Friday, December 08, 2006
ADM to ADMX Conversion
The ADMX Migrator tool comes in two flavours, a UI (the ADMX Editor) and a command-line converter. First we will use the UI to convert a standard ADM template to an ADMX template. Launch the ADMX Editor and you get the following:-
If you click on the ‘Generate ADMX from ADM…’ option in the right-hand pane and navigate to the ADM you want to convert, ADMX Migrator creates a temporary ADMX template and asks whether to load it into the console; click ‘Yes’. Once it has loaded you can navigate the ADMX template in much the same way as in the GPMC on Vista:-
From here you will notice that in the right hand pane you can create new categories or policy settings:-
Once you have created the new setting you can control how it is displayed in the GPMC, along with any elements such as list boxes, combo boxes and drop-down lists, as shown here:-
After you have amended the ADMX template you can save the completed template. So the tool makes it easy to convert old ADM templates, create new ADMX templates and amend them as you require; it is certainly easier than typing the ADMX by hand, and the result looks tidier in the new GPMC than importing the legacy ADM templates does. It is still worth checking the registry key paths and values in the generated ADMX against the original ADM before you deploy it, as those are what actually get written to the clients.
Tuesday, November 28, 2006
Office 2007 Blogging Tools
Well I have been otherwise engaged for the past few months, and so I haven't had anything remotely useful to blog about, but I have made the plunge and installed Office 2007 which includes a couple of useful new features related to blogs.
In Word 2007, when you choose to create a new document, it gives you the option of creating a new Blog post.
The first time you do this it asks you to enter the details of your blog provider. It has a drop-down list of popular providers and, as I use Blogspot, I figured I was out of luck. So I clicked on the link saying my blog provider isn't listed and was taken to this page, which has a useful description of how to do all this stuff in Word. It helpfully pointed out that all I needed was the API my provider uses and the posting URL. It was at this point that I remembered that Blogspot and Blogger are essentially the same thing; well, it had been a while since I last used it!
From here I went back to word and inputted my account details and it successfully connected and retrieved the list of blogs under my account, I selected the right one and away I go. It does remain to be seen how the formatting works, but I won't know that until I have submitted it!
The other feature I have found that helps me review the blogs I like to visit is the built-in RSS support in Outlook. Whilst there is support for RSS feeds in IE7, it makes better sense to me to have Outlook tell me when a blog has new posts rather than looking in IE. Adding RSS feeds is as easy as right-clicking on the RSS Feeds folder and selecting add a new feed, entering the feed URL, then optionally selecting advanced settings to change the location of the feed content (i.e. a PST), whether you want to download enclosures for the feed and whether you want to download the article as an HTML file.
You can also change the frequency with which Outlook automatically checks for new content by way of Send/receive groups.
Thursday, July 20, 2006
Vista - Controlling the Sidebar
So in mixed OS environments, do you make use of this feature of Vista? If the answer is yes, you can control how it behaves through GPO, and as the defaults leave it pretty much user-configurable this may be a good idea.
The GPOs can be configured on a machine or user basis, and the policy settings can be found in gpedit under either the User or Computer Configuration branch – Administrative Templates – Windows Components – Windows Sidebar. There are only a few fairly basic settings here, but they are essential for locking down the use of the sidebar:-
Turn off Windows Sidebar
Obviously does what it says on the tin; if you don’t configure this the sidebar is displayed by default.
Turn off unsigned Windows Sidebar gadgets
This stops the sidebar running any gadget that hasn’t been digitally signed. Again, this is not configured by default, so any gadget runs regardless of whether or not it is signed.
Turn off user installed Windows Sidebar Gadgets
This prevents the sidebar from running any gadgets that have been installed by the user. Again, if you don’t configure this it gives users free rein over which gadgets they install.
Override the more gadgets link
This lets you redirect the ‘Get more gadgets online’ link to a website of your choice. If you don’t configure this, the link goes to the default Microsoft site.
So if you want to lock down how the sidebar is used by your users, it’s important you configure these settings accordingly.
Thursday, July 06, 2006
IE7 - Protected Mode
Internet Explorer 7+ (the plus denoting the Vista version, which is the one with this feature), now in Beta 3, has a ‘Protected Mode’ which controls which areas of the registry and user profile Internet Explorer can write to. The feature has been described as ‘sandboxing’ Internet Explorer away from the operating system, which is effectively what it does: it removes the deep integration with the OS that has been pervasive in previous versions.
I should say at this point that Protected Mode is configurable per security zone in the browser itself, or as an administrator you can set it by GPO so that users can’t change it. By default Protected Mode is disabled for sites in the Trusted sites zone but, interestingly enough, it is turned on by default in the Intranet zone.
Low Integrity
In Vista every securable object carries an integrity level (objects with no explicit label are treated as Medium), which is the minimum level a process needs in order to get write access to the object; alongside this, each process runs at an integrity level. As you might expect, a process at Low integrity cannot write to any object labelled at a higher level.
Internet Explorer in Protected Mode runs at Low, the lowest of the three levels normally talked about (Low, Medium and High), so it can only write to objects labelled Low. It is worth noting that this holds regardless of whether the user’s account has write permission on the object, because the integrity level is checked before the user’s permissions (the DACL) are evaluated.
So, rather usefully, IE7+ in Protected Mode cannot write to most of the registry or the file system and is locked out of the sensitive areas of both; reading is not restricted in the same way, so the browser still works with the user’s profile.
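To make the ordering of the two checks concrete, here is the rule above reduced to a few lines of Python. This is an added illustration, not Windows code and not from the original post; the object labels and the account name are assumptions chosen for the example:

```python
"""Model of the integrity check described above.  Added illustration, not Windows code and not part of
the original post: a write is refused when the caller's integrity level is below the object's label
("no write up"), and only when that passes is the discretionary ACL consulted."""

LOW, MEDIUM, HIGH = 1, 2, 3   # only the ordering matters here; Untrusted and System are left out


class SecurableObject:
    def __init__(self, name, label=MEDIUM, writers=()):
        self.name = name
        self.label = label            # objects with no explicit label are treated as Medium
        self.writers = set(writers)   # accounts the DACL grants write access to


def check_write(process_level, account, obj):
    """Return 'allowed', 'denied:integrity' or 'denied:dacl' for one write attempt."""
    if process_level < obj.label:     # mandatory label check comes first, before any user permission check
        return "denied:integrity"
    if account not in obj.writers:    # only now does the user's own access (the DACL) come into play
        return "denied:dacl"
    return "allowed"


# Constructed objects.  The labels are assumptions made for the example: the user's own profile keys
# carry the default Medium label, AppData\LocalLow (the area Protected Mode IE is given to write to)
# is labelled Low, and the HKLM Run key is writable by Administrators only in its DACL.
RUN_KEY = SecurableObject(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", MEDIUM, {"alice"})
LOW_TEMP = SecurableObject(r"%USERPROFILE%\AppData\LocalLow", LOW, {"alice"})
HKLM_RUN = SecurableObject(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", MEDIUM, {"Administrators"})
TARGETS = (RUN_KEY, LOW_TEMP, HKLM_RUN)


def protected_mode_ie(account="alice"):
    """Writes attempted by an IE7+ tab running at Low integrity as the logged-on user."""
    return {o.name: check_write(LOW, account, o) for o in TARGETS}


def unprotected_ie(account="alice"):
    """The same user with Protected Mode off: the tab runs at Medium like any ordinary user process."""
    return {o.name: check_write(MEDIUM, account, o) for o in TARGETS}


if __name__ == "__main__":
    for name, result in protected_mode_ie().items():
        print("protected  ", result.ljust(17), name)
    for name, result in unprotected_ie().items():
        print("unprotected", result.ljust(17), name)
```

The point to take from it is the user’s own HKCU Run key: the DACL would happily allow the write, but Protected Mode IE is refused on the label before the DACL is even looked at. The HKLM Run key is refused either way, but for the sandboxed tab the refusal comes from the label check rather than from the DACL.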
Elevation
So what if you have a bunch of intranet sites that require write access to objects on the client machines? You can turn off Protected Mode for the Intranet zone, but this is risky: Internet Explorer auto-detects intranet sites by default, so a web server somebody has surreptitiously put on your network would also be treated as intranet and get the unprotected browser. Another option is to add the relevant sites to the Trusted sites list, but letting users add sites to that list could become an issue of its own. The remaining method, specific to IE7+, is the broker process: Protected Mode IE asks a broker running at a higher integrity level to do the privileged operation on its behalf, and the registry controls how each brokered application is launched (under HKLM\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy, where the Policy value for an application chooses between blocking it, launching it silently at Low, prompting the user, or launching it silently at Medium). In practice this can be as simple as a window popping up to say that a website is trying to open a file in Word and asking the user’s permission.
Conclusion
Personally, I like this feature, and a fair amount of control over it is available through the registry and therefore through GPOs. Being able to turn it on or off per zone makes it easy to test whether Protected Mode is what is breaking a website, without leaving the browser completely unprotected.
Friday, June 16, 2006
Snipping tool
I know, it’s not something to get overly excited by, but it could come in useful on support calls for getting partial screenshots from users.
Thursday, June 15, 2006
Internet Explorer 7 - Certificate Warning
When the host name in the URL does not match the certificate, IE7 warns you but still gives you the option of carrying on to the page, as shown here. Notice the address bar is coloured red, and the certificate error message to its right gives a clue why. In my case I was using a different DNS name in the URL from the one on the certificate to make life easier for myself (lazy, I know!); after a few days I got sick of this and looked for a way around it.
Manual Solution
There is an entry near the bottom of the list on the Advanced tab of Internet Options in IE7 called ‘Warn about certificate address mismatch’, which is checked by default. If you uncheck it and restart IE you can go straight to the URL with no warning on the address bar, giving you this.
Registry/GPO Solution
That gets rid of the annoyance on one machine. If you have web apps or services that you have given ‘friendly’ names which are not on their certificates, and you are willing to take the risk, you can stop users worrying about the error across the estate with an ADM template that sets the following registry value:-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnonBadCertRecving"=dword:00000000
The value is 1 by default; set it to 0 to turn the warning off. Bear in mind that this is a per-user setting that silences the mismatch warning for every HTTPS site, including one presenting a certificate issued for a different host, so the cleaner fix is to get the friendly name onto the certificate (or use the name that is on it).
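The ADM template that sets this, written here as an added example rather than taken from the original post (the category and string names are my own; the key and value are the ones above). Note that Enabled writes 0, because enabling the policy turns the warning off:

```adm
CLASS USER
CATEGORY !!IE7_Certificates
  POLICY !!IE7_SuppressAddressMismatchWarning
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    EXPLAIN !!IE7_SuppressAddressMismatchWarning_HELP
    VALUENAME "WarnonBadCertRecving"
    VALUEON NUMERIC 0
    VALUEOFF NUMERIC 1
  END POLICY
END CATEGORY

[strings]
IE7_Certificates="Internet Explorer 7 Certificate Warnings"
IE7_SuppressAddressMismatchWarning="Suppress certificate address mismatch warning"
IE7_SuppressAddressMismatchWarning_HELP="Enabled: sets WarnonBadCertRecving to 0, so IE7 no longer warns when the host name in the URL is not the one on the site certificate. Disabled: restores the default of 1. This silences the warning for every HTTPS site, including one presenting a certificate issued for a different host, so only use it where the friendly names cannot be added to the certificates."
```

Because the key is outside the Software\Policies tree, gpedit treats this as a preference rather than a true policy: it is hidden unless you turn off the ‘Only show policy settings that can be fully managed’ filter, and the value stays in the user’s registry after the GPO is removed, so setting the policy to Disabled is the way to put the warning back.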
Wednesday, May 10, 2006
GPO Administrative Templates in Vista Part 3
Simple Policy Syntax
In the ADMX template, at the end of the categories section (signified by </categories>) you will see the beginning of the policies section. Using the Device Installation ADMX/ADML files as a basis you will find the first policy is as shown here:-
<policy name="DeviceInstall_AllSigningEqual" class="Machine" displayName="$(string.DeviceInstall_AllSigningEqual)" explainText="$(string.DeviceInstall_AllSigningEqual_Help)" key="Software\Policies\Microsoft\Windows\DeviceInstall\Settings" valueName="AllSigningEqual">
  <parentCategory ref="DeviceInstall_Category" />
  <supportedOn ref="windows:SUPPORTED_WindowsVista" />
  <enabledValue>
    <decimal value="1" />
  </enabledValue>
  <disabledValue>
    <decimal value="0" />
  </disabledValue>
</policy>
So we can see that, as mentioned in the previous post, the policy class is stated on a per-policy basis. The displayName and explainText work in much the same way as for the categories: they are references to strings in the ADML file, shown here:-
<string id="DeviceInstall_AllSigningEqual">Treat drivers signed by Microsoft the same as those signed by others</string>
<string id="DeviceInstall_AllSigningEqual_Help">When selecting which driver to install, do not distinguish between drivers that are signed by Microsoft and drivers that are signed by others.
If you enable this setting, drivers will be selected for installation based on other criteria (such as version number or when the driver was created) rather than whether the driver was signed by Microsoft or by another vendor. A signed driver will still be preferred over a driver that is not signed at all. However, drivers that are signed by Microsoft will not be preferred over other drivers.
If you disable or do not configure this setting, drivers that are signed by Microsoft will be selected for installation over drivers that are signed by other vendors.</string>
The ADMX snippet also shows the registry key and value name, along with what the value is set to when the policy is enabled or disabled. In this case the value AllSigningEqual is set to a DWORD of 1 when enabled and 0 when disabled.
Extracting this information out and constructing the section of the ADM template would give you this:-
POLICY !!DeviceInstall_AllSigningEqual
  KEYNAME "Software\Policies\Microsoft\Windows\DeviceInstall\Settings"
  EXPLAIN !!DeviceInstall_AllSigningEqual_HELP
  VALUENAME "AllSigningEqual"
  VALUEON NUMERIC 1
  VALUEOFF NUMERIC 0
END POLICY
And in the strings section (ADM uses \n for a line break in the explain text):-
DeviceInstall_AllSigningEqual="Treat drivers signed by Microsoft the same as those signed by others"
DeviceInstall_AllSigningEqual_HELP="When selecting which driver to install, do not distinguish between drivers that are signed by Microsoft and drivers that are signed by others.\n\nIf you enable this setting, drivers will be selected for installation based on other criteria (such as version number or when the driver was created) rather than whether the driver was signed by Microsoft or by another vendor. A signed driver will still be preferred over a driver that is not signed at all. However, drivers that are signed by Microsoft will not be preferred over other drivers.\n\nIf you disable or do not configure this setting, drivers that are signed by Microsoft will be selected for installation over drivers that are signed by other vendors."
Listbox Syntax
This becomes a little more interesting when you encounter policies with multiple ‘Parts’ (to use ADM syntax), which have become ‘Elements’ in ADMX. All the information needed to construct them is in the ADMX and ADML templates, but it is spread across three places (the policy, the string table and the presentation table), so gathering it is a pain; once you have it, the policy syntax is pretty intuitive to construct if you are used to writing or amending ADM templates.
Here is an example of a listbox from this ADMX/ADML template set:-
From the ADMX template:-
<policy name="DeviceInstall_Classes_Deny" class="Machine" displayName="$(string.DeviceInstall_Classes_Deny)" explainText="$(string.DeviceInstall_Classes_Deny_Help)" presentation="$(presentation.DeviceInstall_Classes_Deny)" key="Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" valueName="DenyDeviceClasses">
  <parentCategory ref="DeviceInstall_Restrictions_Category" />
  <supportedOn ref="windows:SUPPORTED_WindowsVista" />
  <enabledValue>
    <decimal value="1" />
  </enabledValue>
  <disabledValue>
    <decimal value="0" />
  </disabledValue>
  <elements>
    <list id="DeviceInstall_Classes_Deny_List" key="Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" valuePrefix="" />
  </elements>
</policy>
From the ADML:-
<string id="DeviceInstall_Classes_Deny">Prevent installation of drivers matching these device setup classes</string>
<string id="DeviceInstall_Classes_Deny_Help">Specifies a list of Plug and Play device setup class GUIDs for devices that cannot be installed.
If you enable this setting, new devices cannot be installed and existing devices cannot be updated if they use drivers that belong to any of the listed device setup classes.
If you disable or do not configure this setting, new devices can be installed and existing devices can be updated as permitted by other policy settings for device installation.
NOTE: This policy setting takes precedence over any other policy settings that allow a device to be installed. If this policy setting prevents a device from being installed, the device cannot be installed or updated, even if it matches another policy setting that would allow installation of that device.</string>
Also from the ADML:-
<presentation id="DeviceInstall_Classes_Deny">
<listBox refId="DeviceInstall_Classes_Deny_List">Prevent installation of devices using drivers for these device setup classes:</listBox>
<text>To create a list of device classes, click Show, click Add,</text>
<text>and specify a GUID that represents a device setup class</text>
<text>(for example, {25DBCE51-6C8F-4A72-8A6D-B54C2B4FC835}).</text>
</presentation>
The equivalent sections in an ADM would be constructed as follows (the string IDs and the VALUENAME must match the policy you are converting, DenyDeviceClasses here rather than the sibling DenyDeviceIDs policy, and each PART needs its own string):-
POLICY !!DeviceInstall_Classes_Deny
  KEYNAME "Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions"
  EXPLAIN !!DeviceInstall_Classes_Deny_HELP
  VALUENAME "DenyDeviceClasses"
  VALUEON NUMERIC 1
  VALUEOFF NUMERIC 0
  PART !!DeviceInstall_Classes_Deny_LIST LISTBOX
    KEYNAME "Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses"
    VALUEPREFIX ""
  END PART
  PART !!DeviceInstall_Classes_Deny_TEXT1 TEXT
  END PART
  PART !!DeviceInstall_Classes_Deny_TEXT2 TEXT
  END PART
  PART !!DeviceInstall_Classes_Deny_TEXT3 TEXT
  END PART
END POLICY
And in the strings section, where the list box label and the three text lines come from the presentation section shown above:-
DeviceInstall_Classes_Deny="Prevent installation of drivers matching these device setup classes"
DeviceInstall_Classes_Deny_HELP="Specifies a list of Plug and Play device setup class GUIDs for devices that cannot be installed.\n\nIf you enable this setting, new devices cannot be installed and existing devices cannot be updated if they use drivers that belong to any of the listed device setup classes.\n\nIf you disable or do not configure this setting, new devices can be installed and existing devices can be updated as permitted by other policy settings for device installation.\n\nNOTE: This policy setting takes precedence over any other policy settings that allow a device to be installed. If this policy setting prevents a device from being installed, the device cannot be installed or updated, even if it matches another policy setting that would allow installation of that device."
DeviceInstall_Classes_Deny_LIST="Prevent installation of devices using drivers for these device setup classes:"
DeviceInstall_Classes_Deny_TEXT1="To create a list of device classes, click Show, click Add,"
DeviceInstall_Classes_Deny_TEXT2="and specify a GUID that represents a device setup class"
DeviceInstall_Classes_Deny_TEXT3="(for example, {25DBCE51-6C8F-4A72-8A6D-B54C2B4FC835})."
The second section taken from the ADML template comes from the presentation table towards the bottom of the template, following the string table.
The rest, I think is pretty intuitive and the other ADM syntaxes are equally straightforward to construct.
Tuesday, May 02, 2006
GPO Administrative Templates in Vista Part 2
CLASS
In ADM templates you set the CLASS for the policies that follow the CLASS statement to either CLASS USER or CLASS MACHINE. This denotes which registry hive those policies amend, HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE respectively. I personally split my policies into User and Computer policies, so a single GPO only provides settings for one hive or the other. I find this generally works well, and so I have ADM templates tailored to either user settings or machine settings and only set the CLASS once per ADM template. In the ADMX templates, however, the class is given once per policy setting, so if you are converting ADMX/ADML into ADM templates you need to watch for this.
Categories
If you open one of the default ADMX templates in a text editor, the first thing you will notice after the XML preamble is the list of categories, each with its displayName, its explainText and its parent category, as shown here:-
<category name="DeviceInstall_Category" displayName="$(string.DeviceInstall_Category)" explainText="$(string.DeviceInstall_Help)">
<parentCategory ref="windows:System" />
</category>
<category name="DriverInstall_Category" displayName="$(string.DriverInstall_Category)" explainText="$(string.DriverInstall_Help)">
<parentCategory ref="windows:System" />
</category>
<category name="DeviceInstall_Restrictions_Category" displayName="$(string.DeviceInstall_Restrictions_Category)" explainText="$(string.DeviceInstall_Restrictions_Help)">
<parentCategory ref="DeviceInstall_Category" />
</category>
So we can see here that the Device Install and Driver Install categories both sit under the Windows System category, and the Device Install Restrictions category sits under the Device Install category. In much the same way as in ADM templates, the displayName and explainText are references to strings, but you will find these strings in the matching ADML file rather than in the body of the ADMX file. The relevant section of the ADML for the Device Install and Device Install Restrictions categories looks like this:-
<string id="DeviceInstall_Category">Device Installation</string>
<string id="DeviceInstall_Help">Policy settings that control the installation of devices.</string>
<string id="DeviceInstall_Restrictions_Category">Device Installation Restrictions</string>
<string id="DeviceInstall_Restrictions_Help">Policy settings that describe which devices can or cannot be installed on the System</string>
Ok, from here we have enough to lay out the bare bones of the ADM template. ADM has no equivalent of the windows:System cross-file reference, so the parent is recreated as a category with the same display name as the built-in one; the editor merges categories with matching names, so it lands in the same place under System:-
CLASS MACHINE
CATEGORY !!System
  CATEGORY !!DeviceInstallation
    EXPLAIN !!DeviceInstallation_CATEGORY_EXPLAIN
    CATEGORY !!DeviceInstall_Restrictions_Category
      EXPLAIN !!DeviceInstall_Restrictions_Category_EXPLAIN
    END CATEGORY
  END CATEGORY
END CATEGORY
[strings]
System="System"
DeviceInstallation="Device Installation"
DeviceInstallation_CATEGORY_EXPLAIN="Policy settings controlling the installation of devices on the system."
DeviceInstall_Restrictions_Category="Device Installation Restrictions"
DeviceInstall_Restrictions_Category_EXPLAIN="Policy settings describing which devices may or may not be installed on the system."
Part 3 will continue on to discuss a number of policy settings and how you construct the Policy Syntax for the ADM template from the ADMX/ADML template files.
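Putting Part 2 and Part 3 (the later post, above) together, the mapping is mechanical enough to script. The converter below is an added example written for these posts, not Microsoft’s or FullArmor’s tool; it parses an ADMX/ADML pair and emits the ADM syntax the two posts construct by hand. The sample ADMX/ADML embedded in it is constructed from the DeviceInstall snippets quoted above (trimmed to one policy), and the handling of the windows:System parent relies on the same merge-by-display-name assumption as the bare-bones template above.

```python
"""ADMX/ADML to ADM converter written for these posts as an illustration (not Microsoft's or FullArmor's
tool).  It mechanises what Parts 2 and 3 do by hand: category -> CATEGORY/EXPLAIN, policy -> POLICY/KEYNAME/
EXPLAIN/VALUENAME/VALUEON/VALUEOFF, list+listBox -> PART LISTBOX, text -> PART TEXT, $(string.X) -> !!X with
the ADML text copied into [strings].  Only decimal values and listBox/text elements are handled; others raise."""
import re
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the DeviceInstall ADMX/ADML snippets quoted in the posts.
ADMX = r"""<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"><categories>
<category name="DeviceInstall_Category" displayName="$(string.DeviceInstall_Category)" explainText="$(string.DeviceInstall_Help)"><parentCategory ref="windows:System" /></category>
<category name="DeviceInstall_Restrictions_Category" displayName="$(string.DeviceInstall_Restrictions_Category)" explainText="$(string.DeviceInstall_Restrictions_Help)"><parentCategory ref="DeviceInstall_Category" /></category>
</categories><policies>
<policy name="DeviceInstall_Classes_Deny" class="Machine" displayName="$(string.DeviceInstall_Classes_Deny)" explainText="$(string.DeviceInstall_Classes_Deny_Help)" presentation="$(presentation.DeviceInstall_Classes_Deny)" key="Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" valueName="DenyDeviceClasses">
<parentCategory ref="DeviceInstall_Restrictions_Category" /><supportedOn ref="windows:SUPPORTED_WindowsVista" />
<enabledValue><decimal value="1" /></enabledValue><disabledValue><decimal value="0" /></disabledValue>
<elements><list id="DeviceInstall_Classes_Deny_List" key="Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" valuePrefix="" /></elements></policy>
</policies></policyDefinitions>"""
ADML = r"""<policyDefinitionResources xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"><resources><stringTable>
<string id="DeviceInstall_Category">Device Installation</string><string id="DeviceInstall_Help">Policy settings that control the installation of devices.</string>
<string id="DeviceInstall_Restrictions_Category">Device Installation Restrictions</string><string id="DeviceInstall_Restrictions_Help">Policy settings that describe which devices can or cannot be installed on the System</string>
<string id="DeviceInstall_Classes_Deny">Prevent installation of drivers matching these device setup classes</string>
<string id="DeviceInstall_Classes_Deny_Help">Specifies a list of Plug and Play device setup class GUIDs for devices that cannot be installed.
If you enable this setting, new devices cannot be installed and existing devices cannot be updated if they use drivers that belong to any of the listed device setup classes.</string>
</stringTable><presentationTable><presentation id="DeviceInstall_Classes_Deny">
<listBox refId="DeviceInstall_Classes_Deny_List">Prevent installation of devices using drivers for these device setup classes:</listBox>
<text>To create a list of device classes, click Show, click Add,</text><text>and specify a GUID that represents a device setup class</text>
<text>(for example, {25DBCE51-6C8F-4A72-8A6D-B54C2B4FC835}).</text>
</presentation></presentationTable></resources></policyDefinitionResources>"""


def _tag(el):       # strip the XML namespace: "{...}policy" -> "policy"
    return el.tag.rsplit("}", 1)[-1]


def _ref(attr):     # "$(string.Foo)" or "$(presentation.Foo)" -> "Foo"; anything else is returned as-is
    m = re.fullmatch(r"\$\((?:string|presentation)\.(\w+)\)", attr or "")
    return m.group(1) if m else attr


def load_adml(text):
    strings, pres = {}, {}
    for el in ET.fromstring(text).iter():
        if _tag(el) == "string":
            strings[el.get("id")] = el.text or ""
        elif _tag(el) == "presentation":   # children kept as (element type, refId, label text)
            pres[el.get("id")] = [(_tag(c), c.get("refId"), c.text or "") for c in el]
    return strings, pres


def admx_to_adm(admx_text, adml_text):
    strings, pres = load_adml(adml_text)
    root = ET.fromstring(admx_text)
    cats = {c.get("name"): c for c in root.iter() if _tag(c) == "category"}
    pols = [p for p in root.iter() if _tag(p) == "policy"]
    parent = lambda el: next((c.get("ref") for c in el if _tag(c) == "parentCategory"), None)
    used, out = {}, []   # [strings] entries in order of first use; output lines

    def use(sid, fallback=None):   # register an ADM string id and return its !!reference
        used.setdefault(sid, strings.get(sid, sid if fallback is None else fallback))
        return "!!" + sid

    def policy(p, ind):
        out.append(ind + "POLICY " + use(_ref(p.get("displayName"))))
        out.append(ind + '  KEYNAME "%s"' % p.get("key"))
        out.append(ind + "  EXPLAIN " + use(_ref(p.get("explainText"))))
        if p.get("valueName"):
            out.append(ind + '  VALUENAME "%s"' % p.get("valueName"))
        for tag, kw in (("enabledValue", "VALUEON"), ("disabledValue", "VALUEOFF")):
            for v in (c[0] for c in p if _tag(c) == tag):   # <decimal value="1"/> -> NUMERIC 1
                if _tag(v) != "decimal":
                    raise ValueError("unsupported value type: " + _tag(v))
                out.append(ind + "  %s NUMERIC %s" % (kw, v.get("value")))
        lists = {l.get("id"): l for e in p if _tag(e) == "elements" for l in e if _tag(l) == "list"}
        n = 0
        for kind, ref, text in pres.get(_ref(p.get("presentation")), []):
            if kind == "listBox":   # the <list> element carries the registry key, the <listBox> the label
                out.append(ind + "  PART %s LISTBOX" % use(ref, text))
                out.append(ind + '    KEYNAME "%s"' % lists[ref].get("key"))
                out.append(ind + '    VALUEPREFIX "%s"' % lists[ref].get("valuePrefix", ""))
            elif kind == "text":    # static text gets its own string id, as Part 3 does with _TEXT1..3
                n += 1
                out.append(ind + "  PART %s TEXT" % use("%s_TEXT%d" % (p.get("name"), n), text))
            else:
                raise ValueError("element type not handled: " + kind)
            out.append(ind + "  END PART")
        out.append(ind + "END POLICY")

    def category(name, cls, ind):
        c = cats[name]
        out.append(ind + "CATEGORY " + use(_ref(c.get("displayName"))))
        if c.get("explainText"):
            out.append(ind + "  EXPLAIN " + use(_ref(c.get("explainText"))))
        for p in pols:
            if p.get("class") in (cls, "Both") and parent(p) == name:
                policy(p, ind + "  ")
        for sub in cats:
            if parent(cats[sub]) == name:
                category(sub, cls, ind + "  ")
        out.append(ind + "END CATEGORY")

    # A parent such as windows:System lives in another ADMX file.  ADM has no cross-file references, so it
    # becomes a top-level CATEGORY with the same display name, which the editor merges with the built-in
    # one (assumption: the local part of the ref, "System", is also that category's display name).
    for c in list(cats.values()):
        ref = parent(c)
        if ref and ":" in ref and ref not in cats:
            cats[ref] = ET.Element("category", displayName=ref.split(":", 1)[1])
    # ADMX states the class per policy, ADM per block, so emit one block per class ("Both" goes in each).
    classes = sorted({c for p in pols for c in (("Machine", "User") if p.get("class") == "Both" else (p.get("class"),))})
    for cls in classes:
        out.append("CLASS " + cls.upper())
        for name in [n for n, c in cats.items() if parent(c) is None]:
            category(name, cls, "")
        out.append("")
    out.append("[strings]")
    for sid, text in used.items():   # ADML help text is multi-line; ADM wants a literal \n in the string
        out.append('%s="%s"' % (sid, "\\n".join(l.strip() for l in text.splitlines())))
    return "\n".join(out)


if __name__ == "__main__":
    print(admx_to_adm(ADMX, ADML))
```

Running it prints the CLASS MACHINE block with the System, Device Installation and Device Installation Restrictions categories nested as in Part 2, the DenyDeviceClasses policy with its LISTBOX and three TEXT parts as in Part 3, and a [strings] section built from the ADML. To convert a real pair, read %systemroot%\PolicyDefinitions\DeviceInstallation.admx and its en-US ADML into the two arguments; anything the converter does not understand (string values, check boxes, drop-down lists) raises rather than producing a half-right template, which is the behaviour you want when the output is going to be written into clients' registries.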
Friday, April 28, 2006
GPO Administrative Templates in Vista Part 1
The underlying policy file for each GPO (Registry.pol) is found in the Sysvol of domain controllers in a Windows 200x network and delivers registry-based settings to the user or computer; this remains unchanged. The differences come in how the settings are presented to administrators. The two sets of files to concern yourself with are the ADMX and ADML files, which can be found on any Vista machine under %systemroot%\PolicyDefinitions and %systemroot%\PolicyDefinitions\[MUI culture] (e.g. en-US for US English); both are XML based.
The ADMX files contain the structure of the view of the policies that will be presented in the GPEdit or GPMC consoles and as with ADM templates they contain:-
- Categories
- Policies
- Registry Key Paths and Values
- Elements (previously known as Parts)
- Control Types
This is all good news so far, but what happens if you use other tools to manage GPOs that also rely on ADM templates for the structure they display policies with? It means you will have to create your own ADM templates and include any Vista-specific settings in them. I will go through this in more detail in Part 2.
Windows Vista
I have spent the couple of months or so evaluating Vista with respect to:-
- Features and how to centrally manage them with Group Policy Objects (GPOs).
- How to lockdown Vista for use in a secure environment
- How to let trusted administrators turn on ‘useful’ or cool new features.
- Ease the learning curve for the users of Vista.
Well the good news is that in an environment that is closely managed and tightly locked down, such as an educational institution, most of the new features will be locked down by the GPOs you already have in place. The company I work for is a large IT service provider and supplier to the educational market in the UK and further afield. My primary interest in Vista comes from a security standpoint: how can we lock the OS down so that kids (or adult users) can’t break it, while keeping it usable and exposing the new features they can make use of?
Whilst the level of locking down we do will not be required by many corporate networks it’s a good start point to lock the whole thing down and open things up as required or demanded (with justification) by the business.
In a Windows 200x/XP based network, GPO settings are exposed in the Microsoft tools (GPMC, GPEdit) by the use of Administrative Templates; currently these are ADM templates, written in a markup language proprietary to Microsoft. They control what you see in the MS GPO tools, how it’s laid out, the descriptions of the settings and the options you have for changing them. Whilst this works, with the coming of Vista and Longhorn Server ADM templates will no longer be used by default: ADMX and ADML files, based on open XML standards, take their place and do essentially the same job with a few differences in the mechanics of how they work. These will be discussed in more detail in another post.
In environments that use GPOs to lock down the OS it’s fairly simple to ensure Vista functionality is locked down too. You might ask why do this, given all the publicity from Microsoft highlighting the new security features in Vista? Whilst those features are real, during any period of co-existence between different versions of Windows (XP and Vista) there will obviously be a learning curve, and you can stick to classic menus and the same GPOs to provide a common user experience across the two versions. Useful new features in Vista can then be evaluated and introduced as users are educated in them and begin to use them on their home computers.
In my next few posts I will be going through the Vista Feature set providing information on how to control access to and features of them, generally they will come as time allows or when I happen to be testing them.
Sunday, April 09, 2006
First One.....
I will no doubt post to here when I get chance, if I have something to say.........If I don't, obviously I won't.
Laters.