Increase Windows Network Security Through Group Policy Software Installations
March 14, 2012 | POSTED BY BRETT EDGAR IN WINDOWS, SECURITY, MICROSOFT
Seeing the rate at which companies have been successfully attacked by Java exploits while their users surf the web, I became increasingly alarmed and wondered how I was going to defend my own network. I had always known that Active Directory Group Policy could push out software, but I had never explored the option as I thought it sounded too involved.
Well, I was wrong. It's really easy. I just enabled automatic installation (or upgrade!) of the Java 6 Runtime Environment on all of our Windows PCs. I followed the directions posted by Ivan Dretvich on his blog. Check them out here and here. It took me about 15 minutes, and most of that was trying to find the ORCA package he discusses. (Hint: you only need to select the "Tools" option under the "Windows Installer SDK" option from the Platform SDK installer.)
Initially, I restricted the GPO (Group Policy Object) to my computer as Ivan suggests. I had built this GPO with Java 6u31 packages on my DFS root. Before rebooting, I checked and verified that I had Java 6u30 installed. I rebooted, got a cup of coffee, then logged into my Windows 7 machine. Checking again revealed that I now had Java 6u31! Flawless. I fixed the GPO up so that it installs the 32-bit JRE on our few 32-bit machines, and then removed the restriction that applied it only to my computer.
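The before-and-after version check described above can be scripted so it is repeatable on the pilot machine and later on the rest of the fleet. The following PowerShell is an added example, not part of the original post or of Ivan's directions. It assumes the JRE installer registers an uninstall entry whose DisplayName looks like "Java(TM) 6 Update 31", and the function and parameter names are illustrative.

```powershell
# Added example: list installed Java runtimes and flag any below the expected update.
# Assumption: the JRE registers a DisplayName of the form "Java(TM) <major> Update <n>".
param(
    [int]$ExpectedMajor  = 6,    # values from the post: Java 6u31
    [int]$ExpectedUpdate = 31
)

# On 64-bit Windows, 32-bit installs are recorded under Wow6432Node, so read both views.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledJre {
    foreach ($key in $uninstallKeys) {
        $view = if ($key -like '*Wow6432Node*') { '32-bit view' } else { 'native view' }
        Get-ItemProperty -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
            if ($_.DisplayName -match '^Java\(TM\) (\d+) Update (\d+)') {
                New-Object PSObject -Property @{
                    Name   = $_.DisplayName
                    Major  = [int]$Matches[1]
                    Update = [int]$Matches[2]
                    View   = $view
                }
            }
        }
    }
}

$found = @(Get-InstalledJre)
$found | Format-Table Name, Major, Update, View -AutoSize

# A runtime is stale if its major version or update number is below the expected one.
$stale = @($found | Where-Object {
    $_.Major -lt $ExpectedMajor -or
    ($_.Major -eq $ExpectedMajor -and $_.Update -lt $ExpectedUpdate)
})

if ($found.Count -eq 0) {
    Write-Output 'No Java runtime is registered on this machine.'
    exit 2
} elseif ($stale.Count -gt 0) {
    Write-Output ("Out of date: " + (($stale | ForEach-Object { $_.Name }) -join ', '))
    exit 1
} else {
    Write-Output "All Java runtimes are at $ExpectedMajor Update $ExpectedUpdate or later."
    exit 0
}
```

Run it once before the reboot and once after. If the version has not changed, `gpresult /r /scope computer` from an elevated prompt shows whether the GPO was applied to the machine at all.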
Now, the next time my users reboot, they will automatically get the latest Java version without prompting. And I can breathe easier knowing that our interns aren't going to click on a stupid link and get pwned by the Blackhole Exploit Kit or any of the other popular Java exploitation frameworks.
This was so easy to do that I can't think of any reason why a corporate environment shouldn't be doing this. I am going to move on to Adobe Flash and Adobe Reader next. If I can get all three of these packages to automatically update via GPO, then I will have eliminated 90% of the attacks my users are likely to experience. Plus, my users won't have to hassle with following prompts to update software on their own. That's a win.
GPO Software Installations For the Win!