sign in sign up
<<
Home , AppLocker, User Account Control

ILTA HANDS‐ON Securing

8/23/2011

8024575v.1 ILTA HANDS‐ON

Table of Contents

About this lab ...... 3 About the Laboratory Environment ...... 4 Lab 1: Restricting Users ...... 5 Exercise 1. Verify the default rights of users ...... 5 Exercise 2. Adding a user to the local administrators group ...... 6 Exercise 3. Setting up an administrative console ...... 6 Lab 2: ...... 8 Exercise 1. Standard User Account Control ...... 8 Exercise 2. User Account Control Policy ...... 9 Exercise 3. Administrator Access – Protected Desktop ...... 10 Lab 3: File and Registry Virtualization ...... 11 Exercise 1. Demonstrate how file virtualization works ...... 11 Lab 4: ...... 13 Exercise 1. Permitting applications through the firewall ...... 13 Exercise 2. Creating a new inbound firewall rule ...... 14 Lab 5: Creating Security Policies ...... 15 Exercise 1. Create a Object to manage Security ...... 15 Exercise 2. Configure Default Firewall Policies ...... 15 Exercise 3. Configure Inbound Firewall Rules ...... 17 Exercise 4. Control Local User Accounts via Group Policy Preferences ...... 19 Exercise 5. Change the local administrator account password via Group Policy Preferences ...... 20 Exercise 6. Add a local administrator account for laptops only ...... 21 Lab 6: Configuring AppLocker ...... 22 Exercise 1. Configure AppLocker Rules ...... 22 Exercise 2. Configure AppLocker to enable auditing ...... 23 Exercise 3. Configure AppLocker to deny application access ...... 24

ILTA11 Securing Windows 7 Page 2

8024575v.1 ILTA HANDS‐ON

About this lab

This Laboratory session is designed to familiarize with some of the security features of the Windows 7 .

We will take you typical administrative tasks of managing security of Windows 7, such as restricting application access, and managing local security groups. The first part of the lab will focus on understanding and configuring local security features. The second part will focus on deploying and managing those settings through Group Policy.

This laboratory is targeted for the desktop administrator, and assumes that the participant has general experience with Windows 7, , and Group Policy technologies. While relevant experience is helpful, it is not required to complete the lab exercises.

ILTA11 Securing Windows 7 Page 3

8024575v.1 ILTA HANDS‐ON

About the Laboratory Environment

You will be working in teams of two, sharing a workstation between members. The workstation has been configured with Windows 2008 R2 Hyper‐V in order to house the virtual computers required for this lab.

We have configured two virtual machines as follows:

• SECW7‐DC: A Windows 2008R2 , with Active Directory, DNS, and DHCP installed.

• SECW7‐CLIENT: A Windows 7 SP1 x64 client, joined to our Active Directory domain.

Both virtual machines have been setup in a the ILTA11.local domain and exist on the same network.

Notes:

• You should use the IT.Manage account for the laboratory tasks, except where noted. Its password is Ilta11admin.

• The password for administrator is p@ssw0rd.

• Two typical users have also been setup: Ken and Sally. Their passwords are Ilta11user

• DO NOT USE THE CTRL‐ALT‐DEL KEY SEQUENCE, AS IT WILL DISRUPT YOUR VIRTUAL SERVER SESSION. You should use the RIGHT ALT‐DEL key sequence instead.

ILTA11 Securing Windows 7 Page 4

8024575v.1 ILTA HANDS‐ON

Lab 1: Restricting Users

< In this lab, we learn some of the security basics of account management. >

Exercise 1. Verify the default rights of users

1. Switch to the SECW7‐CLIENT virtual machine, and press the CTRL – ALT – DEL button (upper left corner). Login as it.manage. The password is Ilta11admin.

2. Launch Windows Explorer. ( => Type “explorer”)

3. Browse to Computer => C:\. Right click on the Program Files directory and choose Properties.

4. Select the Security tab. Note the default permissions for the folder. Click Users to see that users only have Read & execute, List folder contents and Read rights.

5. Click Advanced. More granular permissions are presented. Take note of permissions for TrustedInstaller and System by double clicking each name. They have full control, along with Administrators.

TIP – Introduced in Vista, the Trusted Installer service account is used by UAC to protect critical operating system files. As it is the owner of those critical files, it keeps applications (or users!) running as system or administrator from modifying operating system files. In some cases, only the Trusted Installer account has full access to files.

