<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Technoblogical &#187; Group Policy</title>
	<atom:link href="http://www.technoblogical.com/tag/group-policy/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.technoblogical.com</link>
	<description>Providing training since last Tuesday</description>
	<lastBuildDate>Tue, 27 Dec 2011 19:09:23 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>AppLocker to block programs in Windows 7</title>
		<link>http://www.technoblogical.com/2011/12/27/applocker-to-block-programs-in-windows-7/</link>
		<comments>http://www.technoblogical.com/2011/12/27/applocker-to-block-programs-in-windows-7/#comments</comments>
		<pubDate>Tue, 27 Dec 2011 19:02:34 +0000</pubDate>
		<dc:creator>technoblogical</dc:creator>
				<category><![CDATA[Chronological]]></category>
		<category><![CDATA[7]]></category>
		<category><![CDATA[Active Directory]]></category>
		<category><![CDATA[Domain]]></category>
		<category><![CDATA[Domain Controller]]></category>
		<category><![CDATA[Group Policy]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Server 2008]]></category>
		<category><![CDATA[Windows]]></category>
		<category><![CDATA[Workgroup]]></category>

		<guid isPermaLink="false">http://www.technoblogical.com/?p=1446</guid>
		<description><![CDATA[AppLocker will block applications from running based on the descriptor. You can block programs by publisher, path, version, file name, publisher description or even hash. This feature is only available in Windows 7 and Microsoft Windows Server 2008 R2. While it can be used on an Active Directory domain, I use local group policy. You [...]]]></description>
			<content:encoded><![CDATA[<p><iframe width="500" height="281" src="http://www.youtube.com/embed/SFIZxe6U0E0?fs=1&#038;feature=oembed" frameborder="0" allowfullscreen></iframe></p>
<p>AppLocker will block applications from running based on the descriptor. You can block programs by publisher, path, version, file name, publisher description or even hash. This feature is only available in Windows 7 and Microsoft Windows Server 2008 R2. While it can be used on an Active Directory domain, I use local group policy. You can also create exceptions to allow some programs through the rules.</p>
<p>AppLocker is a newly introduced feature that plays off the old hash rules to block programs.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.technoblogical.com/2011/12/27/applocker-to-block-programs-in-windows-7/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>block software with gpo hash rule</title>
		<link>http://www.technoblogical.com/2011/12/16/block-software-with-gpo-hash-rule/</link>
		<comments>http://www.technoblogical.com/2011/12/16/block-software-with-gpo-hash-rule/#comments</comments>
		<pubDate>Fri, 16 Dec 2011 18:05:24 +0000</pubDate>
		<dc:creator>technoblogical</dc:creator>
				<category><![CDATA[Chronological]]></category>
		<category><![CDATA[7]]></category>
		<category><![CDATA[Active Directory]]></category>
		<category><![CDATA[Desktop]]></category>
		<category><![CDATA[Domain]]></category>
		<category><![CDATA[Domain Controller]]></category>
		<category><![CDATA[Group Policy]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Server]]></category>
		<category><![CDATA[Server 2008]]></category>
		<category><![CDATA[software]]></category>
		<category><![CDATA[Vista]]></category>
		<category><![CDATA[Windows]]></category>
		<category><![CDATA[Windows XP]]></category>
		<category><![CDATA[Workgroup]]></category>

		<guid isPermaLink="false">http://www.technoblogical.com/?p=1443</guid>
		<description><![CDATA[Hash rules are rules created in group policy that analyze software. They consider the &#8220;footprint&#8221; of software to recognize it. This means that if the program is renamed, it will still be recognized. Renaming the software is an old trick used by people who write viruses. These hash rules in Group Policy can be used [...]]]></description>
			<content:encoded><![CDATA[<p><iframe width="500" height="281" src="http://www.youtube.com/embed/IHpFfCpcIJU?fs=1&#038;feature=oembed" frameborder="0" allowfullscreen></iframe></p>
<p>Hash rules are rules created in group policy that analyze software. They consider the &#8220;footprint&#8221; of software to recognize it. This means that if the program is renamed, it will still be recognized. Renaming the software is an old trick used by people who write viruses. These hash rules in Group Policy can be used to either allow or disallow a program to run. The problem is that if the software is updated or the users simply download an old version, the software can run. This hash rule and many like it can stop a virus or trojan from running rampant in your network. This is available in local or domain group policy, although this video is made using the local GPO. It affects all users of that computer. This video was made on Windows 7, but the same is possible on XP, Vista, 2000, Windows Server 2003 and 2008.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.technoblogical.com/2011/12/16/block-software-with-gpo-hash-rule/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>block USB drive via local GPO</title>
