MDM & GP Tips Blog

Aug 2011
22

Supercookies.. the ugly snack you can kill using Group Policy

Here’s the deal: You know what cookies are. They’re little text files which save little bits of data about you. Say, the username of your favorite website, when you click "Remember me."

When you clear our your Internet Browser’s cache and cookies (say, in IE, Firefox, Chrome, etc) you wipe these files out.

Poof. Easy.

But what if a website decided to do a handful of "evil things." First, let’s say they read these cookies on your computer. Next, they used these cookies to build a "profile" about you, then store that profile in a secret area that cannot be quickly cleared out.  So, here’s the one-two-three punch:

() Punch #1 — the "profile" part is built so they can target you with ads on things they know you’re searching for. Say, Diapers, Diamonds, or Disinfectants.
() Punch #2 — the normal cookies part isn’t stored in your web browser’s normal cookies location. It’s often stored in the special cache within something you likely have on every desktop: Flash Player.
() Punch #3 (theoretical): Sell your personal / company data to the REAL bad guys.

Ow ow ow ow ow.

So, yes, indeed. Flash Player has a cache that can be used to store data — any kind of data, like personal data.

Hence the term — Supercookies. Because when you "clear cache and cookies" you don’t clear this out.

Great ! Just what we need .. another computer threat !

Okay, so how do you prevent the threat? There are two kinds of people I want to give the answer to: NON-IT folks and IT folks.

 

NON-IT Folks:

This advice will help if you have a handful of computers, because you’ll need to run around to each machine.

Option 1: Control Panel

Go to your Windows Control Panel, type in the word Flash as seen here then click on the Flash icon that appears.

image

 

Then, on each computer change the setting to "Block all sites from storing information on this computer" as seen here.

image

Boom. No more supercookies.

Option 2 (Still for Non-IT folks, but untested.):

There’s a special web page you can go to which should perform the same thing — only it’s a web page, and not your real control panel.  I’ve read that this MIGHT work for some versions, and not for other versions, so I wouldn’t rely on it if you really needed to… but I’m adding it here for completeness. Here’s the page anyway (use at your own risk.)

http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html#117498

 

IT-Folks (Protecting your enterprise)

So, I’m sure you know where I’m going with this if you’ve got a lot of computers to manage: Use Group Policy!

Problem time though… Flash has no ADM / ADMX template to manage. It turns out Flash stores it’s files in a weird place, in a weird format, and as a system file.

So, you can’t use "out of the box" Group Policy to configure it.

Not to get all "commercial", but I created a video for you to see how lots of companies are handling this latest security threat.

Here’s the link: https://www.policypak.com/products/manage-flash-player-using-group-policy.html

TIP: If you’re truly impatient, fast forward to the 3.00 minute mark.

TIP 2: Sign up for one of my webinars and see how you can mitigate other security threats lurking in Acrobat, Java and other key components of your systems!

Here’s the link: https://www.policypak.com/component/gpa/?view=webinar

 

Talk soon!

Jeremy Moskowitz, Enterprise Mobility MVP

Feb 2011
12

GPMC Backspace Bug: Not fixed in Windows 7 / Server 2008 SP1.. but in this Hotfix !

This one has been bugging me for a LONG time, and likely affects your life too.

You're going along, typing in the name of a GPO, then.. Uh-oh.. a little typo.

You hit backspace, and Crappers.. it doesn't work !

My own personal workaround to this is to use Ctrl-Shift + Left arrow and wipe out the whole entry, or, of course, use the mouse to fix.

But, there's a hotfix, waiting for you, and it's right here.

Here's the weird part.. apparently, this hotfix isn't inside Windows 7 SP1or Server 2008 SP1 (if I'm reading the article correctly.) And the hotfix download page seems to say that it will only be part of SP2 !!

So, even AFTER you apply SP1 (when available) you should apply this hotfix to your machines running the GPMC.

The link to the hotfix is here: http://support.microsoft.com/kb/2466373

Special Thanks to Mark Parris who provided the inspiration to this tip. His blog can be found here: https://markparris.co.uk

May 2010
26

Full Disk / Bitlocker Security Hackable

Team:

Thanks to those folks who wrote in and thanked me for waving the banner around this issue.

