Table of Contents
Overview
Lesson 1: Planning New Software Deployment
Lesson 2: Multilingual Deployment
Lesson 3: Using Group Policy to Install Software
Lesson 4: Using Software Restriction Policies
Lesson 5: Digitally Signing Software
Lesson 6: Using WMI
Lesson 7: Using AppLocker
Lesson 8: Using Virtualization for Testing
Resolve Software Installation Issues
Review Module 1: Identify and Resolve New Software Installation Issues
Labs - Module 1: Identify and Resolve New Software Installation Issues
Overview
Multilingual Deployment
Using Group Policy to install software
A new deployment of operating systems and applications in a network is a very important task that affects the productivity of everyone in an organization. Proper planning can prevent unnecessary problems from coming up when configuring the new systems. In many cases, being proactive and aware of the issues that will come up can save a lot of time. Testing the deployment and having a test group work with the new applications beforehand can help with this. Planning for the worst and having a good rollback strategy with good backups to match can also lower the likelihood of problems becoming catastrophic. Some of the more important components that will affect deployment are computer hardware, network services, the Active Directory implementation, computer security settings and software installation methods. New features in Windows 7 like AppLocker and enhancements to older features like UAC and virtualization can be used to better secure the desktop. Taking advantage of Group Policy security and configuration options will provide better control of the applications and drivers that are approved for the desktop environment. Scripting and other tools can also be used to standardize the management and deployment of upgrades or new software. Multilanguage environments present unique challenges, but these can be easily handled by using the right deployment tools.
Application Compatibility
Running existing applications and software on a new operating system can present some problems. Getting a complete inventory of all approved applications can be challenging in some environments. Application compatibility with the new operating system must be carefully tested in the user environment. The use of User Account Control (UAC) must also be evaluated. Using tools like the Application Compatibility Toolkit and features like Group Policy filtering can simplify this process. Virtualization and other tools can be used to deploy applications that are not compatible with Windows 7.
Module 1: Identify and Resolve New Software Installation Issues Application Compatibility
When an application must be supported on different operating system versions like Windows XP and Windows 7, compatibility problems will sometimes come up. When application testing reveals such problems, they can be mitigated in a number of ways:
Upgrading: A newer edition of the application, or one with a service pack upgrade, might have been written that is compatible with Windows 7. The software vendor should be consulted if there are concerns that an application will not work.
Decommissioning: In some cases the application might no longer be needed, or its functionality might be taken over by another application that is approved and compatible with the operating system.
Application Compatibility Mode: Applications that were written for Vista, XP or even older versions of Windows might be able to work if the compatibility mode of the program is changed. In addition to changing the settings to match an older operating system, other compatibility options like color settings, resolution and visual themes can be modified to meet the needs of that program.
Assigning Administrator Privileges: Some programs will not work properly unless the user executes them with administrative privileges. This can also be assigned at the application level so the security of the computer system is not unnecessarily compromised.
Virtualization: Applications whose compatibility issues cannot be mitigated might have to be run in a virtual or terminal services environment. Virtualization allows an administrator to extend the life cycle of old applications as much as necessary without compromising present deployment plans for new operating system upgrades.
The UAC feature was first deployed with Windows Vista and it has been kept and enhanced in Windows 7. It allows an administrator to perform administrative and user functions with a single user account instead of using two of them. Enabling this feature makes the desktop more secure and reduces the likelihood of users installing applications unintentionally or otherwise. UAC now has configurable notification options which can be used to prevent unnecessary messages being presented to the end user. Optional messages include notifications of when changes are made to Windows settings or when software is being installed or updated on the system.
Application Compatibility Toolkit
The Application Compatibility Toolkit (ACT) is a free download from the Microsoft website that allows applications to be tested before a new deployment. It comes with a number of tools that can collect, analyze and test software so compatibility issues can be identified and mitigated. The ACT will work with Windows 7 and operating systems as old as Windows NT 4.0. The main tools in the toolkit are:
Application Compatibility Manager (ACM): This tool allows you to collect and analyze data about applications on a system before starting a new deployment. It can also be used to analyze a system before Service Pack or other upgrades.
Data Collection Package: This tool is created by the ACM and installed on client computers that need to be evaluated.
ACT Database: A SQL Server database that stores data collected by the ACM. Information in the database can be viewed through the reports accessed from the ACM.
ACT Log Processing Service: This service processes the log files uploaded from client computers and adds them to the ACT Database.
Deployment Options
Deployment Features
Deployment Pack Types
Windows Setup can be used to add language packs to an image or to a specific computer using unattended answer files. The language pack must be added to the image before international settings are configured. The Windows PE configuration pass can be used to do both operations. After any changes to the language pack using Windows Setup, the Lang.ini file should be updated to make sure all the languages on the image are listed and to verify the language that will be displayed during setup. Offline installation tools such as the Windows Automated Installation Kit (Windows AIK) and the OEM Preinstallation Kit (OPK) are very useful in automating new deployments of the Windows 7 operating system and other client applications. This is especially true when creating images that will be used by employees from different language groups. Some features of the operating system, such as the language-neutral binaries, make it easier to deploy multiple language packs. Windows 7 operating systems can use only a single language according to the licensing requirements. The only exceptions are Windows 7 Ultimate and Enterprise Editions.
Deployment Options
When deploying an operating system with multiple languages, there are two options:
A single language is chosen: Many environments that use different languages might still deploy desktops where only a single language is required. When multiple language packs are installed on a system, the user will choose their default language when the computer is first configured. Single language editions of Windows 7 will automatically delete additional language packs.
Multiple languages are chosen: If the system is running Windows 7 Ultimate or Enterprise editions, the end users are allowed to switch between any language pack installed on the computer. Any language pack installed can be removed later except for the default one chosen during the initial setup.
Deployment Features
Some new features that simplify and improve the deployment process include:
Reduced size of language packs: Many language packs can now be deployed in the same image with less concern as to the amount of space needed for them.
Deployment Image Servicing and Management (DISM): Offline management of packages is easier with this new tool that replaces the Package Manager, the International Configuration Tool and PEimg from Windows Vista. Using this tool, language packs can be removed from images without booting them and without the need for answer files.
Logging: The logging options are improved with better and more precise messages. Log files are saved in the %WINDIR%\Logs folder and are archived after they reach a certain size.
Deployment Pack Types
Full
LIP
Not all language packs have the same functionality and some can be much larger than others. The two main types of language packs are Full and LIP.
Full: These will always contain all the resources necessary to localize the user interface. The desktop must have the required licensing to use them. Some of the resources needed by the language pack might be localized in a different language.
LIP: These are partial language packs that do not contain all the resources needed to localize the user interface. All the necessary language resources will be localized in the LIP, however. They do not require licensing and multiple language packs can be installed on any version of Windows 7. They are normally created for small language markets that do not already have a Full language pack available for them.
Distribution Points
Other Group Policy Settings
Configuring new software installations using Group Policy settings simplifies the administration of application installs. The OU and domain structures can be used to control what programs are installed for certain groups of users or machines. The method of installation is also configurable, and controls can be implemented to verify the configuration of the machine before starting a new setup. Group Policy software installations also support the maintenance and removal of these applications. When applications must be customized for different groups of users, specially created .msi and .mst files can be used to control what features and options are configured. For example, Office 2007 can be installed on some computers with PowerPoint and without it on others. The same can be done for different language versions of the same software.
Assigning / Publishing Software
Maintaining Applications
Assigning Software
Publishing Software
Licensing of applications should be carefully tracked when using this deployment method. By assigning group policy objects to OUs instead of domains and by using GPO filtering, you can restrict which computers and users will use the applications and so limit licensing requirements. Group Policies can also be used to remove unused software. Some older applications might not support this method of deployment. Windows Installer MSI files are the preferred installation method although other options are available. There are two methods available for application installation using Group Policy settings:
Assigning Software: Assigned applications can be deployed using the User or Computer settings in Group Policy. If deployed to Users, the program is set up during the next logon process. Computer deployments install the application during machine startup and the application will be available for any user working on the system. This method of deployment is often used for applications that are used by most users on a large portion of the client computers.
Publishing Software: The option to publish a new application is only available on the User side in a Group Policy Object. The software is not installed during the logon process, but becomes available for install through the Add/Remove Programs window. This method of deployment is often used for applications that are not used regularly and on computers that have limited drive space.
Distribution Points
Using DFS
Permissions
Hiding Share Locations
When creating a distribution point for the software installation files, it should be easily accessible by the client computers. Creating multiple shares configured in a DFS tree is a recommended solution to ensure high availability of the install files. When packages are assigned or published to users, the software installation is done using the privileges of the system and not the user. However, the user accounts will require read permissions to the network share being used. In most cases, using hidden shares (adding a dollar sign to the end of the share name) is preferred to prevent end users from browsing for software distribution locations.
Other Group Policy Settings
WMI Filters
Security Filtering
Slow Link Detection
Other options are available through Group Policy to control the policy settings that apply to different machines. Some important ones to keep in mind are:
WMI Filters: Verify hardware and software settings on a machine before applying new software.
Security Filtering: Prevent the installation of software based on group membership.
Slow Link Detection: Software is not installed if the speed of the network connection is slower than a predefined limit. Often used to prevent installs over modem or VPN connections. 500 Kbps or less is the default setting if this option is enabled.
Rule Types
Enforcement Properties
Installing unsupported software on computers often creates problems on a desktop. It can cause compatibility issues with other approved software or make the operating system less stable or secure. Software Restriction Policies can be used in group policies to prevent the use of such applications and, to some extent, prevent them from being installed in the first place. Some specific areas where software policies can be used to protect and control the desktop are:
The use of ActiveX controls
Running applications and scripts with digital signatures
Preventing unapproved software from being installed
Preventing viruses
Blocking applications based on their path or hash settings
How Software Restriction Policies Are Applied
Group Policy settings are used to assign restriction policies to computers. They can be applied at any level in the Active Directory hierarchy (site, domain or OU). After policy settings are assigned to a group policy and applied in Active Directory, affected machines and users will have these policy settings applied when the user logs in or after the machine starts up, depending on how the policy is applied. The policy settings are then enforced by the operating system. There are two strategies for applying policy settings. A specific set of applications can be trusted for execution on the desktop to the exclusion of all others (white list), or all applications can be trusted for execution except for a specified list of denied programs (black list). Using a white list is the best option in terms of desktop security and control of the desktop, but can be difficult to implement when applications change or are upgraded regularly. The black list option allows greater freedom to the end user but is more difficult to control and protect from malicious software attacks.
Rule Types
Hash
Certificate
Path
Zone
Restrictions on software are implemented by creating rules that allow or prevent the use of a program. There are four different types of rules that can be used to identify and control software:
1. Hash: A cryptographic calculation of the file contents creates a unique ID for the executable file. This fingerprint is unique and does not change if the file is relocated or renamed, making it more difficult to circumvent these rules. If a file is digitally signed, the hash value of the signature is used for the calculation.
2. Certificate: The publisher certificate used to sign the file is used to identify it. The certificates can be self-generated or be issued from a Public or Private CA. Exceptions to certificate rules can be configured by using hash rules.
3. Path: A fully qualified path to a file or registry key can be used to create a path rule. UNC paths and folders can also be used. For greater flexibility, path rules allow the use of environment variables to point to files or folders. Extra care should be taken when using environment variables since they can be changed by users without administrative privileges. Wildcard characters can also be used.
4. Zone: Internet Explorer uses five security zones that represent different parts of your network. Zone rules can be used to control what files can be downloaded in any of them. The five zones are:
a. Internet
b. Intranet
c. Restricted Sites
d. Trusted Sites
e. My Computer
When multiple rules of the same type apply to an application, the most specific rule will be applied. So, if two path rules apply to an executed script but one only applies to the extension (*.vbs) and the other specifies the path and extension (c:\scripts\*.vbs), the more specific rule that uses a path and extension will be used.
When rules of different types apply to the same program, the order of precedence is as follows:
1. Hash Rule
2. Certificate Rule
Enforcement Properties
DLL Checking
Skip Administrators
Once policies are configured, there are two additional options that can be used to control how they are enforced. These options can also affect the performance of the system.
DLL Checking: In addition to checking the executable files, the DLLs that they depend upon can also be verified with the restriction policies. This feature is normally turned off. Enabling it can seriously affect the performance of applications because of the additional processing load involved.
Skip Administrators: If policy settings should be applied to all users, including administrator accounts, then this can be done. The option to exclude administrators might be necessary in environments where these accounts are used to install or configure applications that will not be controlled with policies.
Driver Signing
Application Signing
Verifying the source of software and drivers is one important way to prevent problems on computers. Requiring the use of digital signatures will allow the legitimacy of the software publisher to be verified. This method can be used to prevent the execution of malicious software, the unauthorized installation of software or upgrading components prematurely. Digital signing can be configured locally on the computer or through Group Policy settings.
Driver Signing
The operating system can be configured to prevent the installation of drivers that are not digitally signed by their developers. Preference can also be given to drivers signed by Windows Hardware Quality Labs (WHQL). Unsigned drivers or drivers not signed by approved publishers can be prevented from being installed on the computer or the user can be prompted with this information and given the choice to continue with the setup. A policy where unapproved drivers are consistently rejected makes for a more stable environment. Before a driver signing policy is implemented, the effect on existing approved applications should be considered. The need for updates to those applications must also be taken into account. Some Windows systems might require driver signing with no GUI options to disable this feature. The 64-bit versions of Windows Vista & 7 fall into this category. If there is a need to disable driver signing on such systems, the bcdedit.exe command can be used to do this. The consequences of disabling this feature should be considered carefully before implementing it. In some cases, deciding to use an alternative application or an upgrade might be a better solution.
Application Signing
Trusted Entities
If an approved application is digitally signed, the CA of the developer might have to be configured as a trusted entity to allow the use of security settings like certificate rules in software restriction policies. Most application developers are willing to sign their software and have it tested for approval by Microsoft, which makes the desktop more stable. If some applications are developed internally by a company, however, a specific policy might need to be developed to ensure that the desktop continues to remain safe. Creating rules as to the level of testing necessary before approval, signing and deployment of these applications will prove helpful. While self-signing applications is one available option, using an Enterprise CA in the domain has distinct advantages. Being able to centrally approve and deploy certificates will simplify the process and make it easier to configure desktops with trusted certificate publishers. A Stand-Alone CA that is not integrated into Active Directory can also be used but will not provide the ease of deployment that Enterprise Certificate Authorities do. If applications will be used outside the organization, getting a certificate from a trusted public CA will be a better solution, but the cost of this method must be factored in. There is no additional cost for creating a CA on a Windows Server. Whichever CA type is used, methods should be put in place to protect and back up the private key that is used to verify digital signatures.
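Before certificate rules or trusted publishers are configured, it helps to know which installers on the distribution point are signed and by whom. The following PowerShell sketch is an added example and is not part of the original courseware; the function name Get-SignatureInventory and the share path \\fileserver\deploy$ are hypothetical placeholders.

```powershell
# Added example (not from the original courseware): list the Authenticode
# status and signer of each installer on a software distribution share so
# that certificate rules and trusted publishers can be planned.
# The share path used at the bottom is a hypothetical placeholder.

function Get-SignatureInventory {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string[]]$Include = @('*.exe', '*.msi', '*.dll', '*.vbs', '*.ps1')
    )
    Get-ChildItem -Path $Path -Recurse -Include $Include -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate      # $null when the file is unsigned
            New-Object PSObject -Property @{
                File          = $_.FullName
                Status        = $sig.Status
                StatusMessage = $sig.StatusMessage
                Signer        = $(if ($cert) { $cert.Subject })
                Issuer        = $(if ($cert) { $cert.Issuer })
                Thumbprint    = $(if ($cert) { $cert.Thumbprint })
                Expires       = $(if ($cert) { $cert.NotAfter })
            }
        }
}

$inventory = @(Get-SignatureInventory -Path '\\fileserver\deploy$')

# Files that a certificate rule cannot cover as they stand. Unsigned files
# appear as NotSigned; for signed files, StatusMessage explains whether the
# signer's CA is not trusted on this machine or the file changed after signing.
$inventory |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, File |
    Format-Table Status, File, StatusMessage -AutoSize -Wrap

# Publishers whose certificates would need to be trusted, most common first.
$inventory |
    Where-Object { $_.Status -eq 'Valid' } |
    Group-Object Signer |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize -Wrap

# Signing certificates that expire within 90 days (threshold is an assumption).
$inventory |
    Where-Object { $_.Expires -and $_.Expires -lt (Get-Date).AddDays(90) } |
    Sort-Object Expires |
    Format-Table Expires, Signer, File -AutoSize -Wrap
```

Run it from a machine that has the same trusted root and publisher certificates as the target desktops, because the reported status depends on the local certificate stores.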
WMI Tasks
Windows Management Instrumentation (WMI) is one important way to manage Windows operating systems. Administrators can use it as a standard way to query, monitor or change configuration settings on any Windows XP or later system. This is based on the WMI Scripting Library, which provides a set of standard objects that can be used to access information about the operating system infrastructure. Scripting languages such as VBScript, JScript and PowerShell are supported. Group Policy Objects can also be used with WMI to manage domain servers and desktops. In addition to managing hardware resources, WMI can be used to get information about or change software applications, user accounts and services running on the system. Each manageable component is referred to as a managed resource. Because of the uniform way in which Windows operating systems are managed with WMI, changes in desktop and server management tools will not change the way computers are managed. The way a DNS Server is managed on Windows Server 2003 is the same way it will be managed on Windows Server 2008.
WMI Tasks
Monitoring Desktops
Configure Services
Manage Applications
The resources that can be managed through the WMI Library are extensive. Some examples of tasks that can be done are:
Controlling GPO assignment: Even after a group policy object is assigned to an OU, an administrator can further limit the machines that it is assigned to. You could, for example, prevent the installation of a software program unless there was a minimum amount of drive resources available.
Monitoring Desktops: WMI scripts can retrieve information from event log files and monitor registry changes. Changes to the file system, printers or other components can also be tracked.
Configure Services: Network services like DNS can be queried and changed when needed. Desktop service configuration settings, like DHCP, can also be managed.
Manage Applications: Microsoft applications like Operations Manager, Exchange Server or SQL Server can be configured with WMI scripts.
Scriptomatic
Using the Group Policy Management Console, WMI scripts can be created and linked to select Group Policy objects. The WMI scripts are referred to as filters and are made up of queries written in the WMI Query Language (WQL). There is a separate folder from which WMI Filters can be created and updated. Once a filter is linked to a GPO, any changes the GPO specifies will only be applied if the computer system meets the requirements specified in the filter (e.g. minimum memory or drive space availability). A filter can be applied to many GPOs, but each GPO can only have a single filter applied to it. If multiple filters are needed, then the configuration settings must be separately managed from different GPOs. Besides hardware information, WMI filters are often used to verify the operating system version, running services or network connectivity. Depending on the number of queries in a filter, the time taken to start up or log on to a system can be significantly increased. Filters should therefore be kept to a minimum and be as simple as possible to prevent performance problems.
Learning the WMI scripting language and syntax can be time consuming, especially if you only need to perform a simple task or query. Scriptomatic is a free utility that can be used to create these scripts. The information it gives about WMI classes and properties can give administrators new ideas about how to take advantage of the WMI infrastructure.
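Candidate WQL queries can be checked and timed on a test machine before they are placed in a filter and linked to a GPO. The following PowerShell sketch is an added example and is not part of the original courseware; the function name Test-WmiFilterQuery, the three queries and their thresholds are assumptions chosen to match the checks mentioned above (operating system version, drive space, memory).

```powershell
# Added example (not from the original courseware).
# Group Policy treats a WMI filter as passed only when every query in it
# returns at least one instance. This evaluates candidate queries the same
# way and times each one, since the cost is paid at every startup or logon.

function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory = $true)][string]$Query,
        [string]$Namespace = 'root\CIMv2',
        [string]$ComputerName = '.'
    )
    $timer = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $instances = @(Get-WmiObject -Namespace $Namespace -Query $Query `
                -ComputerName $ComputerName -ErrorAction Stop)
        if ($instances.Count -gt 0) { $status = 'Pass' } else { $status = 'Fail' }
        $detail = "$($instances.Count) instance(s) returned"
    }
    catch {
        # Invalid WQL or an unreachable namespace: the query cannot match,
        # so a GPO using it would not be applied.
        $status = 'Error'
        $detail = $_.Exception.Message
    }
    $timer.Stop()
    New-Object PSObject -Property @{
        Status       = $status
        Milliseconds = $timer.ElapsedMilliseconds
        Detail       = $detail
        Query        = $Query
    }
}

# Illustrative queries; the thresholds are assumptions, not recommendations.
$filterQueries = @(
    # Windows 7 client: version 6.1 and ProductType 1 (workstation),
    # which keeps Windows Server 2008 R2 (also 6.1) out of scope.
    'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = "1"',
    # At least 10 GB free on drive C:
    'SELECT * FROM Win32_LogicalDisk WHERE DeviceID = "C:" AND FreeSpace > 10737418240',
    # At least 2 GB of physical memory
    'SELECT * FROM Win32_ComputerSystem WHERE TotalPhysicalMemory >= 2147483648'
)

$results = @($filterQueries | ForEach-Object { Test-WmiFilterQuery -Query $_ })
$results | Format-Table Status, Milliseconds, Detail, Query -AutoSize -Wrap

# The filter as a whole passes only if no query failed or errored.
$notPassed = @($results | Where-Object { $_.Status -ne 'Pass' })
$totalMs   = ($results | Measure-Object -Property Milliseconds -Sum).Sum
if ($notPassed.Count -eq 0) {
    Write-Output "Filter would PASS on this machine (total query time: $totalMs ms)"
} else {
    Write-Output "Filter would FAIL on this machine: $($notPassed.Count) query(ies) did not pass"
}
```

Pass -ComputerName to run the same queries against a remote test desktop; an Error row usually means a WQL syntax problem that is worth catching before the filter is linked.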
System Requirements
One of the new features in Windows 7 that makes managing approved software applications easier is AppLocker. Using different security options, a technician is able to prevent the use of applications on a computer through a number of different layers of restrictions. Administrators that previously used Software Restriction Policies to provide this functionality might decide to supplement or replace it with this new feature if all clients will be migrating to Windows 7. Like software restriction policies, AppLocker rules can be configured on the local machine or through Group Policy settings in Active Directory. AppLocker will also allow the automatic configuration of rules based on applications already installed on the system. The audit mode in AppLocker allows the testing of new rules to make sure that legitimate applications are not prevented from running. Group Policies will still allow software restriction policies to be applied to Windows 7 systems. Software restriction policies and AppLocker rules cannot both be applied to the same system. AppLocker rules will prevail in such a situation.
System Requirements
Windows 7 Support
GPMC
Remote Server Administration Tools
AppLocker rules will not work on earlier versions of Windows. Windows 7 Professional can be used to create the policies, but they can only be applied to Windows 7 Ultimate or Enterprise Editions. Windows Server 2008 R2 can also use these rules. The Group Policy Management Console (GPMC) or the Remote Server Administration Tools (RSAT) can be used to create rules for group policy deployment.
AppLocker vs. Software Restriction Policies
Creating Rules
One of the easiest ways to deploy new AppLocker rules is to automatically generate them from a reference machine. The Automatically Generate Rules wizard will create only allow rules (white list). If default rules are not generated first when creating a rule collection, then legitimate applications could be prevented from running. Take advantage of audit mode to prevent this from happening. If rules are generated that prevent the system from running properly, restart the system in Safe Mode to temporarily disable these rules and fix them. The recommended procedure for creating new rules with the wizard is to do the following:
1. Install and update all the applications that will be used on the computer
2. Create Default Executable Rules
3. Automatically Generate Executable Rules
4. Delete unnecessary rules
5. Use the Audit only enforcement mode to verify that all applications will run successfully
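The same generate-then-verify cycle can be scripted with the AppLocker PowerShell cmdlets that ship with Windows 7 and Windows Server 2008 R2. The following is an added example, not part of the original courseware, and it uses the cmdlets instead of the wizard; the scanned folder, output file name and sample files are assumptions. It scans only Program Files on purpose, so the test step shows what happens to Windows binaries when no default rules cover them.

```powershell
# Added example (not from the original courseware). The scanned directory,
# output file name and sample files are assumptions for illustration.
Import-Module AppLocker

$policyFile = Join-Path $env:TEMP 'candidate-applocker.xml'

# Step 1: build allow rules from the executables installed on the reference
# machine. Publisher rules are created for signed files; unsigned files
# fall back to hash rules.
Get-AppLockerFileInformation -Directory $env:ProgramFiles -Recurse -FileType Exe `
        -ErrorAction SilentlyContinue |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
        -RuleNamePrefix 'Reference' -Optimize -IgnoreMissingFileInformation -Xml |
    Out-File -FilePath $policyFile

# Step 2: test the candidate policy against files users must be able to run,
# without applying it. Anything no rule covers reports DeniedByDefault, which
# is the lockout the default rules are meant to prevent.
$samples = @(
    (Join-Path $env:SystemRoot 'System32\notepad.exe'),
    (Join-Path $env:SystemRoot 'System32\cmd.exe'),
    (Join-Path $env:SystemRoot 'explorer.exe')
)
$decisions = @(Test-AppLockerPolicy -XmlPolicy $policyFile -Path $samples -User Everyone)
$decisions | Format-Table PolicyDecision, MatchingRule, FilePath -AutoSize -Wrap

$uncovered = @($decisions | Where-Object { $_.PolicyDecision -ne 'Allowed' })
if ($uncovered.Count -gt 0) {
    Write-Output "$($uncovered.Count) sample file(s) would be blocked; add default rules or widen the scan before enforcing."
}

# Step 3: after the policy has run in Audit only mode for a while, list what
# would have been blocked. Event ID 8003 in this log means the file was
# allowed to run but would have been prevented under enforcement.
$auditEvents = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id      = 8003
    } -ErrorAction SilentlyContinue)

if ($auditEvents.Count -eq 0) {
    Write-Output 'No audit warnings recorded (or the policy is not yet in Audit only mode).'
} else {
    $auditEvents |
        Group-Object Message |
        Sort-Object Count -Descending |
        Select-Object Count, Name |
        Format-Table -AutoSize -Wrap
}
```

Step 3 reads the local event log, so run it on a desktop where the Audit only policy has been in effect while users worked normally.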
Limitations of Virtualization
New Features
One of the most convenient ways to test new software and features is by using virtualization. Using VHD images allows a technician to apply and test changes to the operating system configuration quickly and efficiently. While some changes can only be quality tested properly on a physical machine, the ability to apply and remove changes to an image quickly can be very helpful.
Creating a Testing Environment
VHD Images
Network Images
Running standard VHD images in Virtual PC, Virtual Server or Hyper-V creates a testing environment where software updates, hotfixes and new applications can be installed or reconfigured to make sure that they will not cause problems on standard desktops. A single machine running multiple images can be used to test not only the effect of changes on a single system, but how those changes might affect network and connectivity settings.
Limitations of Virtualization
Testing Drivers
Testing Hardware
Testing Performance
The limitations of the virtualization environment must be factored in when evaluating the results of new tests. The effects of driver and hardware changes are best tested on non-virtualized installations. The actual performance change on user systems needs to be checked in many cases since this is an important factor in whether or not a change will be practical.
New Features
New virtualization options in Windows 7 can also be leveraged in a testing environment. VHD files can be easily connected to and treated as a hard drive, and the operating system can be booted directly from these images. Either diskpart.exe or the Disk Management tool can now be used to create VHD files. These options can be used to improve the portability of test machines and might also be used on user machines to copy existing operating systems to new computers.
Like any other troubleshooting task, isolating the problem area is critical when trying to find the solution to a software installation problem. The problem can lie with the distribution point, the desktop hardware or software configuration, or the network. Here are some situations that might arise and possible solutions to them.
The user does not have permissions to do the install. Verify the permissions of the user or the application doing the install. Group Policy installs do not require administrative rights on the part of the user. If the application does further configuration after the user logs on, however, elevated privileges might be necessary. Check the effect of UAC on the install process.
The software is not compatible with Windows 7. Try changing the compatibility mode of the application. Test the different settings available, such as running with higher privileges or modifying screen resolution. Using Virtual PC to run the application in a previous operating system or taking advantage of Terminal Services to run the software might be another solution.
Group Policy is not installing the software or not installing it in the expected manner. Group Policy software installs can be either assigned or published. Published software will not be automatically installed but advertised through Add/Remove Programs. Verify that the GPO applies to the user and is not being blocked or overridden by other policies or WMI settings. The GPMC or gpresult.exe can be used to confirm applied policy settings. The software distribution point should also be checked for availability and appropriate permission settings.
Software Restriction Policies are not being applied. Verify that the policy settings are being applied as expected. Policies are always applied at the local machine level first, then the site level, then the domain and lastly the OU levels. The last policy to be applied normally prevails unless it is overridden or blocked. Software Restriction Policies cannot be combined with AppLocker settings. The AppLocker configuration will prevail and the Software Restriction Policies will be ignored.
New drivers cannot be installed on the computer. If the drivers are not signed by a trusted publisher, they might be blocked because of the driver signing configuration. Try to use signed drivers whenever they are available. Local driver signing configurations might be overridden by settings in Active Directory Group Policies. Verify the permissions of the user installing the drivers.
Windows 7 will not install more than one language pack. Multiple full language packs can only be installed on systems running the Ultimate or Enterprise editions of Windows.
WMI filtering is not working on some desktops. Verify the Group Policy hierarchy and make sure the filters are linked to the right GPOs. WMI filtering will only work on Windows XP or later systems.
Software installations done over the network are taking too long. Use DFS trees to make the distribution points available instead of network shares. DFS is automatically site aware and will connect desktops to the closest available share. DFS can also be used to automatically update distribution points when changes are made.
AppLocker rules have made a desktop computer unusable. Boot the system in safe mode and delete the rules that are causing the problem. Take advantage of the Audit Only enforcement mode to prevent the problem from occurring again.
Software installations are taking a very long time for VPN users. Enable the Slow Network Detection option in Group Policy to prevent software installations over these connections. Set an appropriate bandwidth level if the default is considered too low.
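The Audit Only advice above can be acted on from PowerShell before any rule is switched to enforcement. The following is an added example, not part of the original courseware; it assumes an elevated prompt on a Windows 7 machine with the AppLocker module, and the seven-day window is an arbitrary choice.

```powershell
# Added example: report AppLocker enforcement modes and recent audit/block events.
Import-Module AppLocker

# 1. Enforcement mode of each rule collection in the effective policy.
#    A collection left at NotConfigured is still enforced if it contains rules.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$policy.AppLockerPolicy.RuleCollection | Where-Object { $_ } | ForEach-Object {
    New-Object PSObject -Property @{
        Collection  = $_.Type
        Enforcement = $_.EnforcementMode
        RuleCount   = @($_.ChildNodes).Count
    }
} | Format-Table Collection, Enforcement, RuleCount -AutoSize

# 2. Executable and DLL events from the last 7 days.
#    8003 = allowed, but would have been blocked if rules were enforced (Audit Only)
#    8004 = blocked (Enforce rules)
$filter = @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8003, 8004
    StartTime = (Get-Date).AddDays(-7)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if ($events) {
    # One row per distinct file and event type, most frequent first.
    $events | Group-Object Id, Message |
        Sort-Object Count -Descending |
        Select-Object Count, Name |
        Format-Table -AutoSize -Wrap
} else {
    'No AppLocker audit or block events in the last 7 days.'
}
```

Any 8003 entry for a file that users need is a rule to correct while the collection is still in Audit Only mode.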
REVIEW
Examine the review questions as a class
1.
2. In what order are machine and Active Directory policy settings applied?
3. When would using the Slow Network Detection option in Group Policy be advantageous?
4. How many Group Policy Objects can a single WMI filter be applied to?
5. What is the order of precedence for Software Restriction Policy rule types?
6.
7. When multiple software restriction path rules apply to the same application, which one will be used?
8.
When Group Policy is used to install applications, what method will automatically do the setup before the user logs on?
10. True or False. Multiple WMI Filters can be applied to a single GPO.
11. What security option is available with Software Restriction Policies that cannot be used with AppLocker?
12. What security option is available with AppLocker that cannot be used with Software Restriction Policies?
Overview: Install and configure Windows 7. Install and configure applications and application access. Unless stated otherwise, use the Windows 7 image for this lab and log in as Admin1 with a password of Pa$$w0rd. All ISO images must be 64-bit and will be on the local C: drive in the Labfiles folder.
On the Help protect your computer and improve Windows automatically screen, click Ask me later.
Choose appropriate time and date settings and click Next.
On the Select your computer's current location window, choose Work network.
Click Start and in the Search programs and files window, type command.
In the Start Menu, right click the Command Prompt program and choose Run as Administrator.
Execute the following commands to create a user account, a group and add the user to the group:
    net user /add User1 Pa$$w0rd
    net localgroup /add Local_Users
    net localgroup /add Local_Users User1
Click Start. Right click Computer and choose Manage to open the Computer Management console.
From Disk Management, change the drive letter of the first CD/DVD drive to G:.
Use the Disk Manager to create two primary partitions of 24 gigabytes each. The first will be the D: drive and the second will be the E: drive.
Close the Computer Management console.
Use Windows Explorer to create a TEMP folder on the root of the D: and the E: drives.
31. In the AppLocker Properties window, click the Enforcement tab and enable all three rule categories by checking off the Configured check boxes. Make sure that the Enforce rules option is chosen for all three.
32. In the Advanced tab, read, but DO NOT configure, the option to enable DLL rules.
33. Click OK.
34. Log in as User1.
35. Use the Command Prompt to verify that the telnet command cannot be executed.
36. Log out as User1 and log in as Admin1.
37. Use the Command Prompt to verify that the telnet command still cannot be executed (the deny rule for Everyone will also apply to members of the Administrators group).
38. Use the Local Security Policy window to modify the Telnet (Everyone) rule. Change its name to Telnet(Local_Users) and change the group it applies to, to Local_Users.
39. Try to execute the telnet command again. It should now be successful for Admin1 but unsuccessful for User1. If the rule is not working, restart the computer and verify that the Application Identity service is running.
40. Open the Local Security Policy window and navigate to Application Control Policies > AppLocker > Executable Rules.
41. Right click on Executable Rules and click Create New Rule. Click Next.
42. On the Permissions window, choose Deny for the Action and Everyone for the group. Click Next.
43. On the Conditions window, click Path. Click Next.
44. On the Path window, choose the C:\PROGRAM FILES\MICROSOFT GAMES\ folder. Click Next.
45. On the Exceptions page under Add exception:, choose File hash.
46. Click Add and choose the C:\PROGRAM FILES\MICROSOFT GAMES\SOLITAIRE\SOLITAIRE.EXE file. Click Next.
47. On the Name and Description page, name the rule Microsoft Games. In the Description, type Block all games except Solitaire. Click Create.
48. Try executing three or more games to verify that Solitaire is the only one that will run.
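The checks in steps 35 to 39 and step 48 can also be simulated without logging in as each account. This is an added example, not part of the original lab; it assumes an elevated PowerShell prompt on the lab machine and that telnet.exe is in the System32 folder, which the lab text does not state.

```powershell
# Added example: evaluate the lab's AppLocker rules for User1 and Admin1.
Import-Module AppLocker

# Rules are only enforced while the Application Identity service is running.
$svc = Get-Service -Name AppIDSvc
'Application Identity service: {0}' -f $svc.Status

# Effective policy = local policy merged with any Group Policy settings.
$policy = Get-AppLockerPolicy -Effective

# Files the lab's rules are meant to affect.
# Assumption: telnet.exe lives in System32 (Telnet Client feature installed).
$targets = @("$env:SystemRoot\System32\telnet.exe")
$targets += Get-ChildItem "$env:ProgramFiles\Microsoft Games" -Recurse -Filter *.exe |
    ForEach-Object { $_.FullName }
$targets = @($targets | Where-Object { Test-Path $_ })

# Ask AppLocker what it would decide for each file, per account.
$results = foreach ($name in 'User1', 'Admin1') {
    $account = "$env:COMPUTERNAME\$name"
    Test-AppLockerPolicy -PolicyObject $policy -Path $targets -User $account |
        Select-Object @{ n = 'User'; e = { $name } },
                      PolicyDecision, MatchingRule, FilePath
}

$results | Sort-Object FilePath, User |
    Format-Table User, PolicyDecision, MatchingRule, FilePath -AutoSize
```

A PolicyDecision of Denied names the deny rule that matched in MatchingRule, while DeniedByDefault means no allow rule covered the file at all.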