		<link>http://www.technoblogical.com/2011/12/13/block-usb-drive-via-local-gpo/</link>
		<comments>http://www.technoblogical.com/2011/12/13/block-usb-drive-via-local-gpo/#comments</comments>
		<pubDate>Wed, 14 Dec 2011 05:10:42 +0000</pubDate>
		<dc:creator>technoblogical</dc:creator>
				<category><![CDATA[Chronological]]></category>
		<category><![CDATA[7]]></category>
		<category><![CDATA[Active Directory]]></category>
		<category><![CDATA[Desktop]]></category>
		<category><![CDATA[Domain Controller]]></category>
		<category><![CDATA[Group Policy]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Server 2008]]></category>
		<category><![CDATA[software]]></category>
		<category><![CDATA[Vista]]></category>
		<category><![CDATA[Windows]]></category>
		<category><![CDATA[Workgroup]]></category>

		<guid isPermaLink="false">http://www.technoblogical.com/?p=1424</guid>
		<description><![CDATA[This tutorial shows how to block USB drives by local group policy. This GPO setting was first available on Windows Vista. I perform this on Windows 7. Group Policy objects are only available to the Professional and Ultimate editions of Windows 7. These flash drives, also called thumb drives, pose a security threat to many [...]]]></description>
			<content:encoded><![CDATA[<p><iframe width="500" height="281" src="http://www.youtube.com/embed/h61thET3neI?fs=1&#038;feature=oembed" frameborder="0" allowfullscreen></iframe></p>
<p>This tutorial shows how to block USB drives by local group policy. This GPO setting was first available on Windows Vista. I perform this on Windows 7. Group Policy objects are only available to the Professional and Ultimate editions of Windows 7. These flash drives, also called thumb drives, pose a security threat to many businesses. They make it easy to remove sensitive data from the workplace.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.technoblogical.com/2011/12/13/block-usb-drive-via-local-gpo/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Forest Functional Levels</title>
		<link>http://www.technoblogical.com/2010/05/08/forest-functional-levels/</link>
		<comments>http://www.technoblogical.com/2010/05/08/forest-functional-levels/#comments</comments>
		<pubDate>Sat, 08 May 2010 12:07:27 +0000</pubDate>
		<dc:creator>technoblogical</dc:creator>
				<category><![CDATA[Chronological]]></category>
		<category><![CDATA[Active Directory]]></category>
		<category><![CDATA[Command Line]]></category>
		<category><![CDATA[Domain]]></category>
		<category><![CDATA[Domain Controller]]></category>
		<category><![CDATA[Group Policy]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[Server 2008]]></category>
		<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://www.technoblogical.com/?p=1099</guid>
		<description><![CDATA[As Microsoft Windows Server has progressed over the years additional functionality has been incorporated into its domain controllers. The level at which a forest operates is its functional level. This means that if a Microsoft Windows Server 2008 is at a Server 2000 native functional level, it can only utilize the features that were available [...]]]></description>
			<content:encoded><![CDATA[<p>As Microsoft Windows Server has progressed over the years, additional functionality has been incorporated into its domain controllers. The level at which a forest operates is its functional level. This means that if a Microsoft Windows Server 2008 is at a Server 2000 native functional level, it can only utilize the features that were available to Microsoft Windows Server 2000 forests. Microsoft Windows Server 2008 only supports 4 functional levels. Server 2008 supports Windows 2000 native, Windows Server 2003, and Windows Server 2008. Windows Server 2008 R2 also has the added benefit of supporting Windows Server 2008 R2 level. The default functional level is Windows 2000 native. All domains must be at the forest&#8217;s functional level or higher. This means that if you have a forest operating at Windows Server 2003 functional level, all domains in the forest must operate at a Windows Server 2003 functional level at minimum.</p>
<p>A domain that uses NT 4.0 domain controllers and Windows 2000 Server domain controllers is referred to as a Windows 2000 Server mixed mode domain. After all Windows NT Servers have been removed or demoted into becoming only members of their domains, the forest functional level may be raised to a Windows 2000 Server native functional level. The added functionality in a 2000 Server native forest includes&#8230;</p>
<ul>
