How to apply WMI Filter to Windows 10 or Windows Server 2016

Windows 10 Technical Preview Start MenuAs you are probably already aware, Microsoft is soon going to be releasing the next version of Windows called… drum roll… Windows 10. Some of you might have already download the production by downloading the technical preview of Windows 10 as part of the Insider Preview. However, what you might not know is that the version number of Windows 10 is also taking a big leap forward from 6.3 to 10.0 (as you can see below).

Windows 8.1 Version Number

Win81Version

Windows 10 Version Number (Technical Preview 2)

Win10Version

 

Whenever Windows changes version number there is always applications compatibility issues. These have largely been mitigated for Windows 10 applications HOWEVER… WMI filter queries are affected by this change.

The example below might be familiar as it is a common way to apply a GPO to all Versions of WIndows after 7. It would also automatically work for Windows 8 and Windows 8.1 but it will fail for Windows 10.

select * from Win32_OperatingSystem where Version >= “6.1”

The problem stems from the comparison that WMI does as it treats the version as a string and not a number. This means that Version “10” is actually lower than “6.0” as 1 is lower that 6.

As you can see below in my example the same WMI filter as above is evaluating as False on my Windows 10 computer (called Win10).

Win10WMI

 

So… To have a WMI filter that matches Windows 7 or later (including Windows 10) then you need to use the following WMI filter:

select * from Win32_OperatingSystem where Version like “10.%” or Version >=”6.1″

This will evaluate true for Windows 10 AND any version of Windows greater that Windows 7 (6.1) as the report below shows.

Win10WMI2

 

In this example I have added used the like operator with the % wildcard so it will match any preview build of Windows 10. This will not work if Microsoft release a version of the OS with 11 version number, but as Microsoft have now said that Windows is going to be a service its a safe bet that this will work for a long while to come.

Of course the final version of Windows 10 has not been released yet so this might still change. However if you are testing Windows 10 in your environment now and you are wondering why the WMI filters GPO’s are applying this is your you can get going today.

Note: The same is also true for Windows Server 2016 as it has the same OS version number.

Thanks to Michale Niehaus for his help with this article.

 

How to stop local administrators from bypassing Group Policy

image_thumb.pngBefore I begin this article might be, for some of you, this will be well know information and it might all seem rather logical. But I continue to see questions being asked on forums as how as a Group Policy administrator can I prevent my users with local admin making a specific change or installing software/drivers on their own computer.

The short answer is you CANT!!!!

You need to think of local administrator are “gods” of their own computers and as such they have the power to do anything on the computer, including overriding any group policies. So, if you knowingly grant local admins for a user to their computer simply assume that you have lost all control of that computer. So always be REALLY sure that the person you are granting local admin access to REALLY has to have that level of access.

Of course user might not always be tech savvy enough to work around GPO restrictions. But if they are not, I would really question why you are granting local admin access to that computer in the first place. However, if you at least start with that assumption that you have lost control of the computers that you have delegated local admin permission on, then you might take a second thought before actually delegating that access to begin with.

For a more detail explanation as to why this is the case then I recommend you read Mark Russinovich (very old but still relevant) blog post at http://blogs.technet.com/b/markrussinovich/archive/2005/04/30/circumventing-group-policy-settings.aspx . Put simply, a local admin can break group policy by surgically applying permissions to the registry keys of the GPO being applied so that even the SYSTEM account does not have permission to read or change those registry keys. For example if you try to apply permission to prevent users from installing software , or worse drives, then the local admin can override this setting and install software if they know what they are doing.

Also keep in mind that the same applies to the now deprecated Power Users group  (see http://blogs.technet.com/b/markrussinovich/archive/2006/05/01/the-power-in-power-users.aspx ) as members of that group have the same effective access as local administrator.

Also importantly is to remember Law 3 of the 10 Immutable Laws of Security “If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.” which means that a stolen computer can also be easily compromised.

So, by now you might be thinking that all is lost… Security is too hard… we should all get new job. Well, not quiet…

Most of these problems can be mitigated if you just ensure users should only run as standard users level of access and that you have deployed BitLocker (or other full disk encryption software) to your computers. This is fairly common practice now and it does offer good level of confidence that your users, or someone malicious, cannot easily break in to your computers OS’s.