Also, thanks to those folks who asked some clarifying questions. Okay, here are my summarized thoughts (basically, answers to your questions):

1. Sure, it would be great if copy machines could JOIN the Windows domain. Then, heck yeah, you could possibly use some GP trickery to make them more secure. BUT, that wasn’t what I was implying. ?

2. I supplied some GP-based security tips yesterday. One that encrypted the page file, and another one which totally removed it at shutdown. I also said that the best (bestest?) way to get protected is via full disk encryption. So, I totally stand by that.. Full disk encryption is arguably, the best (fastest / intermediate) way to get “pretty darn secure.” I would however, also suggest that I would only perform the “remove page file at shutdown” for machines where there is no other possible solution for security.

Heck, let’s break this “are we secure?” problem down .. way way down, just for fun here.

 

Question :Okay… Does NTFS provide “security” ?
Answer: Sorry. No. So, in short, if I steal your laptop, and it’s got no full disk encryption, then I can boot it from a USB stick, CD-ROM, or just rip the hard drive out and mount it in my non-Windows (ie: Linux machine) and.. bingo.. I have your files.

Question: Does applying either / both of those policy settings I suggested yesterday really make you more “secure”?
Answer: It’s better than NOTHING for desktops that HAVE to be out in the open, and for whatever reason can not get full disk encryption. And even then, it only protects the page file, which may or may not contain interesting stuff. To be super clear, I would suggest against enabling the “remove page at logoff” for servers at all costs, because rebooting your servers (or workstations with large page files) could take a loooong time.

Question: Does EFS (encrypting file system) provide “security” ?
Answer:  While I haven’t personally attempted to “bypass” EFS, I’ve seen several writeups of how to bypass it. Indeed, this one tool (found by quick Internet search) claims to immediately make child’s play of EFS. (Again, untested.. http://tinyurl.com/2buburp)
PS: I swear I didn’t do anything special to get that TinyURL.. that was auto-assigned to me.

Question: Does full disk encryption provide “security” ?
Answer: It’s an excellent start. Again, it’s the best thing we can do for the majority of attacks. But there are still vulnerabilities.  

Question: Okay.. what vulnerabilities am I still exposed to?
Answer: Three parts

() This one I knew about (which was discovered at Princeton University):
This vulnerability is based on the idea that you can “copy” the memory of a PC. Very interesting.
http://www.youtube.com/watch?v=JDaicPIgn9U

() This one I didn’t. This uses Firewire to slurp out the computer’s memory via DMA:
http://tinyurl.com/2pea3y
Thanks to Darren Mar-Elia, fellow GP MVP for this lead.

() A little internet searching came up with this commercial tool to bust Bitlocker / Truecrypt:
http://www.lostpassword.com/kit-forensic.htm
This actually seems to be similar to the Princeton attack; and requires memory to be “captured.” Or, you can try a lengthy “brute force” attack if the machine was fully shutdown.

Also, I think  reasonable reading as well, is the Microsoft response to the Princeton attack, and you can find that here:

http://windowsteamblog.com/windows/b/windowssecurity/archive/2009/12/07/windows-bitlocker-claims.aspx

In short, I am in agreement with Microsoft’s summary of the assessment:

“This sort of targeted attack poses a relatively low risk to folks who use BitLocker in the real world.”

Agreed.

If you’re concerned about attack #1 and #3, then make sure your computers settings are configured (using GP, of course!) to make the computer fully shut down (hibernate) on idle. Then require the Bitlocker password pin or USB key at startup. Yes, this is kind of a pain in the neck. But it is the way to prevent that attack.

If you’re concerned about attack #2, then use GP (again!) to disable built-in Firewire ports unless absolutely necessary.

To be superduper, crazy clear.. there is no “magic bullet” for security. Here’s some reading to get into the concept of “defense in depth.”

http://www.amazon.com/Protect-Your-Windows-Network-Perimeter/dp/0321336437

The book isn’t “super technical” in a “click here, do this” kind of way. But it did “get it into my thick skull” that I need to be doing everything I can, at multiple layers to thwart the bad guys and protect my network and keep my company safe.

So.. hopefully this article helps you out.

Here are some I can help you get more secure.

