Where’s the ADM?

As I’ve mentioned, I’ve been hard at work adapting the NIST Windows XP hardening guidelines in 800-68. Any hardening guideline should be examined for appropriateness to one’s corporate environment.
One thing I noticed about both NIST’s writeup and Microsoft is that neither provides an ADM template. They both have settings that are not part of group policy such as disabling autorun or disabling auto admin logon. Microsoft seems to be providing a vbscript that will “patch” the Security Configuration Editor to have these settings. That would work well when I am applying the security settings to a computer being used to create a disk image for future deployment, but I dont see how I could use that to deploy through group policy.
Unless someone has a better idea, it looks like I’m going to be creating my own ADM file soon.

5 Comments

  1. Did you every find an ADM? I tried your first link about talking to MS but it didn’t resolve. My company is going through this now and I’d rather not have to recreate the wheel of 400+ FDCC settings.
    Thanks,
    Melissa

  2. That link was to the very next post. I’ve fixed the link. It turns out I was doing something stupid, and didn’t see the XP settings because I was looking from a Windows 2000 DC. doh! That would cause you to see only the win2k compatible settings Here’s the link http://www.infosecblog.org/2006/11/i-spoke-with-my-microsoft.html
    Here’s a link about what you need to do to see the MSS settings. http://blogs.technet.com/fdcc/archive/2008/01/29/why-don-t-all-of-the-fdcc-settings-appear-in-the-group-policy-editor.aspx
    You may need to go into a pull down menu to see all settings. I think its under advanced to make sure all policies are viewable. (I’m not in front of GPMC to look at the exact setting).
    If you dont know how to take the FDCC policy file and import it into your environment, this article could help http://blogs.technet.com/fdcc/archive/2007/12/01/importing-fdcc-group-policy-objects.aspx Not sure all that vbscript is really needed. I’d just create a policy and import the xml. The vbscript is more about making updates easier. I haven’t used that.

Comments are closed.