MDM & GP Tips Blog

Nov 30, 2010

Using Powershell to find Group Policy Strangeness

Do you have any GPOs which are “not doing anything”? If so, why?

If you have zillions of GPOs, here’s a quick cleanup tip.

Use a Windows 7 machine with RSAT installed (that is what supplies the GPMC and its GroupPolicy PowerShell module) to quickly find all GPOs which have all their settings disabled.

Here's an example GPO with all the settings disabled.


Sure, you COULD click on every stinkin GPO you have in your domain.

-OR- you can use Powershell to quickly get to the bottom of things.

1. On a Windows 7 machine with RSAT (GPMC) installed, open a command prompt.

2. Type powershell (no quotes.)

3. Type Import-Module GroupPolicy (no quotes.)

4. Type the command you see here: Get-GPO -All | Sort-Object GpoStatus

The ones with AllSettingsDisabled will bubble up to the top.


All the Powershell propeller-heads are rolling their eyes right now, because they know there's a cleaner way to produce the output of this showing ONLY the ones that actually match the GpoStatus of AllSettingsDisabled.

Yes, yes, you purists

Here's how to do it:

Get-GPO -All | Where-Object { $_.GpoStatus -eq 'AllSettingsDisabled' }
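A GPO can also be "not doing anything" because it is linked nowhere, or only has disabled links. The following is an added example (not code from the original post) that reports all three cases in one pass; it assumes RSAT/GPMC is installed so the GroupPolicy module is available, and that you are running it as a user who can read every GPO.

```powershell
# Added example (not code from the original post). Reports GPOs that are "not
# doing anything": every setting disabled, no link anywhere, or only disabled
# links. Assumes RSAT/GPMC is installed so the GroupPolicy module is available.
Import-Module GroupPolicy

function Get-IdleGpo {
    foreach ($gpo in Get-GPO -All) {
        # The XML report carries the link information; a GPO that is not linked
        # to any site, domain or OU simply has no <LinksTo> elements.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $links   = @($report.GPO.LinksTo | Where-Object { $_ })
        $enabled = @($links | Where-Object { $_.Enabled -eq 'true' })

        $reason = @()
        if ($gpo.GpoStatus -eq 'AllSettingsDisabled') { $reason += 'AllSettingsDisabled' }
        if ($links.Count -eq 0)                        { $reason += 'Unlinked' }
        elseif ($enabled.Count -eq 0)                  { $reason += 'AllLinksDisabled' }

        if ($reason.Count -gt 0) {
            New-Object PSObject -Property @{
                DisplayName = $gpo.DisplayName
                Id          = $gpo.Id
                GpoStatus   = $gpo.GpoStatus
                Reason      = ($reason -join ',')
                Links       = (($links | ForEach-Object { $_.SOMPath }) -join '; ')
                Modified    = $gpo.ModificationTime
            }
        }
    }
}

Get-IdleGpo | Sort-Object Reason, DisplayName |
    Format-Table DisplayName, Reason, GpoStatus, Links, Modified -AutoSize
```

The Modified column is there on purpose: an unlinked GPO that nobody has touched in a year is a deletion candidate, while one edited last week is probably somebody's work in progress. Back up with Backup-GPO before you delete anything.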


Hope this helps you out!

Oct 19, 2010

How to use Group Policy to control Services

Guest post by Alan Burchill (Enterprise Mobility MVP) from the Group Policy Center

Services are programs that run in the background of a Windows computer whether or not a user is logged on. They are an essential part of Windows and are essential to the operation of any Windows computer. Without services a computer could not perform automatic updates, run scheduled tasks or even connect to a file share. Therefore the ability to control Windows services is a vital task for IT administrators.

Quite often disabling services on a computer is the best way to reduce its attack surface, or to improve performance by turning off unused components of the OS. Conversely, it is just as important to be able to turn services on to enable certain functionality, or to ensure that certain services are not turned off.

Below I will go through the two ways you can control services in Windows using Group Policy. Each has its own advantages and disadvantages, but together they let you control pretty much any system service the way you want.

In the examples below I am going to show you how to enable the Application Identity service (AppIDSvc), which must be running for AppLocker to work in Windows 7.

Using Group Policy to configure a Service

Ever since Group Policy was introduced with Windows 2000 you have been able to configure some aspects of services using native Group Policy (Computer Configuration > Policies > Windows Settings > Security Settings > System Services).

Now that you can control services using Group Policy Preferences, there are only two reasons you would still want to use this method:

  1. You want to control services on Windows 2000 or on a computer that does not have the Preferences client-side extensions installed.
  2. You want to configure the security so that non-administrators can start, stop and pause the service.

Step 1. Edit a computer Group Policy Object that is targeted at the computers that you want to configure.

Step 2. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > System Services and select the service that you want to configure.

Note: If the service that you want to configure is not present in the list, you will need to run the GPMC on a computer that has the service installed, because the list is built from the services present on the computer you are editing from. This is a painful restriction of controlling services this way and


Step 3. From the menu click Action > Properties, tick Define this policy setting and then set the service startup mode to what you want.


Step 4. If you click the Edit Security button you can also configure who has control over the service. This is useful if you want to give end users the ability to start and stop specific services. Tip: tick Start, stop and pause for INTERACTIVE if you want the logged-on user to control the service. Grant only those three rights: letting non-administrators change the service's configuration (which includes the path to its executable) or its permissions hands them a way to run their own code under the service account, which is often SYSTEM.


Now that you have configured the service via Group Policy you will need to reboot the computer for the new startup mode to take effect: the native policy only writes the startup type, it never stops or starts the service itself. This means that if you are disabling a service it will not actually stop until the next reboot, which could be days, weeks or even months after you made the policy change.

Using Group Policy Preferences to configure a Service

The newer and almost always better way to configure services is to use the Group Policy Preferences Services item. Whereas the native method only lets you control the startup mode and security of a service, Preferences give you much greater control.

The only reasons you would not want to use Group Policy Preferences to control services are:

  1. You need to configure the startup mode of a service on a computer running Windows 2000, or on one that is not running the Preferences client-side extensions.
  2. You want to configure the security to allow non-admins to start, stop or pause the service.

Always remember that if you configure a service startup mode using the native method, it takes precedence over Group Policy Preferences; you can, however, use the native security options in conjunction with Preferences.

Step 1. Edit a computer Group Policy Object that is targeted at the computers on which you want to control the service.

Step 2. Navigate to Computer Configuration > Preferences > Control Panel Settings > Services


Step 3. In the menu click Action > New > Service, then click the button next to the Service Name field.

Note: From here you can either type the service name into the Service Name field, or click the button to choose the service from a predefined list of services.


Step 4. Select the service that you want to configure and then click Select.


Step 5. Now you can configure the Startup mode from the drop-down box, and you can configure a service action (start, stop or restart the service).


The service action is applied at every Group Policy refresh, so you do not need to wait for the computer to reboot for the latest startup mode to take effect. This is also handy if you want a service started again after it has crashed, or if you have a pesky service that needs restarting on a regular basis to keep running properly.

Step 6. Click the Recovery tab to configure the recovery options of the service, as you would in the Services control panel.


Step 7. As this is a preference item you can also configure the standard Common options, such as item-level targeting, which lets you granularly control which computers receive this setting.

As you can see, with the combination of Group Policy Preferences and the native policies there is nothing you cannot configure for your system services. Enjoy!
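To see what the two methods actually deliver on an endpoint, here is an added PowerShell example (not code from the original post). It compares a computer's services with a desired-state table and, with -Remediate, does what a Preferences service action does at refresh time: set the startup type and then start or stop the service. The table is an assumed example (AppIDSvc for AppLocker, plus Remote Registry as something to switch off); run it from an elevated prompt.

```powershell
# Added example (not code from the original post). Compares the local computer's
# services with a desired-state table and, with -Remediate, does what a
# Preferences "Service action" does at refresh time. The table is an assumed example.
$Desired = @{
    'AppIDSvc'       = @{ StartMode = 'Auto';     State = 'Running' }  # Application Identity (AppLocker)
    'RemoteRegistry' = @{ StartMode = 'Disabled'; State = 'Stopped' }
}

function Test-ServiceState {
    param([hashtable]$Want = $Desired, [switch]$Remediate)
    # Win32_Service StartMode values -> Set-Service -StartupType names
    $startupName = @{ Auto = 'Automatic'; Manual = 'Manual'; Disabled = 'Disabled' }

    foreach ($name in $Want.Keys) {
        # Win32_Service exposes both the startup type (StartMode) and whether the
        # service is running right now (State).
        $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
        if (-not $svc) { Write-Warning "$name is not installed on this computer"; continue }
        $w = $Want[$name]

        $drift = @()
        if ($svc.StartMode -ne $w.StartMode) { $drift += "StartMode=$($svc.StartMode), want $($w.StartMode)" }
        if ($svc.State     -ne $w.State)     { $drift += "State=$($svc.State), want $($w.State)" }

        if ($drift.Count -gt 0 -and $Remediate) {
            # Setting the startup type alone is all the native policy does: nothing
            # stops or starts until the next boot.
            Set-Service -Name $name -StartupType $startupName[$w.StartMode]
            # The explicit start/stop is what the Preferences service action adds.
            switch ($w.State) {
                'Running' { Start-Service -Name $name }
                'Stopped' { Stop-Service  -Name $name -Force }
            }
            $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
        }

        New-Object PSObject -Property @{
            Name      = $name
            StartMode = $svc.StartMode
            State     = $svc.State
            Drift     = ($drift -join '; ')
        }
    }
}

# Report only; add -Remediate (from an elevated prompt) to enforce the table.
Test-ServiceState | Format-Table Name, StartMode, State, Drift -AutoSize
```

Run the report-only form on a machine after gpupdate and the Drift column shows you exactly the difference between the two methods: with the native policy a freshly disabled service still reports State=Running until a reboot, with a Preferences "Stop service" action it does not.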

This post was originally posted here http://www.grouppolicy.biz/2010/08/how-to-use-group-policy-to-control-services/

Oct 18, 2010

Office 2010: Group Policy Deployment Bonanza

I’m not exactly sure why.. but sometimes Microsoft goes on a little jag about something. They get a particular bee in their bonnet, then BLAMMO! Tons of stuff on one focused topic comes out, all at once, just overwhelming us.

Well, this kind of just happened recently. And NO, I’m not talking about “Windows 7 Phone Mobile System 7 Mobility Solution for Mobile Phones” … or whatever-the-heck-it’s called.

I’m talking about Office 2010. And, specifically, deploying that big ‘ol beast using Group Policy.

I do cover how to deploy Office 2010 (and Office 2007 for that matter) in my big green book (www.GPanswers.com/book) but it’s also true Microsoft has made some newly available docs which give some extra oomph to dealing with that rollout.

PS: If you’re coming to my Chicago class NEXT WEEK, then GOOD NEWS !    I’ve decided to put my working gloves on, and POOF ! Now, you’ve got a brand new “unannounced” extra bonus lesson with hands-on labs for “Office 2010 + Group Policy = Deployment !” So, see you there. (Two seats left, by the way… https://www.gpanswers.com/training if you want to claim ’em.)

If you can’t make it to Chicago, here’s the “self help” resources I talked about.

() TechNet Magazine Auto Deploy Office 2010 with Free Tools:
http://technet.microsoft.com/en-us/magazine/ff956190.aspx

() Deploy Office 2010 by using Group Policy computer startup scripts
http://technet.microsoft.com/en-us/library/ff602181.aspx

() For IT professionals: Group Policy for Microsoft Office 2010
http://tinyurl.com/23g8txf

() Office 2010 Administrative Template files (ADM, ADMX, ADML) and Office Customization Tool
http://technet.microsoft.com/en-us/library/cc178992.aspx#section8

I do gotta say “Thanks Microsoft.”  Having to slog through without the docs (even, heck.. WITH the docs) out on your own is PAINFUL. Really. But these newer docs do ease that pain a little bit. I know people are hep on trying to roll out Office 2010.. and it isn’t easy.

Hopefully these docs help you make the magic happen. Until next time !

Jeremy Moskowitz
GPanswers.com (Group Policy Community)
PolicyPak.com    (PolicyPak Software)

Oct 10, 2010

ADMX Overlap

By now you have seen the video related to this blog posting. If you haven’t yet, then STOP, watch this, then come back here:

http://tinyurl.com/admx-overlap-video

Okay. Now that you understand the “ADMX overlap” issue a little more, here’s the EXACT list of files that are exclusive to each operating system. So, if you want to have “100% of it all” be sure to copy up ONE operating system’s ADMX files, then hunt the rest of these down, and also put them in the Central Store.

(For more information on the Central Store, I would suggest my live or GP Online University Training course. Just click Training | Get Training and check it out.) Here’s the list:

Server 2008 R2 “only” ADMX / ADML files:

  • Adfs.admx
  • GroupPolicyPreferences.admx
  • GroupPolicy-Server.admx
  • Kdc.admx
  • MMCSnapIns2.admx
  • NAPXPQec.admx
  • PowerShellExecutionPolicy.admx
  • PswdSync.admx
  • ServerManager.admx
  • Snis.admx
  • TerminalServer-Server.admx
  • WindowsServer.admx

Windows 7 only ADMX files:

  • DeviceRedirection.admx
  • Sdiagschd.admx
  • Search.admx
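Rather than hunting the exclusive files down by hand, you can let PowerShell compute the overlap from two PolicyDefinitions folders and fill the Central Store from both. The following is an added example, not code from the original post; the three paths are assumptions (two PolicyDefinitions folders copied from a Windows 7 and a Server 2008 R2 machine, and the Central Store of the current domain).

```powershell
# Added example (not code from the original post). Lists which ADMX/ADML files
# are exclusive to each OS, then fills the Central Store from both without
# overwriting anything already there. The three paths are assumptions.
$Win7    = 'C:\Admx\Win7\PolicyDefinitions'
$Srv08R2 = 'C:\Admx\2008R2\PolicyDefinitions'
$Store   = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\PolicyDefinitions"

function Get-AdmxInventory {
    param([string]$Root)
    # Paths relative to the folder, so en-US\foo.adml compares with en-US\foo.adml.
    $base = $Root.TrimEnd('\')
    Get-ChildItem -Path $base -Recurse -Include *.admx,*.adml |
        ForEach-Object { $_.FullName.Substring($base.Length + 1) }
}

function Compare-AdmxFolders {
    param([string]$A, [string]$B, [string]$NameA = 'A', [string]$NameB = 'B')
    Compare-Object -ReferenceObject @(Get-AdmxInventory $A) -DifferenceObject @(Get-AdmxInventory $B) |
        ForEach-Object {
            New-Object PSObject -Property @{
                File   = $_.InputObject
                OnlyIn = $(if ($_.SideIndicator -eq '<=') { $NameA } else { $NameB })
            }
        }
}

function Merge-AdmxIntoStore {
    param([string[]]$Sources, [string]$Store)
    # Sources are in priority order: a file already in the store is never replaced,
    # so list the OS whose copy of a shared file you want to keep first.
    foreach ($src in $Sources) {
        foreach ($rel in Get-AdmxInventory $src) {
            $dst = Join-Path $Store $rel
            if (Test-Path $dst) { continue }
            New-Item -ItemType Directory -Path (Split-Path $dst) -Force | Out-Null
            Copy-Item -Path (Join-Path $src $rel) -Destination $dst
            "copied $rel from $src"
        }
    }
}

Compare-AdmxFolders -A $Win7 -B $Srv08R2 -NameA 'Windows 7' -NameB 'Server 2008 R2' |
    Sort-Object OnlyIn, File | Format-Table OnlyIn, File -AutoSize

# Seed the store from one OS, then add the other OS's exclusive files.
Merge-AdmxIntoStore -Sources $Srv08R2, $Win7 -Store $Store
```

The comparison is by file name only. A file that both operating systems ship (inetres.admx, for instance) can differ in content, and the newer OS's copy is normally the superset, so seed the store from the newest OS first and let the merge add only what is missing. Writing to SYSVOL needs Domain Admin (or delegated) rights, and the copy replicates to every domain controller.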

Sep 27, 2010

Internet Explorer 9 (Beta) Group Policy Settings


Guest Post by Alan Burchill (Enterprise Mobility MVP) from the Group Policy Center.

Microsoft has now released the Internet Explorer 9 Beta to the public. If the new functionality alone is not enough to get you to use it, just remember that it is now fully hardware accelerated, which makes it much faster than previous versions!!

With any new version of IE there come new features, and with new features come new Group Policy settings, so below I go through the new policy settings and how you can get started right now with managing IE9 using Group Policy.

To get started you will need to download and install IE9 on whatever computer you are using the Group Policy Management Console (a.k.a. GPMC) on to edit your Group Policy settings. As with anything to do with Group Policy, it is normally best to make changes from a system that has the newest software in your organisation on it.

WARNING: This software is still Beta, so you are strongly recommended to isolate any testing you do with IE9 and Group Policy from your production environment.

Internet Explorer 9 Administrative Template Group Policy Settings

There are only 8 new Administrative Template Group Policy settings, but remember that, just like with previous versions, most of the older IE policy settings will still apply to this newer version of IE. These settings are of course not final, and Microsoft could change, add or remove settings before the product goes RTW.

As IE9 only supports Windows Vista and Windows 7, you now only get ADMX files for the new policy settings (no legacy ADM). They are placed automatically in the C:\Windows\PolicyDefinitions folder on the computer on which you install IE9: inetres.admx, with inetres.adml under the language subfolder (e.g. en-US). Note: if you are using a Central Store for administrative templates, you will need to copy the updated inetres.admx and inetres.adml into it (\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions), because the editor uses the Central Store in preference to the local folder. Once the new ADMX / ADML files are loaded you will be able to configure the new IE settings under Administrative Templates in the Group Policy Editor. Sweet!

To save you the time of trying to find where the new policy settings are yourself, I have listed the 8 new Administrative Template settings with the location where they can be found, so you can check them out yourself.

Disable add-on performance notification

Administrative Templates > Windows Components > Internet Explorer


Turn off Managing SmartScreen Filter

Administrative Templates > Windows Components > Internet Explorer


Allow Internet Explorer 8 Shutdown Behaviour

Administrative Templates > Windows Components > Internet Explorer


Automatically enable newly installed add-ons

Administrative Templates > Windows Components > Internet Explorer


Prevent Deleting Download History

Administrative Templates > Windows Components > Internet Explorer > Delete Browsing History


Enable WebM software (when available)

Administrative Templates > Windows Components > Internet Explorer > Advanced Settings > Multimedia


Prevent configuration of search from the Address bar

Administrative Templates > Windows Components > Internet Explorer > Advanced Settings > Searching


Install binaries signed by MD2 and MD4 signing technologies

Administrative Templates > Windows Components > Internet Explorer > Security Features > Binary Behaviour Security Restrictions


Internet Explorer 9 Internet Explorer Maintenance Group Policy

The other way you can configure IE9 with Group Policy is by going to the Windows Settings > Internet Explorer Maintenance section. As with previous versions you can configure your IE settings (e.g. Home Page) there, or you can import the current Program and/or Security settings using the Import Program Settings option.


Internet Explorer 9 Group Policy Preferences Group Policy

Umm… err… Unfortunately, at this point in time there is no support for Group Policy Preferences with Internet Explorer 9. This may or may not change in the future, but at least for now you can use Administrative Templates and IE Maintenance to keep you going.

As the beta has only just been released, it is highly likely that there will be more information coming soon…

This article was originally posted on the Group Policy Center at http://www.grouppolicy.biz/2010/09/internet-explorer-9-beta-group-policy-settings/

Sep 15, 2010

GPanswers.com: It's fun to steal (or... The art of search.)

I really can’t take credit for this one. I’m going to just give the shout outs “in advance” to my friends who made this blog entry possible: Alex Verboon, Alan Burchill GP MVP, Darren Mar-Elia GP MVP, Mark Heitbrink GP MVP and the Group Policy Team itself.

Okay, with that out of the way, here’s “Jeremy’s 100% ripped-off guide to searching for stuff in Group Policy.”

Item 1: Online Group Policy Search
——

There’s a new “online” ability to search for Group Policy settings and items. It’s DUN-DUN-DUN… “In the cloud!” Aiighh.. Run for your life !! Okay, not really. It’s just a web page. Go to this address, and start searching for new Group Policy settings you didn’t know existed:

http://gps.cloudapp.net/

Item 1B: Online Group Policy Search, now inside Explorer
——————————————————–

I first came across this tip in a post from Alex Verboon. I’m not sure if Alan Burchill, Enterprise Mobility MVP had the same idea at the same time, or what, but they both discovered how you can link that “cloud app” to Windows 7 Explorer’s search. So, you can search for Group Policy settings, right from Windows Explorer.

Weird. Geeky. Neat.

The writeup is here:

http://www.grouppolicy.biz/2010/06/msdn-group-policy-search-out-now/

Item 2A:  Searching for GPOs… with comments.. Using Powershell
————————————————————–

The Group Policy team has a new blog entry which talks about the first two items I’ve listed. –And-  that blog entry continues to talk about Group Policy cmdlets in PowerShell.

The idea is that you can use the Group Policy cmdlets to search for attributes about GPOs themselves. Neat.

They’ve got a big ol’ PowerShell script you can use if you like right there.

However, my pal Jeff Hicks, PowerShell MVP helped me get it down to one quick line if you want to try it out. (Actually, it’s two lines.) Remember, you need a Windows 7 or Windows Server 2008 R2 machine with PowerShell installed to try this out.

Line 1: Import-Module GroupPolicy
Line 2:  get-gpo -all | where {$_.description} | Select Displayname,Description

When I run this command, I get the following output.. Neat !

DisplayName                      Description
———–                     ———–
OU 1                           Yep. Here’s a comment.

Item 2B: Searching for GPOs.. with comments .. No PowerShell
————————————————————

PowerShell isn’t for everyone; though it is becoming the “de facto” way of doing lots of scripting. Mark Heitbrink, Enterprise Mobility MVP supplied this little nugget of goodness.

Note that this requires that you’ve got the Group Policy Scripts installed from here.

After that, you can use these canned VB scripts to run a command like…

cscript GetReportsForAllGPOs.wsf c:\gpo-report
find /i “something” c:\gpo-report\*.html
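If you do want to stay in PowerShell, the same search over every GPO's settings (not just its description) is a short function. This is an added example, not code from the original post or from the Group Policy team's script; it assumes the GroupPolicy module is available and uses “Firewall” as a stand-in search term.

```powershell
# Added example (not code from the original post). Searches every GPO's settings
# report for a regular expression, the PowerShell counterpart of running "find"
# over the HTML reports. "Firewall" is just an assumed search term.
Import-Module GroupPolicy

function Find-GpoSetting {
    param([Parameter(Mandatory=$true)][string]$Pattern)
    foreach ($gpo in Get-GPO -All) {
        # The XML report lists every configured policy, preference and security
        # setting, plus the GPO comment and per-setting comments.
        $xml  = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        # Capture the whole text node around each hit so the output is readable.
        $hits = [regex]::Matches($xml, "[^<>]*$Pattern[^<>]*", 'IgnoreCase')
        if ($hits.Count -gt 0) {
            New-Object PSObject -Property @{
                DisplayName = $gpo.DisplayName
                Id          = $gpo.Id
                Hits        = $hits.Count
                FirstHit    = $hits[0].Value.Trim()
            }
        }
    }
}

Find-GpoSetting -Pattern 'Firewall' | Format-Table DisplayName, Hits, FirstHit -AutoSize
```

Because the report is generated per GPO on the fly, this takes a few seconds per GPO in a large domain; for repeated searches, dump the XML reports to a folder once and run the regex over the files instead.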

Final thoughts…
——————

That’s it. That’s all the stealing I’m doing for one day. Thanks to all my helpers.

PS: The inspiration of the title of this blog entry is from a song on of my favorite albums that no one ever heard of. Track 2; there’s a preview if you want to listen.
http://www.amazon.com/Its-Fun-Steal-Mono-Puff/dp/B0000069SW

PS: One seat left in Chicago with the FIRST7CHICAGO $300 off discount. Get the GP Training you need to rollout and secure your Windows 7 and Server 2008 R2 machines. Use that coupon code at checkout. https://www.gpanswers.com/training Don’t be that guy or gal who missed out. You can also call Diane at 302-351-4903 if you don’t want to sign up online.

Aug 04, 2010

GPMC on Windows Server 2008 R2 and PowerShell

Team:

I’m racing toward getting out the door for my 30+ day trip to tour Australia and speak at Microsoft TechEd Australia and New Zealand.

But, I had a quick second to share a fun little PowerShell + GP tip… If you’ve NEVER used PowerShell before.. try this one. It’s fun and easy.

If you want to install the GPMC on a Windows Server 2008 R2 machine via command line, you can use PowerShell. The commands are as follows:

  • Import-Module Servermanager
  • Add-WindowsFeature GPMC

Then, if you run the following command you will see the status as installed:

  • Get-WindowsFeature GPMC

Try it.. something “special” that’s unexpected and neat happens. It’s super-fun !

Also.. I came across this super-nice write up of my latest book. I can’t even figure out the person’s name to thank him for such a nice review..  but, Thank You Mr. or Ms. Whomever you are.

Here’s the review:
http://www.anotherwindowsblog.com/2010/08/book-highlight-group-policy.html

Now, get your signed copies at:
www.GPanswers.com/book

Limited number, since I’m running out the door, and won’t have any to sign for a month !

Talk soon.. Gotta run !

Jeremy Moskowitz
GPanswers.com (Group Policy Community)
PolicyPak.com    (PolicyPak Software)

Jul 13, 2010

GP "must knows" - 4 of them !

Last week was a big week over here at the Group Policy HQ.

Here’s four fun and informative things that I think you’ll want to know.

Item 1: Quick, Informative Interview
Matt Hester, Tech Evangelist from Microsoft sits down with me and asks “What’s new and cool in modern GP?” When my wife saw this video, she dubbed it “Schmoozin’ with the Mosk.” Anyway, it’s fun and it’s here: 
https://moskowitzinc.infusionsoft.com/link/33465afc20/b8a1a0

2. My TechEd 2010 speech Replay — Application Smackdown with Applocker This was the #5 top-most rated session within all of the 900+ sessions at TechEd 2010. You get to check it out, for free! Learn how to smack down your apps.. Now! Here’s the link:
https://moskowitzinc.infusionsoft.com/link/33465afc20/bbaee0

Of course, when you’re ready for hands-on AppLocker training, I’ve got it in my GP Workshop, of course! (www.GPanswers.com/training) — in my GP 2.0 Catchup Class.. and more information in the newest book (www.GPanswers.com/book) in Chapter 8 — Implementing Security with Group Policy !

3. An article I wrote that found its way into Network World. This was tweeted about 80 billion times last week… “Seven tips for using group policy in Windows 7”
https://moskowitzinc.infusionsoft.com/link/33465afc20/bebc20

And.. Lastly…
4. I’ve received lots of questions asking me: “Hey Moskowitz, is your book available as an e-Book somewhere?”

Yes, and yes again. Here’s what’s what:

1. If you want to get the newest book as a Kindle edition, you can get it from Amazon. Click here:
http://www.amazon.com/dp/0470581859/

2. There are some EXTRA (free) bonus chapters for the GREEN (newest) book here:
http://dev.gpanswers.com/books/extra-echapters.html#tabs
(look left)

3. I also have some (older, but still relevant!) eChapter (pay) PDF downloads at the same link:
http://dev.gpanswers.com/books/extra-echapters.html#tabs
(look right)

Also… if you buy the Kindle edition, I’m happy to sign your Kindle’s or iPad screen with a sharpie next time I see you. Just ask!

PS: Holy cow! HUUGE Class in DC coming up next week.. Super crazy excited. If you still want to come, I think we have a spot left. You MUST CALL at this point if you want to secure a seat. 302-351-8408.

PPS: I’ve had some upcoming “extra time” suddenly materialize after the DC class. If you think you / your company might be interested in a PRIVATE On-Site class, where I teach your team — PERSONALLY — how to overcome GP and desktop management challenges…  then just buzz me. I’m at 302-351-8408. We can talk about what your challenges are and how a GP class can help you out. Then, we’ll fit it into YOUR schedule. Talk with you soon. (The sooner you call, the sooner you’ll get over the issue your company has and you’ll be happier and more productive.)

Jul 07, 2010

I Practice Safe Group Policy

Sometimes I get asked if there is anything that we can do to be “safer” around Group Policy usage.

The answer is a resounding “Yes.” Here are some quick tips for you to put into practice NOW, if you’re not already on the right track:

Tip 1: Create, link, then disable a GPO

Sounds counter-intuitive, but this tip can be a quick fix to a big problem. I don’t usually like “big fat GPOs with lots of stuff in them.” That’s not my preferred method of GPO creation. But there are clearcut times when you NEED multiple policy settings or multiple preference settings WITHIN a GPO .. and that’s a-ok.

The problem is that you can’t enter all the settings at once: every change you make in the editor is written to SYSVOL and starts replicating immediately. So, in essence, you’ll have “half-created” GPOs replicating around, with your clients applying those partially completed GPOs.

The tip is: Disable the GPO, add what you need to add, then ENABLE it. (You can choose your method: on the LINK, or on the GPO itself.)

So, if you’re working on setting up a GPO which dictates Firewall Rules, you want to ensure that they get ALL the firewall rules one time, instead of possibly downloading the GPO (incomplete) then re-downloading it later.

Tip 2: Think, then name.


This tip is easy to understand. Don’t name your GPOs “Our wonderful desktop settings” or “Everyone’s security settings” because that’s not descriptive enough. Surely there’s something SPECIFIC these GPOs could be named, like “Sales: Desktop Background” or “Marketing: Firewall Settings.” Clarity, clarity, clarity. You likely don’t work alone, so it’s important to be clear and deliberate in how you name your GPOs.

Tip 3: Use GP Comments

You can add comments about the GPO itself and about the settings within the GPOs. So don’t miss out on leaving “breadcrumbs” behind for “the next person” who edits those GPOs. Explain WHY you did something inside the GP comments. Your “future friend” will thank you !
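All three tips can be done in one go from PowerShell, which also makes the “disable first, enable last” ordering hard to get wrong. The following is an added example, not code from the original post; the OU, GPO name, comment and the two firewall registry values are assumptions standing in for whatever you really need to deliver. It needs the GroupPolicy module (RSAT/GPMC) and rights to create and link GPOs.

```powershell
# Added example (not code from the original post). Creates a GPO the way
# Tips 1-3 describe: descriptive name and comment, disabled while it is being
# populated, linked disabled, and only switched on once complete.
Import-Module GroupPolicy

function New-StagedGpo {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][string]$Comment,
        [Parameter(Mandatory=$true)][string]$TargetOU,
        [Parameter(Mandatory=$true)][scriptblock]$Configure
    )
    # Tip 2 and 3: a specific name and a comment that says WHY the GPO exists.
    $gpo = New-GPO -Name $Name -Comment $Comment
    # Tip 1: disable it before anything is written, so no client ever applies
    # a half-built version while it replicates.
    $gpo.GpoStatus = 'AllSettingsDisabled'
    # Link it now, but with the link disabled, so placement is settled up front.
    New-GPLink -Guid $gpo.Id -Target $TargetOU -LinkEnabled No | Out-Null
    # Populate every setting (the caller's script block).
    & $Configure $gpo
    # Only now switch it on: the GPO first, then the link.
    $gpo.GpoStatus = 'AllSettingsEnabled'
    Set-GPLink -Guid $gpo.Id -Target $TargetOU -LinkEnabled Yes | Out-Null
    Get-GPO -Guid $gpo.Id
}

# Assumed OU, name, comment and settings. The registry values below are the
# domain-profile Windows Firewall policy keys (on, block inbound by default).
New-StagedGpo -Name 'Sales: Windows Firewall (Domain Profile)' `
              -Comment 'Change 1234: enforce firewall on, inbound blocked, for Sales laptops' `
              -TargetOU 'OU=Sales,DC=corp,DC=example' `
              -Configure {
    param($g)
    $key = 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
    Set-GPRegistryValue -Guid $g.Id -Key $key -ValueName 'EnableFirewall'        -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Guid $g.Id -Key $key -ValueName 'DefaultInboundAction'  -Type DWord -Value 1 | Out-Null
}
```

The script block is where you put all of the GPO's settings, however many; nothing reaches a client until the last two lines run. If anything in the block throws, the GPO is left disabled and linked-disabled, which is exactly the safe state.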

I know you’re looking for more best practices, base-hits and big-wins you can use TODAY to make your world safer and more predictable.

I have exactly 4 spots left for my upcoming 5-day Group Policy Master Class (near Dulles Airport, airport code: IAD.)

I know the takeaways you get from the class will be mega-valuable and I guarantee this will help you with your upcoming Windows 7 rollout, create a smoother transition from XP and relieve the pain around desktop and security management. The best part is you’ll get the hands-on training you need for your real-world problems of today and tomorrow.

Knowing that budgets are tight, I’ve set up class at a hotel with a free airport shuttle (so no rental car needed) and a killer nightly hotel rate.

If you’re thinking about making it.. now is the time. Before the end of this week if you want a guaranteed seat.

Dates: July 19th (Monday) – July 22nd (Friday).

Ensure your seat by:

1. https://www.gpanswers.com/training/sign-up-now-live/
(I know the website says “The class is full” but I can take 4 more people !)

2. Calling 302-351-4903 and Diane will help you if you need an invoice for a PO. We need the PO in hand to guarantee your seat.

Also… !

“Manager’s Special” PolicyPak Webinar – Today at 2.30 PM EST.

Bring your IT Manager to my “PolicyPak: Save Time, Money, and Effort (and increase security and santity)” talk today. He / She only needs to stay for 15 minutes of the full 60 minute talk. So agenda is:

() “Manager-speak” (how the company will save Time, Money, and Effort) for 15-minutes
() “Geek speak” for 45-minutes with me and learn how to use my free PolicyPak software to make your life easier.

You BOTH need to sign up at https://www.policypak.com/demo

I’ll draw a free book for one lucky geek who brings his/her IT manager along!
Or… One lucky IT pro who brings his/her geek along!

That’s it. See you in the July 19th class or today online !

Jeremy Moskowitz
GPanswers.com (Group Policy Community)
PolicyPak.com    (PolicyPak Software)

May 26, 2010

Full Disk / Bitlocker Security Hackable

Team:

Thanks to those folks who wrote in and thanked me for waving the banner around this issue.

Also, thanks to those folks who asked some clarifying questions. Okay, here are my summarized thoughts (basically, answers to your questions):

1. Sure, it would be great if copy machines could JOIN the Windows domain. Then, heck yeah, you could possibly use some GP trickery to make them more secure. BUT, that wasn’t what I was implying. ?

2. I supplied some GP-based security tips yesterday. One that encrypted the page file, and another one which totally removed it at shutdown. I also said that the best (bestest?) way to get protected is via full disk encryption. So, I totally stand by that.. Full disk encryption is arguably, the best (fastest / intermediate) way to get “pretty darn secure.” I would however, also suggest that I would only perform the “remove page file at shutdown” for machines where there is no other possible solution for security.

Heck, let’s break this “are we secure?” problem down .. way way down, just for fun here.


Question: Okay… Does NTFS provide “security”?
Answer: Sorry. No. NTFS permissions are enforced by the running Windows kernel; on a disk that is not in a running Windows box they are just metadata. So, in short, if I steal your laptop and it’s got no full disk encryption, then I can boot it from a USB stick or CD-ROM, or just rip the hard drive out and mount it in my non-Windows (i.e. Linux) machine and.. bingo.. I have your files.

Question: Does applying either / both of those policy settings I suggested yesterday really make you more “secure”?
Answer: It’s better than NOTHING for desktops that HAVE to be out in the open and, for whatever reason, cannot get full disk encryption. And even then, it only protects the page file, which may or may not contain interesting stuff (fragments of whatever was in memory: documents, credentials, keys). To be super clear, I would suggest against enabling “clear the page file at shutdown” for servers at all costs, because rebooting your servers (or workstations with large page files) could take a loooong time.

Question: Does EFS (encrypting file system) provide “security” ?
Answer: While I haven’t personally attempted to “bypass” EFS, I’ve seen several writeups of how to bypass it. Indeed, this one tool (found by a quick Internet search) claims to immediately make child’s play of EFS. (Again, untested.. http://tinyurl.com/2buburp)
PS: I swear I didn’t do anything special to get that TinyURL.. that was auto-assigned to me.

Question: Does full disk encryption provide “security” ?
Answer: It’s an excellent start. Again, it’s the best thing we can do for the majority of attacks. But there are still vulnerabilities.  

Question: Okay.. what vulnerabilities am I still exposed to?
Answer: Three parts

() This one I knew about (which was discovered at Princeton University):
This vulnerability is based on the idea that you can “copy” the memory of a PC. Very interesting.
http://www.youtube.com/watch?v=JDaicPIgn9U

() This one I didn’t. This uses Firewire to slurp out the computer’s memory via DMA:
http://tinyurl.com/2pea3y
Thanks to Darren Mar-Elia, fellow GP MVP for this lead.

() A little internet searching came up with this commercial tool to bust Bitlocker / Truecrypt:
http://www.lostpassword.com/kit-forensic.htm
This actually seems to be similar to the Princeton attack; and requires memory to be “captured.” Or, you can try a lengthy “brute force” attack if the machine was fully shutdown.

Also, I think  reasonable reading as well, is the Microsoft response to the Princeton attack, and you can find that here:

http://windowsteamblog.com/windows/b/windowssecurity/archive/2009/12/07/windows-bitlocker-claims.aspx

In short, I am in agreement with Microsoft’s summary of the assessment:

“This sort of targeted attack poses a relatively low risk to folks who use BitLocker in the real world.”

Agreed.

If you’re concerned about attacks #1 and #3, then make sure your computers are configured (using GP, of course!) to hibernate or shut down on idle rather than sleep: once the RAM loses power the keys fade from it, whereas a sleeping machine keeps them there for as long as it sleeps. Then require a BitLocker PIN or USB startup key at boot, so that a thief who powers the machine on cannot get the key loaded into memory in the first place; with TPM-only protection the key is in RAM by the time the logon screen appears, which is exactly what attacks #2 and #3 need. Yes, this is kind of a pain in the neck. But it is the way to prevent those attacks.

If you’re concerned about attack #2, then use GP (again!) to disable the built-in FireWire (IEEE 1394) ports unless absolutely necessary.
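As an added example (not part of the original post), here is a PowerShell audit of one computer for the exposures discussed above: the two page-file settings, whether BitLocker policy requires a PIN, which key protectors the OS volume actually has (TPM-only is the case the memory-capture and DMA attacks are aimed at), and whether the FireWire driver is disabled. The registry locations are the ones those policy settings write; the driver service name 1394ohci is an assumption for Windows 7. Run it from an elevated prompt, since the BitLocker WMI provider needs admin rights.

```powershell
# Added example (not code from the original post). Audits the local machine for
# the page-file, BitLocker pre-boot authentication and FireWire exposures
# discussed in the post. 1394ohci as the FireWire driver name is an assumption (Windows 7).
function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { [int]$item.$Name } else { $null }
}

function Test-ColdBootExposure {
    # BitLocker WMI provider (works on Windows 7; Get-BitLockerVolume came later).
    $ns  = 'root\cimv2\Security\MicrosoftVolumeEncryption'
    $vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume `
                         -Filter "DriveLetter='$env:SystemDrive'" -ErrorAction SilentlyContinue
    # KeyProtectorType values documented for Win32_EncryptableVolume.GetKeyProtectorType
    $names = @{ 1='TPM'; 2='ExternalKey'; 3='NumericalPassword'; 4='TPMAndPIN';
                5='TPMAndStartupKey'; 6='TPMAndPINAndStartupKey'; 7='PublicKey'; 8='Passphrase' }
    $types = @()
    if ($vol) {
        foreach ($id in @($vol.GetKeyProtectors(0).VolumeKeyProtectorID)) {
            $t = [int]$vol.GetKeyProtectorType($id).KeyProtectorType
            $types += $(if ($names.ContainsKey($t)) { $names[$t] } else { "Type$t" })
        }
    }
    New-Object PSObject -Property @{
        # "Shutdown: Clear virtual memory pagefile" security option (1 = on)
        ClearPageFileAtShutdown = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' 'ClearPageFileAtShutdown'
        # Encrypted page file (fsutil behavior set EncryptPagingFile 1)
        NtfsEncryptPagingFile   = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem' 'NtfsEncryptPagingFile'
        # "Require additional authentication at startup": UseTPMPIN 1 = PIN required
        PolicyRequiresTpmPin    = Get-RegDword 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' 'UseTPMPIN'
        # Driver Start value 4 = disabled
        FirewireDriverDisabled  = ((Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Services\1394ohci' 'Start') -eq 4)
        BitLockerOn             = [bool]($vol -and $vol.ProtectionStatus -eq 1)
        KeyProtectors           = ($types -join ',')
        # Anything beyond a bare TPM protector means the key is not unsealed
        # automatically at boot, which is what blocks the attacks described above.
        PreBootAuth             = [bool]($types | Where-Object { $_ -match 'PIN|StartupKey|Passphrase' })
    }
}

Test-ColdBootExposure | Format-List
```

A laptop showing BitLockerOn True with KeyProtectors of only TPM and NumericalPassword (the recovery password) is the “boots to the logon screen with the key in RAM” case; PreBootAuth False plus FirewireDriverDisabled False is the combination the DMA attack wants.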

To be superduper, crazy clear.. there is no “magic bullet” for security. Here’s some reading to get into the concept of “defense in depth.”

http://www.amazon.com/Protect-Your-Windows-Network-Perimeter/dp/0321336437

The book isn’t “super technical” in a “click here, do this” kind of way. But it did “get it into my thick skull” that I need to be doing everything I can, at multiple layers to thwart the bad guys and protect my network and keep my company safe.

So.. hopefully this article helps you out.

Here are some ways I can help you get more secure.

1) I do cover how to do both hardware lockout and power configuration (among many, many security items that I cover) in my GP class (coming soon to Washington, DC — July 19th! www.GPanswers.com/training !) A handful of seats left.

and

2) This whole “defense in depth” idea is why I designed PolicyPak. Group Policy does a great job configuring some of the in-the-box operating system items. But what about the rest of the operating system and add-on applications? Hope to see you today or next week online (www.PolicyPak.com/demo)

and

3) Of course, you can get a book. ? www.GPanswers.com/book

That’s it. Talk with you soon!