<li>Universal Groups: Universal groups are groups that may be referenced anywhere in the forest.</li>
<li>Raising both levels at once: You may raise the domain&#8217;s functional level by raising the forest&#8217;s functional level.</li>
</ul>
<p>After all Windows 2000 Servers have been removed or demoted into becoming only members of the domains, the forest functional level may be raised to a Windows Server 2003 functional level after all the domains have been raised to Windows Server 2003 functional level. The added functionality in a Server 2003 domain includes&#8230;</p>
<ul>
<li>Forest Trusts: Allows authentication between domains for sharing of resources.</li>
<li>Domain Rename: Allows the renaming of a domain within the forest.</li>
<li>Linked-value replication: In Windows 2000, when changes were made to a group, it would mean replication of all the properties of the group. The downside to this was that if the group was being modified on two domain controllers at the same time, one of the changes might not occur due to bandwidth issues. This is why there is a recommended cap of 5,000 users in a group for Server 2003. Linked-value replication replicates the individual membership change instead of the entire member attribute.</li>
<li>Support for Read Only Domain Controllers: Read Only Domain Controllers (RODC) are a new feature of Server 2008 that may be used in a Server 2003 forest. An RODC will allow the caching of credentials in a remote location to prevent WAN traffic being consumed by authentication requests. It is also required to run “adprep /rodcprep” on the Windows Server 2003 domain controllers.</li>
<li>Improved Knowledge Consistency Checker algorithms and scalability: The intersite topology generator (ISTG) enables replication within forests through links. In a Windows 2000 forest, site links must be manually created. There are also improvements in the algorithms in a Windows 2003 forest.</li>
<li>Conversion of inetOrgPerson objects to user objects: inetOrgPerson objects are used for non-Microsoft directory services. With a Server 2003 forest, it is possible to convert an inetOrgPerson into a user object and vice versa.</li>
<li>Support for dynamicObject auxiliary class: Used by certain applications and developers, dynamicObject is new to Server 2003.</li>
<li>Support for application basic groups and LDAP query groups: These two new group types can be used to support role-based authorization in applications that use Authorization Manager.</li>
<li>Deactivation and redefinition of attributes and object class: Attributes and object classes may not be deleted. With Server 2003 forests, they can be redefined or deactivated.</li>
</ul>
<p>After all Windows 2003 Servers have been removed or demoted into becoming only members of the domains, the forest functional level may be raised to a Windows Server 2008 functional level after all the domains have been raised to Windows Server 2008 functional level. A Server 2008 functional level does not add any functionality to the Forest.</p>
<p>After all Windows 2008 (Non-R2) Servers have been removed or demoted into becoming only members of the domains, the forest functional level may be raised to a Windows Server 2008 R2 functional level after all the domains have been raised to Windows Server 2008 functional level. The only new feature is a very nice one. Microsoft has introduced a recycle bin into Active Directory. Enabling it requires a command in PowerShell.</p>
<p>Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mydomain,DC=com' -Scope ForestOrConfigurationSet -Target 'mydomain.com'</p>
]]></content:encoded>
			<wfw:commentRss>http://www.technoblogical.com/2010/05/08/forest-functional-levels/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Domain Functional Levels</title>
		<link>http://www.technoblogical.com/2010/05/05/domain-functional-levels/</link>
		<comments>http://www.technoblogical.com/2010/05/05/domain-functional-levels/#comments</comments>
		<pubDate>Wed, 05 May 2010 13:59:43 +0000</pubDate>
		<dc:creator>technoblogical</dc:creator>
				<category><![CDATA[Chronological]]></category>
		<category><![CDATA[Active Directory]]></category>
		<category><![CDATA[Domain]]></category>
		<category><![CDATA[Domain Controller]]></category>
		<category><![CDATA[Group Policy]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[Server 2008]]></category>
		<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://www.technoblogical.com/?p=1097</guid>
		<description><![CDATA[As Microsoft Windows Server has progressed over the years additional functionality has been incorporated into its domain controllers. The level at which a domain operates is its functional level. This means that if a Microsoft Windows Server 2008 is at a 2000 Server native functional level, it can only utilize the features that were available [...]]]></description>
