I’d first look into this: Apply High-Security Template (hisecws)
http://www.tech-faq.com/understanding-security-templates.html
And pick/test a security template that doesn’t break anything in your environment.

Here is a copy/pasta dirty list I have of some settings and GPOs I use to tweak Windows. Hopefully it helps you.

  Un-Hide Extensions for known file types
  Set default view in Explorer to ‘Details’
  Tons of Start Menu Clean-up, small icons, disable the garbage
  UAC Tweaks
  Screen saver: 10 Minutes and Lock PC
  Appearance: Turn off all the eye candy effects
  Disable hibernation
  Power scheme settings and close lid settings
  Disable services (Alerter, Help and Support, SSDP, Telnet)
  Turn off System Sounds
  Enable TrueType
  IE Cleanup/Tweaks
  Remove all those MS links
  Firewall Policy (Remote and Local)
  Disable USB Drives
  Remove Path Footer from IE Print Jobs
  Junk Mail settings
  Disable AutoPlay
  PopUp Blocker settings for internal applications/owa
  Tight Password Policy
  Account Lockout settings
  Audit Policy
  Windows Update Settings (Remote and Local)
  Rename Admin Account policy
  Software Restriction Policy (Blacklists Applications)

Outlook:
  Force Spell Check
  Encrypt Traffic
  Global Safelists
  Remove Open Confirmations for Office Docs
  Disable AutoArchive
  Prevent addition of POP3, http, and imap accounts
  Prevent PST usage
  Disable sounds

Windows 7 centric:
  Corporate Logo applied to default logon picture
  Disable Sounds
  Turn off Defender
  Turn off Windows Mail
  Prevent First use Dialog boxes
  Disable Messenger
  Hide Windows Market Place
  Restore QuickLaunch
  Show Run Command
  Restore Control Panel view

Sam

From: Rankin, James R [mailto:[email protected]]
Sent: Monday, March 21, 2011 3:33 PM
To: NT System Admin Issues
Subject: Re: Win 7 configuration options?

Ah, already used those. I was hoping there was actually a "standard" GPO I could use. I've already hacked those in with GPP, cheers tho!
Typed frustratingly slowly on my BlackBerry® wireless device

_____

From: "Tom Miller" <[email protected]>
Date: Mon, 21 Mar 2011 16:29:11 -0400
To: NT System Admin Issues <[email protected]>
ReplyTo: "NT System Admin Issues" <[email protected]>
Subject: RE: Win 7 configuration options?

Okay, let me take a look. I had to do something special to turn Libraries off when we had a XenDesktop pilot. The pilot is done and my notes don't cover what I'm looking for, but I think I did something like this:

http://technet.microsoft.com/en-us/library/ee617161(WS.10).aspx

And for Libraries:

http://www.petri.co.il/remove-libraries-and-favorites-from-windows-explorer.htm

Although for both I thought I used GPO settings.

For Win 7, it's best to install the RSAT tools on a Win 7 box and create the policies from that PC, so you'll be able to see all the settings.

Tom

>>> "Garcia-Moran, Carlos" <[email protected]> 3/21/2011 3:54 PM >>>
+1 and Action Center too, I'd be interested

Cheers!

From: Rankin, James R [mailto:[email protected]]
Sent: Monday, March 21, 2011 3:49 PM
To: NT System Admin Issues
Subject: Re: Win 7 configuration options?

Can you disable Libraries via GPO? Please share if there is a way...libraries are a pain for users used to the old ways

Typed frustratingly slowly on my BlackBerry® wireless device

_____

From: "Tom Miller" <[email protected]>
Date: Mon, 21 Mar 2011 14:29:19 -0400
To: NT System Admin Issues <[email protected]>
ReplyTo: "NT System Admin Issues" <[email protected]>
Subject: RE: Win 7 configuration options?

We are starting the Win 7 rollout here as well. The only two things I added to our standard settings were 1) Disable the really annoying "Action Center" and 2) Disable Windows Libraries. Windows Libraries are a neat idea, but at least in my work environment it will just add to confusion.

I can send you GPO edits for these if you want.

Tom

>>> "Steven M. Caesare" <[email protected]> 3/21/2011 2:25 PM >>>
Oh agreed.
We are using Group Policy for enforcing the US Government Baseline security settings… but that’s been implemented by my network team here, and focused specifically on the policy settings we have to implement to comply with the mandates.

But by and large it looks like the desktop group here has had almost zero configuration definitions or best practices for all the other Win configuration options… I’m trying to collect whatever collateral to put in front of them that I can on short notice to get them thinking on what they can do from a centralized configuration perspective… so they can take a stab at building a config document to generate an image to validate against.

-sc

From: William Robbins [mailto:[email protected]]
Sent: Monday, March 21, 2011 2:19 PM
To: NT System Admin Issues
Subject: Re: Win 7 configuration options?

Well, in my past positions, we started off with business needs, and looked to see what we could accomplish with GPO's. Typically it was things to meet/exceed existing security policies, but were sometimes as trite as setting a facility specific wallpaper.

I suppose, not knowing what you are needing to accomplish, I can't offer much advice save the term "baby steps." GPO's are awesome magical beings that when used inappropriately, or in error can wreak havoc faster than you can say Rumpelstiltskin!

- WJR

On Mon, Mar 21, 2011 at 13:01, Steven M. Caesare <[email protected]> wrote:

Awesome, thanks WJR.

Next question… how do folks define what they want in their organizations? Do you go through this ginormous document? Do you just decide on SOME things you want to do initially (redirect default save locations, etc…), and then refine over time?

How do you go about deciding settings things that _AREN’T_ managed via GPO?

My gut and initial reading seems to reinforce the idea that I want very little customization in the image itself… just the OS and necessary drivers.. with just the things I cannot manage via GPO.
After that we’ll layer apps on as individual packages.

Is that how you folks are addressing client lifecycle configuration and management?

Thanks.

-sc

From: William Robbins [mailto:[email protected]]
Sent: Monday, March 21, 2011 1:52 PM
To: NT System Admin Issues
Subject: Re: Win 7 configuration options?

Lest I be thought completely useless:

Group Policy Settings Reference for Windows and Windows Server
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=18c90c80-8b0a-4906-a4f5-ff24cc2030fb&displaylang=en

- WJR

On Mon, Mar 21, 2011 at 12:32, Steven M. Caesare <[email protected]> wrote:

So… I’m being pulled in to a Windows 7 rollout project that previously has had very little adult supervision… and as such needs to have several parts of it rebooted.

We need to quickly do some work to define what configuration options we want in the base image we are going to deploy. The obvious goal is to manage as much via GPO as possible… but not everything is GPO-manageable (power setting, etc…?). Regardless as to if the setting is set via GPO, it still needs to be decided upon.

So my question is: Other than paging through the GPO MMC snapin and looking at each setting, is there a good comprehensive doc that lists everything out that we can use as the basis for discussion? If this does exist, does it cover all the things not managed via GPO as well?

Thanks.

-sc

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
