsf script

  1. Click the Windows Vista Start button, click All Programs, click Accessories, and then click Run.
  2. In the Open text box, type gpmc.msc and then click OK.
  3. Click the appropriate forest, click Domains, and then click your domain.
  4. Click and expand the Group Policy Objects, and then verify that the four VSG SSLF GPOs match those in the following figure.

    Figure 5.2 The GPMC view of the SSLF GPOs that the GPOAccelerator.wsf script creates

You can now use GPMC to link each GPO to the appropriate OU. The final task in this process explains how to do this.

The following procedure describes how to use the GPMC on a client computer running Windows Vista to accomplish this task.

To link the GPOs in a production environment

  • Click the Windows Vista Start button, click All Programs, click Accessories, and then click Run.
  • In the Open text box, type gpmc.msc and then click OK.
  • Under the Domains tree, right-click the domain and then click Link an existing GPO.
  • In the Select GPO dialog box, click the VSG SSLF Domain Policy GPO, and then click OK.
  • In the details pane, select the VSG SSLF Domain Policy and click the Move link to top button.

    Important   Ensure that the VSG SSLF Domain Policy has its Link Order set to 1. Failure to do this will cause other GPOs linked to the domain, such as the Default Domain Policy GPO, to overwrite the Windows Vista Security Guide settings.

  • Right-click the Windows Vista Users OU node, and then click Link an existing GPO.
  • In the Select GPO dialog box, click the VSG SSLF Users Policy GPO, and then click OK.
  • Right-click the Desktop OU node, and then click Link an existing GPO.
  • In the Select GPO dialog box, click the VSG SSLF Desktop Policy GPO, and then click OK.
  • Right-click the Laptop OU node, and then click Link an existing GPO.
  • In the Select GPO dialog box, click the VSG SSLF Laptop Policy GPO, and then click OK.
  • Repeat these steps for any additional user or computer OUs that you created to link these additional OUs to the appropriate GPOs.

Note   You also can drag a GPO from under the Group Policy Objects node to an OU. However, you can only perform this drag-and-drop operation within the same domain.

To confirm the GPO linkages using the GPMC

  • Expand the Group Policy Objects node, select the GPO, then in the details pane, click the Scope tab and note the information in the Link Enabled and Path columns.

– Or –

  • Select the OU, and then in the details pane, click the Linked Group Policy Objects tab and note the information in the Link Enabled and GPO columns.

Note   You can use the GPMC to unlink the GPOs and, optionally, delete them. Then use the GPMC, or the Active Directory Users and Computers console, to delete any OUs that you no longer need. To completely undo all Active Directory modifications made by the GPOAccelerator.wsf script, you must manually delete the SSLF-VSGAuditPolicy.cmd file, the SSLF-ApplyAuditPolicy.cmd, and the SSLF-AuditPolicy.txt file from the NETLOGON share of one of your domain controllers. For additional details on these files, refer to the Audit Policy section in Appendix A, "Security Group Policy Settings."

All of the GPOs that the GPOAccelerator.wsf script creates are fully populated with the settings that this guide prescribes. You can now use the Active Directory Users and Computers tool to test the design by moving users and computers into their respective OUs. For details about the settings contained in each GPO, see Appendix A, "Security Group Policy Settings."

Migrating GPOs to a Different Domain (Optional)

If you have modified the GPOs in this solution, or you have created your own GPOs and you want to use them across more than one domain, you will need to migrate the GPOs. Migrating a GPO that works in one domain to another domain requires some planning, but the basic procedure is fairly straightforward. There are two important data aspects of GPOs to consider during the planning process:

  • Complex data. The data that comprises a GPO is complex and it is stored in multiple locations. Using the GPMC to migrate a GPO ensures that all relevant data is properly migrated.
  • Domain-specific data. Some data in the GPO can be domain-specific and may be invalid if you copy it directly to another domain. To solve this, the GPMC uses migration tables that allow you to update domain-specific data in a GPO to new values as part of the migration process. You only need to do this if the GPO contains security identifier (SIDs), or Universal Naming Convention (UNC) paths that are specific to a domain.

More information on GPO migration appears in the GPMC Help. The "Migrating GPOs Across Domains with GPMC" white paper also provides additional information on migrating GPOs between domains.


Top Of Page Top of page

The GPOAccelerator Tool

The tools and templates that accompany this guide include scripts and Security Templates. This section provides background information about these resources. The key tool that runs the core script for this security guidance is GPOAccelerator.wsf, which is located in the Windows Vista Security Guide\GPOAccelerator Tool\Security Group Policy Objects folder. This section includes information about how to modify the GPMC to view GPO settings, and the subdirectory structure and types of files that accompany this guide. The Windows Vista Security Guide Settings.xls file that also accompanies this guide provides another resource that you can use to compare setting values.

GPMC and SCE Extensions

The solution presented in this guide uses GPO settings that do not display in the standard user interface (UI) for the GPMC in Windows Vista or the Security Configuration Editor (SCE) tool. These settings, which are all prefixed with MSS:, were developed by the Microsoft Solutions for Security group for previous security guidance.

Important   The SCE extensions, and the GPOAccelerator.wsf script, are designed for you to run them from a Windows Vista-based computer. These tools will not work correctly if you attempt to run them from a computer using Windows XP or Windows Server 2003.

For this reason, you need to extend these tools so that you can view the security settings and edit them as required. To accomplish this, the GPOAccelerator.wsf script automatically updates your computer while it creates the GPOs. If you want to administer the Windows Vista Security Guide GPOs from another computer running Windows Vista, use the following procedure to update the SCE on that computer.