			<content:encoded><![CDATA[<p>As Microsoft Windows Server has progressed over the years, additional functionality has been incorporated into its domain controllers. The level at which a domain operates is its functional level. This means that if a Microsoft Windows Server 2008 is at a 2000 Server native functional level, it can only utilize the features that were available to Microsoft Windows 2000 Server domain controllers. Microsoft Windows Server 2008 only supports 4 functional levels. NT functional levels are no longer supported. Windows Server 2003 supported what was called a Windows 2000 Server mixed mode. This mixed mode did have support for NT domain controllers. All NT domain controllers must be removed or demoted before a Server 2008 domain controller can be introduced into the domain. Server 2008 supports Windows 2000 Server native, Windows Server 2003, and Windows Server 2008. Windows Server 2008 R2 also has the added benefit of supporting Windows Server 2008 R2 level.</p>
<p>The original Windows domain used NT 4.0 domain controllers. The functionality in an NT Server domain includes&#8230;</p>
<ul>
<li>Local and global groups</li>
<li>Global catalog support</li>
</ul>
<p>A domain that uses NT 4.0 domain controllers and Windows 2000 Server domain controllers is referred to as a Windows 2000 Server mixed mode domain. After all Windows NT Servers have been removed or demoted into becoming only members of the domain, the domain functional level may be raised to a Windows 2000 Server native functional level. The added functionality in a 2000 Server native domain includes&#8230;</p>
<ul>
<li>Group nesting: Group nesting allows for groups to be placed in other groups for simplification of asset permissions. This is the approach used by the AGDLP method.</li>
<li>Universal Groups: Universal groups are groups that may be referenced anywhere in the forest.</li>
<li>SID history: The System Identifier is a specific attribute that is applied to users and computers. It is used for identity purposes and every object in Active Directory has a unique SID.</li>
<li>Group conversion: It is possible to convert a security group into a distribution group and vice versa.</li>
<li>Raising both levels at once: You may raise the domain&#8217;s functional level by raising the forest&#8217;s functional level.</li>
</ul>
<p>After all Windows 2000 Servers have been removed or demoted into becoming only members of the domain, the domain functional level may be raised to a Windows Server 2003 functional level. The added functionality in a Server 2003 domain includes&#8230;</p>
<ul>
<li>Netdom.exe: This utility is used to rename computer accounts in the domain. It can even be used to rename the domain controller! It doesn&#8217;t need to be run from a server either. It can be run from any computer that is a member of the domain and has Windows Server 2003 SP1 Support Tools (suptools.msi).</li>
<li>LastLogonTimestamp attribute: When a user or computer logs onto the domain, this attribute is applied to the account and replicated throughout the domain.</li>
<li>userPassword attribute: There are four object classes in Active Directory. The most well known are users, computers, and groups. The fourth is inetOrgPerson. It is used with several non-Microsoft directory services in a similar fashion to users. At the Windows Server 2003 domain functional level, you can use the userPassword attribute to set the same password for user and inetOrgPerson.</li>
<li>Redirusr.exe and Redircmp.exe: These two commands can be used to redirect the default containers for users or computers when joined to the domain. By default, the containers used for such a purpose are not organizational units and will not have Group Policy Objects (GPOs) applied to them.</li>
<li>Authorization Manager policies: Used by applications, Authorization Manager stores authorization policies in Active Directory Domain Services.</li>
<li>Constrained Delegation: It is possible with the Kerberos authentication protocol for applications to take advantage of the secure delegation of user credentials. This means that specific destination services can be allowed by configuration of delegation.</li>
<li>Selective Authentication: This deals with authentication between domains in the forest, which is referred to as a trust. This feature specifies which users, when not in their own domain, are allowed to authenticate to the local domain controller. The local domain controller is not part of their domain either, but is able to authenticate the user due to a trust between the domains.</li>
</ul>
<p>After all Windows 2003 Servers have been removed or demoted into becoming only members of the domain, the domain functional level may be raised to a Windows Server 2008 functional level. The added functionality in a Server 2008 domain includes&#8230;</p>
<ul>