1) I do cover how to do both hardware lockout and power configuration (among many, many security items that I cover) in my GP class (coming soon to Washington, DC — July 19th! www.GPanswers.com/training !) A handful of seats left.

and

2) This whole “defense in depth” idea is why I designed PolicyPak. Group Policy does a great job configuring some of the in-the-box operating system items. But what about the rest of the operating system and add-on applications? Hope to see you today or next week online (www.PolicyPak.com/demo)

and

3) Of course, you can get a book. ? www.GPanswers.com/book

That’s it. Talk with you soon!

Jan 2010
07

Oodles of Great News today...

Team…

Several pieces of good news this week !

1. LAX Class — On on on ! March 22 – 26th.

We’ve got the first seven people signed up for my GPanswers five-day training class !

That means the class is ON ! Now, the only problem is.. will you be able to get one of the remaining seats?

If you were waiting for the class to be OFFICIALLY ON, well, we are now. So, don’t miss out.

Sorry, we cannot “save you a seat.” You can save your own seat when you use a credit card or utilize a PO. Then, your seat is a GUARANTEED. Sign up at…

https://www.gpanswers.com/training/sign-up-now-live/
or call Diane at 302-351-4903 for POs / special arrangements.

Special deals available for “Lone Wolf or Self-Pay” consultants, and discounts available when you sign up 3 or more.  Must call Diane to take advantage of these specials.

Sign up today. See you in LA.

2. I’ve been granted another year as a Enterprise Mobility MVP. There are exactly nine GP MVPs. Yowsa. Anyway, thank you for supporting my efforts here.

[MORE BY CLICKING CLICK FOR MORE]

3. Speaking of thanking you.. check this crazy picture out… (safe for work.)
https://www.gpanswers.com/images/gpanswers_number3.png

This is a picture (you can see the flash) of something printed in SQL Server magazine. Remember that “Community Choice” award survey I asked you to fill out? Something must have worked and you must have told two friends, because of all the websites… we came in #3 overall.

Holy cow.

We even beat out the MAGAZINE’S OWN website (the one who took the survey !)

What? Must have been a “rounding error” or something, but I’ll take it.

THANK YOU.

4. There’s a GPPreferences hotfix / rollup now available for Windows Vista clients.

http://support.microsoft.com/kb/KB977983

There’s no new functionality in here (and some is slated to come, retroactively for Vista at some point..) But this is a nice hotfix rollup if you’re using Vista clients.

5. Team… I want to expand the GP FAQ we have online at GPanswers.com. Do you have a BURNING FAQ question you want answered? If so, send me an email with the subject line of BURNING FAQ, and I’ll try to answer it in an upcoming Tip of the Week / online in the FAQ section. Remember: Subject line of BURNING FAQ, and please, hold-yer-horses for an immediate answer. I’ll be hand-crafting the answers of the ones I pick and then presenting those answers at a later time. I likely won’t be able to answer all. I hope you’ll understand.

That’s it for now. Thanks team. You’re the best! Have a great 2010, and see a bunch of you lucky ones in LA in March!

Jeremy Moskowitz
Twitter: jeremymoskowitz
GPanswers.com (Group Policy Community)
PolicyPak.com    (PolicyPak Software)

Nov 2009
18

The WSJ missed the point

I read the paper every day. I get the Wall Street Journal delivered to my house.

Say what you will about the Wall Street Journal, but there’s some (usually) great stuff in there.

Anyway, on Monday there was an article called

“It’s a FREE country… so why can’t we pick the technology we use in the office?”

You can catch up with the article here

But I think the WSJ missed the point. The article’s premise about why we (IT) continues to use older technology.

First off, if you look at the “Green IT” picture they have (with the birds) you can see that’s an Amiga 500 keyboard with a drawn-in monitor on top.

Heh.

Anyway..

Here’s the premise (quoted directly from the article):


Companies now have an array of technologies at their disposal to give employees greater freedom without breaking the bank or laying out a welcome mat for hackers. “Virtual machine” software, for example, lets companies install a package of essential work software on a computer and wall it off from the rest of the system. So, employees can install personal programs on the machine with minimal interference with the work software.

In my case, I’ve installed a search engine called Google Desktop that lets me quickly scour my hard drive for files, and a product by Xobni Corp. that does something similar for Outlook email, even though neither is approved by my IT department. And those programs have made a world of difference. In a simple test, it took Outlook two minutes to track down an email from a few months ago, based on a few search terms. Xobni found the message before I finished typing the words.