To modify the SCE to display MSS settings

  1. Ensure that you have met the following prerequisites:

    • The computer you are using is joined to the domain using Active Directory where the GPOs have been created.
    • The Windows Vista Security Guide GPOAccelerator Tool directory is installed.

    Note   You can also simply copy the GPOAccelerator Tool directory from a computer on which you have installed the directory to another computer that you want to use to run the script. The GPOAccelerator Tool folder and subfolders for it must be present on the local computer for the script to run as described in this procedure.

  2. Log on to the computer as an administrator.
  3. On the desktop, click the Windows Vista Start button, click All Programs, and click Windows Vista Security Guide.
  4. Open the GPOAccelerator Tool\Security Group Policy Objects folder.
  5. Right-click the Command-line Here.cmd file, and then click Run as administrator to open a command prompt with full administrative privileges.

    Note   If prompted for logon credentials, type your user name, password, and press ENTER.

  6. At the command prompt, type cscript GPOAccelerator.wsf /ConfigSCE and then press ENTER.
  7. In the Click Yes to continue,or No to exit the script message box, click Yes.
  8. In The Security Configuration Editor is updated message box, click OK.

Important   This script only modifies the SCE to display MSS settings; it does not create GPOs or OUs.

The following procedure removes the additional MSS security settings, and then resets the SCE tool to the default settings in Windows Vista.

To reset the SCE tool to the default settings in Windows Vista

  1. Log on to the computer as an administrator.
  2. On the desktop, click the Windows Vista Start button, click All Programs, and click Windows Vista Security Guide.
  3. Open the GPOAccelerator Tool\Security Group Policy Objects folder.
  4. Right-click the Command-line Here.cmd file, and then click Run as administrator to open a command prompt with full administrative privileges.

    Note   If prompted for logon credentials, type your user name and password, and then press ENTER.

  5. At the command prompt, type cscript GPOAccelerator.wsf /ResetSCE and then press ENTER.
  6. In the Click Yes to continue,or No to exit the script message box, click Yes.

    Note   Completing this procedure reverts the Security Configuration Editor on your computer to the default settings in Windows Vista. Any settings added to the default Security Configuration Editor will be removed. This will only affect the ability to view the settings with the Security Configuration Editor. Configured Group Policy settings remain in place.

  7. In The Security Configuration Editor is updated message box, click OK.

Previous Security Settings

Security Templates are provided so that if you want to build your own policies, rather than use or modify the policies supplied with this guide, you can import the relevant security settings. Security Templates are text files that contain security setting values. They are subcomponents of the GPOs. You can modify the policy settings that are contained in the Security Templates in the MMC Group Policy Object Editor snap-in. Unlike previous versions of the Windows operating system, Windows Vista does not come with predefined Security Templates, although you can still use the existing Security Templates as required.

Security Templates are included in the Windows Installer (.msi) file that accompanies this guide. The following templates for the EC environment are located in the GPOAccelerator Tool\Security Templates folder:

  • VSG SSLF Desktop.inf
  • VSG SSLF Domain.inf
  • VSG SSLF Laptop.inf

Important   You do not need to use the Security Templates to deploy the solution described in this guide. The templates provide an alternative to the GPMC-based solution, and only cover computer security settings that appear under Computer Configuration\Windows Settings\Security Settings. For example, you cannot manage Internet Explorer or Windows Firewall settings in the GPOs using a Security Template, and user settings are not included.

Using Security Templates

If you want to use the Security Templates you must first extend the SCE so that the custom MSS security settings display in the UI. See the procedure in the previous "GPMC and SCE Extensions" section in this chapter for details. When you can view the templates, you can use the following procedure to import them into the GPOs that you have created as needed.

To import a Security Template into a GPO

  1. Open the Group Policy Object Editor for the GPO you want to modify; to do this in the GPMC, right-click the GPO, and then click Edit.
  2. In the Group Policy Object Editor, browse to the Windows Settings folder.
  3. Expand the Windows Settings folder, and then select Security Settings.
  4. Right-click the Security Settings folder, and then click Import Policy.
  5. Browse to the Security Templates folder in the Windows Vista Security Guide folder.
  6. Select the Security Template that you want to import, and then click Open.

    The result of the last step in this procedure imports the settings from the file into the GPO.

You can also use the Security Templates supplied with this guide to modify the local security policy on stand-alone client computers running Windows Vista. The GPOAccelerator.wsf script simplifies the process to apply the templates.

To apply the Security Templates to create local Group Policy on a stand-alone client computer running Windows Vista

  1. Log on as an administrator to a computer running Windows Vista.
  2. On the desktop, click the Windows Vista Start button, click All Programs, and click Windows Vista Security Guide.
  3. Open the GPOAccelerator Tool\Security Group Policy Objects folder.
  4. Right-click the Command-line Here.cmd file, and then click Run as administrator to open a command prompt with full administrative privileges.

    Note   If prompted for logon credentials, type your user name and password, and then press ENTER.

  5. At the command prompt, type cscript GPOAccelerator.wsf /SSLF /Desktop or cscript GPOAccelerator.wsf /SSLF /Laptop and then press ENTER.

    Completing this procedure modifies the local security policy settings using the values in the Security Templates for the EC environment.

To restore local Group Policy to the default settings in Windows Vista

  1. Log on as an administrator to a client computer running Windows Vista.
  2. On the desktop, click the Windows Vista Start button, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

    Note   If prompted for logon credentials, type your user name and password, and press ENTER.

  3. Switch to the GPOAccelerator Tool\Security Group Policy Objects folder.
  4. At the command prompt, type cscript GPOAccelerator.wsf /Restore, and then press ENTER.

    Completing this procedure restores the local security policy settings to their default values in Windows Vista.


Top Of Page Top of page

More Information

The following links provide additional information about Windows Vista security-related topics.


Top Of Page Top of page