6. Select the Effective Permissions tab. Press Select. Type in Ken and choose Check Names. Press ok. Note the default permissions on the folder. Press ok twice.

7. Browse to C:\ProgramData. Right click on the directory. Choose Properties.

ILTA11 Securing Windows 7 Page 5

8024575v.1 ILTA HANDS‐ON

TIP – If you do not see C:\ProgramData, press the ALT key once while in Windows Explorer. Go to Tools => Folder Options. Select the View tab and make sure “Show hidden files, folders and drives” is selected.

8. Select the Security tab. Note the default permissions for the folder. Click Advanced.

9. Select the Effective Permissions tab. Press Select. Type in Ken and choose Check Names. Press ok. Note the default permissions on the folder. In the ProgramData folder, Ken can write and modify files, but not delete them. Press ok twice.

Exercise 2. Adding a user to the local administrators group

1. Logged in as it.manage, go to and type “users” in the search programs and files dialog. Select Edit local users and groups.

2. Click Groups and double click Administrators. Note that the IT Computer Management group is a member. The it.manage user gets local administrative rights via this domain group.

TIP – Adding a domain group to the administrators group is a more effective way to manage local administrative permissions, as it is more easy to manage one group rather than many individual user accounts on each machine.

3. IMPORTANT: To demonstrate managing the administrator group via Group Policy preferences in a later exercise, add Sally to the administrators group on the computer. Click Add and type “Sally” in the Check Names dialog. Press Ok twice.

Exercise 3. Setting up an administrative console Run as Administrator to run the console with the same administrative token>

1. Switch to a standard user. Go to => Shut Down => Switch user.

2. Login as Ken. The password is Ilta11user.

3. Go to => mmc. Select mmc.exe from the search results.

4. Click File => Add/Remove Snap‐in…

ILTA11 Securing Windows 7 Page 6

8024575v.1 ILTA HANDS‐ON

5. Choose Active Directory Users and Computers, Computer Management (select Local), Group Policy Management and Windows Firewall (Local) by clicking for each.

6. Your console will appear as below:

7. Go to File => Save As... Save the msc to the Desktop folder with name AdminTools.

8. Next, go to the Desktop. Right‐click on AdminTools and choose .

9. Enter administrative credentials at the UAC prompt. Press Enter. (it.manage ‐ Ilta11admin)

10. The console is now running as it.manage in Ken’s login session. Let’s confirm that.

11. Right‐click on the task bar and choose Start .

12. Select the Process tab. Note that it lists mmc.exe running as it.manage.

ILTA11 Securing Windows 7 Page 7

8024575v.1 ILTA HANDS‐ON

Lab 2: User Account Control

1. Be sure you are logged in as Ken on the SECW7‐CLIENT VM. The password is Ilta11user.

2. Go to => type “uac”. Click Change User Account Control settings from the search results.

3. Enter administrative credentials at UAC prompt. (it.manage ‐ Ilta11admin). Note the dimming of the desktop. This is known as the Secure Desktop.

4. Move the slider to see each of the different levels of UAC. Note the granularity of settings compared to Vista below:

Figure 1 ‐ Vista UAC Control Figure 2 ‐ Windows 7 UAC Control

5. Move the slider to see the available options. We recommend keeping on the highest setting.

TIP – The slider does not always represent the settings in group policy, so be sure to use a command like gpresult to determine effective UAC policy settings.

ILTA11 Securing Windows 7 Page 8

8024575v.1 ILTA HANDS‐ON

Exercise 2. User Account Control Policy Settings

1. Logged in as Ken, go to => type “local” Select “Local Security Policy”. Press Enter.

2. Dismiss “You do not have permission to perform this operation.” dialog. Close Local Security Policy.

3. Go to => type “local” Right click on Local Security Policy. Choose Run as administrator

4. Enter administrative credentials. Press Enter. (it.manage ‐ Ilta11admin)

5. Expand Local Policies => Security Options. Scroll down to the bottom and review the UAC local policy options.

6. Note the terms used in the options. Review the terminology below to understand each option. Take special note of “Virtualize file and registry write failures to per‐user locations” and “Run all Administrators in Admin Approval Mode”

Figure 3 ‐ UAC Local Policy Settings

Prompt for Elevation – When an administrative function is initiated, prompt appears to either elevate a user via consent or credentials in the form of a password or other authentication mechanism. This prompt changes depending on the publisher and certificate of the application.