Ow. Sorry, WSJ, you’re missing it guys.

I’m not exactly sure where to start, or how long I want to rant here, so, I’ll just tackle one or two points here.
Here’s the “Jeremy Op-Ed” part…

These “let users do what they will” strategies may, yes, may indeed work out. But not in all cases. They do certainly work out great in “free-wheeling” offices with low numbers of users, and tech-savvy users. They can work where users are willing to partially pay for the direct and indirect costs involved.

This relates to my world. Heck — I actually use Xobni too, and it’s great. But it didn’t work for a while, and I had to figure out how spend my own time on to fix it.

But this strategy is simply not for everyone.

Ultimately, giving up control to the users means more work for an already-overworked IT department.

Giving choice to users means, opens up scenarios that most IT departments would not like to think about.

“Sir, are you running IE, Firefox, Opera or Safari? Great. Um, let me Google, er, Bing to see how to clear out the cache.. hang on.”

(Meanwhile that support call cost the company $125 in hard or soft dollars.)

Ow.

I’m all for giving users what they want — if they can support it themselves and not drain IT resources. But the reality is in most enterprises, giving users “more stuff” end up meaning “MORE WORK” for us, the IT department.

The WSJ goes on to detail one company (Kraft) which allows employees to choose non-standard Macs instead of PCs.

PS: I’m NOT anti-Mac, by the way.. I’m anti-de-standardization. (Hey, I just made up a word!) ?


Employees who choose Macs are expected to solve technical problems by consulting an online discussion group at Kraft, rather than going through the help desk, which deals mainly with Windows users.

Is this the right solution to the problem? Can users be self-supporting in a complex environment like yours?

And what about virtualization? The WSJ’s idea that you can just give em a VPC and go seems shortsighted to me. Those machines still need patching, lest they get infected and spit evil goo upon other virtual and real machines. There’s no mention of the enterprise-wide virtual desktop issue.. Things that Microsoft Med-V and VMware’s ACE try to solve.

Long story short… I think the WSJ missed the point.

We (IT) don’t control because we WANT to. We control because we HAVE to.

Group Policy is the “in the box” way to control Windows machines. We make things “more standard” to make them “more supportable.” More supportable means that we, in IT have a limited set of issues to troubleshoot, instead of an UNLIMITED set to troubleshoot. (At least we hope.)

I’m all for more freedom, if it doesn’t take US and OUR EYES away from the prize.

What’s the right way to handle this?

Maybe we should all be running Amiga 500s. (I kid.. I kid.. I’m a kidder.)

Comment on my BLOG to continue the discussion.

The link is here:

http://dev.gpanswers.com/blog/617-the-wsj-missed-the-point.html

Thanks team!

Thing 4: Gold for the Price of Silver (Repeat from Monday!)
——

I am running a little “Special” on my Group Policy Online University classes. I have exactly SIX people I can offer this deal to, so here goes:

-You get the GOLD kit for the price of the SILVER kit.

What’s in the GOLD kit? Check out
http://dev.gpanswers.com/training/online-training-faq.html
and read item #10 for what, exactly, is in the box.

Oh, and you get FIVE “mentoring credits” to use with me — for your own personal course troubleshooting.

And, longer view times, extra perks, yada yada yada…

So, if you’ve always wanted the killer GOLD kit,
but wish it was at a discount,
I have exactly SIX gold kits I can do this for.

So, head over to
http://dev.gpanswers.com/training/online-class-signup.html
click the GOLD kit.

Then, at checkout time, use coupon code
GOLD4SILVER
for your “Gold for the price of Silver” kit.

Note the discount taken off means you’ll still have to pay for shipping ($50); the deal is good, but hey, I’m not crazy.

Again, six kits only at this price. When they’re gone, they’re gone. Don’t delay if you’ve always wanted one !

This just in from someone who finished the GPU online courses:


Jeremy is absolutely the best presenter and instructor I have seen. I really would like to get the same type of instruction for other IT courses. He has a wonderful way of sharing his knowledge in a simple, effective way that leaves you thinking “Wow! That makes so much sense. ” After taking his “Group Policy Online University” courses and reading his books I feel like a pro — truly understanding Group Policy. And whenever I have a question, Jeremy is always there to help. I really liked the fact you can review the online course TWICE. It’s almost like getting TWO courses in one. Add in his weekly tips and simply you can’t go wrong. Thanks Jeremy — and your staff for creating a great learning experience that I benefit from every day.