<li>DFS-R of SYSVOL: File Replication Service (FRS) is the default replication method of the SYSVOL folder. In Windows Server 2008, a new method was introduced which is more robust and detailed at replication. Windows Server 2008 may be upgraded to the new replication service, Distributed File System Replication (DFS-R).</li>
<li>Advanced Encryption Services: Kerberos protocol may use Advanced Encryption Services (AES 128 or AES 256) to increase security. AES replaces the RC4-HMAC (Hash Message Authentication Code) encryption algorithm.</li>
<li>Last interactive logon information: The time, the workstation used, and the number of failed logon attempts since last logon are updated in the attributes of the user object.</li>
<li>Fine-grained password policies: Allows specific password policies to be applied to specific users or groups via Password Settings Object (PSO).</li>
</ul>
<p>After all Windows 2008 (Non-R2) Servers have been removed or demoted into becoming only members of the domains, the domain functional level may be raised to a Windows Server 2008 R2 functional level.</p>
<ul>
<li>Authentication Mechanism Assurance: Allows group modification based on authentication method. A user can have access to different resources based on whether they authenticated with a certificate instead of just their name and password.</li>
<li>Automatic SPN management: Exchange, IIS, and SQL service accounts can now be managed better. It is possible to assign the management of these accounts to specific users. Passwords of those accounts can be reset automatically. A class of domain accounts can be used to manage services on local computers.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.technoblogical.com/2010/05/05/domain-functional-levels/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>audit account logon events</title>
		<link>http://www.technoblogical.com/2010/04/24/audit-account-logon-events/</link>
		<comments>http://www.technoblogical.com/2010/04/24/audit-account-logon-events/#comments</comments>
		<pubDate>Sat, 24 Apr 2010 01:45:40 +0000</pubDate>
		<dc:creator>technoblogical</dc:creator>
				<category><![CDATA[Chronological]]></category>
		<category><![CDATA[ACL]]></category>
		<category><![CDATA[Active Directory]]></category>
		<category><![CDATA[Domain]]></category>
		<category><![CDATA[Domain Controller]]></category>
		<category><![CDATA[Group Policy]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Server]]></category>
		<category><![CDATA[Server 2008]]></category>
		<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://technoblogical.com/?p=766</guid>
		<description><![CDATA[This is a video about auditing account logon events. It records successful and failed account logon events in a Microsoft Windows Server 2008 domain. In an Active Directory environment, these events will be recorded to the domain controller&#8217;s Event Viewer and must be viewed there. This feature is available on Server 2008, 2003, and [...]]]></description>
			<content:encoded><![CDATA[<p><object width="500" height="306"><param name="movie" value="http://www.youtube.com/v/n8IDynVTya0&#038;fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/n8IDynVTya0&#038;fs=1" type="application/x-shockwave-flash" width="500" height="306" allowscriptaccess="always" allowfullscreen="true"></embed></object></p>
<p>This is a video about auditing account logon events. It records successful and failed account logon events in a Microsoft Windows Server 2008 domain. In an Active Directory environment, these events will be recorded to the domain controller&#8217;s Event Viewer and must be viewed there. This feature is available on Server 2008, 2003, and 2000. You may also enact these policies on Windows 2000, XP, Vista, or 7, if they are members of the domain. If they are not members of a domain, you may record the events locally, but remember they must be viewed locally.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.technoblogical.com/2010/04/24/audit-account-logon-events/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Password Settings Object</title>
		<link>http://www.technoblogical.com/2010/04/24/password-settings-object/</link>
		<comments>http://www.technoblogical.com/2010/04/24/password-settings-object/#comments</comments>
		<pubDate>Sat, 24 Apr 2010 01:40:45 +0000</pubDate>
		<dc:creator>technoblogical</dc:creator>
				<category><![CDATA[Chronological]]></category>
		<category><![CDATA[Active Directory]]></category>
		<category><![CDATA[Domain]]></category>
		<category><![CDATA[Domain Controller]]></category>
		<category><![CDATA[Group Policy]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Server]]></category>
		<category><![CDATA[Server 2008]]></category>
		<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://technoblogical.com/?p=763</guid>
		<description><![CDATA[A PSO is a password policy that is available in a Microsoft Windows Server 2008 Domain Controller. It is more granular than Active Directory group policy because it is applied to a particular user or group. Group Policy Objects (GPO) are applied to an entire organizational unit (OU). You may try to apply several PSOs [...]]]></description>
			<content:encoded><![CDATA[<p><object width="500" height="306"><param name="movie" value="http://www.youtube.com/v/kmShKNZ83e4&#038;fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/kmShKNZ83e4&#038;fs=1" type="application/x-shockwave-flash" width="500" height="306" allowscriptaccess="always" allowfullscreen="true"></embed></object></p>
<p>A PSO is a password policy that is available in a Microsoft Windows Server 2008 Domain Controller. It is more granular than Active Directory group policy because it is applied to a particular user or group. Group Policy Objects (GPO) are applied to an entire organizational unit (OU). You may try to apply several PSOs to a person, but one will take precedence. The one with the lowest number will be the policy applied. To use the features in this video, you must promote your domain to a Server 2008 level.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.technoblogical.com/2010/04/24/password-settings-object/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>control passwords in group policy</title>
		<link>http://www.technoblogical.com/2010/04/24/control-passwords-in-group-policy/</link>
		<comments>http://www.technoblogical.com/2010/04/24/control-passwords-in-group-policy/#comments</comments>
		<pubDate>Sat, 24 Apr 2010 01:38:19 +0000</pubDate>
		<dc:creator>technoblogical</dc:creator>
				<category><![CDATA[Chronological]]></category>
		<category><![CDATA[Active Directory]]></category>
		<category><![CDATA[Domain]]></category>
		<category><![CDATA[Domain Controller]]></category>
		<category><![CDATA[Group Policy]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Server]]></category>
		<category><![CDATA[Server 2008]]></category>
		<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://technoblogical.com/?p=761</guid>
		<description><![CDATA[This is a short video about how to create password policies in a Server 2008 Active Directory domain. The policies are already configured, but this shows how to modify them. You can also use similar methods in Microsoft Windows Server 2003 and 2000 Server. Similar settings are also available in local group policy in an [...]]]></description>
			<content:encoded><![CDATA[<p><object width="500" height="306"><param name="movie" value="http://www.youtube.com/v/HMujfYQj5TM&#038;fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/HMujfYQj5TM&#038;fs=1" type="application/x-shockwave-flash" width="500" height="306" allowscriptaccess="always" allowfullscreen="true"></embed></object></p>
<p>This is a short video about how to create password policies in a Server 2008 Active Directory domain. The policies are already configured, but this shows how to modify them. You can also use similar methods in Microsoft Windows Server 2003 and 2000 Server. Similar settings are also available in local group policy in a Microsoft Management Console (MMC). You can set these policies locally on Microsoft Windows 7, Vista, XP, or 2000.</p>
<p>The policies are located at&#8230;<br />
Computer Configuration / Policies / Windows Settings / Security Settings / Account Policies / Password Policy</p>
<p>The six settings are&#8230;<br />
Enforce Password History<br />
Maximum password age<br />
Minimum password age<br />
Minimum password length<br />
Password must meet complexity requirements<br />
Store passwords using reversible encryption</p>
]]></content:encoded>
			<wfw:commentRss>http://www.technoblogical.com/2010/04/24/control-passwords-in-group-policy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>audit object access</title>
		<link>http://www.technoblogical.com/2010/04/24/audit-object-access/</link>
		<comments>http://www.technoblogical.com/2010/04/24/audit-object-access/#comments</comments>
		<pubDate>Sat, 24 Apr 2010 01:21:56 +0000</pubDate>
		<dc:creator>technoblogical</dc:creator>
				<category><![CDATA[Chronological]]></category>
		<category><![CDATA[ACL]]></category>
		<category><![CDATA[Active Directory]]></category>
		<category><![CDATA[audit]]></category>
		<category><![CDATA[Domain]]></category>
		<category><![CDATA[Domain Controller]]></category>
		<category><![CDATA[Group Policy]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Server]]></category>
		<category><![CDATA[Server 2008]]></category>
		<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://technoblogical.com/?p=749</guid>
		<description><![CDATA[This is a video on how to audit object access on a Server 2008 domain controller (DC) and a client of the domain. I deny permission to a folder for a user and then view the record in the security log in event viewer. Remember that events are always recorded on the local machine. These [...]]]></description>
