In this, the first book to be entirely dedicated to the subject of running Least Privilege Security (or standard user accounts) on Windows operating systems in the enterprise, you will learn about the benefits Least Privilege brings organizations in terms of not only security, but regulatory compliance, improved manageability, and operational simplicity. The book provides a complete guide to implementing Least Privilege Security on the desktop, with step-by-step instructions and advice about how to overcome the most common technical and political challenges.
Chapter 1, An Overview of Least Privilege Security in Microsoft Windows, explores the principle of Least Privilege Security and shows how to implement it in different versions of Microsoft Windows. It also explains how to control and change system privileges, benefit from implementing Least Privilege Security on the desktop, and overcome the most common technical and political problems and challenges when implementing Least Privilege Security.
Chapter 2, Political and Cultural Challenges for Least Privilege Security, covers the reasons why users may not accept Least Privilege Security on the desktop. It also clearly explains and justifies the benefits of Least Privilege Security for your organization. The chapter also covers how to apply Least Privilege Security to different categories of users and get buy-in from management.
Chapter 3, Solving Least Privilege Problems with the Application Compatibility Toolkit, covers how to modify incompatible applications on the fly and achieve the best balance between compatibility and security by using Application Compatibility shims. It explains how to create shims using the Application Compatibility Toolkit 5.5 and distribute compatibility databases to devices across the enterprise.
Chapter 4, User Account Control, covers how to achieve a seamless user experience by using the different components and compatibility features of User Account Control. It also explains how to configure User Account Control on multiple computers using Group Policy and the inner workings of User Account Control's core components.
Chapter 5, Tools and Techniques for Solving Least Privilege Security Problems, covers how to set up a system for temporarily granting administrative privileges to standard users for support purposes. It also covers how to use Task Scheduler to run common processes without the need to elevate privileges and how to install third-party solutions to configure administrative privileges for applications and Windows processes on the fly.
Chapter 6, Software Distribution using Group Policy, explains how to prepare applications for Group Policy Software Installation (GPSI) and Windows Installer deployment. It also explains how to repackage legacy setup programs in Windows Installer .msi format and how to make GPSI more scalable and flexible using the Distributed File System (DFS). It covers how to target client computers using Windows Management Instrumentation (WMI) filters and Group Policy Scope of Management.
Chapter 7, Managing Internet Explorer Add-ons, covers how to support per-user and per-machine ActiveX controls and manage Internet Explorer add-ons via Group Policy. It also explains how to install per-machine ActiveX controls using the ActiveX Installer Service (AxIS) and how to implement best practices for working with ActiveX controls in a managed environment.
Chapter 8, Supporting Users Running with Least-Privilege, explains how to support Least-Privilege user accounts using reliable remote access solutions, how to connect to remote systems with administrative privileges using different techniques, and how to enable remote access using Group Policy and Windows Firewall.
Chapter 9, Deploying Software Restriction Policies and AppLocker, explains how to deploy default Software Restriction Policy (SRP) or AppLocker rules to ensure only programs installed in protected locations can run. It discusses how to force an application to launch with standard user privileges even if the user is an administrator and how to blacklist an application using SRP or AppLocker.
Chapter 10, Least Privilege in Windows XP, covers how to redeploy Windows XP with Least Privilege Security configured and identify problems with applications caused by Least Privilege Security using the Microsoft Deployment Toolkit. It also explains how to mitigate the problems and limitations users may face when running with a Least Privilege Security account and how to handle ActiveX controls in Windows XP.
Chapter 11, Preparing Vista and Windows 7 for Least Privilege Security, explains how to collect and analyze data to identify any potential compatibility problems with Least Privilege Security and software installed on networked PCs using Microsoft's Application Compatibility Toolkit (ACT). The reader will learn how to analyze logon scripts for Least Privilege compatibility, how to prepare a desktop image with Least Privilege Security enabled from the start and deploy the new image while preserving users' files and settings.
Chapter 12, Provisioning Applications on Secure Desktops with Remote Desktop Services, explains how to install the core server roles for Remote Desktop Services in Windows Server 2008 R2 using Windows PowerShell. It also explains how to set up and understand Remote Desktop Licensing and configure Remote Desktop Gateway for secure remote access to applications over HTTPS. This chapter also discusses how to advertise published Remote Applications on Windows 7’s Start menu using Remote Desktop Web Access.
Chapter 13, Balancing Flexibility and Security with Application Virtualization, covers how to sequence an application for streaming and virtualization, and how to set up the App-V Client to work with a server-less deployment model.
Chapter 14, Deploying XP Mode VMs with MED-V, explains how to deploy legacy applications that are not compatible with newer versions of Windows and how to set up Windows XP Mode for Windows 7. It also explains how to configure the different components of MED-V for managing and deploying VMs in a large corporate environment and how to prepare VMs for use with MED-V.
The following software products are used in this book:
Windows Server 2008 R2 (any edition)
Windows XP Professional
Windows Vista (Business, Enterprise, or Ultimate)
Windows 7 (Professional, Enterprise, or Ultimate)
Microsoft Desktop Optimization Pack (MDOP) 2010
An application that is not compatible with a standard user account on Windows XP, Vista or 7
This book is for System Administrators or desktop support staff who want to implement Least Privilege Security on Windows systems.
In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.
Code words in text are shown as follows: "Now that we've got our machines configured with the WinRM service and listening on port 5985 (or port 80 for WinRM 1.1), we need to see if we can connect using the winrs command."
Any command-line input or output is written as follows:
net user Support1 ******** /expires:never /passwordchg:no /ADD
net localgroup Administrators Support1 /ADD
New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "The Allow non-administrators to install drivers for these device setup classes setting under Computer Configuration | Policies | Administrative Templates | System | Driver Installation in Vista and Windows 7 Group Policy allows administrators to stipulate devices that can be installed by standard users according to the device GUID as specified in the driver".
Note
Tips and tricks appear like this.
Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.
To send us general feedback, simply send an e-mail to <[email protected]>, and mention the book title via the subject of your message.
If there is a book that you need and would like to see us publish, please send us a note in the SUGGEST A TITLE form on www.packtpub.com or e-mail <[email protected]>.
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/support, selecting your book, clicking on the let us know link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded on our website, or added to any list of existing errata, under the Errata section of that title. Any existing errata can be viewed by selecting your title from http://www.packtpub.com/support.
Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.
Please contact us at <[email protected]> with a link to the suspected pirated material.
We appreciate your help in protecting our authors, and our ability to bring you valuable content.
You can contact us at <[email protected]> if you are having a problem with any aspect of the book, and we will do our best to address it.