Windows automated installation tools let you customize the Windows 7 (and Windows 8) image files prior to deployment. Building and capturing a reference computer image lets you deploy an image that not only meets customer needs, but also carries premeditated feature deployment and security decisions. Both feature control and security are strengthened via local group policy. For two years of Windows 7 instruction I have been preaching several local group policy settings that are ‘musts’ for a Windows 7 deployment image.
They can be overridden by site, domain or OU based group policy once deployed within the enterprise environment. Nevertheless, few domain administrators are prepared to make Windows 7 configuration decisions as the OS is initially deployed. You would be well served to make some early decisions, and implement them within the image pre-deployment.
There are more than one thousand local policy settings. While many configuration settings might be easy to understand, I identify some important settings related to new features of Windows 7 in each of the sections to follow. You will have to determine the best alternatives for your environment. My goal in this blog is merely to point out the most important pre-deployment policies for some of the new features: the ones that will bite you if you don’t consider them pre-deployment.
EFS and BitLocker
Windows 7 has an enhanced Digital Certificate Vault. The File Encryption Key (FEK) generated by NTFS Encrypting File System is no longer stored within the Security Account Manager (SAM). A PKI key pair and certificate is generated for the account encrypting the file, and the FEK is associated with the certificate. Neither backup processes, restore points, nor user migration tools capture certificates from within the Digital Vault. The certificate owner must manually export them. This precludes any simplified file or drive recovery unless the process is pre-meditated. (I shared the use of the Cipher tool in a prior blog in order to enable export of personal certificates and the keys they contain.)
BitLocker is enabled by default in Windows 7 Enterprise and Ultimate versions. The process to BitLocker a drive (fixed or removable) is wizard driven and simple. The BitLocker recovery key is by default displayed, printable, or stored to a file. Most standard users will have little idea how best to save the recovery pin. The pin can be associated with a Digital Certificate, which leads to a scenario similar to the one identified for EFS. Unless you have a BitLocker recovery pin that is stored independent of the encrypted drive, there is essentially no method to decrypt the drive once it is removed from the initial host computer or CMOS memory is cleared.
You should either disable EFS and BitLocker:
- Edit Local Group Policy – Computer Configuration – Administrative Templates – System – File System – NTFS – Do Not allow Encryption on all NTFS Volumes
- Edit Local Group Policy – Computer Configuration – Administrative Templates – Windows Components – BitLocker Drive Encryption
- Decide how you want to handle BitLocker for each drive type (operating system, fixed data, removable data)
Or configure a recovery agent for both EFS and BitLocker. The recovery agent is essentially a domain account with its own digital certificate or a writeable .CER (public key export) file. The FEK or the BitLocker keys are attached to the recovery agent’s certificate.
- Edit Local Group Policy – Computer Configuration – Windows Settings – Security Settings – Public Key Policies – Encrypting File System
- Edit Local Group Policy – Computer Configuration – Windows Settings – Security Settings – Public Key Policies – BitLocker Drive Encryption
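As an added example (not from the original post), here is how to generate the EFS recovery agent key pair with cipher.exe before importing its .CER file at the Public Key Policies path above, and how to confirm afterwards that an encrypted file actually lists the agent. The folder and file names are placeholders; cipher /r prompts for a password that protects the .PFX, and only the .CER (public key) belongs in the image, never the .PFX.

```powershell
# Added example: create an EFS Data Recovery Agent (DRA) key pair and verify it.
# Run from an elevated PowerShell prompt on the reference machine.
# Placeholders: C:\Recovery-Agent and EFS-DRA are arbitrary names.
$agentDir  = 'C:\Recovery-Agent'
$agentName = 'EFS-DRA'

New-Item -ItemType Directory -Path $agentDir -Force | Out-Null
Push-Location $agentDir

# cipher /r writes EFS-DRA.cer (public key, goes into local policy) and
# EFS-DRA.pfx (private key, password protected, store it OFF the image).
cipher.exe "/r:$agentName"

# Record the thumbprint so the agent can be recognised on encrypted files.
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    "$agentDir\$agentName.cer"
Write-Output "Recovery agent thumbprint: $($cer.Thumbprint)"
Pop-Location

# --- Manual step in between (see the policy path above): Local Group Policy >
# --- Public Key Policies > Encrypting File System > Add Data Recovery Agent,
# --- pick EFS-DRA.cer, then run: gpupdate /force

# Verification: encrypt a scratch file and check that the DRA is attached to it.
# cipher /c prints "Recovery Certificates:" followed by each agent's thumbprint
# in space-separated groups, so spaces are stripped before comparing.
$probe = "$env:TEMP\efs-probe.txt"
Set-Content -Path $probe -Value 'constructed test data'
cipher.exe /e $probe | Out-Null

$listing = (cipher.exe /c $probe) -join "`n"
$listingNoSpaces = $listing -replace ' ', ''
if ($listingNoSpaces -match [regex]::Escape($cer.Thumbprint)) {
    Write-Output "OK: $probe is recoverable by the DRA $agentName"
} else {
    Write-Warning "DRA not present on $probe; policy import or gpupdate incomplete"
    Write-Output $listing
}
Remove-Item $probe -Force
```

Files encrypted before the agent was added to policy do not pick it up automatically; run `cipher /u` to update them once the policy is in place.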
Windows Firewall with Advanced Security
Windows Firewall with advanced security offers a flexible and powerful range of inbound, outbound and connection filters. Group policy affords the opportunity to preconfigure the firewall, lock it on or off for each of the three network profiles (domain, private, public), or pre-establish the IPSEC settings that are integrated within the Firewall with Advanced Security. Set this aside for future consideration. There is one particular subset of group policy settings associated with the firewall that you really NEED to set before you deploy the image.
There is a single default firewall log file name shared by all firewall profiles and filters, and logging is not configured by default. Debugging is problematic at best unless you turn logging on and give each of the three profiles its own log file name.
- Edit Local Group Policy – Computer Configuration – Windows Settings – Security Settings – Windows Firewall with Advanced Security
- Click the policy labeled ‘Windows Firewall with Advanced Security – Local Group Policy’.
- Within the right panel, find the panel set labeled ‘Overview’.
- At the bottom of the Overview panel is a link labeled ‘Windows Firewall Properties’. Select the link.
- Select the Domain tab. Near the bottom, under ‘Logging’, select the Customize button and, under Name, uncheck the ‘Not configured’ box. Then, in the Name field, change the default name of the log file. Select OK.
- Repeat the process for the Private tab and the Public tab, making sure that all three log files use different names.
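The same per-profile logging setup, scripted with netsh for a reference build rather than clicked through the console, as an added example that is not part of the original post. It assumes an elevated prompt on the reference machine; the three log file names are placeholders, and netsh writes the local firewall configuration (not the Local Group Policy object itself), so a domain GPO can still override it after deployment.

```powershell
# Added example: give each firewall profile its own log file, enable dropped-
# packet logging, then read the settings back and confirm the names differ.
$logDir = "$env:SystemRoot\System32\LogFiles\Firewall"   # default firewall log folder

# Placeholder names: one distinct file per profile so traces are never merged.
$profiles = @{
    domainprofile  = "$logDir\pfirewall-domain.log"
    privateprofile = "$logDir\pfirewall-private.log"
    publicprofile  = "$logDir\pfirewall-public.log"
}

foreach ($p in $profiles.Keys) {
    $file = $profiles[$p]
    netsh advfirewall set $p logging filename "$file"
    netsh advfirewall set $p logging maxfilesize 16384          # KB; default is 4096
    netsh advfirewall set $p logging droppedconnections enable   # the useful signal
    netsh advfirewall set $p logging allowedconnections disable  # very noisy; opt in later
}

# Verification: 'netsh advfirewall show <profile>' prints a Logging section whose
# FileName line must differ across the three profiles.
$names = foreach ($p in $profiles.Keys) {
    (netsh advfirewall show $p | Select-String '^FileName') -replace '^FileName\s+', ''
}

if (($names | Sort-Object -Unique).Count -ne $profiles.Count) {
    Write-Warning "Firewall profiles still share a log file name:"
    $names
} else {
    Write-Output "Per-profile firewall logging configured:"
    $names
}
```

If you point the logs anywhere other than the default LogFiles\Firewall folder, grant the firewall service account (NT SERVICE\MpsSvc) write access to that folder, or the service silently writes nothing.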
Link-Layer Topology Discovery/Responder
Link Layer Topology Discovery/responder enables system discovery for ad hoc computing. It also allows experienced hackers to quickly discover mobile Windows 7 devices for which security may not be hardened. The Link Layer Topology Discovery and Responder features are on for all network profiles by default. You likely want to configure the responder based on the network profile. For an enterprise system, allowing it within domain and private networks and disabling it for public networks is common. Pre-configuring for safety is a wise move.
- Edit Local Group Policy – Computer Configuration – Administrative Templates – Network – Link-Layer Topology Discovery
- Configure separate policies for the Mapper and the Responder.
Windows Connect Now
Configuring a Wireless Access Point (WAP) for strong connectivity encryption (like WPA2) can be problematic for the standard user. Enter Windows Connect Now. Microsoft has worked with several WAP vendors to incorporate the technology into their devices. When a Windows 7 system recognizes a Windows Connect Now enabled WAP in the vicinity, it prompts for the 8 digit PIN documented on the WAP. Enter the PIN and the Windows 7 PC is bound by WPA2 to the WAP. The problem is, the WAP now uses the factory generated WPA2 key and any other settings are overwritten. I have had to help several friends perform the ‘paper-clip’ reset of their WAP after they accidentally enabled Windows Connect Now without understanding the ramifications. Then we worked together to rebuild their wireless network, security filters, MAC filters, etc. One shortcut can lead to many hours of corrective effort.
You probably want to disable Windows Connect Now unless you know specifically how you intend to use it and train your users regarding its proper use.
- Edit Local Group Policy – Computer Configuration – Administrative Templates – Network – Windows Connect Now
Biometrics
Windows 7 supports enhanced biometrics capabilities. The drivers are actually embedded within the Windows image file. They behave like a plug-and-play device. If someone has a fingerprint reader on their mobile device, they can activate the biometric authentication mechanism rather easily. Most people have ten fingers. Most enterprises have a policy supporting only three login attempts before accounts are locked or require help desk assistance. Until you determine how your company wants to implement biometrics, you might want to disable the feature locally.
- Edit Local Group Policy – Computer Configuration – Administrative Templates – Windows Components – Biometrics
New Internet Explorer Features
Two new features of Internet Explorer (versions 8 and 9) behave uniquely on a Windows 7 platform: InPrivate Browsing and Delete Browsing History. The menus are the same for IE8 and IE9 regardless of platform, but the actions and results are decidedly different because of the Windows 7 architecture.
InPrivate Browsing totally conceals web-browsing sessions, including removing any memory or hard drive residue once the session is terminated. If you are concerned about enforcing corporate browser use, InPrivate Browsing makes enforcement, or at least proof of violations, nearly impossible. Until you understand the corporate security ramifications, you might want to disable InPrivate Browsing on a Windows 7 platform.
This one is less about behavior differing across platforms and more about local group policy letting you keep users from accidentally hurting themselves. Delete Browsing History has new elements, including Preserving Favorites Site Data. The browsing history pop-up has a separator line designed to help the standard user see that elements above the line are ‘preserved’ when selected, while elements below the line are deleted when the ‘clear’ function is selected. One screen, with selections that cause different behaviors. Until you train your users, you might want to configure and lock the Prevent Deleting Favorite Sites Data policy under IE.
- Edit Local Group Policy – Computer Configuration – Administrative Templates – Windows Components – Internet Explorer – Privacy
- Edit Local Group Policy – Computer Configuration – Administrative Templates – Windows Components – Internet Explorer – Delete Browsing History
With more than a thousand policy settings there are many features and settings that could be locked down in your deployment image. Take some time to walk through local group policy as you are exploring the short list offered above. You may find other elements that enhance your users’ Windows 7 deployment experience.