— Glen Morris, Network Administrator, Mondial Assistance

Thanks Glen ! Glad you’ve got that “GP stuff” handled at this point and ready to make your company more productive!

Who’s ready to learn and be like Glen ? Is it you?

Click:
http://dev.gpanswers.com/training/online-class-signup.html

Use:
GOLD4SILVER at checkout time.

I’m practically handing you over the keys to car. Get smarter starting today.

Jeremy Moskowitz
GPanswers.com (Group Policy Community)
PolicyPak.com    (PolicyPak Software)

Oct 2009
07

The Case of the Missing Group Policy Settings

Team:

Check this out.

Let’s say you had a Windows 7 management machine and also a Windows Server 2008 (or 2008 R2) as your management machine.(In “Jeremy-parlance” a “management machine” is where you run the GPMC from.)

Turns out that on Windows Server 2008 and 2008 / R2, there’s a gaggle of “extra” policy settings !

Seriously, this is weird, so stick with me.

Click here:
…and you’ll see the Windows 7 management machine view of the Computer Configuration | Policies | Administrative Templates | System | Group Policy node.

Click here:
…and you’ll see shows the same thing, except seen from a Windows Server 2008 management machine.

So, what are these “missing” definitions?

These are the settings used to control, manage and monitor the Group Policy Preferences settings. The very “way” GP Prefs “operates.” You’ll see specific Group Policy Preferences items like “Printers Policy Processing”, “Shortcuts Policy Processing”, “Start Menu Policy Processing” and all sorts of other Group Policy Preferences-specific settings.

And my favorite strangeness in this area is “Registry Policy Processing” (with an upper case P in Policy) right next to its cousin “Registy policy processing” (with a lower case P in policy.) The lower case P policy (Registry policy Processing) is about how we handle the stuff inside the “Administrative Templates” node; ya know – “normal” Group Policy settings like “Prevent Access to the Control Panel.” The upper case P policy setting (Registry Policy Processing) is about the “Registry node” in the Group Policy Preferences (Chapter 10 in the Green book)

Bizzaro, but now at least it’s understandable.

Look closely, and you’ll also see another whole node within the Group Policy node called “Logging and tracing.”

Okay, so what gives?

I’ll go more into this at another time, but since you can’t wait that long, here’s the abbreviated version. In short the “definitions” of what’s possible in Group Policy-land are stored in ADMX files Turns out, though that Windows 7’s RSAT and Windows Server 2008 don’t ship with the exact same definitions.

Kooky. The “missing” Group Policy settings are only available in Windows Server 2008’s “set” of definitions. And, yes, that set is downloadable if you don’t want to rip it out of an existing Windows Server 2008 machine.

To catch-up your “Windows 7 management machine” download and utilize the files here http://tinyurl.com/mb6x5v (though there are sure to be updates for Windows Server 2008 R2, so, I would try to track those down when available.)

Don’t be caught off guard if a GP Prefs problem occurs… now you’re in the know!

Some discount seats left for the Group Policy Master Class training in Orlando.

Sign up at https://www.gpanswers.com/training/live-courses.html

Use Coupon code NEXTSIXORLANDO to get $200 off the whole week !

Apr 2008
01

The GPPEs are out!

New newsletter to user in their announcment coming soon. But, if you want to start playing with them TODAY...here's where to find them (thanks to my pal Jakob Heidelberg for making it easy for me to get.) The "real" links are, gah, all over the place.

GPP CSEs for Windows Vista (KB943729)
GPP CSEs for Windows Vista x64 Edition (KB943729)
GPP CSEs for Windows Server 2003 (KB943729)
GPP CSEs for Windows Server 2003 x64 Edition (KB943729)
GPP CSEs for Windows XP (KB943729)
GPP CSEs for Windows XP x64 Edition (KB943729)

If you want a quick tutorial in them, I suggest getting Chapter 10 of my new book (which is available for immediate download.) Click the "About the book" section and follow along until you get Chapter 10. Thanks!