Browse by Tags

Related Posts
  • Blog Post: Windows XP Remote Assistance and DontDisplayLastUserName

    While implementing Remote Assistance during a Windows 7 deployment I found that a RA connection to older Windows XP workstations would behave like a Remote Desktop connection: the user would not be prompted to allow the administrator to connect, and the administrator would be prompted to logon. ...
  • Blog Post: How to generate a custom LGPO based on FDCC

    One of my customers requires additional security settings beyond the OMB-mandated Federal Desktop Core Configuration (FDCC) and I need to apply the settings as local policy during the MDT build process so that disconnected systems still get a baseline of policy. So here's the process I used to generate...
  • Blog Post: Script to set Windows Vista audit policy

    There's probably a sexier way to do it, but the attached script (rename to .cmd) can be used to set Windows Vista SP1 audit policy using auditpol. The current settings are based on the FDCC 2008 Q1 settings. It must be run elevated. I suggest using something like the following command line: CustomSetAuditPolicy...
  • Blog Post: USGCB Policy Bug: Turn off desktop gadgets

    The US Government Configuration Baseline (USGCB) group policy object (GPO) for Windows 7 Computer Settings includes the setting: Computer Configuration\Administrative Templates\Windows Components\Desktop Gadgets Turn off desktop gadgets = Enabled This setting is not included in the settings spreadsheet...
  • Blog Post: Maximizing Security in Configuration Manager

    This post details my experience and lessons learned with hardening a System Center Configuration Manager system. I'll review the risks and then describe the various technical components of a ConfigMgr system: Windows Server host, Internet Information Service (IIS), SQL Server and ConfigMgr itself. Make...
  • Blog Post: Short File Name Prerequisite for SCCM 2007

    A common security/performance setting is to disable short file names (aka 8.3 file names), and is recommended as part of the Microsoft Solutions for Security (MSS) (Disable Auto Generation of 8.3 File Names [NtfsDisable8dot3NameCreation]). However, as one of my customer's recently discovered, this is...
  • Blog Post: Explicit rights for Preinst

    I recently had to manually remove a secondary site (S01) from a ConfigMgr 2007 SP1 hierarchy. It deleted ok from the parent site (P01), but since that doesn't replicate up the hierarchy, I had to go to the Hierarchy Maintenance Tool (Preinst.exe) on the central (C01) site to fully remove it. However...
  • Blog Post: ConfigMgr 2007 and SCW

    The Security Configuration Wizard is new to Windows Server 2003 SP1 and provides very detailed ability to lockdown a server based on the roles, services and applications. With SMS 2003, the toolkit provided security templates that would allow SMS to function when used in the context of the Enterprise...
  • Blog Post: Debug programs right needed to uninstall ConfigMgr Console

    I recently discovered an interesting issue when trying to uninstall the ConfigMgr Console from a Windows Server 2003 system to which the SSLF member server baseline policy is applied. When running through setup to uninstall the console, all of the components all show the status "Not Started" and the...