Microsoft's USGCB Tech Blog

A technical resource to help implement the US Govt Configuration Baseline (USGCB) on the Windows platform.

Browse by Tags

Related Posts
  • Blog Post: Security baselines for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11 – FINAL

    Microsoft has published its security guidance and baselines for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11. If you have been reluctant to evaluate or deploy these technologies in the absence of specific USGCB guidance, NIST essentially says, "Use the vendor's guidance."...
  • Blog Post: Security baselines for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11

    Although the US Government has not published a US Government Configuration Baseline (USGCB) standard for Windows 8 or Windows 8.1, Microsoft has just published a beta release of Microsoft security guidance for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11 . It includes documentation, GPOs...
  • Blog Post: Apply_LGPO_Delta and ImportRegPol updated

    I discovered an “unintended feature” in the Apply_LGPO_Delta and ImportRegPol utilities, which I have fixed in the versions now posted to the LGPO Utilities page . The “feature” (OK, the “bug”) allowed commands to set a registry value and to delete that registry value not to overwrite each other in the...
  • Blog Post: Apply_LGPO_Delta v1.01, source code

    Visual Studio 2005 project and source code files for Apply_LGPO_Delta v1.01 is attached to this blog post. [Attachment removed, as a newer version is available -- bookmark the landing page for the most up-to-date-links.]
  • Blog Post: Set_FDCC_LGPO updated: v1.05

    [2009-04-15: Attachment removed. Bookmark this page for the latest versions of these utilities.] The utility for applying FDCC configuration settings en masse to a computer has been updated: The 0x80070020 sharing-violation error code that occasionally occurred appears to be due to contention...
  • Blog Post: Enabling “Initialize and script ActiveX controls not marked as safe” in ANY zone can get you hurt, bad.

    This post is about a security setting that is often underestimated in its ability to enable serious harm when relaxed. Microsoft’s security guidance, the US Government Configuration Baseline (USGCB) and other security guidance currently mandate only that it be locked down in the Internet and Restricted...
  • Blog Post: IEZoneAnalyzer v3

    Announcing a major update to the IE security zone analyzer! IEZoneAnalyzer is a utility for viewing and comparing Internet Explorer security zone settings. It is particularly valuable on systems controlled through Group Policy, on which the standard security settings dialog does not allow viewing...
  • Blog Post: Source code for New and Updated Local Group Policy utilities

    Visual Studio 2008 source and project files for the new ImportRegPol utility and the updated Set_FDCC_LGPO and Apply_LGPO_Delta utilities for managing Local Group Policy Objects. Note that these are all now Visual Studio 2008 projects. [Update Jan 15 2010: new versions released -- see the LGPO...
  • Blog Post: Viewing and Comparing IE Security Zone Settings

    The Security tab of the Internet Explorer Properties dialog shows security settings for the Internet, Intranet, Trusted Sites and Restricted Sites zones. However: It doesn’t show settings for the Local Machine (Computer) zone, nor for Local Machine Zone Lockdown (LMZL). When machine settings...
  • Blog Post: FDCC and Internet Explorer 7, Part 3 – Protected Mode

    This is the [long-delayed] third installment in a series discussing various issues regarding the intersection of Microsoft Internet Explorer 7 and the Federal Desktop Core Configuration (FDCC). The FDCC bears close resemblance to Microsoft’s security guidance for Windows XP and Windows Vista, so this...
  • Blog Post: Set_FDCC_LGPO updated: v1.06

    Set_FDCC_LGPO has been updated to reflect the updated GPO content on NIST's download page . The FDCC settings have not changed. The updates contain only corrections to the downloads to more closely adhere to the FDCC settings. The updated Set_FDCC_LGPO is attached to this blog post. (This time I also...
  • Blog Post: New and Updated Local Group Policy Utilities

    A customer requested an addition to the local group policy toolset posted on the FDCC blog . While working on the new utility, I needed to upgrade the other two. The full set is attached to this post, with documentation. The source code for all of them is attached to a separate post . The new utility...
  • Blog Post: Set_FDCC_LGPO for Windows 7…

