Welcome to Delicate template
Header
Just another WordPress site
Header

Increase Windows Network Security Through Group Policy Software Installations

March 15th, 2012 | Posted by Brett Edgar in Microsoft | Security | Windows

Seeing the rate at which companies have been successfully attacked by Java exploits while their users surf the web, I became increasingly alarmed and wondered how I was going to defend my own network. I had always known that Active Directory Group Policy could push out software, but I had never explored the option as I thought it sounded too involved.

Well, I was wrong. It’s really easy. I just enabled automatic installation (or upgrade!) of the Java 6 Runtime Environment on all of our Windows PCs. I followed the directions posted by Ivan Dretvich on his blog. Check them out here and here. It took me about 15 minutes, and most of that was trying to find the ORCA package he discusses. (Hint: you only need to select the “Tools” option under the “Windows Installer SDK” option from the Platform SDK installer.)

Initially, I restricted the GPO (Group Policy Object) to my computer as Ivan suggests. I had built this GPO with Java 6u31 packages on my DFS root. Before rebooting, I checked and verified that I had Java 6u30 installed. I rebooted, got a cup of coffee, then logged into my Windows 7 machine. Checking again revealed that I now had Java 6u31! Flawless. I fixed the GPO up so that it installs the 32-bit JRE on our few 32-bit machines, and then removed the restriction that applied it only to my computer.

Now, the next time my users reboot, they will automatically get the latest Java version without prompting. And I can breathe easier knowing that our interns aren’t going to click on a stupid link and get pwned by the Blackhole Exploit Kit or any of the other popular Java exploitation frameworks.

This was so easy to do that I can’t think of any reason why a corporate environment shouldn’t be doing this. I am going to move on to Adobe Flash and Adobe Reader next. If I can get all three of these packages to automatically update via GPO, then I will have eliminated 90% of the attacks my users are likely to experience. Plus, my users won’t have to hassle with following prompts to update software on their own. That’s a win.

GPO Software Installations For the Win!

Brett Edgar

Brett Edgar

Brett is a Founder and the former Director of Managed Security Services at TRUE. He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003. He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver. He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.

More Posts - Twitter

You can follow any responses to this entry through the RSS 2.0 You can leave a response, or trackback.

One Response

Leave a Reply