But of course there is no such thing as perfect security and just doing one or a few things is never enough. For example, malicious users or software can become local admin by taking advantage of local privilege escalation attacks or they can break BitLocker by launching DMA attacks via the Firewire port of your computers.

So when it comes to securing your computers in your environment Group Policy is NEVER then only answer. Instead it should be a part of a multi layered approach to securing your environment.

Vulnerability in Group Policy Fixed with MS15-011 & MS15-014

COG1_thumb.pngToday Microsoft published hotfix MS15-011 and MS15-014 that addressed a potential issues that could allow an man in the middle attack on computer. This vulnerability affected system that could be compromised by a man in the middle or what I like to call a “Coffee Shop Attack”. The summary is that by interfering with the traffic that is being sent to a client a malicious person can force a client to fall back to default weaker security settings. Once this is done it would then be possible to trick a client into running a malicious logon script.

Therefore Microsoft has released two hotfixes to fix this vulnerability:

  • MS015-011 – Microsoft has change the fall back behaviour of security setting if it encounters a corrupt Client Side Extension file.
  • MS015-014 – Microsoft has enable mutual authentication for Group Policy UNC paths meaning that a client cannot be tricked into access the same path using a different protocol such as WebDAV.

Needless to say that this is an important update to Windows and one that particularly changes the behaviour of Group Policy to mitigate the threat.

For a much more detail explanation of this see:

http://blogs.technet.com/b/srd/archive/2015/02/10/ms15-011-amp-ms15-014-hardening-group-policy.aspx

This update can only be downloaded via Windows Update but you can get more information on the individual patches at:

https://technet.microsoft.com/en-us/library/security/ms15-011

https://technet.microsoft.com/en-us/library/security/ms15-014

Out Now: Remote Server Admin Tools for Windows 10 Technical Preview

Windows 10 Technical Preview Start MenuMicrosoft has just released the Windows 10 Technical Preview to the public. As per normal Windows 10 has a number of admin tools installed out of the box. But on top of that there is also the Remote Server Admin Tools (RSAT) that can be used for managing the server components of Windows Server. Ironically the next preview version of Windows Server has not yet been released…

But according to the release notes, these tools can be used to manage the October 2014 Windows Server preview version with the exception of the DNS Tools and IP Address Management Tools (IPAM).

Source: http://www.microsoft.com/en-us/download/details.aspx?id=45520

Work Folders Client for iPad

Work Folders iPad LogoWork Folders which is the feature that was released with Windows Server 2012 R2 and Windows 8.1 is a “OneDrive” like feature that allows users synchronise their “work” files on their devices. The key difference with this feature is that the files are stored on premise on the back end instead of the cloud which is far more palatable for companies that are still nervous about moving to the cloud.

Originally this client for this feature was for Windows 8.1 and then it was released for Windows 7 with promise that an iPad version of the app would be coming soon. Well, finally Microsoft have made good on this promise and they have now released the iPad.

Work Folders iPad App

What is really great about this release is that it now makes the Work Folders feature a truly cross platform feature. But more importantly it enables your iPad loving managers that seem have their Apple device surgically attached to the hand actually do “work” on their tables. Why is this even important you ask? Well, most workplaces are of course political and managers are normally the people you need to win over to get anything approved. Another added advantage of this feature is that the licensing is also included with Windows (you mileage may vary). So this is also a much cheaper alternative to solution like Box.com which also offers synchronisation cross platform but at a per user cost to the business.

Finally the iPad version of the app also offline support and encryption to ensure that the information in the app is always secure.

So, if you have already got Work Folders deployed in your organisation then download the app and get started. But, if this is the first time you have heard about this feature and you are still after more information then I suggest you check out my many other blog post here or even my TechEd 2013 and TechEd 2014.

Source: http://blogs.technet.com/b/filecab/archive/2015/01/16/work-folders-for-ios-ipad-app-release.aspx

iTunes Link: https://itunes.apple.com/us/app/work-folders/id950878067?mt=8