TECH BRIEF / AUGUST 2016 / V1.5
Best practices to shape & secure
your 1:1 program for Windows
Contents
Overview
Device Settings
Securly SSL Certificate Deployment
Importing the Chrome Group Policy Object
Copying over the necessary files
Creating the Group Policy Object for Chrome
Guest Mode
Sign-in Restriction
Safe Browsing
Incognito Mode and Browser History
Safe Search on Google
Developer Tools
Blocking Chrome:// URLs
Blocking SPDY protocol
Blocking QUIC protocol
Proxy Settings
Allowed Apps and Extensions
Force Install AutoLogOut (recommended for shared devices)
Block users from terminating your forced installed extension
Disabling IPv6 with Group Policy
Offsite Filtering
Conclusion
About Securly
Overview
A key requirement of a 1:1 Windows deployment is security – ensuring students are using the device safely and productively. This document addresses several aspects of Windows Server and Group Policy that are important to configure correctly for a successful 1:1 experience.
Device Settings
The Device Settings are only pushed down to the Windows device if the device is joined to your organization's Active Directory domain. It is critical that users do not have administrative privileges. With such privileges, a user can bypass any restrictions placed on the machine.
Securly SSL Certificate Deployment
Since Securly performs MITM (man-in-the-middle) SSL interception to decrypt SSL websites, all Windows devices must have our SSL certificate installed. This is accomplished via Group Policy.
Our certificate can be downloaded from here.
1. Open “Group Policy Management”.
2. At the top level of your domain right click and “Create a GPO in this domain, and Link it here…”.
3. Title the new GPO “Securly SSL” and then click “OK”.
4. Right click the new GPO and select “Edit…”.
5. From within the Group Policy Editor navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certificate Authorities.
6. On the right-hand pane, select “Import…”.
7. Click “Next” on the first certificate import wizard screen as no items are configurable.
8. On the second screen “File to import”, click on “Browse…”, navigate to the file downloaded above and then click “Next”.
9. On the last screen click “Finish” and then “OK”.
Importing the Chrome Group Policy Object
It is necessary to import the Chrome Group Policy Object (GPO) so that Active Directory can manage the Chrome settings to ensure compliance.
Copying over the necessary files
1. Download the Group Policy templates from Google at: https://support.google.com/chrome/a/answer/187202?hl=en
2. Extract the files from the zip file.
3. Copy over “chrome.admx” from DownloadLocation\policy_templates\windows\admx to C:\windows\PolicyDefinitions.
4. Copy over “chrome.adml” from DownloadLocation\policy_templates\windows\admx\en-US to C:\windows\PolicyDefinitions\en-US (replace en-US with your respective language's folder).
Creating the Group Policy Object for Chrome
1. Open “Group Policy Management”.
2. At the Students OU level of your domain right click and “Create a GPO in this domain, and Link it here…”.
3. Title the new GPO “Google Chrome Lockdown”.
4. Right click the newly created GPO and select “Edit…”.
5. Navigate to Computer Configuration > Policies > Administrative Templates (ADMX Files) > Google > Google Chrome.
All of the options below are found on the right-hand side for the Google Chrome policy settings.
Guest Mode
We recommend disabling Guest Mode to allow better auditing of student activity. Guest Mode otherwise allows the PC to be used without the district user policy in place. This mode is similar to the Incognito Mode supported by the Chrome browser, which we also recommend turning off in a subsequent section.
Double click the policy option named “Enable guest mode in browser”. Select “Disabled” and click “OK”.
Sign-in Restriction
Just as Guest Mode and Incognito Mode allow students to browse without being audited, this setting, if not configured correctly, can allow students to use even their Gmail IDs to log in and browse without a good account of how they spent their time online.
Double click on the policy to "Restrict which users..." and select the "Enabled" option. Specify your domain(s) in the Options dialog and click "OK".
By using a comma-separated list in the form *@domain, we can prevent students from logging in with @gmail.com.
Safe Browsing
This setting allows you to safeguard your students against malicious sites. While Chromebooks are generally hardened and immune to most forms of malware, it is important to note that the User Settings from the admin console apply to the Chrome browser even on other devices such as Windows machines. Further, malicious sites can also include phishing or other sites that involve platform-independent vulnerabilities that target the user directly, e.g. identity theft, financial theft, password theft, etc.
You can safely leave the following settings on for this section:
Double click on the policy option titled "Enable Safe Browsing" and select "Enabled". Click "OK".
Incognito Mode and Browser History
To prepare evidence reports, we recommend keeping browser history turned on. Further, we find that the Incognito Mode bypasses pre-installed security apps and can be used to evade district filtering policy. The following settings are recommended.
Double click on "Incognito mode availability" and select "Enabled". From the drop-down list, choose "Incognito mode disabled".
Safe Search on Google
If your district’s web filter does not
support Safe Search for Google, the
following setting allows you to enforce
this directly via the Chrome policy. This
applies only to the Google search
engine. In order to achieve safe search
on other search engines, you need a
web filter that is capable of enforcing
this on those engines.
Double click on the policy option "Force
Google SafeSearch" and select
"Enabled". Click "OK".
Developer Tools
Developer tools allow users to debug
network, script, apps and other issues.
In a 1:1 program however, these could
be used to circumvent district policy or
gain unfair advantage over other
students by reverse engineering of
edtech applications that transmit
insecure data or have confidential
information hidden away in the code.
We recommend disabling the use of
developer tools.
Double click on the policy option
"Disable Developer Tools" and select
"Enabled". Click "OK".
Blocking Chrome:// URLs
You should disable chrome://extensions and consider disabling chrome://settings. chrome://extensions allows students to start/stop extensions, while chrome://settings and other chrome:// addresses provide settings or information that students typically do not need. We also recommend adding the 2 other URLs below to the blocked URLs at a minimum.
Double click on the policy setting "Block access to a list of URLs" and select "Enabled". Click "Show..." and enter the URLs provided below. Click "OK".
chrome://history-frame
chrome://chrome/history-frame
The 2 history URLs stop the students from getting to the Chrome history and/or wiping the history, should you want to keep it for posterity.
Blocking SPDY protocol
You should block the SPDY protocol as it has been known to cause issues with Securly in how it is implemented within Google Chrome.
Within the policy option, double click on "Disable SPDY protocol" and select "Disabled". Click "OK".
Blocking QUIC protocol
You should block the QUIC protocol as it has been known to cause issues with Securly in how it is implemented within Google Chrome.
Within the policy option, double click on "Disable QUIC protocol" and select "Disabled". Click "OK".
Proxy Settings
To make the best use of Securly we recommend that the use of a proxy be completely disabled.
Within your Chrome lockdown GPO navigate to Computer Configuration > Policies > Administrative Templates: Policy Definitions (ADMX..) > Google Chrome > Proxy Server.
Double click on the policy option "Choose how to specify proxy server settings" and select "Enabled". From the drop-down list in the Options dialog, choose "Never use a proxy" and click "OK".
Allowed Apps and Extensions
Along with force-installing security and other instructional apps, in order to prevent students from later installing games and other time-sinks or VPN/proxy apps, it is generally a good idea to configure this section as follows:
Navigate within the Group Policy object to Computer Configuration > Policies > Administrative Templates: Policy definitions (ADMX files).. > Google > Google Chrome > Extensions.
Double click on "Configure extension installation blacklist" and select "Enabled". Under the Options dialog, click "Show..." and enter "*" to block all extensions (except those you have allowed). Click "OK".
Force Install AutoLogOut (recommended for shared devices)
Navigate within the Group Policy object to Computer Configuration > Policies > Administrative Templates: Policy definitions (ADMX files).. > Google > Google Chrome > Extensions and double click on “Configure extension installation whitelist”.
Change this from the default of “Not Configured” to “Enabled” and then click on the “Show..” button.
On the “Show Contents” page, for the value enter: “ohlcnddhihadnalofegeookbpglgadhe”
Then click “OK” and “Apply” to save this as an allowed extension. Now this extension would need to be force installed. To achieve this, double click on “Configure the list of force-installed apps and extensions”.
You would then change this from the default value of “Not Configured” to “Enabled” and click on the “Show...” button.
Within the “Show Contents” box you would enter the ID “ohlcnddhihadnalofegeookbpglgadhe” and click “OK”, “Apply” and “OK” to save this.
Block users from terminating your forced installed extension
When “Disabled” is chosen, this setting stops end users from using Chrome's built-in task manager to kill the Chrome extensions that you have force-installed.
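To confirm that a client actually received the Chrome settings described above, the following audit reads the policy values from the registry and lists any deviations. It is an added example, not part of the Securly brief: the registry value names are Chrome's policy names (the brief gives only the GPO display names), `school.example`, the function names and the sample snapshot are constructed, and the SPDY and QUIC settings are not checked.

```powershell
# Added example: audit the Chrome policies a client received from the
# "Google Chrome Lockdown" GPO. Registry value names are Chrome's policy
# names (an assumption: the brief only gives the GPO display names).
$PolicyRoot   = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$AutoLogOutId = 'ohlcnddhihadnalofegeookbpglgadhe'   # extension ID from the brief

# Single-value policies: value name -> data the brief's settings should produce.
$ExpectedValues = [ordered]@{
    BrowserGuestModeEnabled      = 0         # Guest Mode disabled
    SafeBrowsingEnabled          = 1         # Safe Browsing enabled
    IncognitoModeAvailability    = 1         # 1 = Incognito mode disabled
    ForceGoogleSafeSearch        = 1         # Google SafeSearch forced
    DeveloperToolsDisabled       = 1         # Developer Tools disabled
    ProxyMode                    = 'direct'  # "Never use a proxy"
    TaskManagerEndProcessEnabled = 0         # users cannot end extension processes
}

# List policies (stored as subkeys): subkey name -> entries that must be present.
$ExpectedLists = [ordered]@{
    URLBlacklist              = @('chrome://extensions', 'chrome://history-frame',
                                  'chrome://chrome/history-frame')
    ExtensionInstallBlacklist = @('*')
    ExtensionInstallWhitelist = @($AutoLogOutId)
    ExtensionInstallForcelist = @($AutoLogOutId)
}

function Get-ChromePolicySnapshot {
    # Reads the live policy key into @{ Values = ...; Lists = ... }.
    param([string]$Root = $PolicyRoot)
    $snap = @{ Values = @{}; Lists = @{} }
    if (-not (Test-Path -LiteralPath $Root)) { return $snap }
    $key = Get-Item -LiteralPath $Root
    foreach ($name in $key.GetValueNames()) {
        $snap.Values[$name] = $key.GetValue($name)
    }
    foreach ($sub in Get-ChildItem -LiteralPath $Root) {
        $entries = $sub.GetValueNames() | ForEach-Object { [string]$sub.GetValue($_) }
        $snap.Lists[$sub.PSChildName] = @($entries)
    }
    return $snap
}

function Test-ChromeLockdown {
    # Returns one string per deviation; no output means the snapshot matches.
    param([hashtable]$Snapshot, [string]$SigninDomain)
    $findings = @()
    foreach ($name in $ExpectedValues.Keys) {
        $want = $ExpectedValues[$name]
        if (-not $Snapshot.Values.ContainsKey($name)) {
            $findings += "$name is not set (expected $want)"
        } elseif ($Snapshot.Values[$name] -ne $want) {
            $findings += "$name = $($Snapshot.Values[$name]) (expected $want)"
        }
    }
    # Sign-in restriction: the pattern must be present and name the district domain.
    $pattern = [string]$Snapshot.Values['RestrictSigninToPattern']
    if ($pattern -notlike "*@$SigninDomain*") {
        $findings += "RestrictSigninToPattern = '$pattern' does not restrict sign-in to @$SigninDomain"
    }
    foreach ($list in $ExpectedLists.Keys) {
        # Force-list entries may carry ';update_url' after the ID; compare the ID part only.
        $have = @($Snapshot.Lists[$list]) | Where-Object { $_ } |
            ForEach-Object { ($_ -split ';')[0].Trim() }
        foreach ($entry in $ExpectedLists[$list]) {
            if ($have -notcontains $entry) { $findings += "$list is missing '$entry'" }
        }
    }
    return $findings
}

# Constructed sample snapshot (not captured from a real machine): Incognito was
# left available and the force-install list was never configured.
$sample = @{
    Values = @{
        BrowserGuestModeEnabled = 0; SafeBrowsingEnabled = 1; IncognitoModeAvailability = 0
        ForceGoogleSafeSearch = 1; DeveloperToolsDisabled = 1; ProxyMode = 'direct'
        TaskManagerEndProcessEnabled = 0; RestrictSigninToPattern = '*@school.example'
    }
    Lists = @{
        URLBlacklist = @('chrome://extensions', 'chrome://settings',
                         'chrome://history-frame', 'chrome://chrome/history-frame')
        ExtensionInstallBlacklist = @('*')
        ExtensionInstallWhitelist = @($AutoLogOutId)
    }
}
Test-ChromeLockdown -Snapshot $sample -SigninDomain 'school.example'

# On a domain-joined client, after "gpupdate /force":
Test-ChromeLockdown -Snapshot (Get-ChromePolicySnapshot) -SigninDomain 'school.example'
```

Later Chrome releases renamed several of these policies, so on current templates a missing value can mean the setting is stored under a newer name rather than that the GPO failed to apply.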
Disabling IPv6 with Group Policy
1. Go to: http://social.technet.microsoft.com/wiki/contents/articles/5927.how-to-disable-ipv6-through-group-policy.aspx to get the “IPv6Configuration.zip”.
2. Extract the files from the downloaded ZIP files.
3. Copy over “IPv6Configuration.admx” from DownloadLocation\IPv6Configuration to C:\windows\PolicyDefinitions.
4. Copy over “IPv6Configuration.adml” from DownloadLocation\IPv6Configuration to C:\windows\PolicyDefinitions.
5. Open “Group Policy Management”.
6. Right click your OU with your devices in it and select “Create a GPO in this domain, and Link it here..”.
7. Title this new GPO “Disable IPv6”.
8. Right click this new GPO and select “Edit..”.
9. Navigate to Computer Configuration > Policies > Administrative Templates: Policy Definitions (ADMX files..) > Network > IPv6 Configuration.
10. Double click on “IPv6 Configuration Policy”.
11. Change this to “Enabled” and set the “IPv6 Configuration” dropdown to “Disable IPv6 components”.
Offsite Filtering
Part 1: Getting the script copied over:
1. Download the applicable attached script and edit it to replace the first IP address with your internal DNS server's IP.
2. Rename the saved script to setdns.bat.
3. Move the script to a shared folder from your server.
4. Open up "Group Policy Management".
5. Create a new GPO object.
6. Name this "Copy Securly File".
7. Right click the newly created GPO and then click "Edit".
8. Go to Computer Configuration > Preferences > Windows Settings > Files, right click and go to "New" and then "File".
9. On the "New File Properties" window, uncheck "Archive" and check the "Hidden" box. Click the "..." button for Source File(s) and navigate to the downloaded file.
10. For Destination file: input a location that students do not have access to, such as "C:\windows\setdns.bat". Click "Apply" and then "OK".
Part 2: Script actions
1. Open up "Group Policy Management".
2. Create a new GPO object.
3. Name this policy "Securly DNS actions".
4. Right click the newly created GPO and select "Edit".
5. Drill down to User Configuration > Preferences > Control Panel Settings > Scheduled Tasks and right click "Scheduled Tasks" and go to New > Scheduled Task (at least Windows 7).
6. In the Name area enter "Securly DNS".
7. Under "Security Options" click the "Change User or Group" button.
8. In the window that popped up type in "System" and click the "check names" box then click “OK”.
9. Also check the "Run with highest privileges" box.
10. The completed General Tab should look like the below.
11. Click on the "Triggers" tab and then click the "New" button.
12. Open up "Group Policy Management".
13. Change:
Log to: "Microsoft-Windows-NetworkProfile/Operational"
Source to: "Microsoft-Windows-NetworkProfile"
Event ID to: 10000
Check the "stop task if it runs longer than:” to 30 minutes.
Check the “Activate” box.
Check the “Enabled” box.
Click the “OK” box.
14. Click on the "Actions" tab and select "New".
15. For the "Program/Script" area, enter the path chosen in Part 1, e.g. C:\windows\setdns.bat, then click "OK" to save the changes.
16. Click "Apply" to save all of the settings.
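Because the task runs setdns.bat as SYSTEM with highest privileges, any account that can modify that file can run commands as SYSTEM, which is why Part 1 asks for a destination students cannot access. The check below is an added example, not part of the Securly brief; it assumes the task name and script path used above and Windows 8 / Server 2012 or later (for `Get-ScheduledTask`), and the function names are illustrative.

```powershell
# Added example: check the "Securly DNS" task and the script it launches.
# Requires the ScheduledTasks module (Windows 8 / Server 2012 or later).
$TaskName   = 'Securly DNS'             # name entered in Part 2
$ScriptPath = 'C:\windows\setdns.bat'   # destination chosen in Part 1

# Accounts that may legitimately modify the script: SYSTEM, Administrators,
# TrustedInstaller (well-known SIDs, compared as SIDs to survive localisation).
$TrustedSids = @('S-1-5-18', 'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464')

# Rights that let a principal change or replace the file, plus the
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership' -bor 0x50000000

function Get-UntrustedWriter {
    # Emits one object per Allow ACE that gives a non-trusted principal write access.
    param([string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($TrustedSids -notcontains $sid) {
            [pscustomobject]@{ Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

function Test-SecurlyDnsTask {
    # Returns one string per deviation from the task described in Part 2.
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if (-not $task) { return "Scheduled task '$TaskName' was not found" }
    $findings = @()
    if ($task.Principal.UserId -notmatch '(^|\\)SYSTEM$|^S-1-5-18$') {
        $findings += "Task runs as '$($task.Principal.UserId)', not SYSTEM"
    }
    if ([string]$task.Principal.RunLevel -ne 'Highest') {
        $findings += 'Task does not run with highest privileges'
    }
    # The trigger from step 13: event 10000 in the NetworkProfile operational log.
    $eventTriggers = @($task.Triggers | Where-Object {
        $_.CimClass.CimClassName -eq 'MSFT_TaskEventTrigger' -and
        $_.Subscription -match 'Microsoft-Windows-NetworkProfile/Operational' -and
        $_.Subscription -match 'EventID\s*=\s*10000' })
    if ($eventTriggers.Count -eq 0) {
        $findings += 'No trigger on NetworkProfile/Operational event 10000'
    }
    $actions = @($task.Actions | ForEach-Object { $_.Execute })
    if ($actions -notcontains $ScriptPath) {
        $findings += "No action runs $ScriptPath (found: $($actions -join ', '))"
    }
    if (Test-Path -LiteralPath $ScriptPath) {
        foreach ($w in (Get-UntrustedWriter -Path $ScriptPath)) {
            $findings += "$($w.Identity) can modify $ScriptPath ($($w.Rights))"
        }
    } else {
        $findings += "$ScriptPath is missing"
    }
    return $findings
}

# Run from an elevated prompt on a managed client; no output means no deviations.
Test-SecurlyDnsTask
```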
Conclusion
By following these recommendations, the school IT and educators will be better able to shape and secure the kids’ online screen time on the 1:1 Chromebook deployments.
About Securly
Securly is a cloud-based web filter that provides in-school and take-home filtering across all devices. For more information, please visit www.securly.com or email sales@securly.com

Making communications land - Are they received and understood as intended? we...
 
Understanding Accommodations and Modifications
Understanding  Accommodations and ModificationsUnderstanding  Accommodations and Modifications
Understanding Accommodations and Modifications
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
 

Best practices to shape and secure your 1:1 program for Windows

  • 1. TECH BRIEF / AUGUST 2016 / V1.5 Best practices to shape & secure your 1:1 program for Windows
  • 2. Contents: Overview; Device Settings; Securly SSL Certificate Deployment; Importing the Chrome Group Policy Object; Copying over the necessary; Creating the Group Policy Object for Chrome; Guest Mode; Sign-in Restriction; Safe Browsing; Incognito Mode and Browser History; Safe Search on Google; Developer Tools; Blocking Chrome:// URLs; Blocking SPDY protocol; Blocking QUIC protocol; Proxy Settings; Allowed Apps and Extensions; Force Install AutoLogOut (recommended for shared devices); Block users from terminating your forced installed extension; Disabling IPv6 with Group Policy; Offsite Filtering; Conclusion; About Securly
  • 3. Overview: A key requirement of a 1:1 Windows deployment is security – ensuring students are using the device safely and productively. This document addresses several aspects of Windows Server and Group Policy that are important to configure correctly for a successful 1:1 experience.
    Device Settings: The Device Settings are only pushed down to the Windows device if the device is joined to your organization's Active Directory domain. It is critical that users do not have administrative privileges. With such privileges, a user can bypass any restrictions placed on the machine.
    Securly SSL Certificate Deployment: Since Securly does MitM (Man in the Middle) SSL interception to decrypt SSL websites, all Windows devices must have our SSL certificate installed. This is accomplished via Group Policy. Our certificate can be downloaded from here.
    1. Open “Group Policy Management”.
    2. At the top level of your domain, right click and select “Create a GPO in this domain, and Link it here…”.
    3. Title the new GPO “Securly SSL” and then click “OK”.
  • 4. Securly SSL Certificate Deployment, steps 4 to 8:
    4. Right click the new GPO and select “Edit…”.
    5. From within the Group Policy Editor navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities.
    6. On the right-hand pane, select “Import…”.
    7. Click “Next” on the first certificate import wizard screen, as no items are configurable.
    8. On the second screen, “File to import”, click “Browse…”, navigate to the file downloaded above, and then click “Next”.
  • 5. Securly SSL Certificate Deployment, step 9:
    9. On the last screen click “Finish” and then “OK”.
    Importing the Chrome Group Policy Object: It is necessary to import the Chrome Group Policy Object (GPO) so that Active Directory can manage the Chrome settings to ensure compliance.
    Copying over the necessary files:
    1. Download the Group Policy templates from Google at: https://support.google.com/chrome/a/answer/187202?hl=en
    2. Extract the files from the zip file.
    3. Copy “chrome.admx” from DownloadLocation\policy_templates\windows\admx to C:\windows\PolicyDefinitions.
    4. Copy “chrome.adml” from DownloadLocation\policy_templates\windows\admx\en-US to C:\windows\PolicyDefinitions\en-US (replace en-US with your respective language's folder).
  • 6. Creating the Group Policy Object for Chrome:
    1. Open “Group Policy Management”.
    2. At the Students OU level of your domain, right click and select “Create a GPO in this domain, and Link it here…”.
    3. Title the new GPO “Google Chrome Lockdown”.
    4. Right click the newly created GPO and select “Edit…”.
    5. Navigate to Computer Configuration > Policies > Administrative Templates (ADMX Files) > Google > Google Chrome.
    6. All of the options below are found on the right-hand side for the Google Chrome policy settings.
  • 7. Guest Mode: We recommend disabling Guest Mode to allow better auditing of student activity. Guest Mode otherwise allows the PC to be used without the district user policy in place. This mode is similar to the Incognito Mode supported by the Chrome browser, which we also recommend turning off in a subsequent section. Double click the policy option named “Enable guest mode in browser”. Select “Disabled” and click “OK”.
    Sign-in Restriction: Just as Guest Mode and Incognito Mode let students browse without being audited, this setting, if not configured correctly, can allow students to sign in with their personal Gmail IDs and browse without a good account of how they spent their time online. Double click on the policy to "Restrict which users..." and select the "Enabled" option. Specify your domain(s) in the Options dialog and click "OK". As shown above, by using a comma-separated list of *@domain entries, we can prevent students from logging in with @gmail.com.
  • 8. Safe Browsing: This setting allows you to safeguard your students against malicious sites. While Chromebooks are generally hardened and immune to most forms of malware, it is important to note that the User Settings from the admin console apply to the Chrome browser even on other devices such as Windows machines. Further, malicious sites can also include phishing or other sites that involve platform-independent vulnerabilities that target the user directly, e.g. identity theft, financial theft, password theft etc. You can safely leave the following settings on for this section: Double click on the policy option titled "Enable Safe Browsing" and select "Enabled". Click "OK". Double click on the policy to "Restrict which users..." and select the "Enabled" option. Specify your domain(s) in the Options dialog and click "OK".
    Incognito Mode and Browser History: To prepare evidence reports, we recommend keeping browser history turned on. Further, we find that Incognito Mode bypasses pre-installed security apps and can be used to evade district filtering policy. The following settings are recommended. Double click on "Incognito mode availability" and select "Enabled". From the drop-down list, choose "Incognito mode disabled".
  • 9. Safe Search on Google: If your district’s web filter does not support Safe Search for Google, the following setting allows you to enforce this directly via the Chrome policy. This applies only to the Google search engine. In order to achieve safe search on other search engines, you need a web filter that is capable of enforcing this on those engines. Double click on the policy option "Force Google SafeSearch" and select "Enabled". Click "OK".
    Developer Tools: Developer tools allow users to debug network, script, app and other issues. In a 1:1 program, however, these could be used to circumvent district policy or gain unfair advantage over other students by reverse engineering edtech applications that transmit insecure data or have confidential information hidden away in the code. We recommend disabling the use of developer tools. Double click on the policy option "Disable Developer Tools" and select "Enabled". Click "OK".
  • 10. Blocking Chrome:// URLs: You should disable chrome://extensions and consider disabling chrome://settings. chrome://extensions allows students to start/stop extensions, while chrome://settings and other chrome:// addresses provide settings or information that students typically do not need. We also recommend adding the two other URLs listed below to the blocked URLs at a minimum. Double click on the policy setting "Block access to a list of URLs" and select "Enabled". Click "Show..." and enter the URLs provided below. Click "OK".
    chrome://history-frame
    chrome://chrome/history-frame
    These two URLs stop students from getting to the Chrome history and/or wiping the history, should you want to keep it for posterity.
  • 11. Blocking SPDY protocol: You should block the SPDY protocol as it has been known to cause issues with Securly in how it is implemented within Google Chrome. Within the policy option, double click on "Disable SPDY protocol" and select "Disabled". Click "OK".
    Blocking QUIC protocol: You should block the QUIC protocol as it has been known to cause issues with Securly in how it is implemented within Google Chrome. Within the policy option, double click on "Disable QUIC protocol" and select "Disabled". Click "OK".
  • 12. Proxy Settings: To make the best use of Securly we recommend that the use of a proxy be completely disabled. Within your Chrome lockdown GPO navigate to Computer Configuration > Policies > Administrative Templates: Policy Definitions (ADMX..) > Google Chrome > Proxy Server. Double click on the policy option "Choose how to specify proxy server settings" and select "Enabled". From the drop-down list in the Options dialog, choose "Never use a proxy" and click "OK".
  • 13. Allowed Apps and Extensions: Along with force-installing security and other instructional apps, in order to prevent students from later installing games and other time-sinks or VPN/proxy apps, it is generally a good idea to configure this section as follows: Navigate within the Group Policy object to Computer Configuration > Policies > Administrative Templates: Policy definitions (ADMX files).. > Google > Google Chrome > Extensions. Double click on "Configure extension installation blacklist" and select "Enabled". Under the Options dialog, click "Show..." and enter "*" to block all extensions (except those you have allowed). Click "OK".
  • 14. Force Install AutoLogOut (recommended for shared devices):
    Navigate within the Group Policy object to Computer Configuration > Policies > Administrative Templates: Policy definitions (ADMX files).. > Google > Google Chrome > Extensions and double click on “Configure extension installation whitelist”.
    Change this from the default of “Not Configured” to “Enabled” and then click on the “Show..” button.
    On the show contents page, for the value enter: “ohlcnddhihadnalofegeookbpglgadhe”.
    Then click “OK” and “Apply” to save this as an allowed extension.
    Now this extension needs to be force installed. To achieve this, double click on “Configure the list of force-installed apps and extensions”.
  • 15. You would then change this from the default value of “Not Configured” to “Enabled” and click on the “Show...” button. Within the “Show Contents” box you would enter the ID “ohlcnddhihadnalofegeookbpglgadhe” and click “OK”, “Apply” and “OK” to save this.
  • 16. Block users from terminating your forced installed extension: When “disable” is chosen, this setting stops end users from using Chrome's built-in task manager to kill the Chrome extensions that you have forced down.
  • 17. Disabling IPv6 with Group Policy:
    1. Go to http://social.technet.microsoft.com/wiki/contents/articles/5927.how-to-disable-ipv6-through-group-policy.aspx to get the “IPv6Configuration.zip”.
    2. Extract the files from the downloaded ZIP file.
    3. Copy “IPv6Configuration.admx” from DownloadLocation\IPv6Configuration to C:\windows\PolicyDefinitions.
    4. Copy “IPv6Configuration.adml” from DownloadLocation\IPv6Configuration to C:\windows\PolicyDefinitions.
    5. Open “Group Policy Management”.
    6. Right click the OU with your devices in it and select “Create a GPO in this domain, and Link it here..”.
    7. Title this new GPO “Disable IPv6”.
    8. Right click this new GPO and select “Edit..”.
    9. Navigate to Computer Configuration > Policies > Administrative Templates: Policy Definitions (ADMX files..) > Network > IPv6 Configuration.
  • 18. Disabling IPv6 with Group Policy, steps 10 and 11:
    10. Double click on “IPv6 Configuration Policy”.
    11. Change this to “Enabled” and set the “IPv6 Configuration” dropdown to “Disable IPv6 components”.
    Offsite Filtering, Part 1: Getting the script copied over:
    1. Download the applicable attached script and edit it to replace the first IP address with your internal DNS server's IP.
    2. Rename the saved script to setdns.bat.
    3. Move the script to a shared folder on your server.
    4. Open up "Group Policy Management".
  • 19. Offsite Filtering, Part 1, steps 5 to 10:
    5. Create a new GPO object.
    6. Name this "Copy Securly File".
    7. Right click the newly created GPO and then click "Edit".
    8. Go to Computer Configuration > Preferences > Windows Settings > Files, right click and go to "New" and then "File".
    9. On the "New File Properties" window, uncheck "Archive" and check the "Hidden" box. Click the "..." button for Source File(s) and navigate to the downloaded file.
    10. For Destination file, input a location that students do not have access to, such as "C:\windows\setdns.bat". Click "Apply" and then "OK".
  • 20. Offsite Filtering, Part 2: Script actions:
    1. Open up "Group Policy Management".
    2. Create a new GPO object.
    3. Name this policy "Securly DNS actions".
    4. Right click the newly created GPO and select "Edit".
    5. Drill down to User Configuration > Preferences > Control Panel Settings > Scheduled Tasks, right click "Scheduled Tasks" and go to New > Scheduled Task (at least Windows 7).
    6. In the Name area enter "Securly DNS".
  • 21. Offsite Filtering, Part 2, steps 7 to 11:
    7. Under "Security Options" click the "Change User or Group" button.
    8. In the window that pops up, type in "System", click the "Check Names" button and then click “OK”.
    9. Also check the "Run with highest privileges" box.
    10. The completed General tab should look like the below.
    11. Click on the "Triggers" tab and then click the "New" button.
  • 22. Offsite Filtering, Part 2, steps 12 to 15:
    12. Open up "Group Policy Management".
    13. Change: Log to "Microsoft-Windows-NetworkProfile/Operational"; Source to "Microsoft-Windows-NetworkProfile"; Event ID to 10000. Check “Stop task if it runs longer than:” and set it to 30 minutes. Check the “Activate” box. Check the “Enabled” box. Click “OK”.
    14. Click on the "Actions" tab and select "New".
    15. For the "Program/Script" area, enter the path chosen in Part 1 (e.g. C:\windows\setdns.bat), then click "OK" to save the changes.
  • 23. Offsite Filtering, Part 2, step 16:
    16. Click "Apply" to save all of the settings.
  • 24. Conclusion: By following these recommendations, the school IT and educators will be better able to shape and secure the kids’ online screen time on the 1:1 Chromebook deployments.
    About Securly: Securly is a cloud-based web filter that provides in-school and take-home filtering across all devices. For more information, please visit www.securly.com or email sales@securly.com
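
To confirm on a client that the “Google Chrome Lockdown” GPO described above actually applied, the following added PowerShell example (not part of the Securly brief) reads the Chrome policy registry key and compares it with the settings the brief recommends. The registry path and value names are Chrome's policy names as shipped in the ADMX templates of that period and are assumptions here, since the brief gives only the Group Policy Editor labels; newer templates rename some of them.

```powershell
# Added example (not Securly's code). Value names are Chrome policy names,
# assumed from the Chrome ADMX templates; they do not appear in the brief.
function Test-ChromeLockdown {
    param([string]$Key = 'HKLM:\SOFTWARE\Policies\Google\Chrome')

    # Single-value policies: value name -> data the brief's setting should produce.
    $scalars = [ordered]@{
        BrowserGuestModeEnabled   = 0          # "Enable guest mode in browser" = Disabled
        SafeBrowsingEnabled       = 1          # "Enable Safe Browsing" = Enabled
        IncognitoModeAvailability = 1          # 1 = "Incognito mode disabled"
        ForceGoogleSafeSearch     = 1
        DeveloperToolsDisabled    = 1
        ProxyMode                 = 'direct'   # "Never use a proxy"
    }
    # List policies live in subkeys; each must contain these entries (prefix match,
    # because force-list entries may carry an update URL after the extension ID).
    $lists = [ordered]@{
        ExtensionInstallBlacklist = @('*')
        ExtensionInstallForcelist = @('ohlcnddhihadnalofegeookbpglgadhe')
        URLBlacklist              = @('chrome://extensions', 'chrome://history-frame',
                                      'chrome://chrome/history-frame')
    }

    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($name in $scalars.Keys) {
        $actual = $null
        if ($props -and $props.PSObject.Properties[$name]) { $actual = $props.$name }
        [pscustomobject]@{
            Policy = $name; Expected = $scalars[$name]; Actual = $actual
            Pass   = (($null -ne $actual) -and ($actual -eq $scalars[$name]))
        }
    }
    foreach ($name in $lists.Keys) {
        $entries = @()
        $sub = Join-Path $Key $name
        if (Test-Path $sub) {
            $k = Get-Item $sub
            $entries = @($k.GetValueNames() | ForEach-Object { [string]$k.GetValue($_) })
        }
        # An expected entry is missing when no configured entry starts with it.
        $missing = @($lists[$name] | Where-Object {
            $want = $_
            -not ($entries | Where-Object {
                $_.StartsWith($want, [System.StringComparison]::OrdinalIgnoreCase) })
        })
        [pscustomobject]@{
            Policy = $name; Expected = ($lists[$name] -join ', ')
            Actual = ($entries -join ', '); Pass = ($missing.Count -eq 0)
        }
    }
    # Sign-in restriction: the brief sets a domain pattern; only presence is checked.
    $pattern = $null
    if ($props -and $props.PSObject.Properties['RestrictSigninToPattern']) {
        $pattern = $props.RestrictSigninToPattern
    }
    [pscustomobject]@{
        Policy = 'RestrictSigninToPattern'; Expected = '(non-empty)'
        Actual = $pattern; Pass = (-not [string]::IsNullOrEmpty($pattern))
    }
}

Test-ChromeLockdown | Format-Table -AutoSize
```

Run it on a domain-joined client after `gpupdate /force`; any row with Pass = False points at a setting that did not reach the machine or was configured differently from the brief.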