
Showing posts with label Server 2008. Show all posts

Configuring AppLocker in Server 2008 R2 and Windows 7

Windows Server 2008 R2's AppLocker feature allows additional policy configuration for software use on servers. Here's an overview of the enhanced functionality.

Starting with Windows Server 2008 R2 for server platforms and Windows 7 for desktop platforms, the Software Restrictions policies functionality has been replaced with AppLocker.
With AppLocker and Group Policy, you can define what files to prohibit from being executed; this can include scripts, installation files, and standard executables.
The management goodness of AppLocker is that it can be applied via Group Policy locally or via a domain-based GPO. AppLocker exists in the Computer Configuration section of Group Policy under Windows Settings | Security Settings | Application Control Policies. From there, the AppLocker configuration provides an enhanced Group Policy configuration as shown in Figure A.
Figure A

Within this section of Group Policy, you can craft myriad individual configurations, including policies that permit or deny users or groups the ability to run a file, an installation, or a script. Further, you can set this with exceptions and apply it in a granular fashion in Active Directory. If you don't want a full deny, you can configure AppLocker to only audit attempts to run an installation file, a script, or a standard executable.
The AppLocker feature is new to Windows Server 2008 R2 and will not apply to operating systems older than Windows Server 2008 R2 or Windows 7. For older OSs, you can apply Software Restriction Policies via a separate group policy object.
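The audit-only option described above, as an added PowerShell example using the AppLocker module that ships with Windows 7 and Windows Server 2008 R2 (this is not code from the original article). The reference directory and the policy file path are assumptions; run it from an elevated prompt.

```powershell
# Added example; both paths are assumptions, not values from the article.
$ReferenceDir = 'C:\Program Files'             # assumed known-good software location
$PolicyFile   = 'C:\Temp\applocker-audit.xml'  # assumed output path

Import-Module AppLocker

# AppLocker only evaluates rules while the Application Identity service runs.
Start-Service -Name AppIDSvc

# 1. Build allow rules from the reference software: publisher rules where the
#    file is signed, file-hash rules as the fallback for unsigned files.
$files = Get-AppLockerFileInformation -Directory $ReferenceDir -Recurse -FileType Exe
[xml]$policy = $files |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 2. Switch every rule collection to audit-only so nothing is blocked yet.
foreach ($collection in $policy.SelectNodes('//RuleCollection')) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($PolicyFile)

# 3. Dry-run a file against the policy before applying it. cmd.exe lives
#    outside the reference directory, so it reports DeniedByDefault: a sign
#    that the rule set still needs to cover the Windows directory.
Test-AppLockerPolicy -XmlPolicy $PolicyFile -User Everyone `
    -Path "$env:windir\System32\cmd.exe" |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 4. Apply to the local policy. For a domain GPO, add -Ldap with the GPO's path.
Set-AppLockerPolicy -XmlPolicy $PolicyFile

# 5. After the policy has been in place for a while, list what enforcement
#    would have blocked. Event 8003 is logged when an EXE or DLL was allowed
#    to run only because the collection is in audit mode.
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id      = 8003
    } | Select-Object TimeCreated, Message

# The same audit data aggregated per file, usable as input for new rules.
Get-AppLockerFileInformation -EventLog -EventType Audited -Statistics
```

Once the audited list stops showing legitimate software, changing `AuditOnly` to `Enabled` in the saved XML and re-applying it turns the same rules into enforcement.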
Visit Microsoft's site for more information about AppLocker.

Managing devices on Server 2008 Core Edition

Windows Server 2008 Core Edition requires some changes to how admins do standard tasks, such as device management. Find out more in this guide.
Windows Server 2008 Core Edition doesn't have any interfaces to speak of locally, so how do you manage hardware on the server? It's possible and easily done on the Core installation.
Like many other configurations in Windows, you need to enable firewall access. You can turn off the firewall for this task.
The next step is to enable access to the universal plug and play (UPnP) driver. You need group policy access to follow this step, so this can either be a domain-based group policy setting, or you can do it locally. My previous tip outlines accessing the group policy remotely.
The UPnP driver is located in the group policy at Computer Configuration | Administrative Templates | System | Device Installation.
Figure A shows this value being configured to an enabled state.

Changing the computer name on Server 2008 Core

This tip explains how to rename a computer in one line.


In previous Windows Server 2008 Core Edition tips, I described how to configure the screen saver timeout and disable the Windows Firewall. This tip explains how to rename a computer in one line.

Default installations of Windows Server 2008 give the server a name like WIN-94CX1930EF21 or some other obscure pattern that doesn't fit into most computer infrastructures. You can change the computer name using the netdom command.

Netdom (which isn't a new tool) is an easy way to change the computer name after Windows Server 2008 is installed on Core Editions. You can also use it on the full installation versions.

It's pretty straightforward to use the netdom command. For example, let's go from the default name WIN-94CX1930EF21 to a computer name of SERVER13. This is the command you would enter:
netdom renamecomputer WIN-94CX1930EF21 /NewName:SERVER13

Once this is complete, you get a friendly prompt that renaming a system may cause certain services to fail. Because of this warning, it is a good idea to rename the server early in the build process. Figure A shows this onscreen.
Figure A

The server is successfully renamed after the requested system reboot.

If you want to join the system to an Active Directory domain, the same command is used except extra parameters are required. If the computer account already has the correct name, a command like the following will join a Windows Server 2008 server to a domain:

netdom join /DOMAIN:RWVDEV server13 /userD:RWVDEV\Administrator /passwordD:*

A few things to note: Some of the parameters have the letter D at the end of them, and the FQDN server name is the DC to authenticate the request against. Again, a reboot is required for the change to take effect. There are a few other parameters with netdom, so check out the Help section to see if additional features, such as organizational unit placement and force reboot, suit you.

Rick Vanover is a systems administrator for Safelite AutoGlass in Columbus, Ohio. He has more than 12 years of IT experience, and he focuses on virtualization, Windows-based server administration, and system hardware.

Disabling the firewall in Server 2008 Core Edition

For Windows Server 2008’s Core Edition, the default firewall configuration is one of the things most administrators want to turn off after installation.


You can complete this task with one line of code, which you’ll want to add to your script arsenal.
The use cases for Windows Server 2008 Core Edition include additional security for certain installation sites and networks, and certain products (for example, the free Hyper-V role) are only available on core editions.
In Windows Server 2008 systems, including the core installations, the Windows Firewall is enabled by default. For many administrators, the first step of a new Windows installation is to disable the Windows Firewall.

You can do this with the following Netsh command:

netsh advfirewall set allprofiles state off

Now the Windows Firewall is disabled for all network profiles. You can tweak the parameters of what is run from Netsh. To determine what commands are available for Netsh, simply go into Netsh and enter a question mark (?) in one of the interactive contexts.

Figure A shows the advfirewall context.

Figure A

Visit TechNet for more information about Netsh in the advfirewall context.

Rick Vanover, a systems administrator for Safelite AutoGlass, has more than 12 years of IT experience and focuses on virtualization, Windows-based server administration and system hardware.