Secure Desktop – The secure desktop is very similar to having to press CTRL ‐> ALT ‐> DEL at logon. It is an isolation environment where no script or application can run. The secure desktop “dimming” function is difficult for to reproduce. It can cause problems for remote tools, which the Only elevate UIAccess applications that are installed in secure locations policy addresses.

Admin Approval Mode – even when logged in as an administrator, AAM causes the administrator to run under a restricted user token and when necessary escalate to a higher privileged token via a UAC prompt.

Virtualize file and registry – This is a compatibility feature that allows “incompatible” 32‐bit applications to run on Windows 7 without compromising file and registry integrity.

ILTA11 Securing Windows 7 Page 9

8024575v.1 ILTA HANDS‐ON

Exercise 3. Administrator Access – Protected Desktop

1. Logged in as Ken, browse to C:\Temp. Double click to run googleearthwin‐peruser.exe.

2. Follow the prompts to install Google Earth. Note there are no UAC prompts as this is a “user only” installation. Admin approval mode does not affect actions within the user context. Instead, refer to the User Account Control: Behavior of the elevation prompt for standard users.

3. Uncheck the boxes at the end of the dialog so as not to run Google Earth (although it may be tempting).

4. Go to => Shut Down => Switch user. Switch to the administrative user, it.manage (Ilta11admin).

5. Let’s check the user token in Admin Access Mode. On the desktop, double click on the cmd

(user) shortcut on the desktop.

6. Type “whoami /all” at the prompt and press Enter.

7. Scroll to the top of the command window. Note that although the it.manage is a member of the Administrators group of the machine, it is set to “Deny only”. Close the window.

8. On the desktop, double click on the cmd (admin) shortcut on the desktop.

9. Press Yes at the UAC prompt to elevate the token.

10. Type “whoami /all” at the prompt and press Enter.

11. Scroll to the top of the command window. Note that although the it.manage is a member of the Administrators group of the machine, it is set to “Enabled group”. Close the window.

12. Let’s try to install an application as an administrator. Browse to C:\Temp. Double click to run googleearthwin‐peruser.exe.

ILTA11 Securing Windows 7 Page 10

8024575v.1 ILTA HANDS‐ON

13. Note the UAC icon flashing the in the tray. Even though this is a “user‐only installation”, the UAC warning appears because Google is a “non‐” publisher. (see Behavior of the elevation prompt in Admin Approval Mode) in Figure 3 above.

14. Follow the prompts to install Google Earth. Uncheck the boxes at the end of the dialog so as not to run Google Earth.

Lab 3: File and Registry Virtualization

Exercise 1. Demonstrate how file virtualization works

1. Logged in as it.manage, double click on the cmd (admin) shortcut on the desktop . Choose Yes to elevate credentials.

2. Double click on the cmd (user) shortcut on the desktop. Place them side by side on your screen.

3. On the cmd (admin) window type “dir > diradmin.txt”

4. On the cmd (user) window type “dir > diruser.txt”. You will get the message “Access is denied”

5. Right click on the task bar and choose Start Task Manager.

6. Select the Process tab.

7. Click the View menu item and choose Select Columns…

8. Scroll down until you see “User Account Control (UAC) Virtualization” Check the box. Press Ok.

ILTA11 Securing Windows 7 Page 11

8024575v.1 ILTA HANDS‐ON

9. On the task manager, select the the cmd process where UAC Virtualization is listed as Disabled. Right click and select UAC Virtualization.

10. Select Change Virtualization. It should now say Enabled.

11. Click on the cmd (user) window. Press the up arrow once to re‐display the command. Press Enter.

12. Note that the command now succeeds.

13. Switch to the cmd (admin) window. Type dir *.txt. Press Enter.

14. Note the diruser.txt file does not exist, but the diradmin.txt file does.

15. Go to and click on the username of the logged in user.

16. Browse to AppData ‐> Local ‐> Virtual Store ‐> Windows ‐> System32.

17. Note the diruser.txt file in the directory.

TIP – Beware of changing settings manually in applications where file and registry virtualization are in effect. If you change settings in the original destination location (e.g. the Program Files directory) the settings you pushed via Group Policy Preferences will be overridden by those in the Virtual Store.

ILTA11 Securing Windows 7 Page 12

8024575v.1 ILTA HANDS‐ON

Lab 4: Windows Firewall

In this lab, we discover how to manage the built in Windows Firewall.

Exercise 1. Permitting applications through the firewall

1. Go to => Shut Down => Switch user. Log in as Ken on the ILTA11‐SECW7‐CLIENT, double

click Google Earth on the desktop .

2. Google Earth will take a few seconds to launch. You will get the pop‐up below:

3. Click Allow Access and enter administrative credentials. (it.manage ‐ Ilta11admin). Click ok.

4. You will get several warnings about Google Earth not being able to contact servers. Dismiss each dialog. Choose Exit, then ok.

5. Go to Start => type “firewall”. Select Allow a program through Windows Firewall . Note that googleearth.exe is now listed.

6. Select

ILTA11 Securing Windows 7 Page 13

8024575v.1 ILTA HANDS‐ON

7. Enter administrative credentials. (it.manage ‐ Ilta11admin). Click ok.

8. Check the two boxes to allow Home/Work (Private) and Public networks.

9. Click ok.

TIP: Referring to the local Windows Firewall exclusions can be helpful when populating firewall exclusions for Group Policy.

Exercise 2. Creating a new inbound firewall rule

1. Login to SECW7‐DC as administrator (p@ssw0rd).

2. Go to Start ‐> type services.msc Press Enter.

3. Right click on Services(Local) and choose Connect to another computer…

4. Type SECW7‐CLIENT and choose ok.

5. Wait a few seconds. Note the Error 1722: The RPC server is unavailable. Click ok.

6. Switch to the SECW7‐CLIENT VM.

7. Go to Start => type “Firewall”.

8. Click on Windows Firewall. (Note the separate networks available to the firewall. )

9. Click on Allow programs to communicate through Windows Firewall (Note the pre‐configured rules available to setup. )

10. Select

11. Enter administrative credentials. (it.manage ‐ Ilta11admin). Click ok.

12. Put a check box in Remote Service Management. Click on Details to find out a more specific description. Click OK.

13. Switch back to SECW7‐DC. Attempt to connect to services on SECW7‐CLIENT again using steps 1‐4)

ILTA11 Securing Windows 7 Page 14

8024575v.1 ILTA HANDS‐ON

Lab 5: Creating Security Policies

In this lab, we learn how to manage the Windows Firewall using Group Policy.

Exercise 1. Create a Group Policy Object to manage Security

1. Focus on the DC virtual machine, and login as the administrator account. The password for the account is p@ssw0rd. 2. Launch the Group Policy Management Console by double clicking the icon on the desktop. 3. Expand the Ilta11.local forest, and navigate to Domains => ilta11.local => WIN7. 4. Right click the WIN7 OU, and click Create a GPO in this domain, and Link it here… Name the GPO “Win7 Security Settings”, and click OK. We will primarily be using this group policy object to configure our security settings.

Exercise 2. Configure Default Firewall Policies

1. Right click the GPO you just created and choose Edit. 2. Navigate to Computer Configuration => Policies=> Windows Settings => Security Settings => Windows Firewall with Advanced Security. Click on the Windows Firewall with Advanced Security icon to see Overview:

ILTA11 Securing Windows 7 Page 15

8024575v.1 ILTA HANDS‐ON

The Overview gives you summary information on how the policy will configure the Windows 7 Firewall. At this time, it is unconfigured. 3. The first thing we are going to do configure the Firewall state. To do so, click the Windows Firewall Properties link. 4. For most environments, it is recommended to enable the Windows Firewall to block inbound connections for the Domain, Private, and Public networks. Do so by clicking on the Domain Profile tab, and change the Firewall state to On (recommended). For Inbound connections, change it to Block (default). Leave the Outbound connections as Not Configured. Repeat these same changes to the Private Profile and Public Profile tabs.

ILTA11 Securing Windows 7 Page 16

8024575v.1 ILTA HANDS‐ON

5. Click the OK button to apply the changes:

6. To check the status of the policy, switch to the Windows 7 client and reboot it. Once prompted, login as IT.Manage, and navigate to Start => => System and Security, and click the Windows Firewall link. Note the following message:

7. We can also verify that the firewall is operational. Switch to the Domain Controller, and try to ping the Windows 7 workstation. Open a command prompt, and type “ping secw7‐client”. Note that the requests time out.

Exercise 3. Configure Inbound Firewall Rules

1. From the Domain Controller, go back to the Win7 Security Settings policy, and navigate to the Windows Firewall with Advanced Security node. 2. Right click the Inbound Rules, and click New Rule…. Click the Custom option, and then click Next. Leave the default All programs option on, and click Next.

3. For the Protocol and Ports screen, change the Protocol type to ICMPv4: ILTA11 Securing Windows 7 Page 17

8024575v.1 ILTA HANDS‐ON

Click Next. 4. Leave the local and remote IP addresses as default, and click Next. 5. Leave the option of Allow the connection selected, and click Next. 6. Apply this rule to all three profiles by making sure Domain, Private, and Public are checked. Click Next. 7. Name the Rule “Allow Ping”, and click Finish. 8. Let’s create one more inbound rule that allows us management of the client. Click the Inbound Rules, and click New Rule…. Click the Predefined option, and select Remote Administration from the drop down dialog. Click Next when finished. Click Next, Next, and Finish past the remaining dialogs.

9. We are now ready to test our Firewall updates. From the domain controller, launch Computer Management by clicking Start => All Programs => Administrative Tools => Computer

ILTA11 Securing Windows 7 Page 18

8024575v.1 ILTA HANDS‐ON

Management. Connect to the client workstation by clicking Action => Connect to another computer, typing in secw7‐client, and click OK. 10. The connection should fail as our client workstation has not received our latest updates in our firewall policy. To force our clients to receive the updates, you can wait past the default policy refresh interval, force a policy refresh on the client, or simply reboot the client. Let’s force a policy refresh by switching to our Win7 client workstation, opening up a command prompt, and typing “gpupdate /force”.

11. Once the update is complete, switch back to the DC, and reconnect to the secw7‐client in computer manager. It should now work correctly. You can also attempt to ping the workstation as you did in the last step of the previous exercise. It should also now be functional.

You now have configured your firewall policy so that your Windows 7 clients will have the firewall enabled to block inbound connections, but ping traffic and remote administration will be allowed.

Exercise 4. Control Local User Accounts via Group Policy Preferences

1. Flip to the domain controller. If you have completed the previous exercise, you should have Computer Manager open and connected to the secw7‐client workstation. Navigate to System Tools => Local Users and Groups => Groups, and double click the Administrators group. You should see Sally as a member. 2. To remove her, we will create a Group Policy Preference. On our Domain Controller, launch the Group Policy Management Console from the desktop, if it is not already opened. 3. Navigate to our Win7 Security Settings policy by drilling down to the Win7 OU in our domain. Once you find the policy, right click it, and choose Edit. 4. When the policy opens, go to Computer Configuration => Preferences => Control Panel Settings => Local Users and Groups. Click Action => New => Local Group.

ILTA11 Securing Windows 7 Page 19

8024575v.1 ILTA HANDS‐ON

5. For the group name, type in Administrators. Then click the Add… button on the bottom of the dialog box. In the Local Group Member box, browse for the account by clicking the Ellipses, and typing in Sally, and clicking OK. Once the account is added, choose the Remove from this group option, and click OK.

6. Click the OK button to complete the preference change. Our new group policy preference will now update the local administrator group, and remove Sally from it. Perform a GPUpdate on our client computer (or reboot it), and then reconnect to it using computer management. You should now see that she is no longer an administrator.

Exercise 5. Change the local administrator account password via Group Policy Preferences Even though we’ve removed Sally from the local administrator’s group, she somehow knows what the local administrator account password is! In this exercise, we will change this password.

1. Go back to our Win7 Security Settings policy, and navigate to the Local Users and Groups section (Computer Configuration => Preferences => Control Panel Settings => Local Users and Groups). Click Action => New => Local User. 2. From the dialog, type administrator for the user name, and change the password and confirmation password to sorrysally. Uncheck the User must change password option.

ILTA11 Securing Windows 7 Page 20

8024575v.1 ILTA HANDS‐ON

3. Click OK when finished.

Exercise 6. Add a local administrator account for laptops only Our laptop users sometime run into situations where they need administrative rights when they are on the road, disconnected from the domain. One way to permit these installations is to create a local account that has administrative credentials.