    … is not needed and will not be created. I had kind of blogged about this a while back but it was hidden under a more general title, so the question about Set_FDCC_LGPO on Windows 7 continues to get asked. This post offers another easy and flexible way for you to apply NIST’s GPOs and any...
  • Blog Post: Sticking with Well-Known and Proven Solutions

    I work with a lot of customers, and there are some problems I see over and over. One problem that I've seen and been thinking about a lot lately is the way that a number of customers paint themselves into a corner through excessive customization of their environment. Lately I've been making the case...
  • Blog Post: “AlwaysInstallElevated” is Equivalent to Granting Administrative Rights

    When removing administrative rights from end users, it’s important to ensure that there are no easy paths by which a user (or malware running as the user) can gain administrative rights. For example, don’t relax default permissions on system resources such as files, folders and registry keys...
  • Blog Post: Apply_LGPO_Delta updated, v1.01

    Apply_LGPO_Delta is a utility for automating the management of local group policy -- administrative templates and security templates. First posted here , it has been updated with the same fix that was applied to Set_FDCC_LGPO to prevent the 0x80070020 sharing-violation error from occurring. Documentation...
  • Blog Post: FDCC is now USGCB

    Along with the release of official government guidance for Windows 7, NIST has rebranded the Federal Desktop Core Configuration (FDCC) as the United States Government Configuration Baseline (USGCB). NIST's spreadsheets, Group Policy Objects (GPOs) and virtual hard disks (VHDs) for Windows 7 can be downloaded...
  • Blog Post: Set_FDCC_LGPO.exe v1.06, Visual C++ project sources

    Visual Studio 2005 project files and source code for Set_FDCC_LGPO.exe v1.06 is attached to this blog post. [Removed, as a newer version is available -- bookmark the landing page for the most up-to-date-links.]
  • Blog Post: IEZoneAnalyzer v3.5 with Zone Map Viewer

    IEZoneAnalyzer is a utility for viewing and comparing Internet Explorer security zone settings – that is, the configuration settings that grant web sites in the Intranet zone more capabilities in the browser than web sites in the Internet zone. Earlier today, I wrote about the surprisingly complex...
  • Blog Post: The Case of the Unexplained Installation Failure (and an ill-advised registry hack)

    Since Mark Russinovich hasn’t trademarked his “Case of the Unexplained…” series, I’m appropriating the title to describe the results of some troubleshooting I did for a customer. The root cause turned out to be a widely-adopted but ill-advised registry hack that many organizations have built into their...
  • Blog Post: FDCC Blog Alert: Issue with Vista SP1

    Author: Shelly Bird Credit: Syed Ismail, Ben Christenbury Applies to: Vista SP1 alone. Setting: Microsoft Network Client: Digitally Sign communications (always) is set to Enabled in FDCC. History: The server side settings are always ON (w2k3 SP2): HKEY_LOCAL_MACHINE\SYSTEM...
  • Blog Post: Internet Explorer’s Explicit Security Zone Mappings

    [Updated 15 May 2012 to correct a bug involving precedence of Computer policies over User policies.] I recently worked with some customers who wanted to enumerate which web sites had been assigned to which Internet Explorer security zones. I.e., they wanted to know which web sites had been assigned...
  • Blog Post: IEZoneAnalyzer update: v3.5.0.5

    I just posted a minor update to IEZoneAnalyzer. Version 3.5.0.5 fixes an issue in which IE10 was reported as version "9.10.9200.16614"; it now reports a 10.* version number. (*) Version 3.5.0.5 also adds text corresponding to new IE security zone settings, adds back in a set of sample files that...
  • Blog Post: Updated LGPO utility sources

    The updated sources corresponding to the updated versions of the Apply_LGPO_Delta and ImportRegPol utilities are attached to this post.
  • Blog Post: Correction posted for IE Explicit Security Zone Mappings and IEZoneAnalyzer's Zone Map Viewer

    I received some questions and comments about Internet Explorer's Explicit Security Zone Mappings and about the latest version of IEZoneAnalyzer containing the Zone Map Viewer. I hadn't had time to dig into the questions so they lingered, but I finally carved some time to post answers to those questions...