Windows Vista Security Guide

Chapter 1: Implementing the Security Baseline

Windows Vista™ is the most secure operating system that Microsoft has produced to date. However, you may need to make specific configuration changes to meet the network requirements of your environment. The purpose of this chapter is to demonstrate how relatively easy it is to configure security settings to harden client computers running the default operating system that are joined to a domain using the Active Directory® directory service.

This chapter provides a simple set of procedures to implement prescribed security settings to enhance the default security of the operating system. The streamlined procedures in this chapter offer a fast and efficient means for you to harden the Windows Vista–based client computers in your environment.

You can now harden the default operating system using only Group Policy objects (GPOs). Previous guidance from Microsoft required importing Security Template .inf files and extensive manual modification of the Administrative Templates portion of several GPOs. Working with these files and templates is no longer necessary. However, the Security Template .inf files still accompany this guide so that you can use them to harden stand-alone client computers. All of the recommended Group Policy settings are documented in Appendix A, "Security Group Policy Settings."

To deploy this guidance, you need to:

  • Create an organizational unit (OU) structure for your environment.
  • Run the GPOAccelerator.wsf script that accompanies this guide.
  • Use the Group Policy Management Console (GPMC) to link and manage the GPOs.

Warning   It is essential to thoroughly test your OU and GPO designs before deploying them in a production environment. The "Implementing the Security Policies" section in this chapter provides procedural details you can use to create and deploy the OU structure and security GPOs during both the test and production phases of the implementation.

The baseline GPOs that accompany this guide provide a combination of tested settings that enhance security for client computers running Windows Vista in the following two distinct environments:

  • Enterprise Client (EC)
  • Specialized Security – Limited Functionality (SSLF)

This chapter is concerned with the EC environment. For an explanation of the SSLF environment and the process to apply the security settings that are specific to it, see Chapter 5, "Specialized Security – Limited Functionality."


Enterprise Client Environment

The Enterprise Client (EC) environment referred to in this chapter consists of a domain using Active Directory® directory service in which computers running Microsoft® Windows Server® 2003 R2 or Windows Server 2003 with Service Pack 1 (SP1) and Active Directory manage client computers that can run either Windows Vista or Windows XP®. The client computers are managed in this environment through Group Policy, which is applied to sites, domains, and OUs. Group Policy provides a centralized infrastructure within Active Directory that enables directory-based change and configuration management of user and computer settings, including security and user data.


Security Design and Implementation

The security design that this chapter recommends forms the starting point for the scenarios in this guide, as well as the mitigation suggestions for the scenarios. The following sections in this chapter detail the guide's core security design, and provide procedures to test and implement the design for computers running Windows Vista:

  • OU Design for Security Policies
  • GPO Design for Security Policies
  • Implementing the Security Policies

OU Design for Security Policies

An OU is a container within a domain that uses Active Directory. An OU may contain users, groups, computers, and other OUs. If an OU contains other OUs, it is a parent OU. An OU within a parent OU is a child OU.

You can link a GPO to an OU, which will then apply the GPO's settings to the users and computers that are contained in that OU and its child OUs. And to facilitate administration, you can delegate administrative authority to each OU.

OUs provide an easy way to group users and computers and an effective way to segment administrative boundaries. Microsoft recommends that organizations assign users and computers to separate OUs, because some settings only apply to users and other settings only apply to computers.

You can delegate control over a group or an individual OU by using the Delegation Wizard in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in tool. See the "More Information" section at the end of this chapter for links to documentation about how to delegate authority.

One of the primary goals of an OU design for any environment is to provide a foundation for a seamless Group Policy implementation that applies to all client computers in Active Directory. This ensures that the client computers meet the security standards of your organization. The OU design must also provide an adequate structure to accommodate security settings for specific types of users in an organization. For example, developers may require access to their computers that average users do not. Also, laptop users may have different security requirements than desktop users. The following figure illustrates a simple OU structure that is sufficient for the Group Policy discussion in this chapter. The OU structure may differ from the requirements for your organization's environment.

Figure 1.1 Example OU structure for computers running Windows Vista

Department OU

Because security requirements often vary within an organization, it may make sense to create department OUs in your environment. You can use these OUs to apply security settings through a GPO to the computers and users in their respective departments.

Windows Vista Users OU

This OU contains the user accounts for the EC environment. The settings that you apply to this OU are described in detail in Appendix A, "Security Group Policy Settings."

Windows Vista Computers OU

This OU contains child OUs for each type of client computer running Windows Vista in the EC environment. This guide focuses on security guidance for desktop and laptop computers. For this reason, the engineers for this guide created the following computer OUs:

  • Desktop OU. This OU contains desktop computers that constantly remain connected to the network. The settings that are applied to this OU are described in detail in Appendix A, "Security Group Policy Settings."
  • Laptop OU. This OU contains laptop computers for mobile users that are not always connected to the network. Appendix A also provides details about the settings that apply to this OU.

GPO Design for Security Policies

A GPO is a collection of Group Policy settings that are essentially the files created by the Group Policy snap-in. The settings are stored at the domain level and affect users and computers contained in sites, domains, and OUs.

You can use GPOs to ensure that specific policy settings, user rights, and computer behavior apply to all client computers or users in an OU. Using Group Policy instead of a manual configuration process makes it simple to manage and update changes for many computers and users. Manual configuration is not only inefficient, because it requires a technician to visit each client computer, but it is also potentially ineffective. This is primarily because if the policy settings in domain-based GPOs are different than those applied locally, the domain-based GPO policy settings will overwrite the locally applied policy settings.

Figure 1.2 GPO order of precedence

The previous figure shows the order of precedence in which GPOs are applied to a computer that is a member of the Child OU, from the lowest order (1) to the highest order (5). Group Policy is applied first from the local security policy of each client computer running Windows Vista. After the local security policy is applied, GPOs are next applied at the site level, and then at the domain level.

For Windows Vista–based client computers that are nested in several OU layers, GPOs are applied in order from the parent OU level in the hierarchy to the lowest child OU level. The final GPO is applied from the OU that contains the client computer. This order of GPO processing for Group Policy—local security policy, site, domain, parent OU, and child OU—is significant because GPOs that are applied later in the process will overwrite those applied earlier. User GPOs are applied in the same manner.

The following considerations apply when you design Group Policy:

  • An administrator must set the order in which you link multiple GPOs to an OU, or Group Policy will be applied by default in the order it was linked to the OU. If the same setting is configured in multiple policies, the policy that is highest on the policy list for the container will take precedence.

  • You may configure a GPO with the Enforced option. If you select this option, other GPOs cannot override the settings that are configured in this GPO.

    Note   In Windows 2000, the Enforced option is referred to as the No Override option.

  • You may configure an Active Directory, site, domain, or OU with the Block policy inheritance option. This option blocks GPO settings from GPOs that are higher in the Active Directory hierarchy unless they have the Enforced option selected. In other words, the Enforced option has precedence over the Block policy inheritance option.

  • Group Policy settings apply to users and computers, and are based on where the user or computer object is located in Active Directory. In some cases, user objects may need policy applied to them based on the location of the computer object, not the location of the user object. The Group Policy loopback feature gives the administrator the ability to apply user Group Policy settings based on which computer the user is logged on to. The "Loopback Processing of Group Policy" article provides more information about this option.

Implementing the OU design described above requires a minimum of four GPOs:

  • A policy for the domain
  • A policy for the Windows Vista Users OU
  • A policy for the Desktop OU
  • A policy for the Laptop OU

The following figure expands on the preliminary OU structure to show the linkage between these GPOs and the OU design.

Figure 1.3 Example OU structure and GPO links for computers running Windows Vista

In the example in Figure 1.3, laptop computers are members of the Laptop OU. The first policy that is applied is the local security policy on the laptop computers. Because there is only one site in this example, no GPO is applied at the site level, which leaves the Domain GPO as the next policy that is applied. Finally, the Laptop GPO is applied.

Note   The Desktop Policy is not applied to any laptops because it is not linked to any OUs in the hierarchy that contains the Laptop OU.

As a precedence example, consider a scenario in which the policy setting for Allow logon through Terminal Services is set to apply to the following OUs and user groups:

  • Windows Vista Computers OU – Administrators group
  • Laptop OU – Remote Desktop Users and Administrators groups

In this example, a user whose account is in the Remote Desktop Users group can log on to a laptop through Terminal Services because the Laptop OU is a child of the Windows Vista Computers OU and the child policy takes precedence.

If you enable the No Override policy option in the GPO for the Windows Vista Computers OU, only users with accounts in the Administrators group can log on to the laptop computer through Terminal Services. This is because the No Override option prevents the child OU policy from overwriting the policy applied earlier in the process.
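The precedence rules above (processing order, Link Order, Enforced and Block policy inheritance), modelled as a small Python simulation. This is an added example, not code from the guide or the GPOAccelerator tool; the GPO, Link and Container classes, the "Windows Vista Computers Policy" GPO and all setting values are constructed for illustration, and the scenario reproduces the Terminal Services example from the text.

```python
"""Model of the Group Policy precedence rules described in this chapter.

Processing order is local policy, site, domain, then OUs from parent to
child; a GPO applied later overwrites the same setting from one applied
earlier. Within one container, Link Order 1 is applied last and so takes
precedence. Block policy inheritance drops every non-Enforced GPO linked
above that container. Enforced GPOs are applied after all others, so no
later container can override them, and Enforced beats Block inheritance.
"""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict  # setting name -> configured value


@dataclass
class Link:
    gpo: GPO
    enforced: bool = False  # the Enforced / No Override option on the link


@dataclass
class Container:
    """A site, domain or OU. ``links`` is in GPMC Link Order: index 0 is
    Link Order 1, the top of the list, which wins within the container."""
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def application_order(chain):
    """Return the GPOs in the order they are applied to a computer.

    ``chain`` runs from the top of the hierarchy (site, then domain) down to
    the OU that directly contains the computer object.
    """
    # Deepest container that blocks inheritance: non-Enforced links from the
    # containers above it never reach the computer.
    blocked_above = max(
        (i for i, c in enumerate(chain) if c.block_inheritance), default=-1)

    normal, enforced = [], []
    for depth, container in enumerate(chain):
        # Reverse the list so Link Order 1 is applied last and wins.
        for link in reversed(container.links):
            if link.enforced:
                enforced.append((depth, link.gpo))
            elif depth >= blocked_above:
                normal.append(link.gpo)

    # Enforced GPOs come after everything else; the one highest in the
    # hierarchy is applied last, so an Enforced child link cannot beat it.
    # sort() is stable, so reversed link order within a container survives.
    enforced.sort(key=lambda pair: pair[0], reverse=True)
    return normal + [gpo for _, gpo in enforced]


def effective_settings(local_policy, chain):
    """Resolve the settings in force on the computer after all GPOs apply."""
    result = dict(local_policy)
    for gpo in application_order(chain):
        result.update(gpo.settings)
    return result


# Constructed scenario mirroring Figure 1.3 and the Terminal Services
# precedence example from the text. Setting values are stand-ins.
TS = "Allow logon through Terminal Services"


def laptop_chain(enforce_computers_ou=False):
    """Hierarchy seen by a laptop: one site with no GPO, the domain, then
    the Windows Vista Computers OU and its child Laptop OU."""
    domain_gpo = GPO("VSG EC Domain Policy", {"MinimumPasswordLength": 12})
    default_domain = GPO("Default Domain Policy", {"MinimumPasswordLength": 7})
    computers_gpo = GPO("Windows Vista Computers Policy",
                        {TS: {"Administrators"}})
    laptop_gpo = GPO("VSG EC Laptop Policy",
                     {TS: {"Remote Desktop Users", "Administrators"}})
    return [
        Container("Site"),
        # VSG EC Domain Policy at Link Order 1, as the chapter requires.
        Container("Domain", [Link(domain_gpo), Link(default_domain)]),
        Container("Windows Vista Computers OU",
                  [Link(computers_gpo, enforced=enforce_computers_ou)]),
        Container("Laptop OU", [Link(laptop_gpo)]),
    ]


if __name__ == "__main__":
    local = {TS: {"Administrators"}, "MinimumPasswordLength": 0}
    for enforce in (False, True):
        chain = laptop_chain(enforce)
        print("Enforced on Windows Vista Computers OU:", enforce)
        print("  order:", [g.name for g in application_order(chain)])
        print("  TS   :", sorted(effective_settings(local, chain)[TS]))
```

Setting block_inheritance on the Laptop OU container shows the other rule from the text: the domain GPOs disappear, but an Enforced parent link still applies.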

Implementing the Security Policies

Implementing the security design for the two environments described in this guide requires you to use the Group Policy Management Console (GPMC), and GPMC-based scripts. GPMC is integrated into the Windows Vista operating system, so you do not have to download and install the console each time you need to manage GPOs on a different computer. Unlike security guidance for previous Windows operating systems, the prescriptive guidance in this guide for Windows Vista greatly automates the process to test and implement the security design for the EC environment. This guidance has been developed and tested to provide you with the most efficient process possible to reduce overhead associated with the implementation process.

Important   You must perform all of the procedures in this guide on a client computer running Windows Vista that is joined to a domain using Active Directory. In addition, the user who performs the procedures must have Domain Administrator privileges. If you use the Microsoft Windows® XP or Windows Server® 2003 operating systems, the Windows Vista–specific security settings will not be visible in the GPMC.

To implement the security design, there are three key tasks to complete:

  1. Create the EC environment.
  2. Use the GPMC to link the VSG EC domain policy to the domain.
  3. Use the GPMC to check your results.

This section of the chapter describes these tasks and procedures and the functionality of the GPOAccelerator.wsf script, which automatically creates the prescribed GPOs.

The GPOAccelerator.wsf Script

The key tool that the Windows Vista Security Guide.msi file installs for you is the GPOAccelerator.wsf script. The main feature of this script is that it automatically creates all the GPOs you need to apply this guidance. You do not need to spend a lot of time manually editing policy settings and applying templates. For the client computers in the EC environment, the script creates the following four GPOs:

  • VSG EC Domain Policy for the domain.
  • VSG EC Users Policy for users.
  • VSG EC Desktop Policy for desktop computers.
  • VSG EC Laptop Policy for laptop computers.

Important   To successfully implement the security design in this guide for the EC environment, ensure that you thoroughly test the design before deploying it in your production environment.

Use the GPOAccelerator.wsf script to:

  • Test the design in a lab environment. In your test environment, use the GPOAccelerator.wsf script to create an OU structure, create the GPOs, and then automatically link the GPOs to the OUs. After you complete the test phase of the implementation, you can use the script in your production environment.
  • Deploy the design in a production environment. When you start working in your production environment to implement the solution, you must first create a suitable OU structure or modify an existing set of OUs. You can then use the GPOAccelerator.wsf script to create the GPOs, and then link the newly created GPOs to the appropriate OUs in your environment.

Test the Design in a Lab Environment

The GPOs provided with this guide have been thoroughly tested. However, it is important to perform your own testing in your own environment. To save time, you can use the GPOAccelerator.wsf script to create the prescribed GPOs and the recommended OU structure, and then automatically link the GPOs to the OUs.

Task 1: Create the EC Environment

The GPOAccelerator.wsf script is located in the Windows Vista Security Guide\GPOAccelerator Tool folder that the Microsoft Windows Installer (.msi) file creates.

Note   The GPOAccelerator Tool folder and subfolders for it must be present on the local computer for the script to run as described in the following procedure.

To create the GPOs and link them to the appropriate OUs in a lab environment

  1. Log on as a domain administrator to a computer running Windows Vista that is joined to the domain using Active Directory in which you will create the GPOs.

  2. On the desktop, click the Windows Vista Start button, click All Programs, and then click Windows Vista Security Guide.

  3. Open the GPOAccelerator Tool\Security Group Policy Objects folder.

  4. Right-click the Command-line Here.cmd file, and then click Run as administrator to open a command prompt with full domain administrative privileges.

    Note   If prompted for logon credentials, type your user name and password, and then press ENTER.

  5. At the command prompt, type cscript GPOAccelerator.wsf /Enterprise /LAB and then press ENTER.

  6. In the Click Yes to continue, or No to exit the script message box, click Yes.

    Note   This step can take several minutes.

  7. In The Enterprise Lab Environment is created message box, click OK.

  8. In the Make sure to link the Enterprise Domain GPO to your domain message box, click OK, and then complete the steps in the next task to link the VSG EC Domain Policy.

    Note   The domain-level Group Policy includes settings that apply to all computers and users in the domain. It is important to be able to decide when to link the domain GPO, because this GPO applies to all users and computers. For this reason, the GPOAccelerator.wsf script does not automatically link the domain GPO to the domain.

Task 2: Use the GPMC to Link the VSG EC Domain Policy to the Domain

You are now ready to link the domain GPO to the domain. The following instructions describe how to use the GPMC on a client computer running Windows Vista to link the VSG EC Domain Policy to the domain.

To link the VSG EC Domain Policy

  1. Click the Windows Vista Start button, click All Programs, click Accessories, and then click Run. (Or press the Windows logo key+R.)
  2. In the Open text box, type gpmc.msc and then click OK.
  3. Under the Domains tree, right-click the domain and then click Link an existing GPO.
  4. In the Select GPO dialog box, click the VSG EC Domain Policy GPO, and then click OK.
  5. In the details pane, select the VSG EC Domain Policy and click the Move link to top button.

Important   Ensure that the VSG EC Domain Policy has its Link Order set to 1. Failure to do this will cause other GPOs linked to the domain, such as the Default Domain Policy GPO, to overwrite the Windows Vista Security Guide settings.

Task 3: Use the GPMC to Check Your Results

You can use the GPMC to check the results of the script. The following procedure describes how to use the GPMC on a client computer running Windows Vista to verify the GPOs and OU structure that the GPOAccelerator.wsf script creates for you.

To verify the results of the GPOAccelerator.wsf script

  1. Click the Windows Vista Start button, click All Programs, click Accessories, and then click Run.
  2. In the Open text box, type gpmc.msc and then click OK.
  3. Click the appropriate forest, click Domains, and then click your domain.
  4. Click and expand the Vista Security Guide EC Client OU, and then click each of the five OUs below it to open them.
  5. Verify that your OU structure and GPO links match the following figure.

Figure 1.4 The GPMC view of the OU structure and GPO links that the GPOAccelerator.wsf script creates

All of the GPOs that the GPOAccelerator.wsf script creates are fully populated with the settings that this guide prescribes. You can now use the Active Directory Users and Computers tool to test the design by moving users and computers into their respective OUs. For details about the settings contained in each GPO, see Appendix A, "Security Group Policy Settings."

Deploy the Design in a Production Environment

To save time, you can use the GPOAccelerator.wsf script to create the GPOs for the EC environment. Then you can link the GPOs to the appropriate OUs in your existing structure. In larger domains with large numbers of OUs, you will need to consider how to use your existing OU structure to deploy the GPOs.

If possible, you should keep computer OUs distinct from user OUs. Laptop and desktop computers also should be organized in their own OUs. If such a structure is not possible in your environment, you may need to modify the GPOs. You can use the settings reference in Appendix A, "Security Group Policy Settings" to help you decide what modifications may be necessary.

Note   As discussed in the previous section, you can use the GPOAccelerator.wsf script with the /LAB option in a test environment to create the sample OU structure. However, environments with a flexible OU structure can also use the option in a production environment to create a basic OU structure, and automatically link the GPOs. Then you can manually modify the OU structure to meet the requirements of your environment.

Task 1: Create the GPOs

You create the EC GPOs described in this guide using the GPOAccelerator.wsf script. The GPOAccelerator.wsf script is located in the Windows Vista Security Guide\GPOAccelerator Tool folder that the Microsoft Windows Installer (.msi) file creates for you.

Note   You can also simply copy the GPOAccelerator Tool directory from a computer where the directory is installed to another computer that you want to use to run the script. The GPOAccelerator Tool folder and subfolders for it must be present on the local computer for the script to run as described in the following procedure.

To create the GPOs in a production environment

  1. Log on as a domain administrator to a computer running Windows Vista that is joined to the domain using Active Directory in which you will create the GPOs.

  2. On the desktop, click the Windows Vista Start button, click All Programs, and click Windows Vista Security Guide.

  3. Open the GPOAccelerator Tool\Security Group Policy Objects folder.

  4. Right-click the Command-line Here.cmd file, and then click Run as administrator to open a command prompt with full domain administrative privileges.

    Note   If prompted for logon credentials, type your user name and password, and then press ENTER.

  5. At the command prompt, type cscript GPOAccelerator.wsf /Enterprise and then press ENTER.

  6. In the Click Yes to continue, or No to exit the script message box, click Yes.

    Note   This step can take several minutes.

  7. In The Enterprise GPOs are created message box, click OK.

  8. In the Make sure to link the Enterprise GPOs to the appropriate OUs message box, click OK.

Task 2: Use the GPMC to Check Your Results

You can use the GPMC to ensure that the script has successfully created all of the GPOs. The following procedure describes how to use the GPMC on a client computer running Windows Vista to verify the GPOs that the GPOAccelerator.wsf script creates.

To verify the results of the GPOAccelerator.wsf script

  1. Click the Windows Vista Start button, click All Programs, click Accessories, and then click Run.
  2. In the Open text box, type gpmc.msc and then click OK.
  3. Click the appropriate forest, click Domains, and then click your domain.
  4. Click and expand the Group Policy Objects node, and then verify that the four VSG EC GPOs have been created as listed in the following figure.

Figure 1.5 The GPMC view of the EC GPOs that the GPOAccelerator.wsf script creates

You can now use GPMC to link each GPO to the appropriate OU. The final task in this process explains how to do this.

The following procedure describes how to use the GPMC on a client computer running Windows Vista to accomplish this task.

To link the GPOs in a production environment

  1. Click the Windows Vista Start button, click All Programs, click Accessories, and then click Run.

  2. In the Open text box, type gpmc.msc and then click OK.

  3. Under the Domains tree, right-click the domain and then click Link an existing GPO.

  4. In the Select GPO dialog box, click the VSG EC Domain Policy GPO, and then click OK.

  5. In the details pane, select the VSG EC Domain Policy and click the Move link to top button.

    Important   Ensure that the VSG EC Domain Policy has its Link Order set to 1. Failure to do this will cause other GPOs linked to the domain, such as the Default Domain Policy GPO, to overwrite the Windows Vista Security Guide settings.

  6. Right-click the Windows Vista Users OU node, and then choose the Link an existing GPO option.

  7. In the Select GPO dialog box, click the VSG EC Users Policy GPO, and then click OK.

  8. Right-click the Desktop OU node, and then choose the Link an existing GPO option.

  9. In the Select GPO dialog box, click the VSG EC Desktop Policy GPO, and then click OK.

  10. Right-click the Laptop OU node, and then choose the Link an existing GPO option.

  11. In the Select GPO dialog box, click the VSG EC Laptop Policy GPO, and then click OK.

  12. Repeat these steps for any additional user or computer OUs that you created to link these additional OUs to the appropriate GPOs.

Note   You also can drag a GPO from under the Group Policy Objects node to an OU. However, you can only perform this drag-and-drop operation within the same domain.

To confirm the GPO linkages using the GPMC

  • Expand the Group Policy Objects node, select the GPO, then in the details pane, click the Scope tab and note the information in the Link Enabled and Path columns.

– Or –

  • Select the OU, and then in the details pane, click the Linked Group Policy Objects tab and note the information in the Link Enabled and GPO columns.

Note   You can use the GPMC to unlink the GPOs and, optionally, delete them. Then use the GPMC, or the Active Directory Users and Computers console, to delete any OUs that you no longer need. To completely undo all Active Directory modifications made by the GPOAccelerator.wsf script, you must also manually delete the EC-VSGAuditPolicy.cmd, EC-ApplyAuditPolicy.cmd, and EC-AuditPolicy.txt files from the NETLOGON share of one of your domain controllers. For additional details on how to completely remove the implementation of the Audit policy, refer to the "Audit Policy" section in Appendix A, "Security Group Policy Settings."

All of the GPOs that the GPOAccelerator.wsf script creates are fully populated with the settings that this guide prescribes. You can now use the Active Directory Users and Computers tool to test the design by moving users and computers into their respective OUs. For details about the settings contained in each GPO, see Appendix A, "Security Group Policy Settings."

Migrating GPOs to a Different Domain (Optional)

If you have modified the GPOs in this solution, or you have created your own GPOs and you want to use them across more than one domain, you will need to migrate the GPOs. Migrating a GPO that works in one domain to another domain requires some planning, but the basic procedure is fairly straightforward. There are two important data aspects of GPOs to consider during the planning process:

  • Complex data. The data that comprises a GPO is complex and it is stored in multiple locations. Using the GPMC to migrate a GPO ensures that all relevant data is properly migrated.
  • Domain-specific data. Some data in the GPO can be domain-specific and may be invalid if you copy it directly to another domain. To solve this, the GPMC uses migration tables that allow you to update domain-specific data in a GPO to new values as part of the migration process. You only need to do this if the GPO contains security identifiers (SIDs) or Universal Naming Convention (UNC) paths that are specific to a domain.

More information about GPO migration appears in the GPMC Help. The "Migrating GPOs Across Domains with GPMC" white paper also provides additional information about migrating GPOs between domains.


The GPOAccelerator Tool

The tools and templates that accompany this guide include scripts and Security Templates. This section provides background information about these resources. The key tool that runs the core script for this security guidance is GPOAccelerator.wsf, which is located in the Windows Vista Security Guide\GPOAccelerator Tool\Security Group Policy Objects folder. This section also includes information about how to modify the GPMC to view GPO settings, and the subdirectory structure and types of files that accompany this guide. The Windows Vista Security Guide Settings.xls file that also accompanies this guide provides another resource that you can use to compare setting values.

GPMC and SCE Extensions

The solution presented in this guide uses GPO settings that do not display in the standard user interface (UI) for the GPMC in Windows Vista or the Security Configuration Editor (SCE) tool. These settings, which are all prefixed with MSS:, were developed by the Microsoft Solutions for Security group for previous security guidance.

Important   The SCE extensions, and the GPOAccelerator.wsf script, are designed for you to run them from a Windows Vista-based computer. These tools will not work correctly if you attempt to run them from a computer using Windows XP or Windows Server 2003.

For this reason, you need to extend these tools so that you can view the security settings and edit them as required. To accomplish this, the GPOAccelerator.wsf script automatically updates your computer while it creates the GPOs. If you want to administer the Windows Vista Security Guide GPOs from another computer running Windows Vista, use the following procedure to update the SCE on that computer.

To modify the SCE to display MSS settings

  1. Ensure that you have met the following prerequisites:
    • The computer is joined to the domain using Active Directory where you created the GPOs.

    • The Windows Vista Security Guide GPOAccelerator Tool directory is installed.

      Note   You can also simply copy the GPOAccelerator Tool directory from a computer on which you have installed the directory to another computer that you want to use to run the script. The GPOAccelerator Tool folder and subfolders for it must be present on the local computer for the script to run as described in this procedure.

  2. Log on to the computer as an administrator.
  3. On the desktop, click the Windows Vista Start button, click All Programs, and click Windows Vista Security Guide.
  4. Open the GPOAccelerator Tool\Security Group Policy Objects folder.
  5. Right-click the Command-line Here.cmd file, and then click Run as administrator to open a command prompt with full administrative privileges.
  6. At the command prompt, type cscript GPOAccelerator.wsf /ConfigSCE and then press ENTER.
  7. In the Click Yes to continue, or No to exit the script message box, click Yes.
  8. In The Security Configuration Editor is updated message box, click OK.

Important   This script only modifies SCE to display MSS settings; it does not create GPOs or OUs.

The following procedure removes the additional MSS security settings, and then resets the SCE tool to the default settings in Windows Vista.

To reset the SCE tool to the default settings in Windows Vista

  1. Log on to the computer as an administrator.

  2. On the desktop, click the Windows Vista Start button, click All Programs, and click Windows Vista Security Guide.

  3. Open the GPOAccelerator Tool\Security Group Policy Objects folder.

  4. Right-click the Command-line Here.cmd file, and then click Run as administrator to open a command prompt with full administrative privileges.

    Note   If prompted for logon credentials, type your user name and password, and then press ENTER.

  5. At the command prompt, type cscript GPOAccelerator.wsf /ResetSCE and then press ENTER.

  6. In the Click Yes to continue, or No to exit the script message box, click Yes.

    Note   Completing this procedure reverts the Security Configuration Editor on your computer to the default settings in Windows Vista. Any settings added to the default Security Configuration Editor will be removed. This will only affect the ability to view the settings with the Security Configuration Editor. Configured Group Policy settings remain in place.

  7. In The Security Configuration Editor is updated message box, click OK.

Previous Security Settings

Security Templates are provided so that if you want to build your own policies, rather than use or modify the policies supplied with this guide, you can import the relevant security settings. Security Templates are text files that contain security setting values. They are subcomponents of the GPOs. You can modify the policy settings that are contained in the Security Templates in the MMC Group Policy Object Editor snap-in. Unlike previous versions of the Windows operating system, Windows Vista does not come with predefined Security Templates, although you can still use the existing Security Templates as required.

Security Templates are included in the Windows Installer (.msi) file that accompanies this guide. The following templates for the EC environment are located in the GPOAccelerator Tool\Security Templates folder:

  • VSG EC Desktop.inf
  • VSG EC Domain.inf
  • VSG EC Laptop.inf

Important   You do not need to use the Security Templates to deploy the solution described in this guide. The templates provide an alternative to the GPMC-based solution, and only cover computer security settings that appear under Computer Configuration\Windows Settings\Security Settings. For example, you cannot manage Internet Explorer or Windows Firewall settings in the GPOs using a Security Template, and user settings are not included.
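To see what a Security Template actually contains before importing it, here is an added Python example (not part of this guide or the GPOAccelerator tool) that parses the standard .inf layout the templates use ([System Access] and [Privilege Rights] entries of the form key = value, and [Registry Values] entries of the form key=type,data) and reports the settings on which two templates differ. The two templates embedded in it are short constructed samples standing in for an EC Desktop and an EC Laptop template, not the guide's own files.

```python
from typing import Dict, Optional, Tuple
# Type codes used in [Registry Values] entries, which have the form key=type,data.
REG_TYPES = {"1": "REG_SZ", "3": "REG_BINARY", "4": "REG_DWORD", "7": "REG_MULTI_SZ"}
# Constructed sample templates (not the guide's files) in Security Template layout.
DESKTOP_INF = r"""
[System Access]
MinimumPasswordLength = 8
[Registry Values]
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
"""
LAPTOP_INF = r"""
[System Access]
MinimumPasswordLength = 12
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544
"""

def parse_template(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {setting: raw value}} from 'key = value' lines under [section]."""
    sections, current = {}, None  # current = the section being read
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # blank lines and ; comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def decode_registry_value(raw: str) -> str:
    """Render a 'type,data' entry with its REG_* name, e.g. '4,1' -> 'REG_DWORD 1'."""
    code, _, data = raw.partition(",")
    return f"{REG_TYPES.get(code, 'type ' + code)} {data}"

def diff_templates(a: str, b: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Differing settings as 'Section\\Key' -> (a value, b value); [Unicode]/[Version] ignored."""
    left, right = parse_template(a), parse_template(b)
    changes: Dict[str, Tuple[Optional[str], Optional[str]]] = {}
    for section in sorted((set(left) | set(right)) - {"Unicode", "Version"}):
        la, lb = left.get(section, {}), right.get(section, {})
        for key in sorted(set(la) | set(lb)):
            if la.get(key) != lb.get(key):
                changes[f"{section}\\{key}"] = (la.get(key), lb.get(key))
    return changes
```

A value of None on one side means the setting is absent from that template, so importing it leaves the GPO's existing value untouched.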

Using Security Templates

If you want to use the Security Templates, you must first extend the SCE so that the custom MSS security settings display in the UI. See the procedure in the previous "GPMC and SCE Extensions" section in this chapter for details. Once the MSS settings are visible, you can use the following procedure to import the templates into the GPOs that you have created, as needed.

To import a Security Template into a GPO

  1. Open the Group Policy Object Editor for the GPO you want to modify; to do this in the GPMC, right-click the GPO, and then click Edit.

  2. In the Group Policy Object Editor, browse to the Windows Settings folder.

  3. Expand the Windows Settings folder, and then select Security Settings.

  4. Right-click the Security Settings folder, and then click Import Policy.

  5. Browse to the Security Templates folder in the Windows Vista Security Guide folder.

  6. Select the Security Template that you want to import, and then click Open.

    Completing the last step imports the settings from the selected template file into the GPO.

You can also use the Security Templates supplied with this guide to modify the local security policy on stand-alone client computers running Windows Vista. The GPOAccelerator.wsf script simplifies the process to apply the templates.

To apply the Security Templates to create local Group Policy on a stand-alone client computer running Windows Vista

  1. Log on as an administrator to a computer running Windows Vista.

  2. On the desktop, click the Windows Vista Start button, click All Programs, and click Windows Vista Security Guide.

  3. Open the GPOAccelerator Tool\Security Group Policy Objects folder.

  4. Right-click the Command-line Here.cmd file, and then click Run as administrator to open a command prompt with full administrative privileges.

    Note   If prompted for logon credentials, type your user name and password, and then press ENTER.

  5. At the command prompt, type cscript GPOAccelerator.wsf /Enterprise /Desktop (for a desktop computer) or cscript GPOAccelerator.wsf /Enterprise /Laptop (for a laptop computer), and then press ENTER.

    Completing this procedure modifies the local security policy settings using the values in the Security Templates for the EC environment.

To restore local Group Policy to the default settings in Windows Vista

  1. Log on as an administrator to a client computer running Windows Vista.

  2. On the desktop, click the Windows Vista Start button, click All Programs, and click Windows Vista Security Guide.

  3. Open the GPOAccelerator Tool\Security Group Policy Objects folder.

  4. Right-click the Command-line Here.cmd file, and then click Run as administrator to open a command prompt with full administrative privileges.

    Note   If prompted for logon credentials, type your user name and password, and then press ENTER.

  5. At the command prompt, type cscript GPOAccelerator.wsf /Restore, and then press ENTER.

    Completing this procedure restores the local security policy settings to their default values in Windows Vista.

Subdirectories and Files

When you run the Windows Installer (.msi) file, it creates the Windows Vista Security Guide\GPOAccelerator Tool folder by default in a location on your computer that you specify. The .msi file creates the following subdirectory structure in the GPOAccelerator Tool folder, as well as the files described in the following table.

Table 1.1 Subdirectories, Files, and Descriptions

Subdirectory\File
    Description

SCE Update\Restore_SCE_to_Default.vbs
    A script that restores SCE to default Windows Vista values.

SCE Update\Sceregvl_Vista.inf.txt
    The default Windows Vista SCEREGVL.INF file that reverts SCE to original values.

SCE Update\Strings-sceregvl.txt
    A text file containing required string values for adding MSS settings to the SCE.

SCE Update\Update_SCE_with_MSS_Regkeys.vbs
    A script that modifies the SCE to include MSS settings.

SCE Update\Sce.reg
    A registry file containing default SCE registry values.

SCE Update\Values-sceregvl.txt
    A text file containing registry values required to display registry settings in the SCE.

Security Group Policy Objects\Command-line here.cmd
    A batch file that opens a command prompt in the path that it starts from.

Security Group Policy Objects\GPOAccelerator.wsf
    The primary tool that runs a script to implement the prescribed guidance.
    Warning   Do not use this script before reading all of the information in this chapter.

GPMCFiles\CreateEnvironmentFromXML.wsf
    The script that creates the GPOs and the OU structure.
    Warning   Do not modify this file.

GPMCFiles\EC-VSG-GPOs.xml
    An XML file that the GPMC uses to create the enterprise GPOs.

GPMCFiles\EC-VSG-GPOs-LAB.xml
    An XML file that the GPMC uses to create the enterprise GPOs and sample OU structure.

GPMCFiles\SSLF-VSG-GPOs.xml
    An XML file that the GPMC uses to create the enterprise GPOs.

GPMCFiles\SSLF-VSG-GPOs-LAB.xml
    An XML file that the GPMC uses to create the SSLF GPOs and the recommended OU structure.

GPMCFiles\EC-VSGAuditPolicy.txt
    A text file used by the detailed audit policy implementation included in this guide.

GPMCFiles\EC-VSGAuditPolicy.cmd
    A command file used by the detailed audit policy implementation included in this guide.

GPMCFiles\EC-VSGApplyAuditPolicy.cmd
    A command file used by the detailed audit policy implementation included in this guide.

GPMCFiles\SSLF-VSGAuditPolicy.txt
    A text file used by the detailed audit policy implementation included in this guide.

GPMCFiles\SSLF-VSGAuditPolicy.cmd
    A command file used by the detailed audit policy implementation included in this guide.

GPMCFiles\SSLF-VSGApplyAuditPolicy.cmd
    A command file used by the detailed audit policy implementation included in this guide.

Security Templates
    The folder that contains the Security Template .inf files that you can use to implement some security settings prescribed in this guide.
    Note   Microsoft recommends using the script included with the guide to create the prescribed GPOs. However, the supplied Security Templates can assist you with securing stand-alone computers.

Security Templates\EC-VSG Desktop.inf
    Enterprise Desktop Security Template

Security Templates\EC-VSG Domain.inf
    Enterprise Domain Security Template

Security Templates\EC-VSG Laptop.inf
    Enterprise Laptop Security Template

Security Templates\SSLF-VSG Desktop.inf
    SSLF Desktop Security Template

Security Templates\SSLF-VSG Domain.inf
    SSLF Domain Security Template

Security Templates\SSLF-VSG Laptop.inf
    SSLF Laptop Security Template

Security Templates\Vista Default Security.cmd
    A command file used as part of restoring the local security policy to the Windows Vista default settings.

Security Templates\Vista Default Security.inf
    A Security Template used as part of restoring the local security policy to the Windows Vista default settings.

Security Templates\Vista Default Security.sdb
    A security database file used as part of restoring the local security policy to the Windows Vista default settings.

Security Templates\Vista Local Security.sdb
    A security database file used when applying the VSG Security Templates to a computer.


More Information

The following links provide additional information about Windows Vista security-related topics:
