Active Directory Configuration

Build 2.0


2017-07-05

Table of Contents

1       Creating a Shared folder for SAMLite scan scripts

2       Setting up Scheduled Tasks scanning

2.1         Creating the SAMLiteScan Group Policy Object

2.2         Setting up Scheduled Scans for Windows Vista/2008

2.3         Setting up Scheduled Scans for Windows 7 and later

3       Setting up Logon Script Scanning

3.1         Creating the SAMLiteLogonScan Group Policy Object

3.1.1          Option 1: Logon script on SAMLite Server share

3.1.2          Option 2: Distribute Logon script files in Group Policy Object

4       Creating a WMI Filter for Windows XP and 2003

4.1         Applying the WMI Filter to the SAMLiteLogonScan GPO

5       Excluding Computers from the SAMLiteScan policy

6       Adding Software Restriction Policies

1         Creating a Shared folder for SAMLite scan scripts

On the SAMLite server, create a folder called Scan in the SAMLite V5 installation folder. This folder will hold the SAMLite scanning scripts that the machines to be scanned will run.

Right-click the Scan folder and select Properties, then click the Sharing tab.

Select Advanced Sharing.

Select Share this folder.

Click Permissions.

Give “Everyone” read-only permissions to this folder.

Click OK, then OK again, and select the Security tab.

Click Edit.

Click Add…

Type Everyone and click OK.

Ensure Everyone has Read & execute, List folder contents and Read permissions only.

Click OK and Close.

Copy the SAMLite scanning scripts and SAMScanConfig.txt to the Scan folder.

Edit the SAMScanConfig.txt file. Replace YourSAMLiteServerAddress in the IncomingPath with the correct IP address or a working fully qualified domain name for the SAMLite server.
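
The same share and folder permissions can be created and checked from PowerShell on the SAMLite server. This is an added example, not part of the SAMLite guide; it assumes SAMLite V5 is installed under C:\SAMLite V5 (placeholder path).

```powershell
# Added example (not from the SAMLite guide): create the Scan share with read-only
# access for Everyone at both the share and NTFS level, then verify the result.
# Assumption: SAMLite V5 is installed in 'C:\SAMLite V5' (placeholder path).
$scanPath = 'C:\SAMLite V5\Scan'

New-Item -ItemType Directory -Path $scanPath -Force | Out-Null

# Share permission: Everyone = Read ("Give Everyone read only permissions").
New-SmbShare -Name 'Scan' -Path $scanPath -ReadAccess 'Everyone' | Out-Null

# NTFS permission: ReadAndExecute covers "Read & execute", "List folder contents"
# and "Read"; it is inherited by the scripts and SAMScanConfig.txt placed here.
$acl  = Get-Acl -Path $scanPath
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'Everyone', 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $scanPath -AclObject $acl

# Check: list who holds the share and who can write into the folder. Every scanned
# machine runs whatever is in this folder as SYSTEM, so only administrators should
# appear in the second list.
Get-SmbShareAccess -Name 'Scan' | Format-Table -AutoSize
(Get-Acl -Path $scanPath).Access |
    Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```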

2         Setting up Scheduled Tasks scanning

The Scheduled Tasks scan only works on Windows Vista/2008 and later machines by default. To scan Windows XP/2003 machines, refer to the “Setting up Logon Script Scanning” section.

2.1       Creating the SAMLiteScan Group Policy Object

Launch Group Policy Management and select Group Policy Objects.

Right-click the blank space and select New.

Right-click SAMLiteScan and select Edit to set up the scheduled tasks.

2.2       Setting up Scheduled Scans for Windows Vista/2008

Go to Computer Configuration, Preferences, Control Panel Settings, Scheduled Tasks.

Right-click a blank spot and select New -> Scheduled Task.

Replace YourSAMLiteServer with the appropriate address.

Add //B to the arguments to prevent script errors and prompts from displaying (recommended for production environments). Example:

//B \\YourSAMLiteServer\Scan\localscan.vbs

Set the schedule to Daily at 12 AM. Click Advanced.

Set the interval and repetition as appropriate for your environment and needs. You may not need the scans to run every hour, or even more than once a day.

Stop task if it runs for 15 minutes.

Start task even if on batteries. Don’t stop if battery mode begins.

The Common tab should look like the above. Ensure that “Remove this item when it is no longer applied” is selected, so that the task is removed when the policy no longer applies.

Click on “Targeting…” to set up item-level targeting.

Set up item-level targeting as above. This ensures that this older-style scheduled task is only applied to the older operating systems.

2.3       Setting up Scheduled Scans for Windows 7 and later

Next create a Scheduled Task for Windows 7 and later operating systems.

Go to Computer Configuration, Preferences, Control Panel Settings, Scheduled Tasks.

Right-click a blank spot and select New -> Scheduled Task (Windows Vista and later).

Type NT Authority\System for the user account (do not click on Change User or Group).

Click Run whether user is logged on or not.

The dialog shown above will pop up; click Cancel.

Select Do not store password and Run with highest privileges.

Create a new trigger.

Set the delay and interval as appropriate for your environment and needs. You may not need the scans to be done every hour or even more than once a day.

Replace 10.243.1.171 with your SAMLite server address. Add //B to the arguments to prevent script errors and prompts from displaying (recommended for production environments). Example:

//B \\YourSAMLiteServer\Scan\localscan.vbs

Click OK. You now have created the SAMLiteScan group policy object.

Next, link it to the domain you wish to apply it to.

Right-click the target domain.

Select Link an Existing GPO…

Select SAMLiteScan, click OK.
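
To test the task definition on a single machine before relying on the GPO, the equivalent task can be registered and read back with PowerShell. This is an added example, not from the SAMLite guide; it assumes wscript.exe is the script host (the host that accepts //B) and uses YourSAMLiteServer as a placeholder address.

```powershell
# Added example (not from the SAMLite guide): register on one machine a task equivalent
# to the GPP "Scheduled Task (Windows Vista and later)" configured above, then read the
# settings back. Assumption: wscript.exe is the script host; YourSAMLiteServer is a placeholder.
$scanServer = 'YourSAMLiteServer'
$taskName   = 'SAMLiteScan'

# //B = batch mode: script errors and prompts are suppressed, as the guide recommends.
$action = New-ScheduledTaskAction -Execute 'wscript.exe' `
    -Argument "//B \\$scanServer\Scan\localscan.vbs"

# Daily at 12 AM; add a repetition interval only if your environment needs it.
$trigger = New-ScheduledTaskTrigger -Daily -At '00:00'

# Run as SYSTEM with no stored password and highest privileges
# ("Do not store password" and "Run with highest privileges" in the GPP dialog).
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# Stop the task after 15 minutes; start and keep running on battery power.
$settings = New-ScheduledTaskSettingsSet `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 15) `
    -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Verification: the task must run as SYSTEM and point only at the expected share.
$task = Get-ScheduledTask -TaskName $taskName
[pscustomobject]@{
    RunAs     = $task.Principal.UserId
    RunLevel  = $task.Principal.RunLevel
    Command   = "$($task.Actions[0].Execute) $($task.Actions[0].Arguments)"
    TimeLimit = $task.Settings.ExecutionTimeLimit
    LastRun   = (Get-ScheduledTaskInfo -TaskName $taskName).LastRunTime
}
```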

3         Setting up Logon Script Scanning

This method works on Windows XP/2003 machines. For more recent Windows versions it is recommended to use the Scheduled Task method, which does not require users to log on regularly.

3.1       Creating the SAMLiteLogonScan Group Policy Object

Launch Group Policy Management and select Group Policy Objects.

Right-click the blank space and select New.

Click OK.

Edit the SAMLiteLogonScan policy and go to User Configuration, Policies, Windows Settings, Scripts (Logon/Logoff).

Right-click Logon and click Properties.

There are two main options for configuring the SAMLite logon script. The first option is for the clients to run the logon script directly from the share on the SAMLite server. The second option is to distribute the logon script files along with the Group Policy Object and have the clients run them from the Group Policy Object.

3.1.1       Option 1: Logon script on SAMLite Server share

This option is better if you prefer the logon script and settings to be on the SAMLite Server itself.

Click Add…

Enter the above details (replace “TheSAMLiteServerAddress” with the address of the SAMLite server). Add //B to the arguments to prevent script errors and prompts from displaying (recommended for production environments). Example:

//B \\YourSAMLiteServer\Scan\localscan.vbs

Click OK. Then OK again.

3.1.2       Option 2: Distribute Logon script files in Group Policy Object

This option is better if the clients have lower bandwidth to the SAMLite server or you want different logon scripts and settings for different Group Policies.

Click Show Files.

Copy the logon script files into this folder.

Close the window.

Go back to Logon Properties and click Add…

Click Browse.

Select sam.bat and Open.

Click OK.

Click OK. You are now done configuring Logon Script scanning.

4         Creating a WMI Filter for Windows XP and 2003

Next, create a WMI filter that matches Windows XP and 2003 only. Use this if you wish to limit the SAMLiteLogonScan policy to XP and 2003 machines (the scheduled task policy covers the newer Windows versions).

Right-click in the blank space and select New…

Click Add.

Set the query accordingly. Click OK.

Click Save.
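
The guide leaves the query text to the reader. As an added example (not from the SAMLite guide), the query below is the WQL filter commonly used for “Windows XP/2003 only”, together with a local check of which way the filter would evaluate on the machine it is run on; the namespace is the GPMC default, root\CIMv2.

```powershell
# Added example (not from the SAMLite guide): WMI filter query for Windows XP / Server 2003.
# Win32_OperatingSystem.Version is 5.1.x on Windows XP and 5.2.x on Server 2003 (and XP x64);
# Windows 2000 is 5.0 and Vista/2008 and later are 6.x or higher, so neither matches.
$xp2003Query = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.1%" OR Version LIKE "5.2%"'

# Evaluate the filter the way Group Policy would: the GPO applies if the query returns a row.
$os    = Get-CimInstance -Namespace 'root\CIMv2' -ClassName Win32_OperatingSystem
$match = Get-CimInstance -Namespace 'root\CIMv2' -Query $xp2003Query

if ($match) {
    "$($os.Caption) (version $($os.Version)) matches the filter: SAMLiteLogonScan would apply."
} else {
    "$($os.Caption) (version $($os.Version)) does not match: SAMLiteLogonScan would be skipped."
}
```

Run it on a representative XP/2003 machine (with Get-WmiObject in place of Get-CimInstance where PowerShell 2.0 is the only version available) and on a Windows 7 or later machine to confirm the filter splits them as intended.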

4.1       Applying the WMI Filter to the SAMLiteLogonScan GPO

Select the SAMLiteLogonScan GPO.

Click on the drop-down in WMI Filtering and select “Windows XP/2003 only”.

Click Yes.

You have now created the SAMLiteLogonScan group policy object and ensured that it can only apply to Windows XP/2003 machines.

You may also wish to add the Software Restriction Policies to this group policy object. To do that, refer to Section 6 “Adding Software Restriction Policies”.

Next, link it to the domain you wish to apply it to.

5         Excluding Computers from the SAMLiteScan policy

To apply the SAMLiteScan policy to only certain computers, select the SAMLiteScan GPO and, in the Security Filtering section, remove Authenticated Users and add the group containing the computers you want scanned.

To apply the SAMLiteScan policy to all computers except certain computers or groups (see https://support.microsoft.com/en-us/kb/816100 ):

Click on Add…

Add the object (click on Object Types and select Computers if you want to add computers individually instead of groups).

Click OK.

Then click on Advanced… (at the bottom right of the main GPMC console).

Select the object/group, scroll down in the permissions, and tick Deny for “Apply group policy”.

Click Yes.

Note: policy changes caused by a change in a machine’s group membership only take effect after the machine is rebooted.

6         Adding Software Restriction Policies

These policies prevent unsigned scripts from running from the Scan shared folder (in case an attacker sets up an alternative server and shared folder with a malicious script). This is optional but recommended.

Go to Computer Configuration, Policies, Windows Settings, Security Settings, Software Restriction Policies. Select Action on the top menu, then New Software Restriction Policies.

Select Additional Rules.

Right-click in the blank area and select New Certificate Rule.

Click Browse to look for the certificate you want to use.

Using ISA’s certificate:

Browse to the location containing the SAMLite scan script.

Change the view to Signed files (use the bottom-right drop-down menu).

Find and select localscan.vbs and click Open.

Select Security Level Unrestricted and click OK.

Click Yes.

Select Enforce certificate rules and click OK.

Right-click on the blank area and select New Path Rule.

Add the path to the SAMLite server’s Scan share and make sure it is set to Disallowed (replace 10.243.1.171 with the appropriate address).

You now should see something like the above.

This prevents unsigned scripts from running from the specified path, while scripts signed by the selected certificate can still run from that path. Other scripts elsewhere should be unaffected by this policy.
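
Before enforcing the certificate rule it is worth confirming which certificate the scan scripts on the share are actually signed with, and that none of them is unsigned or tampered (an unsigned or modified script under the Disallowed path will stop running once the rule is enforced). This is an added example, not from the SAMLite guide; YourSAMLiteServer is a placeholder for the server address.

```powershell
# Added example (not from the SAMLite guide): report the Authenticode status and signer
# of every .vbs script in the Scan share. Assumption: YourSAMLiteServer is a placeholder.
$share = '\\YourSAMLiteServer\Scan'

$results = Get-ChildItem -Path $share -Filter '*.vbs' | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        File       = $_.Name
        # Valid, NotSigned, HashMismatch (file changed after signing), UnknownError, ...
        Status     = $sig.Status
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }    else { '-' }
        # Compare this thumbprint with the certificate chosen in the New Certificate Rule dialog.
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '-' }
    }
}

$results | Format-Table -AutoSize

# Anything that is not 'Valid' will be blocked by the Disallowed path rule once
# "Enforce certificate rules" is on: re-sign or remove it before linking the GPO.
$notValid = $results | Where-Object { $_.Status -ne 'Valid' }
if ($notValid) { Write-Warning "Scripts that would be blocked: $($notValid.File -join ', ')" }
```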