#5: Control UAC with More Control
User Account Control (UAC) is a security mechanism that prompts users for credentials when they try to launch parts of the operating system reserved for administrators. The default behavior is to prompt users for administrator credentials. In practice, users typically aren’t given these administrator credentials. So why bother giving them the ability to enter credentials at all? My suggestion is to tweak the UAC setting located at Computer Configuration | Security Settings | Security Options | User Account Control: Behavior of the elevation prompt for standard users. Set it to “Automatically deny elevation requests.” Then, when users try to touch admin-only parts of the operating system, they get an immediate Access Denied instead of being prompted. That’s one less thing for users to see and get frustrated with (since they shouldn’t be there in the first place).
#4: Advanced Audit Policy Configuration
Windows Vista introduced some extra auditing capabilities. However, to enable them, there was no “Group Policy way” to do it. You used a tool called “Auditpol.exe.” That command-line tool, while still available in Windows 7, isn’t my preferred way to turn on these enhanced auditing features. Head down to Computer Configuration | Policies | Windows Settings | Security Settings | Advanced Audit Policy Configuration and see what’s new for auditing.
With Windows 7 as target machines, you can now use Group Policy to set up precisely which machines get what advanced auditing.
Extra Tip: Click on the node named “Audit Policies” itself to get links to some “how-to” steps for this special section. Additionally, to see what can be audited and the results of auditing, check out this Microsoft article.
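To confirm that the Advanced Audit Policy settings delivered by Group Policy actually took effect on a target machine, the effective settings can be read back with Auditpol.exe and compared with what you intended. The PowerShell below is an added example, not from the original article; the function name Get-AuditDrift, the baseline values and the sample report are constructed for illustration, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the article). Assumes PowerShell 3.0 or later.
# Hypothetical baseline: the subcategories and settings you intended to deliver by GPO.
$Baseline = @{
    'Logon'                     = 'Success and Failure'
    'Process Creation'          = 'Success'
    'Security Group Management' = 'Success'
}

# Constructed sample in the CSV layout printed by: auditpol /get /category:* /r
# (machine name and GUIDs are placeholders), so the script also runs offline.
$SampleReport = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
WS01,System,Logon,{00000000-0000-0000-0000-000000000001},Success,
WS01,System,Process Creation,{00000000-0000-0000-0000-000000000002},No Auditing,
WS01,System,Security Group Management,{00000000-0000-0000-0000-000000000003},Success,
'@

function Get-AuditDrift {
    param(
        [Parameter(Mandatory = $true)] [AllowEmptyString()] [string[]] $ReportLines,
        [Parameter(Mandatory = $true)] [hashtable] $Baseline
    )
    # Index effective settings by subcategory; drop blank lines in the report.
    $effective = @{}
    $ReportLines | Where-Object { $_.Trim() } | ConvertFrom-Csv | ForEach-Object {
        $effective[$_.Subcategory.Trim()] = $_.'Inclusion Setting'
    }
    # One result row per baseline entry, including entries missing from the report.
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $actual = if ($effective.ContainsKey($name)) { $effective[$name] } else { 'Not reported' }
        [pscustomobject]@{
            Subcategory = $name
            Expected    = $Baseline[$name]
            Actual      = $actual
            Compliant   = ($actual -eq $Baseline[$name])
        }
    }
}

# Offline run against the sample. On a real machine, from an elevated prompt:
#   Get-AuditDrift -ReportLines (auditpol /get /category:* /r) -Baseline $Baseline
Get-AuditDrift -ReportLines ($SampleReport -split '\r?\n') -Baseline $Baseline |
    Format-Table -AutoSize
```

Rows where Compliant is False are the subcategories whose effective setting differs from the baseline.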
#3: AppLocker
AppLocker’s job is to ensure that you’re running only the software you do want to run, and not running software you don’t want to run. AppLocker is valid for Windows 7 and Windows Server 2008 R2 target systems. My buddy Greg Shields has a great article on AppLocker in the October 2009 TechNet magazine.
Then, start getting more secure. Find out if AppLocker is right for you. Check it out at Computer Configuration | Policies | Windows Settings | Security Settings | Application Control Policies | AppLocker.
#2: Hardware Restriction
What’s that? You don’t yet know how to prevent USB memory devices from getting on your network? Start out your journey by watching this video from one of my training classes, then head down to Computer Configuration | Policies | Administrative Templates | System | Device Installation | Device Installation Restrictions and give it a shot yourself!
#1: Windows Firewall with Advanced Security
Windows Server 2008 and Windows Server 2008 R2 ship with the firewall turned on. That’s a good idea, but sometimes it can be a bear to know which ports to open based on what the server is actually doing for you. With the Windows Firewall with Advanced Security section of the Group Policy editor, you’re in charge. It’s located at Computer Configuration | Policies | Windows Settings | Windows Firewall with Advanced Security.