Securing the Workstation : Applying the Castle Defense System (part 4) - Hardening the system - USB Device Control, Windows Defender

7/11/2013 6:43:48 PM

3.4 USB Device Control

With Vista, you can now lock down USB devices, once again through Group Policy. With iPods and other portable music devices abounding, it is becoming more and more important for organizations to control which devices users can connect to their systems. For example, a user should not be able to connect their iPod to their office PC to download music. In addition, they should not be able to connect it to use as a hard drive to transport information they gather from your network. For these reasons, you must configure the USB Device Controls in Group Policy and control which devices are deemed acceptable — mice, keyboards, smart phones, and printers — and which are not — portable disk drives and flash memory devices, for example.

Although you can use these controls to prevent installation of all devices, it is best to allow the installation of authorized devices. To do this, you need to be able to identify devices. There are two ways to do this:

  • You can use device identification strings, which are contained both within the device and within the .INF file that comes with the driver, to block or authorize devices. There are two types of device ID strings. The first is the hardware ID. Hardware IDs provide the most direct match between a device and its driver. The second type is the compatible ID. Compatible IDs list the drivers that could give you at least basic functionality for the device. If you use these IDs to allow or deny devices, you must include all of the possible IDs for the device. Otherwise a device, and a multifunction device in particular, might be blocked at one level but not at another.


  • You can use device setup classes to control devices. Classes divide devices into groups that use the same installation process. Each class is identified by a globally unique identifier (GUID), a long numeric value that uniquely represents that class of devices. For example, if you want to block USB disk drives, block the GUID for that class and no USB disk drive will be able to be installed on your systems.
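
Before you can fill in either kind of list, you need the actual strings for the devices you intend to allow or block. The following PowerShell script is an added example, not code from the original article: it lists the hardware IDs, compatible IDs and setup-class GUID of every USB device currently present, using the Win32_PnPEntity WMI class. It assumes Windows PowerShell with WMI access in an elevated session; the USB\ and USBSTOR\ prefix filter is an assumption about which devices you care about.

```powershell
# Added example, not from the original article: enumerate the identification
# strings the article describes for every present USB device, so the values
# can be copied into the Device Installation Restrictions policies.
# Assumes Windows PowerShell with WMI access; run in an elevated session.

function Get-UsbDeviceIds {
    # Win32_PnPEntity exposes the same strings the article talks about:
    # HardwareID (most specific), CompatibleID (generic fallbacks), ClassGuid.
    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.PNPDeviceID -like 'USB\*' -or $_.PNPDeviceID -like 'USBSTOR\*' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name          = $_.Name
                InstanceId    = $_.PNPDeviceID
                ClassGuid     = $_.ClassGuid
                HardwareIds   = @($_.HardwareID)
                CompatibleIds = @($_.CompatibleID)
            }
        }
}

$devices = Get-UsbDeviceIds | Sort-Object ClassGuid, Name

# One block per device. A multifunction device (a phone that is also a disk,
# a keyboard with a built-in hub) shows up as several entries; the policy must
# cover every ID of every entry, or the device is blocked at one level and
# allowed at another.
foreach ($dev in $devices) {
    ''
    '{0}  [class {1}]' -f $dev.Name, $dev.ClassGuid
    '  instance:   ' + $dev.InstanceId
    foreach ($id in $dev.HardwareIds)   { if ($id) { '  hardware:   ' + $id } }
    foreach ($id in $dev.CompatibleIds) { if ($id) { '  compatible: ' + $id } }
}

# Distinct setup classes seen, for the "match these device setup classes"
# entries in Table 2.
''
'Setup classes present:'
$devices | ForEach-Object { $_.ClassGuid } | Where-Object { $_ } | Sort-Object -Unique
```

Run it with each device type you plan to authorize connected, and again with the ones you plan to block, so that both lists are built from observed IDs rather than guesses.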


Set up your authorizations through Group Policy.

  1. Launch the Group Policy Management Console (GPMC), choose Start Menu => Search => gpmc.msc, and press Enter.

    NOTE

    If you are running Service Pack 1, you must download and install the GPMC onto your management PC before you can use it.

  2. Because this policy affects every computer, apply it to the PCs OU. It can be applied through any GPO that affects all PCs. If the GPO exists, right-click on it and select Edit. If it doesn't, create it, name it, link it to the PCs OU, and then edit it.

  3. Go to the Device Installation settings (Computer Configuration => Policies => Administrative Templates => System => Device Installation). Also set up the Removable Storage Access policies, which are under the same System node (Computer Configuration => Policies => Administrative Templates => System => Removable Storage Access).

  4. Set up the policies according to the recommendations in Table 2. Examine the explanation for each setting to learn more about its intent and configuration possibilities. Each setting that is not configured relies on the default behavior for that setting.

  5. Test the settings with various devices of each type you authorized and de-authorized.

Table 2. Assigning Device Installation Settings

| Location | Setting | Recommendation |
|---|---|---|
| Device Installation | Treat all digitally signed drivers equally in the driver ranking and selection process | Not configured |
| Device Installation | Turn off Found New Hardware balloons during device installation | Not configured |
| Device Installation | Do not send a Windows Error Report when a generic driver is installed on a device | Not configured |
| Device Installation | Configure device installation timeout | Not configured |
| Device Installation | Do not create system restore point when new device driver installed | Not configured |
| Device Installation | Allow remote access to the PnP interface | Not configured |
| Device Installation Restrictions | Allow administrators to override Device Installation Restriction policies | Configure only if you fully trust your administrators or anyone with administrative access rights. |
| Device Installation Restrictions | Allow installation of devices using drivers that match these device setup classes | Enable and add the appropriate GUID entries. |
| Device Installation Restrictions | Prevent installation of devices using drivers that match these device setup classes | Enable and add the appropriate GUID entries. |
| Device Installation Restrictions | Display a custom message when installation is prevented by policy (balloon text) | Enable and type in an appropriate violation of policy message. |
| Device Installation Restrictions | Display a custom message when installation is prevented by policy (balloon title) | Enable and type in an appropriate message title. |
| Device Installation Restrictions | Allow installation of devices that match any of these device IDs | Not configured |
| Device Installation Restrictions | Prevent installation of devices that match any of these device IDs | Not configured |
| Device Installation Restrictions | Prevent installation of removable devices | Not configured |
| Device Installation Restrictions | Prevent installation of devices not described by other policy settings | Enable. |
| Removable Storage Access | Time (in seconds) to force reboot | Not configured |
| Removable Storage Access | CD and DVD: Deny read access | Not configured |
| Removable Storage Access | CD and DVD: Deny write access | Enable only in very secure environments. Users often rely on this for backups. |
| Removable Storage Access | Custom Classes: Deny read access | Enable only if you have appropriate GUIDs. |
| Removable Storage Access | Custom Classes: Deny write access | Enable only if you have appropriate GUIDs. |
| Removable Storage Access | Floppy Drives: Deny read access | Not configured |
| Removable Storage Access | Floppy Drives: Deny write access | Enable only in very secure environments. |
| Removable Storage Access | Removable Disks: Deny read access | Not configured |
| Removable Storage Access | Removable Disks: Deny write access | Enable. |
| Removable Storage Access | All Removable Storage classes: Deny all access | Enable in very secure environments. |
| Removable Storage Access | All Removable Storage: Allow direct access in remote sessions | Enable in very secure environments. |
| Removable Storage Access | Tape Drives: Deny read access | Enable. |
| Removable Storage Access | Tape Drives: Deny write access | Enable. |
| Removable Storage Access | WPD Devices: Deny read access | Enable only if your users do not use smart phones or Pocket PCs. |
| Removable Storage Access | WPD Devices: Deny write access | Enable only if your users do not use smart phones or Pocket PCs. |
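
Step 5 of the procedure, testing, is easier when you first confirm that the GPO actually reached the client. The following PowerShell script is an added example, not code from the original article: it reads back the registry values that the key Table 2 settings write and compares them with the recommendations. It assumes Windows PowerShell on a managed PC after a Group Policy refresh; the registry paths are the standard Device Installation Restrictions and Removable Storage Access policy keys, and the GUID used is the Removable Disks storage class.

```powershell
# Added example, not from the original article: read back the registry values
# written by the Table 2 policies so that testing starts from a known state.
# Assumes Windows PowerShell on the managed PC, run after gpupdate.
# Paths are the standard policy keys for these settings; the GUID is the
# Removable Disks class used by the Removable Storage Access policies.

$restrict  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$removable = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$removableDisksGuid = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-PolicyValue($path, $name) {
    # $null means "Not configured": the setting falls back to its default behaviour
    if (-not (Test-Path $path)) { return $null }
    $item = Get-ItemProperty -Path $path
    if ($item.PSObject.Properties[$name]) { return $item.$name } else { return $null }
}

function Get-PolicyList($path) {
    # The Allow/DenyDeviceClasses subkeys hold one GUID per value named 1, 2, 3 ...
    if (-not (Test-Path $path)) { return @() }
    (Get-ItemProperty -Path $path).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}

function Show-PolicyState($label, $value, $expected) {
    # $expected of $null means the recommendation is "Not configured"
    $state = if ($value -eq $expected) { 'as recommended' } else { 'NOT as recommended' }
    '{0,-48} {1} ({2})' -f $label, $value, $state
}

Show-PolicyState 'Prevent devices not described by other policy' (Get-PolicyValue $restrict 'DenyUnspecified') 1
Show-PolicyState 'Removable Disks: deny write access' (Get-PolicyValue "$removable\$removableDisksGuid" 'Deny_Write') 1
Show-PolicyState 'Administrators may override restrictions' (Get-PolicyValue $restrict 'AllowAdminInstall') $null
'Allowed setup classes: ' + ((Get-PolicyList "$restrict\AllowDeviceClasses") -join ', ')
'Denied setup classes:  ' + ((Get-PolicyList "$restrict\DenyDeviceClasses") -join ', ')
```

A device that still installs after these values show as recommended is usually one whose IDs or class are simply missing from the lists, which is exactly the multifunction-device case described above.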

3.5 Windows Defender

Windows Defender is an anti-spyware utility that automatically protects your computer from malicious content, such as spyware and rootkits, and automatically removes such content when it is identified. Defender is built into Vista and does not require an additional installation. As shown in Figure 8, you access it through the Vista Security Center (Control Panel => Security => Security Center). This center gives you access to Windows Update settings, the Windows Firewall, Defender, and Internet Options, all of which are related to the health of your PC.

Figure 8. Accessing Windows Defender through the Security Center

Defender is launched by clicking on its link in the left pane of the Security Center. As shown in Figure 9, Defender offers a very simple control panel. From here you can perform a quick or a full scan, look up your scanning history, and access Defender tools. Most often, you will not access Defender through this interface, but rather configure it through Group Policy.

Figure 9. Working with Windows Defender

Use the recommendations in Table 3 to configure Defender settings in your network. Rely on the procedure outlined earlier for Device Control to modify the Group Policy that is applied to all PCs. You can find Windows Defender settings by choosing Computer Configuration => Policies => Administrative Templates => Windows Components.


Table 3. Configuring Windows Defender GPO Settings

| Location | Setting | Recommendation |
|---|---|---|
| Windows Defender | Turn on definition updates through both WSUS and Windows Update | Disable only if you have a custom Windows Server Update Services server in your network. |
| Windows Defender | Check for new signatures before scheduled scans | Not configured |
| Windows Defender | Turn off Windows Defender | Not configured |
| Windows Defender | Turn off Real-Time Protection prompts for unknown detection | Not configured. Your users should be aware of untoward behavior on their systems. |
| Windows Defender | Enable logging known good detections | Enable only in troubleshooting situations. |
| Windows Defender | Enable logging unknown detection | Enable only in troubleshooting situations. |
| Windows Defender | Download entire signature set | Not configured |
| Windows Defender | Configure Microsoft SpyNet reporting | Configure only if you want to change your default participation in SpyNet. All organizations should participate in SpyNet, as it relies on massive amounts of information to provide top-level protection. |

Automatic Update Management

Windows Vista obtains Windows Defender updates from one of two sources: the Microsoft Update Web site or an internal Windows Server Update Services (WSUS) server. In the latter case the WSUS server connects to Microsoft Update on behalf of the individual computers on your network. Organizations with more than a few computers will want to install their own WSUS server or servers so that they can better control the application of updates for Windows Defender as well as those for Windows itself. Because both kinds of updates originate from the same source, they are managed in the same way.

When originally configuring PCs during installation, one of the post-installation tasks you need to perform is to configure Vista to obtain updates for more products than only Windows. This lets you obtain updates for hardware components as well as Microsoft Office tools. This way, you only need to use one single tool for update configuration and management.

NOTE

Applying updates addresses tasks VA-17: Security Patch Update Management and VA-22: Service Pack Deployment. Once again, updates are managed through Group Policy under Computer Configuration => Policies => Administrative Templates => Windows Components => Windows Update. Use the recommendations in Table 4 to configure your settings. Rely on the procedure outlined previously for USB Device Control to perform these modifications.

Table 4. Configuring Windows Update Settings through Group Policy

| Setting | Recommendation |
|---|---|
| Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box | Enabled. You want to control when updates are deployed. |
| Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box | Not configured |
| Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates | Enabled. This should be used in conjunction with the Power Management settings in the GPO to reduce the power costs of PCs in your network. |
| Configure Automatic Updates | Enabled. Ideally, configure to obtain updates from your server and install them on a regular schedule. |
| Specify intranet Microsoft update service location | Enabled and point to your WSUS server(s). |
| Automatic Updates detection frequency | Not configured. The default setting is appropriate. |
| Allow non-administrators to receive update notifications | Not configured. You should let administrators be the only ones to get these notices. |
| Allow Automatic Updates immediate installation | Enable only if you set a schedule in the Configure Automatic Updates item above. |
| Turn on recommended updates via Automatic Updates | Enable. |
| No auto-restart for scheduled Automatic Updates installations | Enable only if you intend to deliver updates during daytime hours. |
| Re-prompt for restart with scheduled installations | Enable only if you think you need emergency updates, because this will disrupt users' work. |
| Delay Restart for scheduled installations | Not configured. Your schedule should apply updates at night. |
| Reschedule Automatic Updates scheduled installations | Not configured. |
| Enable client-side targeting | Enable to create test beds for update testing. |
| Allow signed content from intranet Microsoft update service location | Enable and configure in highly secure networks. |
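
The Table 4 settings are only effective once they have reached every client, and a PC that silently falls back to Microsoft Update or installs during the working day is easy to miss. The following PowerShell script is an added example, not code from the original article: it reads the Windows Update policy values on a client and reports deviations from the recommendations above. It assumes Windows PowerShell on a managed PC; the registry paths are the standard Windows Update policy keys, and the 08:00 to 18:00 "daytime" window is an assumption you should adjust to your own working hours.

```powershell
# Added example, not from the original article: compare a client's Windows
# Update policy values with the Table 4 recommendations. Assumes Windows
# PowerShell on the managed PC; paths are the standard Windows Update policy
# keys. The 08:00-18:00 working-hours window is an assumption.

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

function Get-WuPolicy {
    $p  = Get-ItemProperty -Path $wu -ErrorAction SilentlyContinue
    $pa = Get-ItemProperty -Path $au -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        WsusServer    = $p.WUServer
        UseWsus       = $pa.UseWUServer
        AUOptions     = $pa.AUOptions                 # 4 = auto download and schedule the install
        InstallDay    = $pa.ScheduledInstallDay       # 0 = every day, 1 = Sunday ... 7 = Saturday
        InstallHour   = $pa.ScheduledInstallTime      # 0-23, local time
        NoAutoReboot  = $pa.NoAutoRebootWithLoggedOnUsers
        TargetGroup   = $p.TargetGroup                # client-side targeting (test beds)
        TargetGroupOn = $p.TargetGroupEnabled
    }
}

function Test-WuPolicy($pol) {
    # Returns the list of deviations from Table 4; an empty list means compliant.
    $issues = @()
    if ($pol.UseWsus -ne 1 -or -not $pol.WsusServer) { $issues += 'updates are not sourced from an intranet WSUS server' }
    if ($pol.AUOptions -ne 4) { $issues += 'Configure Automatic Updates is not set to a scheduled install' }
    $daytime = ($pol.InstallHour -ne $null) -and ($pol.InstallHour -ge 8) -and ($pol.InstallHour -lt 18)
    if ($daytime) { $issues += 'scheduled install hour falls in working hours; installs should run at night' }
    if ($pol.NoAutoReboot -eq 1 -and -not $daytime) {
        $issues += 'No auto-restart is enabled although installs run at night; restarts will stay pending'
    }
    return $issues
}

$policy = Get-WuPolicy
$policy | Format-List
$problems = Test-WuPolicy $policy
if ($problems.Count -eq 0) { 'Windows Update policy matches the Table 4 recommendations' }
else { $problems | ForEach-Object { 'Deviation: ' + $_ } }
```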

NOTE

Microsoft releases updates on the second Tuesday of each month. Be sure to test all patches and service packs fully before deploying them to your network.

Wireless and Wired Network Configurations

When connected to a Windows Server 2008 network, Vista allows you to configure the operation of a wired or wireless network through Group Policy. In fact, these policy settings let you configure exactly who or what can connect to your internal network through either wired or wireless connections. The settings in these policies are controlled through the Network Policy Server role, which is part of Windows Server 2008's Network Access Protection. Basically, you configure a network policy for both wired and wireless connections and then set the policy controls in the Group Policy settings of each PC to allow them to connect to the network. Any device that does not receive this Group Policy setting cannot connect to the network. This provides very tight control over rogue network devices, especially wireless devices, which are a lot easier to spoof.
