WindowSecurity.com - Unless you have been living under a rock, you have been watching the IT community stand up and take notice of all of the security issues that keep rising up, day after day. One of the most prevalent areas where you have seen this attention to security is within group policy.
Group Policy is one of the core operations that is performed by Windows Active Directory. Within the past two years, Microsoft has doubled the number of Group Policy settings that they ship with the operating system. There are now nearly 1,700 settings in a standard Group Policy. The emphasis on most of the Group Policy settings is security.
New applications are constantly being provided to help protect against the spyware, viruses, worms, malware and other malicious code that runs through our networks and the Internet. Microsoft and other companies are trying to develop solutions as fast as they can, but the core problem is still not being addressed.
The core problem to many of the security issues on a Windows computer is that the baseline security is not configured properly. When you get a computer installed for the first time, it is no where near as secure as it should be. Even if you go through every Control Panel setting and Group Policy option, you won't get the computer to the baseline security that you desire.
The only way to get a Windows computer to a security level that will be near bulletproof is to make additional Registry changes that are not exposed through any interface, except Regedt32.exe. There are many ways to get these Registry changes completed on every computer in the enterprise, but some are certainly more efficient than others.
The reality of the problem
You may think there are not that many Registry settings that can help protect your computer. The reality of the overall problem becomes prevalent when you start researching and investigating the abundance of "Registry hacks" that are discussed in Microsoft Knowledge Base articles.
Another place that you might find Registry-related security fixes is within the newsgroups. For example, I monitor a Group Policy question board and the last question that I had was with regard to controlling USB devices. A quick search on the Internet says to modify the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor Registry value to control a USB device. If you do an exhaustive search through any existing tool that is provide by Microsoft, you will not find a way to control this value without manually updating the Registry. Let's first take a look
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
