Logo
PREGNANCY
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
 
 
Windows Vista

Group Policy Settings (part 5) - Point and Print Restrictions & Digital Certificates and Authenticode

3/14/2011 10:18:13 PM

Point and Print Restrictions

Point and Print restrictions allow you to control access to selected shared printers on the corporate network. By default, printers are shared with the permissions set to Allow—Print for the Everyone group. This says that any user can connect to a shared printer, automatically download any required printer drivers, and submit print jobs to that device. Permissions can be adjusted on the printer properties to further control this access. The Point and Print restrictions in a GPO can be used in addition to these permissions to control printer access for large groups of users in an AD environment.

This setting is located under User Configuration > Administrative Templates > Control Panel > Printers, as shown in Figure 11.

Figure 11. Configuring Point and Print restrictions.


The fully qualified domain name (FQDN) of the print server must be added to complete the GPO setting.

This GPO setting requires that you construct a list of print servers that the users are allowed to download drivers from and then submit print jobs to. You can further restrict the driver download to only those drivers that have been tested, approved, and digitally signed by Microsoft’s Windows Hardware Quality Labs (WHQL), the testing arm of Microsoft for third-party drivers.

Digital Certificates and Authenticode

As users connect to web servers, their browsers download the HTML file and image files and also download and execute active content, like ActiveX controls. Active content, also called mobile code, is a major source of malware (viruses and spyware) and is often heavily restricted in a corporate environment.

To ensure that your ActiveX controls are safe and usable by all who visit your website is to have the ActiveX control tested and digitally signed by Microsoft. When an ActiveX control is signed by Microsoft, it is called Authenticode, and it is generally trusted to be safe for your users to run. However, on occasion, these tested and approved ActiveX controls can still conflict with other software running on your client computers, so having it signed by Microsoft is still not a guarantee of safety.

Caution

Be Careful with Authenticode Restrictions Enabling restrictions on your browsers to allow only approved publishers of Authenticode enhances the security of browsing but can cause web applications and other website functions that rely on unsigned and unapproved publishers of ActiveX controls to fail.


You can restrict the browsers on your users’ computers to execute Authenticode only from a select list of publishers that you approve. To do this, you must enable a setting in a GPO that is located under User Configuration > Windows Settings > Internet Explorer Maintenance > Security > Authenticode Settings. The setting is labeled Enable Trusted Publisher Lockdown. This setting, shown in Figure 12, disables users from accepting any certificates (used in the Authenticode) from publishers that aren’t on your approved publishers list.

Figure 12. Configuring trusted publisher lockdown.
Other -----------------
- Group Policy Settings (part 1) - Desktop Settings & Software Deployment by GPO
- Group Policy Object Overview (part 2) - Applying GPOs to a Computer and User in an AD Environment
- Group Policy Object Overview (part 1) - Building a Local Computer Policy & The Domain Member Computer
- User Account Control (UAC)
- Troubleshoot Authentication Issues - SmartCards
- Configure and Troubleshoot Access to Resources (part 4) - Securing Network Traffic for Remote Desktop Protocol (RDP) Access
- Configure and Troubleshoot Access to Resources (part 3) - IPSec for Securing Network Traffic on the Local LAN
- Configure and Troubleshoot Access to Resources (part 2) - Printer Sharing
- Configure and Troubleshoot Access to Resources (part 1) - Permissions
- Windows Update (part 4) - Troubleshooting Updates
- Windows Update (part 3) - Windows Server Update Services Server (WSUS)
- Windows Update (part 2) - Automatic Updates
- Windows Update (part 1) - Manual Updates
- Windows Defender and Other Defenses Against Malware
- Windows Firewall
- Troubleshoot Security Configuration Issues (part 2) - Securing Data in Storage with Encrypting File System & Securing Computers with the Security Configuration and Analysis Tool
- Troubleshoot Security Configuration Issues (part 1) - The Windows Security Center & Securing the Operating System and Data in Storage with BitLocker
- Configure and Troubleshoot Security for Windows Internet Explorer 7 (part 4) - Digital Certificates
- Configure and Troubleshoot Security for Windows Internet Explorer 7 (part 3) - Cookie-Handling & ActiveX Opt-In
- Configure and Troubleshoot Security for Windows Internet Explorer 7 (part 2) - Internet Explorer’s Protected Mode
 
 
Most view of day
- Windows Server 2012 : Installing roles and features (part 1) - Installing roles and features using Server Manager
- Multi-Tenancy in SharePoint 2013 (part 1) - Managing Service Application Groups, Creating a Site Subscription
- Microsoft Visio 2010 : Modifying a Graphic (part 3) - Changing a Graphic’s Position
- Microsoft Word 2010 : Working with Outlines - Creating a Multilevel List
- Windows Phone 8 : Configuring Basic Device Settings - Battery Saver
- Windows Phone 8 : Working with the Windows Phone Software (part 7) - Removing Multimedia Content - Removing a Video from Your Phone
- Microsoft Exchange Server 2007 : Upgrading Separate AD Forests to a Single Forest Using Mixed-Mode Domain Redirect (part 2)
- Microsoft Visio 2010 : Organizing and Annotating Diagrams - Markup & Review
- Microsoft Excel 2010 : Protecting and Securing a Workbook - Setting Macro Security Options
- Monitoring Windows Small Business Server 2011 : Using Performance Monitor
Top 10
- Sharepoint 2013 : Working with the CSOM (part 6) - Working with the JavaScript client object model - Creating, reading, updating, and deleting in the JavaScript client object model
- Sharepoint 2013 : Working with the CSOM (part 5) - Working with the JavaScript client object model - Handling errors
- Sharepoint 2013 : Working with the CSOM (part 4) - Working with the JavaScript client object model - Returning collections
- Sharepoint 2013 : Working with the CSOM (part 3) - Working with the managed client object model - Creating, reading, updating, and deleting
- Sharepoint 2013 : Working with the CSOM (part 2) - Working with the managed client object model - Handling errors
- Sharepoint 2013 : Working with the CSOM (part 1) - Understanding client object model fundamentals
- Windows Phone 8 : Configuring Mailbox Settings (part 5) - Configuring Automatic Replies
- Windows Phone 8 : Configuring Mailbox Settings (part 4) - Lightening the Display,Changing the Mailbox Sync Settings
- Windows Phone 8 : Configuring Mailbox Settings (part 3) - Message Signatures, Blind CCing Yourself
- Windows Phone 8 : Configuring Mailbox Settings (part 2) - Unlinking Mailboxes, Conversation View
 
 
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
2015 Camaro