1. Go back to our Win7 Security Settings policy, and navigate to the Local Users and Groups section (Computer Configuration => Preferences => Control Panel Settings => Local Users and Groups). Click Action => New => Local User. 2. From the dialog, type Laptopadmin for the user name, and change the password and confirmation password to laptoppassword. Uncheck the User must change password option. Do NOT click OK yet. 3. We only want our laptops to get this user account, so we will need to apply filtering to our group policy preference. Click the common tab, and choose the Item‐Level targeting option. Click the Targeting… button. 4. Click the New button, and notice all of the various options that can be used as criteria for filtering. In our case, we will choose Portable Computer to indicate laptops. Check off all of the subsequent options, and click OK. Click OK once again to complete our policy.

ILTA11 Securing Windows 7 Page 21

8024575v.1 ILTA HANDS‐ON

5. We now need to add the laptopadmin user into our local administrators group. To do so, create another GPP under local users and groups by clicking Action => New => Local Group. 6. For the group name, type in Administrators. Then click the Add… button on the bottom of the dialog box. Type in laptopadmin in the Name box, and choose the Add to this Group option. Click OK. 7. Click the common tab, and add a filter to the GPP as you did in steps 3 and 4 of this exercise. 8. Finally, we need to order our GPPs so that our user is created before it is added to the administrators group. Just make sure the laptopadmin order is numerically below the administrators group change, as in the following screenshot:

Lab 6: Configuring AppLocker

Exercise 1. Configure AppLocker Rules Applocker works with the principle of least privilege, meaning that applications, installations, and scripts are denied access if no rules are configured. The first step to configuring AppLocker is to setup default rules for our clients.

1. Go back to our Win7 Security Settings Policy in Group Policy Management Console. Navigate to Computer Configuration => Policies => Windows Settings => Security Settings => Application Control Policies => Applocker. Notice that there are no configured rules in the overview. 2. Drill down to Executable Rules. Click Action => Create Default Rules. This will create default Applocker rules that allow everyone to launch applications in the Program Files, and Windows directory. It also allows local administrators to launch all applications.

ILTA11 Securing Windows 7 Page 22

8024575v.1 ILTA HANDS‐ON

3. In a similar fashion, create the default rules under the Rules and Script Rules nodes. 4. After the default rules have been configured, we will create an executable rule that denies access to running Google Earth. To do so, right click on the Executable Rules node, and click Create New Rule… 5. Click Next, and then change the action to Deny. Click Next. Change the primary condition to Path, and click Next. For the Path, type in *googleearth.exe and click Next. Click Next to skip adding publisher exceptions, and finally click Create to create the rule.

You have now created a rule that will deny the googleearth application from running.

Exercise 2. Configure AppLocker to enable auditing One great feature of Applocker is the ability to run audit mode. When audit mode is enabled, Applocker will review applications that are executed on the machine, but will not deny application execution. It will log these events for further review.

1. Go back to the Applocker section of our policy until the overview appears. Click the Configure Rule Enforcement link. For executable rules click the Configured option, and then select Audit only from the drop down list. Click OK when finished. 2. Out Win7 Security Settings policy should now be configured with AppLocker in audit mode. To our setting, flip to our client workstation, and reboot the client to apply the policy. Login as the user Ken with a password of Ilta11user. 3. Launch the by searching for it in the search bar. Click => type “event” Select “Event Viewer”. Once launched, navigate to Application and Services => Microsoft => Windows => AppLocker => EXE and DLL. This is where writes events related to executable activity on the workstation. Note that Windows process executions are now being recorded. 4. Keep the Event viewer open, but launch Adobe Reader from the desktop. Go back to the event viewer, and push F5 to refresh the events. Note that Applocker auditing recorded that GoogleEarth.exe was allowed to run. 5. Now launch Google Earth, and refresh the event viewer. You should see an AppLocker event telling you that Google Earth would be denied.

ILTA11 Securing Windows 7 Page 23

8024575v.1 ILTA HANDS‐ON

Exercise 3. Configure AppLocker to deny application access

1. Flip back to the Domain Controller, and go back to our Win7 Security Policy in Group Policy Management. Navigate to the AppLocker policy. 2. Click the Configure Rule Enforcement link, and change the executables rules dropdown to Enforce Rules. Click OK when finished. 3. Flip to the client, and reboot it again to get the new security changes. Login as Ken, and test launching Google Earth. It should be denied.

ILTA11 Securing Windows 7 Page 24

8024575v.1