I recently recorded a podcast with Richard Campbell to talk about some of the latest changes with Group Policy especially around passwords in Group Policy Preference and mitigations for Pass The Hash. We then talk about some of the things we would like to see in the next version of Windows regarding security.
You can check out the podcast at http://runasradio.com/default.aspx?showNum=393
In this TechEd session I presented at TechEd New Zealand 2014 I covered some of the changes with Group Policy preferences recently as well as some of the new Group Policy improvements you can do to protect yourself against Pass the Hash attacks. Unfortunately at the end one of my Demo’s did not work however I actually did get it to work only a few minutes after the video ended. All I had to do was log off and on and the authentication attempt failed as expected. In any case it was a great session and best of all it was recorded in full video so you actually get to see me talk on stage rather than just look at my monitor.
Unfortunately they have only release the video as a WMV so you will need to click use this link to play the video. http://video.ch9.ms/sessions/teched/nz/2014/PCIT312_FINAL.wmv
Update: I had discovered that this original ADMX template were missing some Internet Explore 11 Group Policy settings. As a result the ADMX/ADML pack has now been re-released but can be downloaded using the same link below.
Microsoft has just released the Administrative Templates (ADMX/ADML) files that allow you to configure their newest Group Policy Administrative Template setting for Windows 8.1 Update and Windows Server 2012 R2 Update. These files are already provided with the operating system when you go to install it however this download allows you to update the policy settings even on an older version of the OS.
The changes to these files mainly include the support for the new group policy setting regarding the new UI setting for configuring the start screen and task bar.
The best way to deploy these files is to simply copy them to the Group Policy Central Store. This will update all your group policy objects in one easy step. Even if you are not running the latest OS in you environment there is no issues with updating the ADMX/ADML files as all the setting are fully backwards compatible and will just mean one less step to do when you do upgrade in the future.
Download the Windows 8.1 update ADMX/ADLM pack from http://www.microsoft.com/en-us/download/details.aspx?id=43413
The session that myself and Chris Jackson (a.k.a. AppCompatGuy) at TechEd New Zealand 2014 has now been published. So for your viewing pleasure I have embedded the video below:
This session covers Internet Explorer 11 with Enterprise Mode and how you can use Group Policy to manage the feature to enable you to migrated to the latest version of IE in your organisation. Myself and Chris has a blast doing this session and the session feedback has been excellent… So if you want a little bit of a laugh and learn a lot about IE Enterprise mode then by all means enjoy the video.
If you are after a copy of the video or slides for offline viewing then you can click on the source link below.
Microsoft has just released a patch MS14-051 (https://support.microsoft.com/kb/2976627) for Internet Explore on Windows 7 and Windows 8 that allows IT Admins to block out of date ActiveX controls from running in the browser. This move aligns IE with other browsers that actively block out of date version of plug-ins such as Java but is still very similar to the ActiveX kill list that Microsoft used to issue to block controls with known vulnerabilities. The key difference with this change is that it now uses an XML configuration file (see here) to publish what controls are out of date rather than hard coding them into a patch.
Interesting to note that while the name of blog post and update specifically say this is a ActiveX blocking update it is currently only going to be configured to block out of date versions of Java. Of course having and XML configuration file also means that Microsoft can also use the same mechanism for blocking other out of date controls (Flash, Silverlight etc) in the future.
It is also good to know that this change does *NOT* apply to web sites that are configured to run in the Intranet Zone or Trusted Zones meaning that all your our of date ActiveX controls you run on your intranet are not affected by this change. In addition to this Microsoft has now said they will give a grace period before they block the controls until September 9th.
To manage this new security feature Microsoft has also create four new group policy settings under Administrative Templates > Windows Components > Internet Explorer > Security Features > Add-on Management
- Turn on ActiveX control logging in Internet Explorer
- Remove Run this time button for outdated ActiveX controls in Internet Explorer
- Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains
- Turn off blocking of outdated ActiveX controls for Internet Explorer
For more details on these setting check out http://technet.microsoft.com/en-us/library/dn761713.aspx
To get these new Group Policy setting for your organisation you either need to install the MS14-051 update on the computer that you edit your GPO’s on OR you need to download the ADMX files from htp://www.microsoft.com/en-us/download/details.aspx?id=40905 and update your Group Policy Policydefenitions central or local store.
Additional Reference: http://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx