Skip navigation

Security UPDATE--Group Policy and Corporate Policy--October 13, 2004

To receive Security UPDATE in HTML format in the near future, click the following link

To make sure that your copy of Security UPDATE isn't mistakenly blocked by antispam software, add [email protected] to your list of allowed senders and contacts.


This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

The Unofficial Guide to IM for Executives

Security Administrator


1. In Focus: Group Policy and Corporate Policy

2. Security News and Features

- Recent Security Vulnerabilities

- Modify Your ASP.NET Applications for Added Security

- Microsoft Working on Spyware Solution

3. Security Matters Blog

- Security Fixes Available for Mac OS X

- Security Update for Firefox Preview Release

4. Security Toolkit


- Security Forum Featured Thread

5. New and Improved

- Use Certificates to Secure Your Files

- Monitor Keystrokes, Passwords, Emails, and Web Site Visits



In September, we converted our email newsletters to HTML. This change was based on audience feedback that led us to believe the scale had tipped in the favor of HTML email newsletters.

Wow, did you ever chime in with feedback on this one! You resoundingly told us, "Don't take away my text newsletters!" More than 1000 (and counting) of you have taken time out of your busy day to tell how you want your email newsletters delivered.

Now we're moving email newsletters back to text format. At the top of this newsletter, we've included a link for any reader who wants to sign up for the HTML format, which we will offer again when demand for this format has built up.

It's wonderful to see how responsive our audience is and how much you care about the content. We want to continue providing high-value content in these free email newsletters. Our sponsors and your clicks are what allow us to produce this high-quality content for free in the email newsletters.

We have been overwhelmed by your response and appreciate this incredible testament to the deep community relationship we have with you. In a meeting the other day, we were discussing how cool it is that thousands of you felt strongly enough to take the time to write us an email and tell us your thoughts!

We work really hard to listen to you, our loyal (and opinionated!) audience, and we feel privileged to have been the hub of this incredibly active Windows IT community over the past 10 years. Keep the feedback coming, because you know we're listening!

Best regards,

Karen Forster


==== Sponsor: Akonix ====

The Unofficial Guide to IM for Executives

This free white paper will help managers, directors and executives in all types of businesses understand Instant Messaging and the powerful benefits it brings to the workplace when properly managed and controlled. According to Giga Information Group, a large majority of mid- to large-sized organizations have no formal IT support for IM. This means employees are often logging onto public IM networks without permission and without protection from viruses and worms, corporate policy control or the ability to monitor and log conversations. Start protecting your organization and get the white paper now!


==== 1. In Focus: Group Policy and Corporate Policy ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Recently on a popular mailing list devoted to security on Microsoft platforms, a member explained that he had configured Group Policy to prevent people from installing unapproved software on their systems. He wrote that he wasn't content with Group Policy Objects (GPOs), because they only block the installation of software packaged in Windows Installer (.msi) files, which means that executables could still run and install programs.

In response, another list member suggested that administrators could adjust ACLs on areas of the registry (such as the HKEY_LOCAL_MACHINE\SOFTWARE subkey or HKEY_CURRENT_USER\Software subkey) and on directories (such as the Program Files directory) to restrict regular user accounts from having write access, which would prevent the installation of software. These actions could work but might break some applications that need to write to those areas of the registry and file system.

Another list member suggested that administrators could configure restrictions that prevent programs such as setup.exe and install.exe from running. This might work too, but some users will realize they can simply rename typical installation programs and the programs will run just fine.

Obviously, a combination of tactics is required. Completely restricting people from installing software on their systems, whether you use controls built into the OS or add-on controls from third parties, is challenging. The further you programmatically restrict activity on a system, the greater chance you have of breaking some application that users need.

As I read the message thread, it became clearer how much administrators struggle to outmaneuver the people who use the computers on their networks. It seems to me that there is an additional, less stressful way to address this particular problem. Companies can establish written guidelines that explain exactly what employees are allowed and not allowed to do with company computers and make employees liable for any misuse of company computers to deter employees from acting outside the guidelines.

If someone installs software on a computer without permission, somewhere along the line, an administrator will probably have to uninstall that software or rebuild the system to ensure some desired level of system integrity. This work costs the company money and is basically a waste of company time. So why not consider a corporate policy that lets you charge the negligent employee for the time and labor needed to restore a system to its original configuration? Of course, you could also add even stronger deterrents to your policies if your situation warrants them.


==== Sponsor: Security Administrator ====

Try a Sample Issue of Security Administrator! Security Administrator is the monthly newsletter from Windows IT Pro that shows you how to protect your network from external intruders and control access for internal users. Sign up now to get a 1-month trial issue--you'll feel more secure just knowing you did. Click here!


==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

Modify Your ASP.NET Applications for Added Security

The new Microsoft article "Programmatically check for canonicalization issues with ASP.NET" ( ) recommends program code adjustments for applications that use ASP.NET. The changes will help strengthen overall security because they prevent intruders from gaining access to files they shouldn't be able to access.

Microsoft Working on Spyware Solution

During a recent trip to the Computer History Museum in Mountain View, California, Microsoft Chairman and Chief Software Architect Bill Gates revealed that his company is working on an antispyware software solution. Gates didn't say when the company would ship the technology or whether it would be bundled with Windows or shipped as a standalone product.


==== Announcements ====

(from Windows IT Pro and its partners)

Get the Charter Issue of Windows IT Pro!

Windows & .NET Magazine is now Windows IT Pro! Act now to get our special charter issue rate of just $39.95--that's 52% off the cover price! The September issue shows you how to plug DNS holes and select the best scripting editor, plus learn more about the business side of IT. And discover the top 10 PC trends we think you need to keep an eye on. This is a limited-time offer, so order today!

Microsoft Exchange Connections October 24-27 in Orlando, FL

Microsoft and Windows IT Pro team up to produce the essential conference for network administrators and IT managers on Exchange Server and Outlook technology. Register early, and attend sessions at concurrently run Windows Connections for free. See the complete conference brochure online or call 800-505-1201 for more information.

Join Itzik Ben-Gan, William Vaughn, and Gert Drapers in Brussels!

Learn from SQL Server Magazine experts at Europe's premiere SQL Server event--Brussels SQL Server Day on October 26. Join Microsoft and SQL Server Magazine for a free, full-day event that gives SQL Server users the tools they need to unleash the power of SQL Server 2000, deploy SQL Server Express, and get ready for SQL Server 2005. Register now!


==== 3. Security Matters Blog ====

by Mark Joseph Edwards,

Check out these recent entries in the Security Matters blog:

Security Fixes Available for Mac OS X

For those of you who support Apple systems on your network, be aware that a new set of security patches for Apple Mac OS X is available now.

Security Update for Firefox Preview Release

If you're using the Mozilla Firefox Web browser, you might need to install an update to protect your systems against possible attacks. On September 29, Alex Vincent reported a vulnerability that might let intruders delete files on a user's system. Mozilla issued an update for the browser on October 1.

==== 4. Security Toolkit ====


by John Savill,

Q: Why can't clients view a Web site that I'm hosting on a system that has Windows XP Service Pack 2 (SP2) installed?

Find the answer at

Security Forum Featured Thread

A reader writes that he wants to move some data into a shared read-only area in his file system. The data should ideally retain its current permissions to the extent that only those with access now can still access the data after the migration. To achieve this goal, he proposes to use the Everyone group with a "deny" attribute to ensure that, despite existing permissions, the highest level of access available to the user community will be read-only. He would also like to prevent anyone from mass-copying data out of this area. He wants to know whether what he's trying to achieve is possible and, if so, how he can do it. Join the discussion at


==== Events Central ====

(A complete Web and live events directory brought to you by Windows IT Pro at )

Are You "Getting By" Using Fax Machines or Relying on a Less Savvy Solution That Doesn't Offer Truly Integrated Faxing from Within User Applications?

Attend this free Web seminar and learn what questions to ask when selecting an integrated fax solution, discover how an integrated fax solution is more efficient than traditional faxing methods, and discover how to select the fax technology that's right for your organization. Register now!


==== 5. New and Improved ====

by Renee Munshi, [email protected]

Use Certificates to Secure Your Files

EldoS offers EldoS PKI Tools, which encrypts and signs files using X.509 certificates and manages the certificates. EldoS PKI Tools lets you perform simple file operations such as packing files into a .zip archive, sending files as email attachments, and securely deleting files. You can also perform advanced security operations such as signing and encrypting files and folders. All operations are performed with just a few clicks. EldoS PKI Tools uses digital certificates instead of passwords to provide better information security and integrity. EldoS PKI Tools supports smart cards and USB tokens for storing certificates. EldoS PKI Tools runs on Windows 2003/XP/2000/Me/98. For more information, or to purchase and download EldoS PKI Tools, go to

Monitor Keystrokes, Passwords, Emails, and Web Site Visits

iOpus Software's ActMon replaces STARR PC & Internet Monitor. ActMon monitoring software claims several unique features: "kernel-level" file protection that makes files completely inaccessible and invisible to unauthorized users, "kernel-level" keyboard recording that even logs the keystrokes entered during Windows XP/2000 logon, and an activity data log that's protected with 256-bit encryption and that can run in an endless loop. In addition to its unique features, ActMon performs the usual monitoring tasks, tracking keyboard strokes, passwords, incoming and outgoing chat conversations, email messages, and visited Web sites. The ActMon PRO Edition adds advanced features such as flexible network functions to send and receive reports via the Internet or a local network. ActMon PRO costs $69.95, with discounts available for multiple users, sites, and nonprofit organizations. ActMon runs under Windows 2003/XP/2000/Me/98. You can purchase ActMon or download a free 30-day trial version at

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected].

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.


==== Contact Us ====

About the newsletter -- [email protected]

About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]


This email newsletter is brought to you by Windows IT Pro, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2004, Penton Media, Inc. All rights reserved.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.