If the idea of configuring Windows Group Policy makes you break out in a sweat, be afraid no longer. We’ll go step-by-step through the process so that even a relative neophyte can get good results.

GPMC

GPMC (Group Policy Management Console) is an excellent tool for configuring and managing Group Policy. If you don’t already have it installed, you can get it from here. Fire it up by clicking Start, selecting Run…, then typing gpmc.msc and clicking OK.

Navigate through the domain tree in the left pane to Forest (for your domain), Domains, then open your domain, then open Group Policy Objects. You should find at least two GPOs (Group Policy Objects) there, among them being Default Domain Controllers Policy and Default Domain Policy. Click on one of these policies to open it in the right pane. Select the Settings tab to display the rules that make up the policy. Click on show all in the upper right corner to expand the rule hierarchy. Look through these policies to see if you already have rules governing Automatic Updates. If so, you can modify them in place, but we will proceed assuming a clean slate.

Create GPOs

Right-click on Group Policy Objects in the left pane and select New. Assign a name like Automatic Updates-Desktops and click OK. Now right-click your new policy in the left pane and select Edit. This will start up the Group Policy Object Editor.

In the left pane, drill down to Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update. All Automatic Updates settings will appear in the right pane. As you click on each one, a description of the item will appear adjacent to the list. We won’t set every value, but we will set most of them. Open a setting by double-clicking its entry to open a configuration window. Each configuration window also has an Explain tab to help you understand the meaning of each aspect of the setting.

Let’s walk through the first one. Double click Configure Automatic Updates. Select the Enabled radio button. Set the first pull-down to 4 – Auto download and schedule the install. Set the install day to 0 – Every day. Set the scheduled install time to whatever you prefer. Finally, click OK to save the settings and close the box.

Here’s how I typically set it up:

• Configure Automatic Updates
  • Enabled
  • Configure automatic updating: 4 – Auto download and schedule the install
  • Scheduled install day: 0 – Every day
  • Scheduled install time: 11:00
• Specify intranet Microsoft update service location
  • Disabled
• Reschedule Automatic Updates scheduled installations
  • Enabled
  • Wait after system startup (minutes): 5
• No auto-restart with logged on users for scheduled automatic updates installations
  • Disabled
• Automatic Updates detection frequency
  • Enabled
  • Check for updates at the following interval (hours): 4
• Allow Automatic Updates immediate installation
  • Enabled
• Delay Restart for scheduled installations
  • Enabled
  • Wait the following period before proceeding with a scheduled restart (minutes): 5
• Re-prompt for restart with scheduled installations
  • Enabled
  • Wait the following period before prompting again with a scheduled restart (minutes): 480
• Allow non-administrators to receive update notifications
  • Enabled
• Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates
  • Enabled

A few notes on the above values: You’ve got to let Automatic Updates reboot the computer; time and time again I’ve seen installations go literally months without applying patches because a user doesn’t want to be bothered with maintaining his machine. That’s OK; we’ll do it for him. Don’t check for updates more often than 3 or 4 hours; Microsoft says it can cause problems, and I, for one, don’t need any more problems with Windows than I already have. The 480 minute re-prompt number works out to 8 hours; I figure if someone actually doing their job sees a notice, they don’t need to be nagged again. Let it update once they’ve gone home. The power management setting is mostly wishful thinking on my part. Maybe someday I’ll go around and set up Wake-on-LAN in the BIOS on all those machines.

That was a lot of work, but there’s still plenty to do. Create a nearly identical GPO called Automatic Updates-Servers. The only change I make is to set the Configure Automatic Updates value to 3 – Auto download and notify for install. This prevents the possibility of a server rebooting while in use, disrupting work flow and generally wreaking havoc, but it also prevents the server from staying up to date unless you put forth an effort to keep it so. Hint: A particularly easy way to complete 90% of the work on your second GPO is to duplicate, then rename, the first one.

You can now close the Group Policy Object Editor.

Tie GPOs to Machines

So far, nothing we have done has affected any machine, but that’s about to change. What we’d like to see is for the server policy to apply to all of our servers and for the desktop policy to apply to everything else. The first step in making that happen is to define which machines are servers.

Open up Active Directory Users and Computers. If you can’t find it under Start -> Administrative Tools, then go to Start -> Run, enter dsa.msc and click OK. Navigate in the left pane down through your domain to the Computers folder. Right-click on the Computers folder and select New -> Group. Name the group Servers, leave the scope and type as a global security group, then click OK. It should show up in the list in the right pane.

Double-click your new group and select the Members tab. Add each server, one-by-one using the Add button and making sure the Select this object type field contains the word Computers. You can change it by clicking the Object Types button. Click OK when complete, then close the Active Directory Users and Computers window.

Next, we tie the Automatic Updates-Servers GPO to our new Servers security group. Back in GPMC, select the servers GPO and click on the Scope tab. In the bottom window, click the Add button and type Servers into the window, then click OK. Your security group should now be listed in the Security Filtering table. Highlight the other entry in the table (Authenticated Users) and click Remove, then OK. Now servers and only servers will be able to use the Automatic Updates-Servers GPO.

Last but certainly not least, link your new GPOs to the domain. In the left pane of GPMC, locate your domain name; it should be directly under the folder called Domains. Right-click your domain and choose Link an Existing GPO. Highlight both of your new GPOs with shift-click then click OK.

You are now in business. Your policies are complete and in place.