			<content:encoded><![CDATA[<p><object width="500" height="306"><param name="movie" value="http://www.youtube.com/v/Dlqn1oQQt8o&#038;fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/Dlqn1oQQt8o&#038;fs=1" type="application/x-shockwave-flash" width="500" height="306" allowscriptaccess="always" allowfullscreen="true"></embed></object></p>
<p><object width="500" height="306"><param name="movie" value="http://www.youtube.com/v/QPoUHFwcoEk&#038;fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/QPoUHFwcoEk&#038;fs=1" type="application/x-shockwave-flash" width="500" height="306" allowscriptaccess="always" allowfullscreen="true"></embed></object></p>
<p>This is a video on how to audit object access on a Server 2008 domain controller (DC) and a client of the domain. I deny permission to a folder for a user and then view the record in the security log in Event Viewer. Remember that events are always recorded on the local machine. These types of events can be audited on Microsoft Windows Server 2008, 2003, 2000, 7, XP, or Vista. They don&#8217;t require Active Directory. If you are in a workgroup you&#8217;ll need to set local group policy (GPO).</p>
<p>Name of audit policy &#8211; Server 2008 defaults<br />
Audit Account Logon Events &#8211; successful and failed<br />
Triggered any time you log in to the domain. If the computer or user authenticates to the DC, it&#8217;s an account logon event.</p>
<p>Audit Logon Events &#8211; successful and failed<br />
Creates an event when you log on to a computer. If you log in to a domain, an event is recorded on the DC. If you log in locally, the event is recorded on that machine. If you access a folder, you authenticate to that machine and the event is recorded on that machine.</p>
<p>Audit Account Management &#8211; successful only<br />
Audits events for creation, deletion, or modification of users, groups, computers, or passwords.</p>
<p>Audit Directory Service Account &#8211; successful only<br />
Audits events specified on the security of objects in AD.</p>
<p>Audit Policy Change &#8211; successful only<br />
Audits events that modify user rights.</p>
<p>Audit Privilege use &#8211; none<br />
Not sure. Is this the Security setting in GPME? &#8220;audits the use of a privilege or user right.&#8221;</p>
<p>Audit System Events &#8211; success and failure<br />
Audits success, failure, or changes that affect the system or security log.</p>
<p>Audit Process Tracking &#8211; success<br />
Audits events such as program activation and process exit.</p>
<p>Audit Object Access &#8211; success<br />
Audits access to objects such as files, folders, registry keys, and printers that have their own access control list (ACL) or security tab. Requires enabling the auditing options on those items as well.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.technoblogical.com/2010/04/24/audit-object-access/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>update software through group policy</title>
		<link>http://www.technoblogical.com/2010/04/24/update-software-through-group-policy/</link>
		<comments>http://www.technoblogical.com/2010/04/24/update-software-through-group-policy/#comments</comments>
		<pubDate>Sat, 24 Apr 2010 01:13:09 +0000</pubDate>
		<dc:creator>technoblogical</dc:creator>
				<category><![CDATA[Chronological]]></category>
		<category><![CDATA[Active Directory]]></category>
		<category><![CDATA[Domain]]></category>
		<category><![CDATA[Domain Controller]]></category>
		<category><![CDATA[Group Policy]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Server]]></category>
		<category><![CDATA[Server 2008]]></category>
		<category><![CDATA[software]]></category>
		<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://technoblogical.com/?p=742</guid>
		<description><![CDATA[This is a video about how to update software through group policy. In the last video, I installed Firefox 3.0; in this video I upgrade to Firefox 3.5. I use a Microsoft Installer (MSI) package and a GPO (group policy object) in an Active Directory domain (requires domain controller) to do this. This operation [...]]]></description>
			<content:encoded><![CDATA[<p><object width="500" height="306"><param name="movie" value="http://www.youtube.com/v/zDg3mRgloy0&#038;fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/zDg3mRgloy0&#038;fs=1" type="application/x-shockwave-flash" width="500" height="306" allowscriptaccess="always" allowfullscreen="true"></embed></object></p>
