Version 3.0
Published: November 2007 | Updated: February 2008
For the latest information, please see
microsoft.com/solutionaccelerators
Copyright © 2008 Microsoft Corporation. All rights reserved. Complying with the applicable copyright laws is
your responsibility. By using or providing feedback on this documentation, you agree to the license agreement
below.
If you are using this documentation solely for non-commercial purposes internally within YOUR company or
organization, then this documentation is licensed to you under the Creative Commons Attribution-NonCommercial
License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or
send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
This documentation is provided to you for informational purposes only, and is provided to you entirely "AS IS".
Your use of the documentation cannot be understood as substituting for customized service and information
that might be developed by Microsoft Corporation for a particular user based upon that user’s particular
environment. To the extent permitted by law, MICROSOFT MAKES NO WARRANTY OF ANY KIND, DISCLAIMS
ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY
DAMAGES OF ANY TYPE IN CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM.
Microsoft may have patents, patent applications, trademarks, or other intellectual property rights covering
subject matter within this documentation. Except as provided in a separate agreement from Microsoft, your
use of this document does not give you any license to these patents, trademarks or other intellectual property.
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places and events depicted herein are fictitious.
Microsoft, Access, Active Directory, ActiveX, Excel, InfoPath, Internet Explorer, Outlook, PowerPoint, Visual
Basic, Windows, Windows Server, Windows Vista, and Windows XP are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective
owners.
You have no obligation to give Microsoft any suggestions, comments or other feedback ("Feedback") relating to
the documentation. However, if you do provide any Feedback to Microsoft then you provide to Microsoft,
without charge, the right to use, share and commercialize your Feedback in any way and for any purpose. You
also give to third parties, without charge, any patent rights needed for their products, technologies and
services to use or interface with any specific parts of a Microsoft software or service that includes the Feedback.
You will not give Feedback that is subject to a license that requires Microsoft to license its software or
documentation to third parties because we include your Feedback in them.
Contents
Overview ........................................................................................................ 1
What the GPOAccelerator Does ...................................................................... 1
Who Should Read This Guide ......................................................................... 1
How to Use the GPOAccelerator in Your Environment ........................................ 2
Prescribed Security Baseline Environments ................................................ 2
Using the /LAB Option to Evaluate the Security Guide Settings ..................... 3
Chapter Descriptions..................................................................................... 3
Acknowledgments ........................................................................................ 4
Chapter 1: GPOAccelerator Command-Line Options and User Interface .......... 7
The Group Policy Management Console ........................................................... 7
Two Different Security Environments .............................................................. 7
Options for the GPOAccelerator ...................................................................... 8
Common GPOAccelerator Commands .............................................................. 9
GPOAccelerator User Interface ......................................................................12
Chapter 2: Using the GPOAccelerator with Windows Server 2008................. 15
Implementing the Security Policies ................................................................15
Implementation Tasks ............................................................................15
The GPOAccelerator Tool ........................................................................16
Security Templates ................................................................................24
Subdirectories and Files ..........................................................................25
More Information ........................................................................................26
Chapter 3: Using the GPOAccelerator with Windows Vista ............................ 27
Implementing the Security Policies ................................................................27
Implementation Tasks ............................................................................27
The GPOAccelerator Tool ........................................................................28
Security Templates ................................................................................35
Subdirectories and Files ..........................................................................37
More Information ........................................................................................37
Chapter 4: Using the GPOAccelerator with Windows XP ............................... 39
Implementing the Security Policies ................................................................39
Implementation Tasks ............................................................................39
The GPOAccelerator Tool ........................................................................40
ii How To Use the GPOAccelerator
If you decide to test and deploy the SSLF configuration settings to servers in your
environment, the IT resources in your organization may experience an increase in help
desk calls related to the limited functionality that the settings impose. Although the
configuration for this environment provides a higher level of security for data and the
network, it also prevents some services from running that your organization may require.
Examples of this include Remote Desktop, which allows users to connect interactively to
desktops and applications on remote computers.
Chapter Descriptions
In addition to this Overview, the How to Use the GPOAccelerator guidance consists of
the following five chapters:
Chapter 1: GPOAccelerator Command-Line Options and User Interface.
This chapter describes how to use the tool to create and deploy GPOs in your
organization, the tool's functional capabilities, and the wizard for the tool.
Chapter 2: Using the GPOAccelerator with Windows Server 2008.
This chapter provides step-by-step guidance about how to use the tool to create and
deploy GPOs for Windows Server 2008. It describes how to use the /LAB option, test
a customized Windows Server 2008 GPO design in a lab environment, and deploy a
customized Windows Server 2008 GPO design in a production environment.
Chapter 3: Using the GPOAccelerator with Windows Vista.
This chapter provides step-by-step guidance about how to use the tool to create and
deploy GPOs for Windows Vista. It describes how to use the /LAB option, test a
customized Windows Vista GPO design in a lab environment, and deploy a
customized Windows Vista GPO design in a production environment.
Acknowledgments
The SA-SC team would like to acknowledge and thank the group of people who produced
How to Use the GPOAccelerator. The following individuals were either directly
responsible or made a substantial contribution to the writing, development, and testing of
this guide.
Content Developers
Bill Gruber – Microsoft
Bill Wade – Wadeware LLC
Edgar Brovick – Wadeware LLC
Ethan Casey – Wadeware LLC
Paul Slater – Wadeware LLC
Developers
José Maldonado – Microsoft
Ross Carter – Microsoft
Naresh Krishna Kumar Kulothungan – Infosys Technologies Ltd.
Editors
Jennifer Kerns – Wadeware LLC
John Cobb – Wadeware LLC
Steve Wacker – Wadeware LLC
Reviewers
Derick Campbell – Microsoft
Chase Carpenter – Microsoft
Product Managers
Alain Meeus – Microsoft
Jim Stuart – Microsoft
Program Managers
Flicka Enloe – Microsoft
Kelly Hengesteg – Microsoft
Vlad Pigin – Microsoft
Release Manager
Karina Larson – Microsoft
Test Manager
Gaurav Singh Bora – Microsoft
Testers
Beenu Venugopal – Infosys Technologies Ltd.
Bhakti Bhalerao – Infosys Technologies Ltd.
Harish Ananthapadmaanabhan – Infosys Technologies Ltd.
IndiraDevi Chandran – Infosys Technologies Ltd.
RaxitKumar Gajjar – Infosys Technologies Ltd.
Sumit Parikh – Infosys Technologies Ltd.
Swaminathan Viswanathan – Infosys Technologies Ltd.
Chapter 1: GPOAccelerator Command-Line Options and User Interface
This chapter documents the GPOAccelerator commands and options that you will use to
deploy Group Policy objects (GPOs) in an environment that uses Active Directory®
Domain Services (AD DS). After you deploy the GPOs, you will use the Group Policy
Management Console (GPMC) to manage them.
More information about these two types of environments is provided in the respective
security guides for Windows® XP, Windows Vista®, Windows Server® 2008, and the
2007 Microsoft Office release.
Command: GPOAccelerator.wsf /SSLF /XP /Desktop
Results: Applies the desktop SSLF security settings to the local Windows XP–based computer.

Command: GPOAccelerator.wsf /SSLF /XP /Laptop
Results: Applies the laptop SSLF security settings to a local Windows XP–based computer.
Table 1.3. Common Commands When Deploying Windows Vista Security Guide GPOs

Command: GPOAccelerator.wsf /Enterprise /Vista
Results: Creates the EC GPOs described in the Windows Vista Security Guide. You must then link the GPOs to the appropriate OUs to make this Group Policy configuration effective.

Command: GPOAccelerator.wsf /SSLF /Vista
Results: Creates the SSLF GPOs described in the Windows Vista Security Guide. You must then link the GPOs to the appropriate OUs to make this Group Policy configuration effective.

Command: GPOAccelerator.wsf /Enterprise /LAB /Vista
Results: Creates and links the EC GPOs and OUs according to the sample OU structure prescribed in the Windows Vista Security Guide.

Command: GPOAccelerator.wsf /SSLF /Vista /Desktop
Results: Applies the desktop SSLF security settings to a local Windows Vista–based computer.

Command: GPOAccelerator.wsf /SSLF /Vista /Laptop
Results: Applies the laptop SSLF security settings to a local Windows Vista–based computer.
Table 1.4. Common Commands When Deploying Windows Server 2008 Security Guide GPOs

Command: GPOAccelerator.wsf /Enterprise /WSSG
Results: Creates the EC GPOs described in the Windows Server 2008 Security Guide. You must then link the GPOs to the appropriate OUs to make this Group Policy configuration effective.

Command: GPOAccelerator.wsf /SSLF /WSSG
Results: Creates the SSLF GPOs described in the Windows Server 2008 Security Guide. You must then link the GPOs to the appropriate OUs to make this Group Policy configuration effective.

Command: GPOAccelerator.wsf /Enterprise /LAB /WSSG
Results: Creates and links the EC GPOs according to the sample OU structure prescribed in the Windows Server 2008 Security Guide.

Command: GPOAccelerator.wsf /SSLF /LAB /WSSG
Results: Creates and links the SSLF GPOs according to the sample OU structure prescribed in the Windows Server 2008 Security Guide.
Table 1.5. Common Commands When Deploying 2007 Microsoft Office Security Guide GPOs

Command: GPOAccelerator /Enterprise /Office
Results: Creates the 2007 Office Security Guide GPOs (/Office) for an EC (/Enterprise) environment. You must then link the GPOs to the OUs to make this Group Policy configuration effective.

Command: GPOAccelerator /SSLF /Office
Results: Creates the 2007 Office Security Guide GPOs (/Office) for an SSLF (/SSLF) configuration in a production environment. You must then link the GPOs to the OUs to make this Group Policy configuration effective.
The following figure displays the Tool Options page in the wizard that you can use to
define how you want to establish and deploy your security baseline. On the Welcome
page, click Next to access this page.
The Tool Options page provides you with the following choices:
Domain. Use this option to implement a security baseline and create Group Policy
objects (GPOs) for a domain-based environment. This option provides you with other
options on subsequent pages in the wizard to run a combination of options, such as
/Enterprise, /SSLF, and /Lab to establish and test your security baseline.
Note You must be a domain administrator to use this option.
Local. Use this option to implement a security baseline and modify the default
security settings on a client computer. This option provides you with other options on
subsequent pages in the wizard to run the /Desktop, /Laptop, and /Restore
command-line options that are defined in the security guides for Windows XP and
Windows Vista.
Note You must be an administrator to use this option.
Update SCE. Use this option to update the Security Configuration Editor (SCE) to
display MSS security settings. You can use this option to execute the /ConfigSCE
and /ResetSCE command-line options discussed in the security guides.
Note You must be an administrator to use this option.
Chapter 2: Using the GPOAccelerator
with Windows Server 2008
After reading the Windows Server 2008 Security Guide, you can use the tasks and
procedures in this chapter with the GPOAccelerator to create GPOs and OUs to create,
test, and deploy the Enterprise Client (EC) environment that the guide prescribes in your
production environment.
Important The tasks and procedures in this chapter are specific to creating and testing the
GPO settings and the sample OU structure for the Enterprise Client (EC) environment that the
guide prescribes. You can use a different set of options with the same tasks and procedures in
this chapter to create the Specialized Security – Limited Functionality (SSLF) environment. For
more information about SSLF options, see Chapter 1, "GPOAccelerator Command-Line Options
and User Interface."
The GPOAccelerator automatically creates all the GPOs and OUs that you need to apply
the Windows Server® 2008 security guidance. You do not need to spend time editing
policy settings and applying templates manually.
Implementation Tasks
To implement the security design, there are a few key tasks to complete:
1. Create the EC environment.
2. Use the GPMC to link the WSSG EC Domain Policy to the domain.
3. Use the GPMC to link the WSSG EC Domain Controllers Baseline Policy to the
Domain Controllers OU.
4. Use the GPMC to check your results.
Similarly, you also use these steps to configure security for each server role in your
environment.
The GPOAccelerator
The main feature of this tool is that it automatically creates all the GPOs you need to apply
this guidance. You do not need to spend a lot of time manually editing policy settings and
applying templates. For servers in the EC environment, the script creates the following
GPOs:
WSSG EC Domain Policy for the domain.
WSSG EC Domain Controller Baseline Policy for domain controllers.
WSSG EC Member Server Baseline Policy for all servers.
WSSG EC <Server Role> Policy for individual server roles.
Use the GPOAccelerator to:
Test the design in a lab environment. In your test environment, use the
GPOAccelerator to create an OU structure, create the GPOs, and then automatically
link the GPOs to the OUs. After you complete the test phase of the implementation,
you can use the script in your production environment.
Deploy the design in a production environment. When you start working in your
production environment to implement the solution, you must first create a suitable OU
structure or modify an existing set of OUs. You can then use the GPOAccelerator to
create the GPOs, and then link the newly created GPOs to the appropriate OUs in
your environment.
To create the GPOs and link them to the appropriate OUs in a lab environment
1. Log on as a domain administrator to a computer running Windows Server 2008 that
is joined to the domain using Active Directory in which you will create the GPOs.
2. On the computer, click Start, click All Programs, and then click GPOAccelerator.
3. Right-click the command-line here.cmd file, and then click Run as administrator to
open a command prompt with full domain administrative privileges.
Note If prompted for logon credentials, type your user name and password, and then press ENTER.
4. At the command prompt, type cscript GPOAccelerator.wsf /WSSG /Enterprise /LAB and
then press ENTER.
5. In the Click Yes to continue, or No to exit the script message box, click Yes.
Note This step can take several minutes.
Task 2: Use the GPMC to Link the WSSG EC Domain Policy to the Domain
You are now ready to link the domain GPO to the domain. The following instructions
describe how to use the GPMC on a computer running Windows Server 2008 to link the
WSSG EC Domain Policy to the domain.
To link the WSSG EC Domain Policy
1. Click Start, click All Programs, click Accessories, and then click Run. (Or press the
Windows logo key+R.)
2. In the Open text box, type gpmc.msc and then click OK.
3. Under the Domains tree, right-click the domain, and then click Link an existing GPO.
4. In the Select GPO dialog box, click the WSSG EC Domain Policy GPO, and then click
OK.
5. In the details pane, select the WSSG EC Domain Policy, and then click the Move link
to top button.
Important Ensure that the WSSG EC Domain Policy has its Link Order set to 1. Failure
to do this will cause other GPOs linked to the domain, such as the Default Domain Policy
GPO, to overwrite the WSSG EC Domain Policy settings.
Task 3: Use the GPMC to Link the WSSG EC Domain Controller Baseline Policy to
the Domain Controllers OU
You are now ready to link the domain controllers GPO to the domain controllers OU. The
following instructions describe how to use the GPMC to link the WSSG EC Domain
Controllers Baseline Policy to the domain controllers OU.
To link the WSSG EC Domain Controller Baseline Policy
1. Click Start, click All Programs, click Accessories, and then click Run. (Or press the
Windows logo key+R.)
2. In the Open text box, type gpmc.msc and then click OK.
3. Under the Domains tree, right-click the Domain Controllers OU, and then click Link an
existing GPO.
4. In the Select GPO dialog box, click the WSSG EC Domain Controller Baseline Policy
GPO, and then click Yes.
5. In the details pane, select the WSSG EC Domain Controller Baseline Policy, and then
click the Move link to top button.
Important Ensure that the WSSG EC Domain Controller Baseline Policy has its Link
Order set to 1. Failure to do this will cause other GPOs linked to the domain controllers OU,
such as the Default Domain Controller Policy GPO, to overwrite the WSSG EC Domain
Controllers Policy settings.
Figure 2.1. The GPMC view of the OU structure and GPO links that the
GPOAccelerator creates
All of the GPOs that the GPOAccelerator creates are fully populated with the settings that
this guide prescribes. You can now use the Active Directory Users and Computers tool to
test the design by moving servers into their respective OUs, and making sure each server
functions as expected. Many of the settings contained in the GPOs will take effect
immediately, but many will not take effect until the server is restarted.
For details about the settings contained in each GPO, see "Appendix A: Security Group
Policy Settings," which accompanies the Windows Server 2008 Security Guide.
Deployment Tasks
To deploy the design in a production environment, complete the following key tasks:
1. Create the GPOs.
2. Use the GPMC to check your results.
3. Use the GPMC to link the GPOs to the OUs.
5. At the command prompt, type cscript GPOAccelerator.wsf /WSSG /Enterprise and then
press ENTER.
6. In the Click Yes to continue, or No to exit the script message box, click Yes.
Note This step can take several minutes.
Figure 2.2. The GPMC view of the EC GPOs that the GPOAccelerator creates
You can now use GPMC to link each GPO to the appropriate OU. The final task in this
process explains how to do this.
4. In the Select GPO dialog box, click the WSSG EC Domain Policy GPO, and then click
OK.
5. In the details pane, select the WSSG EC Domain Policy, and then click the Move link
to top button.
Important Ensure that the WSSG EC Domain Policy has its Link Order set to 1. Failure
to do this will cause other GPOs linked to the domain, such as the Default Domain Policy
GPO, to overwrite the WSSG EC Domain Policy settings.
6. Under the Domains tree, right-click the Domain Controllers OU, and then choose the
Link an existing GPO option.
7. In the Select GPO dialog box, click the WSSG EC Domain Controllers Baseline Policy
GPO, and then click OK.
8. In the details pane, select the WSSG EC Domain Controllers Baseline Policy GPO, and
then click the Move link to top button.
Important Ensure that the WSSG EC Domain Controllers Policy has its Link Order set
to 1. Failure to do this will cause other GPOs linked to the OU, such as the Default Domain
Controllers Policy GPO, to overwrite the WSSG EC Domain Controllers Policy settings.
9. Right-click the appropriate member server OU node, and then choose the Link an
existing GPO option.
10. In the Select GPO dialog box, click the WSSG EC Member Server Baseline Policy, and
then click OK.
11. Right-click the first server role OU node, and then choose the Link an existing GPO
option.
12. In the Select GPO dialog box, click the appropriate WSSG <Server Role> Policy GPO,
and then click OK.
13. Repeat the last two steps in this procedure as needed to link each GPO to the
appropriate Server role OU.
Note The GPOAccelerator script will create GPOs for the server roles discussed in the guide.
However, Microsoft recommends creating these GPOs using the Security Configuration
Wizard (SCW) as described in Chapter 2, "Reducing the Attack Surface by Server Role" of the
Windows Server 2008 Security Guide. This will result in GPOs that take into consideration
services and applications specific to your environment.
All of the GPOs that the GPOAccelerator creates are fully populated with the settings that
this guide prescribes. You can now use the Active Directory Users and Computers tool to
test the design by moving servers into their respective OUs, and making sure each server
functions as expected. Many of the settings contained in the GPOs will take effect
immediately, but many will not take effect until the server is restarted.
For details about the settings contained in each GPO, see "Appendix A: Security Group
Policy Settings," which accompanies the Windows Server 2008 Security Guide.
4. Right-click the Command-line Here.cmd file, and then click Run as administrator to
open a command prompt with full administrative privileges.
Note If prompted for logon credentials, type your user name and password, and then press
ENTER.
5. At the command prompt, type cscript GPOAccelerator.wsf /ConfigSCE and then press
ENTER.
6. In the Click Yes to continue, or No to exit the script message box, click Yes.
7. In The Security Configuration Editor is updated message box, click OK.
Note This script only modifies SCE to display MSS settings. This script does not create
GPOs or OUs.
The following procedure removes the additional MSS security settings, and then resets
the SCE tool to the default settings in Windows Server 2008.
To reset the SCE tool to the default settings in Windows Server 2008
1. Log on to the computer as an administrator.
2. On the computer, click Start, click All Programs, and then click GPOAccelerator.
3. Right-click the Command-line Here.cmd file, and then click Run as administrator to
open a command prompt with full administrative privileges.
Note If prompted for logon credentials, type your user name and password, and then press
ENTER.
4. At the command prompt, type cscript GPOAccelerator.wsf /ResetSCE and then press
ENTER.
5. In the Click Yes to continue, or No to exit the script message box, click Yes.
Note Completing this procedure reverts the SCE on your computer to the default settings in
Windows Server 2008. Any settings added to the default SCE will be removed. This will only
affect the ability to view the settings with the SCE. Configured Group Policy settings remain
in place.
Security Templates
Security Templates are provided so that if you want to build your own policies, rather than
use or modify the policies supplied with this guide, you can import the relevant security
settings. Security Templates are text files that contain security setting values. They are
subcomponents of the GPOs. You can modify the policy settings that are contained in the
Security Templates in the MMC Group Policy Object Editor snap-in. Unlike some
previous versions of the Windows operating system, Windows Server 2008 does not
come with predefined Security Templates.
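Because Security Templates are plain text, a computer can be checked against one without opening the Group Policy Object Editor. The following is an added example, not part of the GPOAccelerator package: it parses a template into its sections and settings, exports the computer's current security policy with secedit.exe /export, and lists every template setting the computer does not match. The sample template content and file paths are constructed for the example; it assumes PowerShell 3.0 or later and an elevated prompt for the export.

```powershell
# Added example, not part of the GPOAccelerator package. Parses a Security
# Template (.inf, INI-style text) into section -> setting -> value, exports the
# computer's current security policy with secedit.exe, and lists the settings
# where the computer differs from the template. Sample content and paths below
# are constructed for the example; run from an elevated prompt.

function Read-SecurityTemplate {
    param([Parameter(Mandatory)][string]$Path)
    $template = @{}
    $section  = $null
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }    # blank or comment
        if ($line -match '^\[(.+)\]$') {                             # [Section]
            $section = $Matches[1]
            if (-not $template.ContainsKey($section)) { $template[$section] = @{} }
            continue
        }
        if ($section -and $line -match '^(.+?)\s*=\s*(.*)$') {       # Setting = Value
            $template[$section][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $template
}

function Compare-SecurityTemplate {
    param(
        [Parameter(Mandatory)][string]$TemplatePath,
        # Template areas worth comparing; [Unicode] and [Version] are bookkeeping.
        [string[]]$Sections = @('System Access', 'Event Audit', 'Privilege Rights', 'Registry Values')
    )
    # secedit writes the policy currently in effect on this computer as a template.
    $exported = Join-Path $env:TEMP 'current-policy.inf'
    & secedit.exe /export /cfg $exported | Out-Null
    $wanted  = Read-SecurityTemplate -Path $TemplatePath
    $current = Read-SecurityTemplate -Path $exported
    Remove-Item -Path $exported -ErrorAction SilentlyContinue

    foreach ($sec in $Sections) {
        if (-not $wanted.ContainsKey($sec)) { continue }
        foreach ($name in $wanted[$sec].Keys) {
            $have = $null
            if ($current.ContainsKey($sec)) { $have = $current[$sec][$name] }
            if ($have -eq $wanted[$sec][$name]) { continue }
            $shown = '<not set>'
            if ($null -ne $have) { $shown = $have }
            [pscustomobject]@{
                Section  = $sec
                Setting  = $name
                Template = $wanted[$sec][$name]
                Current  = $shown
            }
        }
    }
}

# Constructed sample template; the values are illustrative, not the guide's.
$sample = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 14
PasswordComplexity = 1
LockoutBadCount = 10
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
[Version]
signature="$CHICAGO$"
Revision=1
'@
$samplePath = Join-Path $env:TEMP 'sample-template.inf'
Set-Content -Path $samplePath -Value $sample

# Each row is a template setting the computer does not currently match.
Compare-SecurityTemplate -TemplatePath $samplePath | Format-Table -AutoSize
```

Point -TemplatePath at one of the .inf files shipped in the GPOAccelerator\Security Templates folder to see how far a computer drifts from the guide's baseline.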
Security Templates are included with the GPOAccelerator. The following templates for
the EC environment are located in the GPOAccelerator\Security Templates\WSSG
folder:
WSSG EC Domain.inf
WSSG EC Domain Controller.inf
More Information
The following resources provide additional information about Windows Server 2008
security-related topics on Microsoft.com:
Administering Group Policy.
Enterprise Management with the Group Policy.
Loopback Processing of Group Policy.
Migrating GPOs.
Step-by-Step Guide to Understanding the Group Policy.
Step-by-Step Guide to Using the Delegation of Control Wizard.
Summary of New or Expanded Group Policy.
Windows Server 2008 Security Guide.
Windows Server 2008 TechCenter.
Chapter 3: Using the GPOAccelerator
with Windows Vista
After you read the Windows Vista Security Guide, you can use the tasks and procedures in this chapter
with the GPOAccelerator to create GPOs and OUs to create, test, and deploy the
Enterprise Client (EC) environment that the guide prescribes in your production
environment.
Important The tasks and procedures in this chapter are specific to creating and testing the
GPO settings and the sample OU structure for the Enterprise Client (EC) environment that the
guide prescribes. You can use a different set of options with the same tasks and procedures in
this chapter to create the Specialized Security – Limited Functionality (SSLF) environment. For
more information about SSLF options, see Chapter 1, "GPOAccelerator Command-Line Options
and User Interface."
The GPOAccelerator automatically creates all the GPOs and OUs that you need to apply
the Windows Vista® security guidance. You do not need to spend time editing policy
settings and applying templates manually.
Implementation Tasks
To implement the security design, there are a few key tasks to complete:
1. Create the EC environment.
2. Use the GPMC to link the VSG EC Domain Policy to the domain.
3. Use the GPMC to check your results.
This section of the chapter describes these tasks and procedures and the functionality of
the GPOAccelerator, which automatically creates the prescribed GPOs.
The GPOAccelerator
The main feature of this script is that it automatically creates all the GPOs you need to apply
this guidance. You do not need to spend a lot of time manually editing policy settings and
applying templates. For computers in the EC environment, the script creates the following
four GPOs:
VSG EC Domain Policy for the domain.
VSG EC Users Policy for users.
VSG EC Desktop Policy for desktop computers.
VSG EC Laptop Policy for laptop computers.
Use the GPOAccelerator to complete the following tasks:
Test the design in a lab environment. In your test environment, use the
GPOAccelerator to create an OU structure, create the GPOs, and then automatically
link the GPOs to the OUs. After you complete the test phase of the implementation,
you can use the script in your production environment.
Deploy the design in a production environment. When you start working in your
production environment to implement the solution, you must first create a suitable OU
structure or modify an existing set of OUs. You can then use the GPOAccelerator to
create the GPOs, and then link the newly created GPOs to the appropriate OUs in
your environment.
To create the GPOs and link them to the appropriate OUs in a lab environment
1. Log on as a domain administrator to a computer running Windows Vista that is joined
to the domain using Active Directory in which you will create the GPOs.
2. On the computer, click Start, click All Programs, and then click GPOAccelerator.
3. Open the GPOAccelerator Tool folder.
4. Right-click the command-line here.cmd file, and then click Run as administrator to
open a command prompt with full domain administrative privileges.
Note If prompted for logon credentials, type your user name and password, and then press ENTER.
5. At the command prompt, type cscript GPOAccelerator.wsf /Vista /Enterprise /LAB and
then press ENTER.
6. In the Click Yes to continue, or No to exit the script message box, click Yes.
Note This step can take several minutes.
Task 2: Use the GPMC to Link the VSG EC Domain Policy to the Domain
You are now ready to link the domain GPO to the domain. The following instructions
describe how to use the GPMC on a computer running Windows Vista to link the VSG EC
Domain Policy to the domain.
To link the VSG EC Domain Policy
1. Click Start, click All Programs, click Accessories, and then click Run. (Or press the
Windows logo key+R.)
2. In the Open text box, type gpmc.msc and then click OK.
3. Under the Domains tree, right-click the domain, and then click Link an existing GPO.
4. In the Select GPO dialog box, click the VSG EC Domain Policy GPO, and then click OK.
5. In the details pane, select the VSG EC Domain Policy, and then click the Move link to
top button.
Important Ensure that the VSG EC Domain Policy has its Link Order set to 1. Failure to
do this will cause other GPOs linked to the domain, such as the Default Domain Policy GPO,
to overwrite the VSG EC Domain Policy settings.
Figure 3.1. The GPMC view of the OU structure and GPO links that the
GPOAccelerator creates
All of the GPOs that the GPOAccelerator creates are fully populated with the settings that
this guide prescribes. You can now use the Active Directory Users and Computers tool to
test the design by moving users and computers into their respective OUs. For details
about the settings contained in each GPO, see "Appendix A: Security Group Policy
Settings," which accompanies the Windows Vista Security Guide.
Deployment Tasks
To deploy the design in a production environment, complete the following key tasks:
1. Create the GPOs.
2. Use the GPMC to check your results.
3. Use the GPMC to link the GPOs to the OUs.
5. At the command prompt, type cscript GPOAccelerator.wsf /Vista /Enterprise and then
press ENTER.
6. In the Click Yes to continue, or No to exit the script message box, click Yes.
Note This step can take several minutes.
Figure 3.2. The GPMC view of the EC GPOs that the GPOAccelerator creates
You can now use the GPMC to link each GPO to the appropriate OU. The final task in
this process explains how to do this.
4. In the Select GPO dialog box, click the VSG EC Domain Policy GPO, and then click OK.
5. In the details pane, select the VSG EC Domain Policy, and then click the Move link to
top button.
Important Ensure that the VSG EC Domain Policy has its Link Order set to 1. Failure to
do this will cause other GPOs linked to the domain, such as the Default Domain Policy GPO,
to overwrite the VSG EC Domain Policy settings.
6. Right-click the Windows Vista Users OU node, and then choose the Link an existing
GPO option.
7. In the Select GPO dialog box, click the VSG EC Users Policy GPO, and then click OK.
8. Right-click the Desktop OU node, and then choose the Link an existing GPO option.
9. In the Select GPO dialog box, click the VSG EC Desktop Policy GPO, and then click
OK.
10. Right-click the Laptop OU node, and then choose the Link an existing GPO option.
11. In the Select GPO dialog box, click the VSG EC Laptop Policy GPO, and then click OK.
12. Repeat these steps for any additional user or computer OUs that you created to link
them to the appropriate GPOs.
To confirm the GPO linkages using the GPMC
Expand the Group Policy Objects node, select the GPO, then in the details pane, click
the Scope tab and note the information in the Link Enabled and Path columns.
– Or –
Select the OU, and then in the details pane, click the Linked Group Policy Objects tab
and note the information in the Link Enabled and GPO columns.
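The following PowerShell script is an added example; it is not part of the GPOAccelerator package or of the Windows Vista Security Guide. It performs the two GPMC tasks described above (link the VSG EC GPOs to the domain and OUs, then confirm that each link exists, is enabled, and that the domain policy sits at Link Order 1) using the GroupPolicy and ActiveDirectory modules, which ship with the Remote Server Administration Tools on later Windows releases rather than with the 2007 tool. The OU distinguished names are assumptions; substitute the OUs that the GPOAccelerator created in your domain as shown in the GPMC. For the Windows XP chapter, set $Prefix to 'XP EC'.

```powershell
# Added example, not part of the GPOAccelerator package. Requires the GroupPolicy
# and ActiveDirectory modules (RSAT) and a domain administrator account.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Prefix   = 'VSG EC'                              # 'XP EC' for the Windows XP GPOs
$DomainDN = (Get-ADDomain).DistinguishedName     # e.g. DC=contoso,DC=com

# GPO -> link target. Order 1 is required only for the domain policy (see the
# Important note above); 0 means "append, keep whatever order GPMC assigns".
# The OU distinguished names are assumptions: adjust them to your OU structure.
$Links = @(
    @{ Gpo = "$Prefix Domain Policy";  Target = $DomainDN;                          Order = 1 }
    @{ Gpo = "$Prefix Users Policy";   Target = "OU=Windows Vista Users,$DomainDN"; Order = 0 }
    @{ Gpo = "$Prefix Desktop Policy"; Target = "OU=Desktop,$DomainDN";             Order = 0 }
    @{ Gpo = "$Prefix Laptop Policy";  Target = "OU=Laptop,$DomainDN";              Order = 0 }
)

function Set-GuideGpoLink {
    # Link $Gpo to $Target: create the link if it is missing, otherwise make sure
    # it is enabled and (when requested) moved to the given link order.
    param([string]$Gpo, [string]$Target, [int]$Order = 0)
    $params = @{ Name = $Gpo; Target = $Target; LinkEnabled = 'Yes' }
    if ($Order -gt 0) { $params.Order = $Order }
    $existing = (Get-GPInheritance -Target $Target).GpoLinks |
                Where-Object { $_.DisplayName -eq $Gpo }
    if ($existing) { Set-GPLink @params | Out-Null } else { New-GPLink @params | Out-Null }
}

function Test-GuideGpoLinks {
    # The same check as the GPMC "Scope" / "Linked Group Policy Objects" tabs:
    # each GPO is linked, the link is enabled, and the domain policy is at order 1.
    param([object[]]$Links)
    $problems = @()
    foreach ($l in $Links) {
        $link = (Get-GPInheritance -Target $l.Target).GpoLinks |
                Where-Object { $_.DisplayName -eq $l.Gpo }
        if (-not $link) { $problems += "$($l.Gpo): not linked to $($l.Target)"; continue }
        if (-not $link.Enabled) { $problems += "$($l.Gpo): link to $($l.Target) is disabled" }
        if ($l.Order -eq 1 -and $link.Order -ne 1) {
            $problems += "$($l.Gpo): link order is $($link.Order) but must be 1, " +
                         "otherwise the Default Domain Policy overrides its settings"
        }
    }
    return $problems
}

foreach ($l in $Links) { Set-GuideGpoLink -Gpo $l.Gpo -Target $l.Target -Order $l.Order }
$issues = Test-GuideGpoLinks -Links $Links
if ($issues) { $issues | Write-Warning } else { Write-Host "All '$Prefix' GPO links verified." }
```

Link Order 1 means the GPO is processed last on that container, so its settings win any conflict; that is why the Important note insists on it. A GPO linked at the domain level is also inherited by the Domain Controllers OU, so in production review (Get-GPInheritance -Target "OU=Domain Controllers,$DomainDN").InheritedGpoLinks before you link the domain policy.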
Note You can use the GPMC to unlink the GPOs and, optionally, delete them. Then use the
GPMC, or the Active Directory Users and Computers console, to delete any OUs that you no
longer need. To completely undo all Active Directory modifications made by the
GPOAccelerator, you must also manually delete the EC-VSGAuditPolicy.cmd,
EC-ApplyAuditPolicy.cmd, and EC-AuditPolicy.txt files from the NETLOGON share of one of
your domain controllers. For additional details on how to completely remove the
implementation of the Audit policy, refer to the "Audit Policy" section in Appendix A,
"Security Group Policy Settings."
All of the GPOs that the GPOAccelerator creates are fully populated with the settings that
this guide prescribes. You can now use the Active Directory Users and Computers tool to
test the design by moving users and computers into their respective OUs. For details
about the settings contained in each GPO, see "Appendix A: Security Group Policy
Settings," which accompanies the Windows Vista Security Guide.
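The following PowerShell script is an added example, not part of the GPOAccelerator package; it automates the clean-up that the Note above describes (unlink the EC GPOs wherever they are linked, optionally delete them, and remove the audit-policy helper files from NETLOGON). It needs the GroupPolicy and ActiveDirectory modules and a domain administrator account. The GPO and file names are taken from the page; the domain controller discovery and everything else are assumptions. Run it with -WhatIf first, as shown at the end.

```powershell
# Added example, not part of the GPOAccelerator package. Requires the GroupPolicy
# and ActiveDirectory modules (RSAT) and a domain administrator account.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Remove-GuideDeployment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Prefix = 'VSG EC',       # 'XP EC' for the Windows XP GPOs
        [switch]$DeleteGpos,              # unlink only, unless this switch is given
        [string]$DomainController = ''    # any DC; NETLOGON replicates to all of them
    )
    if (-not $DomainController) {
        $DomainController = "$((Get-ADDomainController -Discover).HostName)"
    }
    $domainDN = (Get-ADDomain).DistinguishedName

    foreach ($suffix in 'Domain Policy', 'Users Policy', 'Desktop Policy', 'Laptop Policy') {
        $name = "$Prefix $suffix"
        $gpo  = Get-GPO -Name $name -ErrorAction SilentlyContinue
        if (-not $gpo) { Write-Warning "GPO '$name' not found; skipping"; continue }

        # The gPLink attribute of a domain or OU holds one "[LDAP://cn={GUID},...;flags]"
        # entry per linked GPO, so a substring search on the GPO's GUID finds every
        # container in the domain partition that still links it (site links are not covered).
        $guid    = $gpo.Id.ToString().ToUpper()
        $targets = Get-ADObject -LDAPFilter "(gPLink=*$guid*)" -SearchBase $domainDN |
                   Select-Object -ExpandProperty DistinguishedName
        foreach ($t in $targets) {
            if ($PSCmdlet.ShouldProcess($t, "unlink '$name'")) {
                Remove-GPLink -Name $name -Target $t | Out-Null
            }
        }
        if ($DeleteGpos -and $PSCmdlet.ShouldProcess($name, 'delete GPO')) {
            Remove-GPO -Name $name
        }
    }

    # The audit-policy helpers live in NETLOGON (SYSVOL\scripts), which replicates to
    # every domain controller, so deleting them on one DC is enough, as the Note says.
    foreach ($f in 'EC-VSGAuditPolicy.cmd', 'EC-ApplyAuditPolicy.cmd', 'EC-AuditPolicy.txt') {
        $path = "\\$DomainController\NETLOGON\$f"
        if ((Test-Path -LiteralPath $path) -and $PSCmdlet.ShouldProcess($path, 'delete file')) {
            Remove-Item -LiteralPath $path
        }
    }
}

# Preview only; drop -WhatIf to perform the clean-up, add -DeleteGpos to delete the GPOs.
Remove-GuideDeployment -Prefix 'VSG EC' -WhatIf
```

Unlinking is reversible (the GPO and its settings stay in the Group Policy Objects container); deleting is not, so keep a GPMC backup of the GPOs before you use -DeleteGpos. OUs are left in place deliberately, because they may contain accounts and computers that you still need.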
5. At the command prompt, type cscript GPOAccelerator.wsf /ConfigSCE and then press
ENTER.
6. In the Click Yes to continue, or No to exit the script message box, click Yes.
7. In The Security Configuration Editor is updated message box, click OK.
Note This script only modifies SCE to display MSS settings; it does not create GPOs or OUs.
The following procedure removes the additional MSS security settings, and then resets
the SCE to the default settings in Windows Vista.
To reset the SCE to the default settings in Windows Vista
1. Log on to the computer running Windows Vista as an administrator.
2. On the computer, click Start, click All Programs, and then click GPOAccelerator.
3. Right-click the Command-line Here.cmd file, and then click Run as administrator to
open a command prompt with full administrative privileges.
Note If prompted for logon credentials, type your user name and password, and then press
ENTER.
4. At the command prompt, type cscript GPOAccelerator.wsf /ResetSCE and then press
ENTER.
5. In the Click Yes to continue, or No to exit the script message box, click Yes.
Note Completing this procedure reverts the SCE on your computer to the default settings in
Windows Vista. Any settings added to the default SCE are removed. This will only affect the
ability to view the settings with the SCE. Configured Group Policy settings remain in place.
Security Templates
Security Templates are provided so that if you want to build your own policies, rather than
use or modify the policies prescribed in Windows Vista Security Guide, you can import
the relevant security settings. Security Templates are text files that contain security
setting values. They are subcomponents of the GPOs. You can modify the policy settings
that are contained in the Security Templates in the MMC Group Policy Object Editor
snap-in. Unlike some previous versions of the Windows operating system, Windows Vista
does not come with predefined Security Templates.
Security Templates are included with the GPOAccelerator. The following templates for
the EC environment are located in the GPOAccelerator\Security Templates\VSG
folder:
VSG EC Desktop.inf
VSG EC Domain.inf
VSG EC Laptop.inf
Important You do not need to use the Security Templates to deploy the solution described in
this guide. The templates provide an alternative to the GPMC-based solution, and only cover
computer security settings that appear under Computer Configuration\Windows
Settings\Security Settings. For example, you cannot manage Internet Explorer or Windows
Firewall settings in the GPOs using a Security Template, and user settings are not included.
templates, you can use the following procedure to import them as needed into the GPOs
that you have created.
To import a Security Template into a GPO
1. Open the Group Policy Object Editor for the GPO you want to modify; to do this in the
GPMC, right-click the GPO, and then click Edit.
2. In the Group Policy Object Editor, browse to the Windows Settings folder.
3. Expand the Windows Settings folder, and then select Security Settings.
4. Right-click the Security Settings folder, and then click Import Policy.
5. Browse to the VSG folder in the \Program Files\GPOAccelerator\Security Template
folder.
6. Select the Security Template that you want to import, and then click Open.
You can also use the Security Templates supplied with this guide to modify the local
security policy on stand-alone client computers running Windows Vista. The
GPOAccelerator simplifies the process to apply the templates.
To apply the Security Templates to modify the local Group Policy on a stand-alone
client computer running Windows Vista
1. Log on as an administrator to a computer running Windows Vista.
2. On the computer, click Start, click All Programs, and click GPOAccelerator.
3. Right-click the Command-line Here.cmd file, and then click Run as administrator to
open a command prompt with full administrative privileges.
Note If prompted for logon credentials, type your user name and password, and then press
ENTER.
4. At the command prompt, type cscript GPOAccelerator.wsf /Restore, and then press
ENTER.
Completing this procedure restores the local security policy settings to their default
values in Windows Vista.
More Information
The following resources provide additional information about Windows Vista security-
related topics on Microsoft.com:
Administering Group Policy.
Enterprise Management with the Group Policy.
Loopback Processing of Group Policy.
Migrating GPOs.
Step-by-Step Guide to Understanding the Group Policy.
Step-by-Step Guide to Using the Delegation of Control Wizard.
Summary of New or Expanded Group Policy.
Windows Vista.
Chapter 4: Using the GPOAccelerator
with Windows XP
After you read the Windows XP Security Guide, you can use the tasks and procedures in
this chapter with the GPOAccelerator to create the GPOs and OUs that you need to create,
test, and deploy the Enterprise Client (EC) environment that the guide prescribes in your
production environment.
Important The tasks and procedures in this chapter are specific to creating and testing the
GPO settings and the sample OU structure for the Enterprise Client (EC) environment that the
guide prescribes. You can use a different set of options with the same tasks and procedures in
this chapter to create the Specialized Security – Limited Functionality (SSLF) environment. For
more information about SSLF options, see Chapter 1, "GPOAccelerator Command-Line Options
and User Interface."
The GPOAccelerator automatically creates all the GPOs and OUs that you need to apply
the security guidance for Windows® XP. You do not need to spend time editing policy
settings and applying templates manually.
Implementation Tasks
To implement the security design, there are a few key tasks to complete:
1. Create the EC environment.
2. Use the GPMC to link the XP EC Domain Policy to the domain.
3. Use the GPMC to check your results.
Similarly, you also use these steps to configure security for each server role in your
environment.
The GPOAccelerator
The main feature of this script automatically creates all the GPOs you need to apply this
guidance. You do not need to spend a lot of time manually editing policy settings and
applying templates. For computers in the EC environment, the script creates the following
four GPOs:
XP EC Domain Policy for the domain.
XP EC Desktop Policy for desktop computers.
XP EC Laptop Policy for laptop computers.
XP EC Users Policy for users.
Use the GPOAccelerator to complete the following tasks:
Test the design in a lab environment. In your test environment, use the
GPOAccelerator to create an OU structure, create the GPOs, and then automatically
link the GPOs to the OUs. After you complete the test phase of the implementation,
you can use the script in your production environment.
Deploy the design in a production environment. When you start working in your
production environment to implement the solution, you must first create a suitable OU
structure or modify an existing set of OUs. You can then use the GPOAccelerator to
create the GPOs, and then link the newly created GPOs to the appropriate OUs in
your environment.
To create the GPOs and link them to the appropriate OUs in a lab environment
1. Log on as a domain administrator to a computer running Windows XP that is joined to
the domain using Active Directory in which you will create the GPOs.
2. On the computer, click Start, click All Programs, and then click GPOAccelerator.
3. Click the command-line here.cmd file.
4. At the command prompt, type cscript GPOAccelerator.wsf /XP /Enterprise /LAB and
then press ENTER.
5. In the Click Yes to continue, or No to exit the script message box, click Yes.
Note This step can take several minutes.
Task 2: Use the GPMC to Link the XP EC Domain Policy to the Domain
You are now ready to link the domain GPO to the domain. The following instructions
describe how to use the GPMC on a computer running Windows XP to link the XP EC
Domain Policy to the domain.
To link the XP EC Domain Policy
1. Click Start, click All Programs, click Accessories, and then click Run. (Or press the
Windows logo key+R.)
2. In the Open text box, type gpmc.msc and then click OK.
3. Under the Domains tree, right-click the domain, and then click Link an existing GPO.
4. In the Select GPO dialog box, click the XP EC Domain Policy GPO, and then click OK.
5. In the details pane, select the XP EC Domain Policy, and then click the Move link to
top button.
Important Ensure that the XP EC Domain Policy has its Link Order set to 1. Failure to
do this will cause other GPOs linked to the domain, such as the Default Domain Policy GPO,
to overwrite the XP EC Domain Policy settings.
Figure 4.1. The GPMC view of the OU structure and GPO links that the
GPOAccelerator creates
All of the GPOs that the GPOAccelerator creates are fully populated with the settings that
this guidance prescribes. You can now use the Active Directory Users and Computers
tool to test the design by moving users and computers into their respective OUs. For
details about the settings contained in each GPO, see the Windows XP Security Guide.
Deployment Tasks
To deploy the design in a production environment, complete the following key tasks:
1. Create the GPOs.
2. Use the GPMC to check your results.
3. Use the GPMC to link the GPOs to the OUs.
Figure 4.2. The GPMC view of the EC GPOs that the GPOAccelerator creates
You can now use the GPMC to link each GPO to the appropriate OU. The final task in
this process explains how to do this.
4. In the Select GPO dialog box, click the XP EC Domain Policy GPO, and then click OK.
5. In the details pane, select the XP EC Domain Policy, and then click the Move link to
top button.
Important Ensure that the XP EC Domain Policy has its Link Order set to 1. Failure to
do this will cause other GPOs linked to the domain, such as the Default Domain Policy GPO,
to overwrite the XP EC Domain Policy settings.
6. Right-click the Windows XP Users OU node, and then choose the Link an existing GPO
option.
7. In the Select GPO dialog box, click the XP EC Users Policy GPO, and then click OK.
8. Right-click the Desktop OU node, and then choose the Link an existing GPO option.
9. In the Select GPO dialog box, click the XP EC Desktop Policy GPO, and then click OK.
10. Right-click the Laptop OU node, and then choose the Link an existing GPO option.
11. In the Select GPO dialog box, click the XP EC Laptop Policy GPO, and then click OK.
12. Repeat these steps for any additional user or computer OUs that you created to link
them to the appropriate GPOs.
To confirm the GPO linkages using the GPMC
Expand the Group Policy Objects node, select the GPO, then in the details pane, click
the Scope tab and note the information in the Link Enabled and Path columns.
– Or –
Select the OU, and then in the details pane, click the Linked Group Policy Objects tab
and note the information in the Link Enabled and GPO columns.
Note You can use the GPMC to unlink the GPOs and, optionally, delete them. Use the
GPMC, or the Active Directory Users and Computers console, to delete any OUs that you no
longer need.
All of the GPOs that the GPOAccelerator creates are fully populated with the settings that
the Windows XP Security Guide prescribes. You can now use the Active Directory
Users and Computers tool to test the design by moving users and computers into their
respective OUs. For details about the settings contained in each GPO, see the Windows
XP Security Guide.
The following procedure removes the additional MSS security settings, and then resets
the SCE to the default settings in Windows XP.
To reset the SCE to the default settings in Windows XP
1. Log on to the computer running Windows XP as an administrator.
2. On the desktop, click Start, click All Programs, and then click GPOAccelerator.
3. Click the Command-line Here.cmd file.
4. At the command prompt, type cscript GPOAccelerator.wsf /ResetSCE and then press
ENTER.
5. In the Click Yes to continue, or No to exit the script message box, click Yes.
Note Completing this procedure reverts the SCE on your computer to the default settings in
Windows XP. Any settings added to the default SCE are removed. This will only affect the
ability to view the settings with the SCE. Configured Group Policy settings remain in place.
Security Templates
Security Templates are provided so that if you want to build your own policies, rather than
use or modify the policies prescribed in Windows XP Security Guide, you can import the
relevant security settings. Security Templates are text files that contain security setting
values. They are subcomponents of the GPOs. You can modify the policy settings that
are contained in the Security Templates in the MMC Group Policy Object Editor snap-in.
Security Templates are included with the GPOAccelerator. The following templates for
the EC environment are located in the GPOAccelerator\Security Templates\XPG
folder:
XP EC Desktop.inf
XP EC Domain.inf
XP EC Laptop.inf
Important You do not need to use the Security Templates to deploy the solution described in
this guide. The templates provide an alternative to the GPMC-based solution, and only cover
computer security settings that appear under Computer Configuration\Windows
Settings\Security Settings. For example, you cannot manage Internet Explorer or Windows
Firewall settings in the GPOs using a Security Template, and user settings are not included.
You can also use the Security Templates supplied with this guide to modify the local
security policy on stand-alone client computers running Windows XP. The
GPOAccelerator simplifies the process to apply the templates.
To apply the Security Templates to modify local Group Policy on a stand-alone
client computer running Windows XP
1. Log on as an administrator to a computer running Windows XP.
2. On the computer, click Start, click All Programs, and click GPOAccelerator.
3. Click the Command-line Here.cmd file.
4. At the command prompt, type cscript GPOAccelerator.wsf /Enterprise /Desktop or
cscript GPOAccelerator.wsf /Enterprise /Laptop and then press ENTER.
Completing this procedure modifies the local security policy settings using the values
in the Security Templates for the EC environment.
To restore a local Group Policy to the default settings in Windows XP
1. Log on as an administrator to a client computer running Windows XP.
2. On the computer, click Start, click All Programs, and click GPOAccelerator.
3. Click the Command-line Here.cmd file.
4. At the command prompt, type cscript GPOAccelerator.wsf /Restore and then press
ENTER.
Completing this procedure restores the local security policy settings to their default
values in Windows XP.
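The following PowerShell script is an added example, not part of the GPOAccelerator package; it covers the two stand-alone procedures above for Windows XP and the equivalent Windows Vista procedure in Chapter 3. Instead of the /Enterprise and /Restore options it calls secedit.exe directly, so that the effective local security policy is exported first and the exact settings the template would change are listed before anything is applied. The template path and working folder are assumptions; the parser handles only the plain section and key=value layout of the .inf files, which is what the EC templates use.

```powershell
# Added example, not part of the GPOAccelerator package. Run from an elevated
# prompt. The template path and working folder are assumptions.
$ErrorActionPreference = 'Stop'
$Template = 'C:\Program Files\GPOAccelerator\Security Templates\XPG\XP EC Desktop.inf'
$WorkDir  = Join-Path $env:TEMP 'secguide'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

function ConvertFrom-SecurityTemplate {
    # Parse a Security Template (.inf) into section -> setting -> value.
    # Comment (;) and blank lines are skipped; files are UTF-16 with a BOM, which
    # Get-Content detects on its own.
    param([string]$Path)
    $result = @{}; $section = $null
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $result[$section] = @{}; continue }
        if ($section -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $result[$section][$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

function Compare-SecurityTemplate {
    # Every setting in $Proposed whose value differs from, or is absent in, $Current.
    param([hashtable]$Current, [hashtable]$Proposed)
    $diff = @()
    foreach ($section in $Proposed.Keys) {
        if ('Unicode', 'Version' -contains $section) { continue }   # file headers, not settings
        foreach ($key in $Proposed[$section].Keys) {
            $new = $Proposed[$section][$key]
            $old = if ($Current.ContainsKey($section)) { $Current[$section][$key] } else { $null }
            if ($old -ne $new) {
                $diff += [pscustomobject]@{ Section = $section; Setting = $key; Current = $old; Proposed = $new }
            }
        }
    }
    return $diff
}

function Invoke-SecurityTemplate {
    # 1. export the effective local policy so it can be re-applied later,
    # 2. list what the template would change, 3. apply it with secedit /configure.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$TemplatePath, [string]$WorkDir)
    $backup = Join-Path $WorkDir ('local-policy-{0:yyyyMMdd-HHmmss}.inf' -f (Get-Date))
    & secedit.exe /export /cfg $backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }

    $changes = @(Compare-SecurityTemplate -Current  (ConvertFrom-SecurityTemplate $backup) `
                                          -Proposed (ConvertFrom-SecurityTemplate $TemplatePath))
    $changes | Format-Table -AutoSize | Out-String | Write-Host

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "apply '$TemplatePath' ($($changes.Count) changes)")) {
        $db  = Join-Path $WorkDir 'secguide.sdb'
        $log = Join-Path $WorkDir 'secguide.log'
        # /overwrite replaces the database contents with this template instead of merging.
        & secedit.exe /configure /db $db /cfg $TemplatePath /overwrite /log $log /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed ($LASTEXITCODE); see $log" }
    }
    return $backup   # re-apply later with: secedit /configure /db <new.sdb> /cfg <this file>
}

# Preview the changes; drop -WhatIf to apply the template.
Invoke-SecurityTemplate -TemplatePath $Template -WorkDir $WorkDir -WhatIf
```

Re-applying the exported backup returns the computer to the state captured before the change, which is not the same as GPOAccelerator.wsf /Restore: that option returns the local policy to the Windows defaults. Two caveats: the templates cover only the Computer Configuration\Windows Settings\Security Settings areas, as the Important note above says, and an export shows the effective configuration of that computer, so compare against the template rather than treating the export as the Windows default.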
More Information
The following resources provide additional information about Windows XP security-
related topics on Microsoft.com:
Administering Group Policy.
Enterprise Management with the Group Policy.
Loopback Processing of Group Policy.
Migrating GPOs.
Step-by-Step Guide to Understanding the Group Policy.
Step-by-Step Guide to Using the Delegation of Control Wizard.
Summary of New or Expanded Group Policy.
Windows XP.
Chapter 5: Using the GPOAccelerator
with the 2007 Microsoft Office Release
After you read the 2007 Microsoft Office Security Guide and customize the Group Policy
objects (GPOs) it identifies to meet your organization’s security requirements, you can
use the GPOAccelerator to test your design, and then deploy it in your production
environment.
The GPOs for the Windows XP Security Guide and the Windows Vista Security Guide are
designed to work in conjunction with the GPOs defined in the 2007 Microsoft Office
Security Guide. The testing and deployment of the 2007 Microsoft Office Security Guide
assumes that you have already implemented the GPOs from either the Windows XP Security
Guide or the Windows Vista Security Guide.
This chapter assumes that you have secured your operating system by following the
recommendations of either the Windows XP Security Guide or the Windows Vista
Security Guide.
The GPOAccelerator.msi file installs the GPOAccelerator tool along with related
materials. The GPOAccelerator automatically creates all the GPOs that you need to
implement either the Enterprise Client (EC) or the Specialized Security – Limited
Functionality (SSLF) settings from the 2007 Microsoft Office Security Guide. The
GPOAccelerator also supports the Windows XP Security Guide, the Windows Vista
Security Guide, and the Windows Server 2008 Security Guide.
This chapter provides information about how to use the GPOAccelerator to perform the
following tasks:
Test your customized Office GPO design in a lab environment. You will probably
need to customize the GPOs that the GPOAccelerator deploys, and the OUs to which
they are linked for your environment.
Deploy your customized Office GPO design in your production environment. You can
do this after you finish testing and are satisfied that the deployed GPOs in the lab
meet your organization’s security requirements.
For client computers, the GPOAccelerator script creates the following four GPOs, two for
the EC environment and two for the SSLF environment:
Office EC Computer Policy for the computer.
Office EC Users Policy for users.
Office SSLF Computer Policy for the computer.
Office SSLF Users Policy for users.
For more information about specific GPOs, see the 2007 Microsoft Office Security Guide.
5. In the message box labeled The Enterprise Office GPOs are created, click OK.
Task 2: Use the GPMC to Check Your Results and Link the GPOs
You can use the Group Policy Management Console (GPMC) to check the results of the
script. The following procedure describes how to use the GPMC to verify the GPOs and
OU structure that the GPOAccelerator creates.
To verify the results of the GPOAccelerator
1. While logged on as a domain administrator, click Start, and then click Run.
2. In the Open box, type gpmc.msc and then click OK.
3. Under Group Policy Management, expand the forest, expand Domains, and then
expand <YourDomainName>.
4. Right-click the OU to which you want to link a GPO, and select Link Existing GPO as
shown in the following figure.
5. Select the GPO under Group Policy Objects, and then click OK.
6. Repeat steps 4 and 5 for each OU to link the appropriate GPO to meet the
requirements of the GPO design that you created through the security guide.