Check Your Work

If you log on to a domain member machine and look at the Automatic Updates page of the control panel, all the settings should be grayed out, but should match the values you set in your policies. If they’re not grayed out, you can wait, or you can give your policies a push.

Group policy flows gradually to domain member machines. They update at reboot time, but sometimes it takes more than one reboot for new policies to take effect. If you are impatient, or if a machine seems to get stuck, you can hurry along the process by running the command gpupdate /force from within a command window on the stuck machine. That, and maybe a reboot, usually get things moving along.

Another way to check is by examining the Windows Registry. Nearly all Group Policy operates by forcing certain registry settings on member computers, which then modify the computer’s behavior. Enter the following in a command window on any computer:

reg query hklm\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions

and it should display the value 0×3 on servers and 0×4 on all other machines. You can run all your queries from one machine if you prepend each query target with its IP address or hostname, as follows:

reg query \\hostname\hklm\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions

If the value is not found, try the gpupdate trick or a reboot. If it is found but does not match what you expected, make sure your Servers security group contains the right machine names; also make sure it is properly linked to the server GPO.

Maintaining Patched Systems

Your GPOs will do a reasonably thorough job of keeping your systems up to date, but you still have work to do. Put Patch Tuesday on your calendar—Microsoft publishes new security updates on the second Tuesday of every month. Your desktops should automatically update themselves within a day or two, but you’ll have to patch the servers yourself. On each one, either go to Start -> All programs -> Windows Update, or find the yellow shield in the systray (the row of tiny icons in the lower right corner of your screen) and apply the patches that should be downloaded and ready to install.

I also recommend checking the patch state of each machine with MBSA, the Microsoft Baseline Security Analyzer (of which the latest version, currently 2.1.1, is available here). MBSA can scan a single machine, all machines on your domain, or a LAN segment. It displays quite a bit of information, but the most critical is the list of missing patches. If a machine is chronically behind, it may be more than just group policy slowness. Many malware infections disable automatic updates, so a reformat and reinstall may be in order.

Congratulations!

Your machines are patched. You have taken a critical step that every security policy framework and every set of security regulations requires. And you have eliminated much of your vulnerability to the most popular current malware attacks. And you are no longer a Group Policy newbie!

AutoRun and the companion feature AutoPlay are components of the Microsoft Windows operating system that dictate what actions the system takes when a drive is mounted. The main purpose of AutoRun is to provide helpful actions and capabilities when removable media or network shares are mounted. When such a device is mounted, the autorun.inf file from the media is parsed. This file specifies which commands the system should run. Many companies use this functionality to automatically start up their installers when a CD-ROM is inserted, but attackers can also use it to run data extraction sessions or automatic installations of malware.

AutoRun and AutoPlay can be friendly features, but they are almost never necessary in an enterprise environment.  The security risk typically far outweighs any benefit.

All AutoRun/AutoPlay features are controlled by values stored in the Windows registry. There are a number of ways to set these values, including

• Group Policy
• Double-clicking a .REG file containing registry settings

Disabling AutoRun Using Group Policy

If you think that Windows Group Policy would be the most convenient and thorough way to distribute such a policy, you’d be partly right. The only gotcha is that a number of people report that it doesn’t always get every machine. I’d recommend both belt and suspenders—use a GPO to catch future machines, but set each existing machine by hand to make sure none fall through the cracks today.

Before configuring Group Policy, you must ensure that one of the following updates has been applied to each of the machines you intend to configure. Note that only one update applies to each machine.

• Update for Windows Server 2003 for Itanium-based Systems (KB967715)
• Update for Windows Server 2003 x64 Edition (KB967715)
• Update for Windows Server 2003 (KB967715)
• Update for Windows XP x64 Edition (KB967715)
• Update for Windows 2000 (KB967715)
• Windows Vista-based and Windows Server 2008-based systems must have update 950582 (Security bulletin MS08-038) installed to take advantage of the registry key settings that disable AutoRun.

This update will create a new registry entry, HonorAutorunSetting. Without the update, autorun.inf gets read even with AutoRun disabled, but simply does not execute any AutoPlay commands inside. This still allows attacks to be made using autorun.inf, and HonorAutorunSetting should be set to 1 to disable this. The default is 1 after the patch is applied.

To disable all AutoRun features in Windows Server 2003, Windows XP Professional and Windows 2000,

• Click Start, click Run, type gpmc.msc in the Open box, and then click OK. If you don’t yet have GPMC installed, do so first.
• Choose an appropriate Group Policy Object in the left pane (or create a new one and attach it in the appropriate place), right-click it, and select Edit.
• Under Computer Configuration, expand Administrative Templates, and then click System.
• In the Settings pane, right-click Turn off Autoplay, and then click Properties. Note: In Windows 2000, the policy setting is named Disable Autoplay.
• Click Enabled, and then select All drives in the Turn off Autoplay box to disable Autorun on all drives.
• Click OK to close the Turn off Autoplay Properties dialog box.

Windows will propagate the group policy settings to all machines controlled by the edited Group Policy Object. Once the settings have been applied to a computer, it must be rebooted before the changes take effect.

Disabling AutoRun Using a Registry File

Create a file called autorun.reg containing the following lines.  Some of the lines here are long; make sure you don’t break them in the middle somewhere when you cut and paste the text below.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"HonorAutorunSetting"=dword:00000001
"NoDriveAutoRun"=dword:03ffffff
"NoDriveTypeAutoRun"=dword:000000ff

On each computer to be updated, browse to this file and double-click it. The computer must be rebooted for the changes to take effect.