Alexander’s Blog

December 15, 2009

Group Policy Settings Reference for Windows Server 2003/2008/Vista

by @ 1:08 pm. Filed under Active Directory, Tools/Utils, Windows 2003, Windows 2008, Windows 7, Windows Vista

Microsoft offers several spreadsheets that contain all the settings for group policies. These spreadsheets list the policy settings for computer and user configurations included in the Administrative template files delivered with the Windows operating systems specified. You can configure these policy settings when you edit Group Policy objects (GPOs).

Using column filters, you can filter the information in these spreadsheets by operating system, component, or computer or user configuration. You can also search for information by using text or keywords.

These spreadsheets include the following categories of security policy settings: Account Policies (Password Policy, Account Lockout Policy, and Kerberos Policy), Local Policies (Audit Policy, User Rights Assignment, and Security Options), Event Log, Restricted Groups, System Services, Registry, and File System policy settings. These spreadsheets do not include security settings that exist outside of the Security Settings extension (scecli.dll), such as Wireless Network extension, Public Key Policies, or Software Restriction Policies.

Supported Operating Systems:
- Windows 2000; Windows 2000 Server; Windows 7; Windows Server 2003; Windows Server 2008; Windows Server 2008 R2; Windows Vista; Windows XP
- Microsoft Excel or Excel Viewer

    Click here to download the spreadsheets.

    December 1, 2009

    Some Windows Users Experiencing “Black Screen of Death”

    by @ 3:15 pm. Filed under News, Security/Firewalls, Win2K Pro, Windows 2000, Windows 2003, Windows 2008, Windows 7, Windows NT, Windows Vista, Windows XP

    According to reports, some Microsoft Windows computers are experiencing a “Black Screen of Death.” The phrase comes from the famous “Blue Screen of Death”, which caused a system crash on earlier Windows operating systems. According to MSNBC:

    The problem may be tied to security updates recently released by the software maker. “Microsoft is investigating reports that its latest release of security updates is resulting in system issues for some customers,” the company said in a statement. “Once we complete our investigation, we will provide detailed guidance on how to prevent or address these issues.”

    British security firm Prevx writes about the problem on its blog, and suggests following this procedure:

    1. Restart your PC
    2. Log on and wait for the black screen to appear
    3. Make sure your PC should be able to connect to the Internet (black screen does not appear to affect this)
    4. Press the CTRL, ALT and DEL keys simultaneously
    5. When prompted, Click Start Task Manager
    6. In Task Manager Click on the Application Tab
    7. Next Click New Task
    8. Now enter the command:
    "C:\Program Files\Internet Explorer\iexplore.exe" "http://info.prevx.com/download.asp?GRAB=BLACKSCREENFIX"
    9. Click OK and your (Web) browser should start up and begin the download process
    10. When prompted for the download Click run, the black screen fix program will download and run to automatically fix the issue.
    11. Now restart your PC and the black screen problem will hopefully be gone.

    “There appears to be many causes of the black screen issue,” wrote Dave Kennerley of Prevx Support on the company’s blog. “The symptoms are very distinctive and troublesome. After starting your Windows 7, Vista, XP, NT, W2K, W2K3 or W2K8 PC or server the system appears normal.

    “However, after logging on there is no desktop, task bar, system tray or side bar. Instead you are left with a totally black screen and a single My Computer Explorer window. Even this window might be minimized making it hard to see.”

    September 24, 2009

    The Microsoft Security Update Guide

    by @ 10:24 am. Filed under Security/Firewalls, Windows 2008, Windows Vista, Windows XP

    This Guide was designed to help IT professionals better understand and use Microsoft security release information, processes, communications, and tools. The goal is to help IT professionals manage organizational risk and develop a repeatable, effective deployment mechanism for security updates. In this Guide, you will find a glossary of terms, an overview of the Microsoft Security Bulletin process, and a stage-by-stage review of Microsoft Security Updates. The Guide is organized according to the following stages of the security update process:

    Stage 1: Receive Microsoft Security Release Communications

    Stage 2: Evaluate Risk

    Stage 3: Evaluate Mitigation

    Stage 4: Standard or Urgent Update Deployment Timeline

    Stage 5: Monitor Systems

    Ongoing Stage: Watch

    Each section outlines the purpose and objective for that stage, as well as the expected target outcomes upon that stage’s completion.

    The supported operating systems include Windows Server 2008, Windows Vista and Windows XP. The download file is available either as a PDF or an XPS. Click here to download the guide.

    September 23, 2009

    Should You Enable Error Reporting in Windows?

    by @ 8:50 am. Filed under Articles, Security/Firewalls, SharePoint, Windows 2003, Windows 7, Windows Vista, Windows XP

    Error reporting is a feature used by Microsoft in Windows operating systems and is enabled by default. Some people like to turn on error reporting to do Microsoft a favor, while others prefer not to enable error reporting. I have been telling my students for years that they should disable error reporting on every computer they ever use. I say that not just to avoid annoyance, but from a security perspective. Error reporting sends Microsoft computer and program errors. Microsoft can use this information to track and fix the errors with the operating system or applications. According to Microsoft, “all error reports are confidential and anonymous”, as mentioned in this KB article.

    However, I have several major problems with the error reporting feature from the security perspective. I also believe that Microsoft cannot guarantee that the information you provide will stay “confidential” and “anonymous”, as the KB article claims.

    1. The Microsoft Online Crash Analysis privacy statement clearly states that “If you use automatic reporting, you are not prompted to review the information in a report before it is sent.” That is not very comforting.

    2. If you send the report automatically, then your personal information may be sent without your knowledge, so Microsoft warns you that “If you are concerned that a report might contain personal or confidential information, you should not send the report.”

    3. Microsoft can share the information they collect from you with lots of other people. According to Microsoft, “Microsoft employees, contractors, vendors, and partners may be provided access to information collected by the reporting service.” In addition, “The vendor may provide the information to sub-vendors and partners.” I don’t know about you but I trust Microsoft. I don’t believe that they would have any reason to violate anyone’s privacy intentionally. However, I am not so sure that all the vendors and sub-contractors around the world in different countries will be as committed to safeguarding people’s privacy when they don’t have stringent privacy laws as we do in the United States. It’s not that they are dishonest, it’s because their concept of privacy may be different.

    4. Microsoft may store the information it collects from you in other countries where they may not have strict privacy laws. According to Microsoft, “Information that is collected by or sent to Microsoft may be stored and processed in the United States or any other country in which Microsoft or its affiliates, subsidiaries, or agents maintain facilities.”

    5. Microsoft assures us “For example, reports are sent to Microsoft from your computer using encryption technology. The information is then stored on computer servers with controlled access.” I was personally told by one of the top security experts at Microsoft a few years ago at the MVP Global Summit in Seattle (and definitely after the privacy policy was published in 2005) that the information sent by error reporting is NOT ENCRYPTED and that for security reasons one should not enable error reporting.

    I stated earlier that I don’t believe that Microsoft can guarantee that the information you provide will be “confidential” or “anonymous.” Guess what I discovered one day while looking closely at the description of a Microsoft update. I found out that Error Reporting may have been sending some information about application errors to Microsoft without your knowledge, so Microsoft issued a patch to fix the bug. Keep in mind that the reports may have included confidential information. Yet another reason why I am not a big fan of Error Reporting.

    [Image: errorreport]

    According to Microsoft Online Crash Analysis privacy policy, Microsoft may collect the following information from you.

    1. Files that help describe the problem.
    2. Basic software and hardware information (such as operating system version and language, device models and manufacturers, or memory and hard disk size)
    3. Your Internet Protocol (IP) address is also collected because you are connecting to an online service (web service) to send error reports.
    4. Reports might unintentionally contain personal information.
    5. A report that contains a snapshot of memory might include your name and part of a document you were working on.
    6. Data that you recently submitted to a website.
      [I think I'll let you imagine what this might include.....ZA]

    By now it should be obvious to you what I think about enabling error reporting.

    You Should Never Enable Error Reporting in Windows.

    In Windows XP and Windows Server 2003, it is relatively easy to disable Error Reporting through Control Panel, System, Advanced tab, Error Reporting. Microsoft knows that. In the newer operating systems Microsoft developers have placed the option to disable error reporting in a much more hidden place so most people won’t be able to easily find it. In fact, it’s far too obvious that they have cleverly (or deceptively, you make the call) placed the options in places where consumers would get tricked into enabling the feature. For example, after you install Windows 7, you are given the option to help improve Windows automatically. While you may think that you are improving performance, actually that means that you are agreeing to send Microsoft information so they can improve the Windows operating system using your error reports. The information is cleverly disguised and the words “error report” are never used. However, if you use the “Use recommended settings” option you are not only enabling Automatic Updates, you are also enabling error reporting.

    To turn off the option in Windows 7 you have to go to Control Panel, System and Security, Change Action Center Settings, Problem Reporting Settings. The title is cleverly disguised as “Choose when to check for solutions to problem reports.” All four options that you can select give you the impression that you are looking for solutions. Well, technically you are but depending on the option you select, you may also be reporting information to Microsoft, which is the equivalent of error reporting. Here’s what the screen looks like.

    [Image: w7error_rpt]

    It is rare that you will ever find a solution if you check for solutions. I prefer to use either the third or fourth option. I also recommend that on the Change Action Center Settings page you should ensure that the Customer Experience Improvement Program is set to disabled. In other words, select the option “I don’t want to participate in the program”, as shown below.

    [Image: ceip]
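To confirm on one machine or many that the two settings above are really off, you can read them from the registry. The PowerShell below is an added example and is not from the original post; the function name `Get-ReportingSettings` is hypothetical, the registry locations are the documented Windows Error Reporting and CEIP values for Windows Vista/7/Server 2008, and PowerShell 2.0 is assumed.

```powershell
# Added example (not from the original post). Read-only: it changes nothing.
# A value under a \Policies\ key comes from Group Policy and overrides the
# local choice made in Action Center, so each location is reported separately.
$checks = @(
    @{ Setting = 'Error Reporting'; Name = 'Disabled'; OffValue = 1; Paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting',  # Group Policy
        'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting',           # machine
        'HKCU:\Software\Microsoft\Windows\Windows Error Reporting') },        # current user
    @{ Setting = 'CEIP'; Name = 'CEIPEnable'; OffValue = 0; Paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\SQMClient\Windows',                # Group Policy
        'HKLM:\SOFTWARE\Microsoft\SQMClient\Windows') }                       # machine
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

function Get-ReportingSettings {
    foreach ($c in $checks) {
        foreach ($p in $c.Paths) {
            $v = Get-RegValue -Path $p -Name $c.Name
            if ($null -eq $v)            { $state = 'not set' }
            elseif ($v -eq $c.OffValue)  { $state = 'off' }
            else                         { $state = 'ON' }
            New-Object PSObject -Property @{
                Setting  = $c.Setting
                Location = $p
                Value    = $v
                State    = $state
            }
        }
    }
}

Get-ReportingSettings | Format-Table Setting, State, Value, Location -AutoSize
```

A setting whose rows all read "not set" is using the Windows default, so it has not been turned off.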


    Copyright ©2009 Zubair Alexander. All rights reserved.

    September 6, 2009

    Configuring Anonymous Access for a MOSS 2007 Site

    by @ 7:30 pm. Filed under IIS, Security/Firewalls, SharePoint, Tips & Tricks, Windows 2003, Windows 2008, Windows Vista

    When working with MOSS 2007, especially on Windows Server 2008 (WS08), some administrators find it difficult to locate the option to enable Anonymous Authentication. Enabling Anonymous Access is not very intuitive in MOSS 2007 and requires you to go through several hoops. In a previous blog The Challenging Task of Managing SharePoint Permissions, I discussed how challenging it is to manage permissions in SharePoint (don’t forget to read my prediction in that blog post). Frankly, the entire design of permission management is a huge mess. People are so used to finding workarounds and waiting for the patches to be released to fix the holes, and then other patches to fix the updates that caused the mess in the first place, that they have pretty much stopped complaining. The complicated and confusing design for enabling Anonymous Access is just one example of the overall deficiency in SharePoint to better manage permissions and secure SharePoint sites.

    If you go to the Site Settings, Advanced Permissions and do not see the Anonymous Access option in the Settings drop-down menu then your site is not configured for Anonymous Access. Enabling Anonymous Access is a three-step process. Here’s how you can enable Anonymous Access for a MOSS 2007 site.

    Step 1: Enable Anonymous Authentication in IIS

    1. First, make sure that you have enabled Anonymous Authentication in Internet Information Services (IIS). For IIS 6.0 (WS08) and IIS 6.1 (WS08 R2), start the IIS Manager and expand the Sites folder.

    2. Click your Web site.

    3. In the right hand pane double-click Authentication in the IIS section.

    4. Right-click Anonymous Authentication and click Enable.

    [Image: anonynousauthentication]

    You need to take a couple of additional steps before Anonymous Authentication will work for your SharePoint site.

    Step 2: Enable Anonymous Access in SharePoint Web Application

    1. Start Central Administration using an account that has Site Collection Administrator privileges.

    2. Click on the Application Management tab.

    3. In the Application Security section click “Authentication providers.”

    [Image: authenticationproviders]

    4. Select the Web Application for which you want to enable Anonymous Access.

    5. Click the Default zone.

    6. In the Anonymous Access section, check the box “Enable anonymous access” and then click Save.

    [Image: enable_anonymous]

    7. Go to the Site Settings, Advanced Permissions and verify that the Anonymous Access is available from the Settings drop-down menu.

    Wait! You are not done yet. So far you’ve enabled Anonymous Access in IIS and the Web Application. You still need to perform a third step.

    Step 3: Enable Anonymous Access for the Web Site

    1. Go to your Web site’s Site Permissions page (Site Settings, Advanced Permissions).

    2. From the Settings drop-down menu click Anonymous Access.

    [Image: anonymousoption]

    3. Check the radio button “Entire Web site” and click OK.

    [Image: entirewebsite]

    At this point you have completed all the steps necessary to enable Anonymous Access for your Web site. Test to make sure that Anonymous users can access the site.

    Troubleshooting

    There is one thing that will drive you crazy if you are new to MOSS 2007. Even after you configure the permissions and restrict a library or a list from Anonymous users, you may notice that the Anonymous users still have access to the library or list. You can work around this issue by going to the Settings menu while inside the library and then click Anonymous Access. Uncheck the box View Items.

    [Image: viewitems]

    If you are having issues with Anonymous Access, you might also be interested in reading my blog post How to Configure Survey Lists for Anonymous Access in which I discuss the solutions for some other undocumented “features” in SharePoint.
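Because anonymous access is switched on in three places and a list can keep its own View Items setting, it helps to list what anonymous users can actually reach. The PowerShell below is an added example and is not from the original post; it uses the WSS 3.0/MOSS 2007 object model, the function name `Get-AnonymousExposure` and the sample URL are hypothetical, and it assumes PowerShell 2.0 run on the SharePoint server by an account that can open every site in the collection.

```powershell
# Added example (not from the original post). Read-only audit of one site collection.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SharePoint')

function Get-AnonymousExposure {
    param([string]$SiteUrl)   # URL of the site collection to audit
    # Bit that corresponds to the "View Items" check box on a list or library
    $viewItems = [long][Microsoft.SharePoint.SPBasePermissions]::ViewListItems
    $site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
    try {
        foreach ($web in $site.AllWebs) {
            try {
                # AnonymousState is Disabled, Enabled (lists and libraries only)
                # or On (the "Entire Web site" option from Step 3)
                New-Object PSObject -Property @{
                    Scope     = 'Web'
                    Title     = $web.Title
                    Url       = $web.Url
                    Anonymous = $web.AnonymousState.ToString()
                }
                foreach ($list in $web.Lists) {
                    $mask = [long]$list.AnonymousPermMask64
                    if (($mask -band $viewItems) -ne 0) {
                        # Anonymous users can read items in this list or library
                        New-Object PSObject -Property @{
                            Scope     = 'List'
                            Title     = $list.Title
                            Url       = $web.Url + '/' + $list.RootFolder.Url
                            Anonymous = 'ViewListItems'
                        }
                    }
                }
            } finally { $web.Dispose() }   # SPWeb objects from AllWebs must be disposed
        }
    } finally { $site.Dispose() }
}

# Hypothetical URL; replace with your own site collection
Get-AnonymousExposure -SiteUrl 'http://intranet.example.local' |
    Format-Table Scope, Anonymous, Title, Url -AutoSize
```

Any row with Scope "List" that you meant to restrict is a candidate for the View Items fix described under Troubleshooting.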

