Welcome to Dirteam.com/ActiveDir.org Blogs Sign in | Join | Help

The things that are better left unspoken

a blog by Sander Berkouwer

Related

AD Manager Plus
 

Blog roll

News



Archives

Five must-have Group Policy settings to protect peoples privacy in Windows 8 and Internet Explorer 10

Padlock User ControlWindows 8 offers new Group Policy settings to protect the privacy of the people using the computer, and also comes with a slew of new security features, that (surprise, surprise!) can also be centrally managed with Group Policy.

1. Turn off Windows Location Provider

This policy setting, located in Computer configuration, Administrative Templates, Windows Components, Location and Sensors, Windows Location Provider, turns off the Windows Location Provider feature for this computer when enabled. If you enable this policy setting all programs on the computer will not be able to use the Windows Location Provider feature.

2. Do not enumerate connected users on domain-joined computers

This policy setting prevents connected users from being enumerated on domain-joined computers. If you enable this policy setting, the Logon user interface will not enumerate any connected users on domain-joined computers. When not configured, connected users will be enumerated on domain-joined computers.

This policy is located in Computer configuration, Administrative Templates, System, Logon

3. Enumerate local users on domain-joined computers

This policy setting allows local users to be enumerated on domain-joined computers. If you enable this policy setting, the Logon user interface will enumerate all local users on domain-joined computers. If you disable or do not configure this policy setting, local users on domain-joined computers will not be shown.

This policy is located in Computer configuration, Administrative Templates, System, Logon

4. Download roaming profiles on primary computers only

When using roaming profiles, logging on to a new machine might take a long time, when the profile size on the server is big. The roaming profile is copied from the server to the client and synchronized between the two hosts on successive logoffs. This typically creates a fast user experience when using a computer, but when you’re only logging on to a computer once (for instance a presentation computer) the initial copy might take ages, while you’re not going to take advantage of the locally cached profile again any time soon…

When you designate a primary computer in the Active Directory attribute msDS-PrimaryComputer for a user account in Active Directory, and enable this policy, computers that are not configured as (one of the) primary computer(s) for the user will not download the roaming profile for the user.

This policy also requires the Windows Server 2012 version of the Active Directory schema to function.

Note:
This basically means you need to prepare your Active Directory environment for Windows Server 2012 Domain Controllers, but don’t necessarily need to implement Windows Server 2012 Domain Controllers. Your down-level Domain Controllers will suffice.

5. Turn off Tracking Protection

This policy setting, located in Computer Configuration, Administrative Templates, Windows Components, Internet Explorer, Privacy can be used to disable the Do Not Track functionality in Internet Explorer. This feature helps users control whether third parties van automatically collect information about their browsing based on the sites that they visit. Do Not Track does this by identifying third-party content that is used by multiple websites that users have visited.

By default, Do Not Track is enabled in Windows 8. If you want to disable users (and malware) to enable this functionality, make sure you configure this Group Policy setting as ‘disabled’.

  

Further reading

How to configure a “Primary Computer” (a.k.a. msDS-PrimaryComputer property) in Windows 8 
Windows 8 setup shows 'Do Not Track' options 
Microsoft will give Windows 8 users 'Do Not Track' options for IE10 
IE 10 "Do Not Track" options for Windows 8 explained  
Windows Location Provider    
Manage Privacy in Windows 8  
Microsoft Leans Pro-Privacy With Its Do Not Track Browser Settings  
Windows 8 Certification and Privacy Statement

Posted: Monday, August 20, 2012 1:20 PM by Sander Berkouwer

Comments

No Comments

Anonymous comments are disabled