<p>This is a video about how to update software through group policy. In the last video, I installed Firefox 3.0; in this video I upgrade to Firefox 3.5. I use a Microsoft Installer (MSI) package and a GPO (group policy object) in an Active Directory domain (requires domain controller) to do this. This operation may be performed on Server 2000, 2003, or 2008 and client operating systems of Windows 2000, XP, Vista, or 7. You may assign the program to specific users or computers so that it will be installed. You can also publish the software so that the user may decide to install the software.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.technoblogical.com/2010/04/24/update-software-through-group-policy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>install software through group policy</title>
		<link>http://www.technoblogical.com/2010/04/24/install-software-through-group-policy/</link>
		<comments>http://www.technoblogical.com/2010/04/24/install-software-through-group-policy/#comments</comments>
		<pubDate>Sat, 24 Apr 2010 01:11:05 +0000</pubDate>
		<dc:creator>technoblogical</dc:creator>
				<category><![CDATA[Chronological]]></category>
		<category><![CDATA[Active Directory]]></category>
		<category><![CDATA[Domain]]></category>
		<category><![CDATA[Domain Controller]]></category>
		<category><![CDATA[Group Policy]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Server]]></category>
		<category><![CDATA[Server 2008]]></category>
		<category><![CDATA[software]]></category>
		<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://technoblogical.com/?p=740</guid>
		<description><![CDATA[This is a video about how to install software through group policy. I install Firefox 3.0 through a MSI (Microsoft Installer Package) that is accessible through a local share. To do this it requires a GPO (group policy object) be applied on the domain (Server with active directory). You may assign the program to specific [...]]]></description>
			<content:encoded><![CDATA[<p><object width="500" height="306"><param name="movie" value="http://www.youtube.com/v/JRNCgvZs5v4&#038;fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/JRNCgvZs5v4&#038;fs=1" type="application/x-shockwave-flash" width="500" height="306" allowscriptaccess="always" allowfullscreen="true"></embed></object></p>
<p>This is a video about how to install software through group policy. I install Firefox 3.0 through an MSI (Microsoft Installer Package) that is accessible through a local share. This requires a GPO (group policy object) to be applied on the domain (server with Active Directory). You may assign the program to specific users or computers so that it will be installed. You can also publish the software so that the user may decide to install the software. You can do this on a Server 2008 domain controller and Windows 7, but it is also available for 2003, 2000, XP, or Vista.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.technoblogical.com/2010/04/24/install-software-through-group-policy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>scwcmd: convert Security Configuration Wizard templates into Group Policies</title>
		<link>http://www.technoblogical.com/2010/04/24/scwcmd-convert-security-configuration-wizard-templates-into-group-policies/</link>
		<comments>http://www.technoblogical.com/2010/04/24/scwcmd-convert-security-configuration-wizard-templates-into-group-policies/#comments</comments>
		<pubDate>Sat, 24 Apr 2010 01:08:27 +0000</pubDate>
		<dc:creator>technoblogical</dc:creator>
				<category><![CDATA[Chronological]]></category>
		<category><![CDATA[Active Directory]]></category>
		<category><![CDATA[Domain]]></category>
		<category><![CDATA[Domain Controller]]></category>
		<category><![CDATA[Group Policy]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Server]]></category>
		<category><![CDATA[Server 2008]]></category>
		<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://technoblogical.com/?p=737</guid>
		<description><![CDATA[The Security Configuration Wizard is used to create security templates as XML documents. The SCWCMD command converts one into a group policy (GPO). I do this on Microsoft Windows Server 2008 but it is also available on Microsoft Windows Server 2003. Usually, you would use this on a domain controller or in an active directory [...]]]></description>
			<content:encoded><![CDATA[<p><object width="500" height="306"><param name="movie" value="http://www.youtube.com/v/Sv3wM3ErUcE&#038;fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/Sv3wM3ErUcE&#038;fs=1" type="application/x-shockwave-flash" width="500" height="306" allowscriptaccess="always" allowfullscreen="true"></embed></object></p>
<p>The Security Configuration Wizard is used to create security templates as XML documents. The SCWCMD command converts one into a group policy (GPO). I do this on Microsoft Windows Server 2008 but it is also available on Microsoft Windows Server 2003. Usually, you would use this on a domain controller or in an Active Directory environment.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.technoblogical.com/2010/04/24/scwcmd-convert-security-configuration-wizard-templates-into-group-policies/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

