Managed Workplace 9.0 Domain Configuration Guide

TABLE OF CONTENTS
Welcome
  Where To Get More Help
  Contact Us
    Documentation
    Technical Support
    AVG Partner Portal
Domain Configuration
  About Domain Configuration
  Windows Server 2012 Domain Controllers GPO Settings
    Configuring the Workstation and Member Server Firewall
    Enabling Remote Desktop Services on Clients
    Enabling Remote Assistance on Clients
    Enabling Remote Event Log Management on Clients
    Enabling MBSA Scans
    Configuring Windows Services for Domain Members
    Configuring Microsoft Updates for Domain Members
    Enabling Windows Remote Management Settings
    Linking GPO to Forest/Domain
    Downloading the Computer Startup Script
    Installing the Computer Startup Script
  Windows Server 2008 Domain Controllers GPO Settings
    Configuring the Workstation and Member Server Firewall
    Enabling Remote Desktop Services on Clients
    Enabling Remote Assistance on Clients
    Enabling Remote Event Log Management on Clients
    Enabling MBSA Scans
    Configuring Windows Services for Domain Members
    Configuring Microsoft Updates for Domain Members
    Enabling Windows Remote Management Settings
    Linking GPO to Forest/Domain
    Downloading the Computer Startup Script
    Installing the Computer Startup Script
  Windows Server 2003 Domain Controllers GPO Settings
    Configuring the Workstation and Member Server Firewall
    Enabling Terminal Service (RDP) on Clients
    Enabling Remote Assistance on Clients
    Enabling MBSA Scans
    Configuring Windows Services for Domain Members
    Configuring Microsoft Updates for Domain Members
    Enabling Windows Remote Management Settings
    Linking GPO to Forest/Domain
    Downloading the Computer Startup Script
    Installing the Computer Startup Script
WELCOME
This guide provides you with a reference to assist you in configuring a Windows
Domain environment so that all member devices can be managed by Onsite
Manager.
All procedures listed in this guide assume that the user has sufficient security
privileges to perform the operations.
Where To Get More Help
Setup Guide Contains instructions about how to install and configure
Managed Workplace.
Online Help Contains all the information from the User Guide optimized for
use online.
Integration Guide: Service Desks Contains the procedures required to
integrate Professional Services Automation (PSA) tools or service desks with
Managed Workplace.
Release Notes Provides last-minute information about the product and
documentation.
Domain Configuration Document Contains an overview of domain
configuration.
Knowledgebase Contains hundreds of articles to help you use Managed
Workplace, including self-guided troubleshooting tools, advanced topics, and
answers to frequently asked questions. To explore the Knowledgebase, click
here. (You must log into the Partner Portal to access the Knowledgebase.)
Educational Video Series An online video resource for instruction about
Managed Workplace. Click here to view the videos currently available. (You
must log into the Partner Portal to access the videos.)
Training AVG offers a series of live and on-demand technical training courses
for all registered Partners. For more information, click here. (You must log into
the Partner Portal to access the Training.)
Contact Us
Documentation
We are committed to making your experience with our product the best it can
be. If you find any errors or omissions in our documentation, or have
suggestions for improving it, write to us:
[email protected]
Technical Support
Our Technical Support team is committed to delivering best-in-class support to
our Partners.
Hours
8:00 AM EST to 8:00 PM EST, Monday to Friday.
Call
International
+1-855-738-1661
Email
To contact a representative by email:
[email protected]
AVG Partner Portal
Click this link to access the AVG Partner Portal, and then log in with your
Username and Password.
Technical Information
To find technical information such as product downloads, performance
guidelines, libraries of policy modules, resource library, scripts and predefined
reports, log into the AVG Partner Portal and in the main menu, click Download.
Partner Services
To find training information, including live and ‘on demand’ training, a list of
courses, course descriptions and a course calendar, log into the AVG Partner
Portal and in the main menu, click Learn.
To access Knowledgebase articles and frequently asked questions (FAQ), click
Knowledgebase located under the Learn menu.
To view or participate in discussions about Managed Workplace, select Forums
under the Connect menu.
DOMAIN CONFIGURATION
This document provides detailed information about the following topics:
• Domain Configuration
• Windows Server 2012 Domain Controllers GPO Settings
• Windows Server 2008 Domain Controllers GPO Settings
• Windows Server 2003 Domain Controllers GPO Settings
About Domain Configuration
The Onsite Manager discovers and monitors everything on your customer
networks, but for it to do so certain settings must be configured on the
member devices. These changes are made to the Windows Firewall Domain
Profile.
The Domain Profile is used when the machine is connected to or logged into the
Domain, and the Standard Profile when it is not. Computers with Device
Managers installed that may physically leave the network should not have the
Standard Profile configured with the policies described below, because the
ports being opened are not required for monitoring and management while the
device is off the network. You can manage this by creating a separate
organizational unit (OU) for these devices.
Once the changes have been made, Group Policy must be refreshed on each
device for the changes to take effect. The policy is refreshed the next time
a user logs into the Domain from the device, or it can be refreshed manually on
each device.
Note: Refresh a device manually by opening a command prompt and issuing
the command gpupdate /force
Caution: The GPO settings contained within this document are based on
common network deployment models. Some networks may have tighter
security requirements which some settings within this document do not meet.
It is highly recommended that you consult your customer's corporate network
security policies before making GPO setting changes. Items within this
document that you may want to reference against your customer's corporate
network security policy include the following:
• Limiting which computers are allowed to connect remotely to other
  computers on the network. For example, some networks may want to lock
  down so that only the Onsite Manager can access other workstations,
  whereas others may allow all the computers within a complete subnet.
• Remote Desktop Connection. This document provides settings that allow a
  user to remotely connect to other PCs using Microsoft's RDP client. This
  may not apply to networks that prefer to use other clients such as VNC.
Important: Because there is no way to predict what OUs exist on any given
system, this guide works with defaults. Depending on your environment, you
may have to apply the policies against objects other than those listed here.
Small Business Server and other Windows versions may have different paths in
the management console to get to the policies, or different utilities to get
there outside of the management console. However, the policy names and
required settings will be consistent with those presented here. AVG Technical
Support is limited to best-effort advice when configuring GPOs in live
environments.
Windows Server 2012 Domain Controllers GPO Settings
The following GPO settings assume the Windows Server 2012 Domain has a
Domain Functional level and Forest Functional level of Windows Server 2012.
The procedure below shows how to create a new Group Policy Object.
1. Click Start and navigate to Administrative Tools > Group Policy
   Management.
2. Expand Forest.
3. Expand Domains.
4. Expand the Domain in which the Onsite Manager is located.
5. Right-click Group Policy Objects and select New.
6. In the Name field, type LPI MW Default Group Policy.
7. Click OK.
Note: You do not have to create a new Group Policy Object. Editing any
existing object has the same effect, provided there are no conflicts
between multiple active Group Policy Objects.
Configuring the Workstation and Member Server Firewall
1. Right-click LPI MW Default Group Policy and select Edit.
2. Navigate to Computer Configuration > Policies > Administrative
   Templates: Policy definitions (ADMX files) retrieved from the local
   machine > Network > Network Connections > Windows Firewall > Domain
   Profile.
3. Configure the following:
   a. Windows Firewall: Allow local program exceptions
      Select Not Configured.
   b. Windows Firewall: Define inbound program exceptions
      Select Not Configured.
   c. Windows Firewall: Protect all network connections
      Select Enabled.
   d. Windows Firewall: Do not allow exceptions
      Select Not Configured.
   e. Windows Firewall: Allow inbound file and printer sharing exception
      Select Enabled.
      In the Allow Unsolicited Incoming Messages From field, enter the local
      subnet (LocalSubnet). For greater security, specify the IP address of
      the Onsite Manager server instead. Before narrowing the scope, make
      sure the limitation does not affect users and tools that are not part
      of Managed Workplace.
   f. Windows Firewall: Allow ICMP exceptions
      Select Enabled.
      Select the Allow inbound echo request check box.
   g. Windows Firewall: Allow logging
      Select Not Configured.
   h. Windows Firewall: Prohibit notifications
      Select Not Configured.
   i. Windows Firewall: Allow local port exceptions
      Select Not Configured.
   j. Windows Firewall: Define inbound port exceptions
      Select Enabled.
      Click Show. In the Show Contents dialog, type the following entry
      (the format is port:transport:scope:status:name), replacing
      <OM IP Address> with the IP address of the Onsite Manager server:
      5985:TCP:<OM IP Address>:enabled:WinRM
   k. Windows Firewall: Allow inbound remote administration exception
      Select Enabled.
      In the Allow Unsolicited Incoming Messages From field, enter the local
      subnet (LocalSubnet). For greater security, specify the IP address of
      the Onsite Manager server instead. Before narrowing the scope, make
      sure the limitation does not affect users and tools that are not part
      of Managed Workplace.
   l. Windows Firewall: Allow inbound Remote Desktop exceptions
      Select Enabled.
      In the Allow Unsolicited Incoming Messages From field, enter the local
      subnet (LocalSubnet). For greater security, specify the IP address of
      the Onsite Manager server instead. Before narrowing the scope, make
      sure the limitation does not affect users and tools that are not part
      of Managed Workplace.
      Caution: With LocalSubnet as the scope, only computers on the same
      subnet as a device can connect to it; computers on any other network
      are refused for every device to which the GPO is applied. Take care
      when setting this. If additional networks need to connect to devices,
      add them to the scope.
   m. Windows Firewall: Prohibit unicast response to multicast or broadcast
      requests
      Select Not Configured.
   n. Windows Firewall: Allow inbound UPnP framework exceptions
      Select Not Configured.
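The same Domain Profile settings, scripted with the GroupPolicy PowerShell module (RSAT, Windows Server 2008 R2 or 2012) instead of the editor. This is an added example and not part of the guide or of Managed Workplace. The GPO name is the one created above; the Onsite Manager address 10.10.20.5 and the decision to scope to that address rather than LocalSubnet are assumptions; the registry paths are the ones the Windows Firewall administrative template writes for these policies. Settings the procedure leaves Not Configured are simply not written.

```powershell
# Added example, not from the Managed Workplace guide. Writes the Domain
# Profile firewall policies from the procedure above into the GPO.
# Run on a domain controller or RSAT workstation as a user who can create GPOs.
Import-Module GroupPolicy

$GpoName   = 'LPI MW Default Group Policy'
$OmAddress = '10.10.20.5'     # assumed Onsite Manager address; change per site
# The guide's default is 'LocalSubnet'; the OM address is the tighter choice.
$Scope     = $OmAddress

# Create the GPO only if it does not already exist.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

$fw = 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'

function Set-MwFirewallValue([string]$SubKey, [string]$ValueName, $Value, [string]$Type) {
    # Thin wrapper so each policy below reads as one line of intent.
    $key = if ($SubKey) { "$fw\$SubKey" } else { $fw }
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName $ValueName -Type $Type -Value $Value | Out-Null
}

# c) Protect all network connections -> Enabled
Set-MwFirewallValue '' 'EnableFirewall' 1 'DWord'

# e) Allow inbound file and printer sharing exception -> Enabled, scoped
Set-MwFirewallValue 'Services\FileAndPrint' 'Enabled'         1      'DWord'
Set-MwFirewallValue 'Services\FileAndPrint' 'RemoteAddresses' $Scope 'String'

# f) Allow ICMP exceptions -> Enabled, inbound echo request only
Set-MwFirewallValue 'IcmpSettings' 'AllowInboundEchoRequest' 1 'DWord'

# j) Define inbound port exceptions -> 5985/TCP from the OM only, named WinRM.
#    Each list entry is stored as a string value whose name equals its data.
$portEntry = "5985:TCP:${OmAddress}:enabled:WinRM"
Set-MwFirewallValue 'GloballyOpenPorts\List' $portEntry $portEntry 'String'

# k) Allow inbound remote administration exception -> Enabled, scoped
Set-MwFirewallValue 'RemoteAdminSettings' 'Enabled'         1      'DWord'
Set-MwFirewallValue 'RemoteAdminSettings' 'RemoteAddresses' $Scope 'String'

# l) Allow inbound Remote Desktop exceptions -> Enabled, scoped
Set-MwFirewallValue 'Services\RemoteDesktop' 'Enabled'         1      'DWord'
Set-MwFirewallValue 'Services\RemoteDesktop' 'RemoteAddresses' $Scope 'String'

# Review what landed in the GPO before it is linked anywhere.
$report = Join-Path $env:TEMP 'LPI-MW-Default-Group-Policy.html'
Get-GPOReport -Name $GpoName -ReportType Html -Path $report
Write-Host "Settings report written to $report"
```

Open the HTML report and confirm the Domain Profile entries match steps c, e, f, j, k and l before linking the GPO; the scope value is the one to check most carefully, since a wrong RemoteAddresses string silently widens or blocks access for every device the GPO reaches.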
Enabling Remote Desktop Services on Clients
1. Right-click LPI MW Default Group Policy and select Edit.
2. Navigate to Computer Configuration > Policies > Administrative
   Templates: Policy definitions (ADMX files) retrieved from the local
   machine > Windows Components > Remote Desktop Services > Remote
   Desktop Session Host > Connections.
3. Configure the following:
   a. Allow users to connect remotely by using Remote Desktop Services
      Select Enabled.
Enabling Remote Assistance on Clients
1. Right-click LPI MW Default Group Policy and select Edit.
2. Navigate to Computer Configuration > Policies > Administrative
   Templates: Policy definitions (ADMX files) retrieved from the local
   machine > System > Remote Assistance.
3. Configure the following:
   a. Allow only Windows Vista or later connections
      Select Disabled.
   b. Turn on session logging
      Select Not Configured.
   c. Turn on bandwidth optimization
      Select Not Configured.
   d. Customize warning messages
      Select Not Configured.
   e. Configure solicited Remote Assistance
      Select Enabled.
      Choose Allow helpers to remotely control the computer.
      Set Maximum ticket time (value) to 1.
      Set Maximum ticket time (units) to Hours.
      Choose Mailto as the Method for sending email invitations.
Enabling Remote Event Log Management on Clients
1. Right-click LPI MW Default Group Policy and select Edit.
2. Navigate to Computer Configuration > Policies > Windows Settings >
   Security Settings > Windows Firewall with Advanced Security > Inbound
   Rules.
3. Right-click Inbound Rules and select New Rule.
4. Select the Predefined option button, and from the list select Remote Event
   Log Management.
5. Click Next.
6. Ensure that all rules are selected.
7. Select the Allow the connection option.
8. Click Finish.
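The predefined Remote Event Log Management group, written into the GPO's firewall store from PowerShell. This is an added example and not part of the guide; it recreates the group's three rules with the NetSecurity module (Windows 8 / Server 2012 or later, RSAT), and it narrows the remote address to the Onsite Manager rather than the wizard's default of Any, which is the tighter choice for a device that only the OM needs to reach. The domain corp.example.com and the OM address 10.10.20.5 are assumptions.

```powershell
# Added example, not from the Managed Workplace guide. Builds the three rules
# of the predefined 'Remote Event Log Management' group (RPC, RPC endpoint
# mapper, named pipes over SMB) inside the GPO, scoped to the Onsite Manager.
Import-Module NetSecurity

$Store     = 'corp.example.com\LPI MW Default Group Policy'   # assumed domain\GPO
$OmAddress = '10.10.20.5'                                     # assumed OM address
$Group     = 'Remote Event Log Management'

# Port/service pairs mirror the predefined rules: the event log service on a
# dynamic RPC port, the endpoint mapper that hands out that port, and SMB 445.
$rules = @(
    @{ Name = 'MW-RemoteEventLog-RPC';      Display = "$Group (RPC)";       Port = 'RPC';      Service = 'Eventlog' }
    @{ Name = 'MW-RemoteEventLog-RPC-EPMAP';Display = "$Group (RPC-EPMAP)"; Port = 'RPCEPMap'; Service = 'rpcss' }
    @{ Name = 'MW-RemoteEventLog-NP-In';    Display = "$Group (NP-In)";     Port = 445;        Service = $null }
)

# Open the GPO's firewall store once, add every rule to that session, save once.
$session = Open-NetGPO -PolicyStore $Store
foreach ($r in $rules) {
    $params = @{
        GPOSession    = $session
        Name          = $r.Name
        DisplayName   = $r.Display
        Group         = $Group
        Direction     = 'Inbound'
        Action        = 'Allow'
        Profile       = 'Domain'      # never the Standard/Private profile, per the guide
        Protocol      = 'TCP'
        LocalPort     = $r.Port
        RemoteAddress = $OmAddress    # wizard default would be Any
        Enabled       = 'True'
    }
    if ($r.Service) { $params.Service = $r.Service }
    New-NetFirewallRule @params | Out-Null
}
Save-NetGPO -GPOSession $session

# Confirm the rules exist in the GPO store (not the local machine's store).
Get-NetFirewallRule -PolicyStore $Store -Group $Group |
    Select-Object DisplayName, Enabled, Profile, Direction, Action
```

If the customer's policy allows other hosts to read event logs (for example a SIEM collector), pass a list of addresses to RemoteAddress instead of a single one; the guide's LocalSubnet alternative is the string 'LocalSubnet'.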
Enabling MBSA Scans
To successfully run MBSA scans, the account that runs the scans must hold
the Log on as a batch job user right on the scanned devices.
1. Right-click LPI MW Default Group Policy and select Edit.
2. Navigate to Computer Configuration > Policies > Windows Settings >
   Security Settings > Local Policies > User Rights Assignment.
3. Configure the following:
   Log on as a batch job
   Check Define these policy settings.
   Click Add User or Group.
   Type the user or group name, and click OK.
Note: Defining a user right in a GPO replaces the assignment on the device
rather than adding to it, so include any accounts that already need this
right (for example, existing scheduled task or backup accounts).
Configuring Windows Services for Domain Members
1. Right-click LPI MW Default Group Policy and select Edit.
2. Navigate to Computer Configuration > Policies > Windows Settings >
   Security Settings > System Services.
3. Configure the following:
   a. Windows Management Instrumentation (WMI)
      Check Define this policy setting.
      Startup Type: Automatic
   b. Remote Registry
      Check Define this policy setting.
      Startup Type: Automatic
   c. Remote Procedure Call (RPC)
      Check Define this policy setting.
      Startup Type: Automatic
   d. Background Intelligent Transfer Service
      Check Define this policy setting.
      Startup Type: Automatic
   e. Windows Update
      Check Define this policy setting.
      Startup Type: Automatic
      Only required by Managed Workplace if the site uses Patch
      Management.
   f. Windows Remote Management (WS-Management)
      Check Define this policy setting.
      Select service startup mode: Automatic
Note: When you apply a system service startup policy to a Windows XP
machine, additional steps may be needed so that the service account that
handles the monitoring can connect to Windows Management Instrumentation.
Follow the procedure below to configure the security appropriately.
1. Open the group policy and go to Computer Configuration > Windows Settings
   > Security Settings > System Services.
2. Open the property page for the Windows Management Instrumentation
   service from the list.
3. Click Edit Security.
4. Add the following permission:
   Authenticated Users > Read
   Note: When you add Authenticated Users, the permissions selected by
   default are Start, Stop and Pause; change them to Read only.
5. Apply the group policy to the Windows XP workstations and restart the
   affected machines.
Configuring Microsoft Updates for Domain Members
Managed Workplace Patch Management does not use Group Policy to point
managed clients at an update server, so any WSUS policy that is in place on
the Domain (for example, one that sets an intranet update server) interferes
with the normal operation of Patch Management. Leave every Windows Update
policy Not Configured in this GPO, and check other GPOs linked to the same
devices for the same settings.
1. Right-click LPI MW Default Group Policy and select Edit.
2. Navigate to Computer Configuration > Administrative Templates: Policy
   definitions (ADMX files) retrieved from the local machine > Windows
   Components > Windows Update.
3. Set all policies to Not Configured.
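A check for the conflict described above: which GPOs in the domain push Windows Update policy at all, followed by clearing those values from the Managed Workplace GPO so they read Not Configured. This is an added example, not part of the guide; it uses the GroupPolicy module and assumes the GPO name created earlier in this section.

```powershell
# Added example, not from the Managed Workplace guide. Finds WSUS / Windows
# Update policy in every GPO of the domain and clears it from the MW GPO.
Import-Module GroupPolicy

$GpoName = 'LPI MW Default Group Policy'
# Both keys the Windows Update administrative template writes to.
$WuKeys  = @(
    'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate',
    'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
)

# 1. Inventory: every configured value under the Windows Update keys, per GPO.
#    Get-GPRegistryValue throws when nothing is configured under the key, so
#    the try/catch turns 'not configured' into no output rather than an error.
$configured = foreach ($gpo in Get-GPO -All) {
    foreach ($key in $WuKeys) {
        try {
            Get-GPRegistryValue -Guid $gpo.Id -Key $key -ErrorAction Stop |
                Where-Object { $_.HasValue } |
                ForEach-Object {
                    [pscustomobject]@{
                        GPO   = $gpo.DisplayName
                        Key   = $key
                        Value = $_.ValueName
                        Data  = $_.Value
                    }
                }
        } catch { }
    }
}
$configured | Sort-Object GPO, Key, Value | Format-Table -AutoSize
# Rows from any GPO other than the MW one, in particular WUServer,
# WUStatusServer or UseWUServer, are the WSUS policies that will interfere
# with Patch Management on the devices those GPOs reach.

# 2. Make the MW GPO itself leave every Windows Update policy Not Configured.
#    Without -ValueName, Remove-GPRegistryValue removes all values under the key.
foreach ($key in $WuKeys) {
    try {
        Remove-GPRegistryValue -Name $GpoName -Key $key -ErrorAction Stop | Out-Null
        Write-Host "Cleared $key in '$GpoName'"
    } catch {
        Write-Host "Nothing configured under $key in '$GpoName'"
    }
}
```

Step 1 only reports; deciding what to do with a WSUS policy found in another GPO (unlink it from the managed OU, or move the managed devices to an OU it does not reach) is the customer's call, as the caution in About Domain Configuration says.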
Enabling Windows Remote Management Settings
1. Right-click LPI MW Default Group Policy and select Edit.
2. Navigate to Computer Configuration > Administrative Templates: Policy
   definitions (ADMX files) retrieved from the local machine > Windows
   Components > Windows Remote Management (WinRM) > WinRM Service.
3. Configure Allow remote server management through WinRM by doing the
   following:
   • Select Enabled.
   • In the IPv4 filter field, type *.
   A filter of * makes the WinRM listener accept connections on every IPv4
   address of the device; it is the inbound port exception for 5985/TCP
   defined in the firewall section that limits the source to the Onsite
   Manager address or the local subnet.
4. Navigate to Computer Configuration > Administrative Templates: Policy
   definitions (ADMX files) retrieved from the local machine > Windows
   Components > Windows Remote Management (WinRM) > WinRM Client.
5. Configure Trusted Hosts by doing the following:
   • Select Enabled.
   • In the TrustedHostsList field, type *.
   Note: The client TrustedHosts list is only consulted for connections that
   cannot be authenticated with Kerberos (for example, a target addressed by
   IP or outside the domain); a wildcard lets the client send credentials to
   any such host. Narrow it to the Onsite Manager address if the customer's
   security policy requires it.
Linking GPO to Forest/Domain
A GPO is linked to a domain or to an organizational unit (OU), not to the
forest itself. Link it to the domain to cover every member device, or to the
OU that contains the devices to be managed (see About Domain Configuration).
1. In Group Policy Management, select the domain or OU to which you want
   to link the LPI MW Default Group Policy GPO.
2. On the Action menu, click Link an Existing GPO.
3. Select LPI MW Default Group Policy.
4. Click OK.
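Once the GPO is linked and policy has refreshed, the effect of the preceding sections can be checked from the Onsite Manager host in one pass. This is an added example, not part of the guide or of Managed Workplace: it pushes a policy refresh to one member device, then tests each path the settings are meant to open (ICMP echo, RPC, SMB, RDP, WinRM, WS-Man, remote event log reads) and reads the startup mode of the services the guide sets to Automatic. The target host WS01.corp.example.com is an assumption, as is running it with an account that is a local administrator on that host, on PowerShell 4 or later (Test-NetConnection) with the GroupPolicy module installed (Invoke-GPUpdate).

```powershell
# Added example, not from the Managed Workplace guide. Verifies, from the OM
# host, that a member device exposes what the GPO settings intend.
$Target = 'WS01.corp.example.com'    # assumed member device

# Force a policy refresh instead of waiting for the next logon. Invoke-GPUpdate
# schedules a task on the target over RPC; if that is blocked, run
# gpupdate /force on the device and continue with the checks below.
try {
    Invoke-GPUpdate -Computer $Target -Force -RandomDelayInMinutes 0 -ErrorAction Stop
} catch {
    Write-Warning "Invoke-GPUpdate failed: $($_.Exception.Message)"
}

function Test-MwDeviceAccess([string]$ComputerName) {
    # Each check maps to one setting in the guide; all should report OK.
    $checks = [ordered]@{
        'ICMP echo (Allow ICMP exceptions)'        = { Test-Connection -ComputerName $ComputerName -Count 1 -Quiet }
        'TCP 135 (remote administration: RPC)'     = { (Test-NetConnection -ComputerName $ComputerName -Port 135  -WarningAction SilentlyContinue).TcpTestSucceeded }
        'TCP 445 (file and printer sharing)'       = { (Test-NetConnection -ComputerName $ComputerName -Port 445  -WarningAction SilentlyContinue).TcpTestSucceeded }
        'TCP 3389 (Remote Desktop exception)'      = { (Test-NetConnection -ComputerName $ComputerName -Port 3389 -WarningAction SilentlyContinue).TcpTestSucceeded }
        'TCP 5985 (WinRM port exception)'          = { (Test-NetConnection -ComputerName $ComputerName -Port 5985 -WarningAction SilentlyContinue).TcpTestSucceeded }
        'WS-Man identify (WinRM service listener)' = { [bool](Test-WSMan -ComputerName $ComputerName -ErrorAction Stop) }
        'Remote event log read (Remote Event Log)' = { [bool](Get-WinEvent -ComputerName $ComputerName -LogName System -MaxEvents 1 -ErrorAction Stop) }
    }
    foreach ($name in $checks.Keys) {
        $ok = try { [bool](& $checks[$name]) } catch { $false }
        [pscustomobject]@{ Check = $name; Result = if ($ok) { 'OK' } else { 'FAIL' } }
    }
}

Test-MwDeviceAccess -ComputerName $Target | Format-Table -AutoSize

# Services the guide sets to Automatic, read over WMI/RPC (the remote
# administration exception). Any StartMode other than 'Auto' means the
# System Services policy has not landed on this device.
$required = 'Winmgmt', 'RemoteRegistry', 'RpcSs', 'BITS', 'wuauserv', 'WinRM'
$filter   = ($required | ForEach-Object { "Name='$_'" }) -join ' OR '
Get-WmiObject -Class Win32_Service -ComputerName $Target -Filter $filter |
    Select-Object Name, StartMode, State | Format-Table -AutoSize
```

A FAIL on the port checks while the GPO report shows the settings present usually means the device is evaluating the Standard rather than the Domain profile (it is not seeing a domain controller), or that the scope entered in the firewall section does not include the address the OM host is connecting from.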
Downloading the Computer Startup Script
You can download the Startup Script in .VBS file format from within Service
Center.
1. In Service Center, click Configuration and then click Site Management.
2. Click the name of the Site with which you are working.
3. Click the Resources tab.
4. Click Download Sample Startup Script to download the
   Domain_Sample_Startup_Script.vbs file.
5. Click either Save or Open.
Installing the Computer Startup Script
1. Right-click LPI MW Default Group Policy and select Edit.
2. Navigate to Computer Configuration > Policies > Windows Settings.
3. Double-click Scripts (Startup/Shutdown).
4. Double-click Startup.
5. Click Show Files.
6. Copy the Domain_Sample_Startup_Script.vbs file into the Explorer
   window opened in the previous step. Close the Explorer window.
7. Click Add.
8. Enter Domain_Sample_Startup_Script.vbs and click OK.
Windows Server 2008 Domain Controllers GPO Settings
The following GPO settings assume the Windows Server 2008 Domain has a
Domain Functional level and Forest Functional level of Windows Server 2008.
The procedure below shows how to create a new Group Policy Object.
1. Click Start and navigate to Administrative Tools > Group Policy
   Management.
2. Expand Forest.
3. Expand Domains.
4. Expand the Domain in which the Onsite Manager is located.
5. Right-click Group Policy Objects and select New.
6. In the Name field, type LPI MW Default Group Policy.
7. Click OK.
Note: You do not have to create a new Group Policy Object. Editing any
existing object has the same effect, provided there are no conflicts
between multiple active Group Policy Objects.
Configuring the Workstation and Member Server Firewall
1. Right-click LPI MW Default Group Policy and select Edit.
2. Navigate to Computer Configuration > Policies > Administrative
   Templates: Policy definitions (ADMX files) retrieved from the local
   machine > Network > Network Connections > Windows Firewall > Domain
   Profile.
3. Configure the following:
   a. Windows Firewall: Allow local program exceptions
      Select Not Configured.
   b. Windows Firewall: Define inbound program exceptions
      Select Not Configured.
   c. Windows Firewall: Do not allow exceptions
      Select Not Configured.
   d. Windows Firewall: Allow inbound file and printer sharing exception
      Select Enabled.
      In the Allow Unsolicited Incoming Messages From field, enter the local
      subnet (LocalSubnet). For greater security, specify the IP address of
      the Onsite Manager server instead. Before narrowing the scope, make
      sure the limitation does not affect users and tools that are not part
      of Managed Workplace.
   e. Windows Firewall: Allow ICMP exceptions
      Select Enabled.
      Select the Allow inbound echo request check box.
   f. Windows Firewall: Allow logging
      Select Not Configured.
   g. Windows Firewall: Prohibit notifications
      Select Not Configured.
   h. Windows Firewall: Allow local port exceptions
      Select Not Configured.
   i. Windows Firewall: Define inbound port exceptions
      Select Enabled.
      Click Show. In the Show Contents dialog, type the following entry
      (the format is port:transport:scope:status:name), replacing
      <OM IP Address> with the IP address of the Onsite Manager server:
      5985:TCP:<OM IP Address>:enabled:WinRM
   j. Windows Firewall: Allow inbound remote administration exception
      Select Enabled.
      In the Allow Unsolicited Incoming Messages From field, enter the local
      subnet (LocalSubnet). For greater security, specify the IP address of
      the Onsite Manager server instead. Before narrowing the scope, make
      sure the limitation does not affect users and tools that are not part
      of Managed Workplace.
   k. Windows Firewall: Allow inbound Remote Desktop exceptions
      Select Enabled.
      In the Allow Unsolicited Incoming Messages From field, enter the local
      subnet (LocalSubnet). For greater security, specify the IP address of
      the Onsite Manager server instead. Before narrowing the scope, make
      sure the limitation does not affect users and tools that are not part
      of Managed Workplace.
      Caution: With LocalSubnet as the scope, only computers on the same
      subnet as a device can connect to it; computers on any other network
      are refused for every device to which the GPO is applied. Take care
      when setting this. If additional networks need to connect to devices,
      add them to the scope.
   l. Windows Firewall: Prohibit unicast response to multicast or broadcast
      requests
      Select Not Configured.
   m. Windows Firewall: Allow inbound UPnP framework exceptions
      Select Not Configured.
Enabling Remote Desktop Services on Clients
1. Right-click LPI MW Default Group Policy and select Edit.
2. Navigate to Computer Configuration > Policies > Administrative
   Templates: Policy definitions (ADMX files) retrieved from the local
   machine > Windows Components > Remote Desktop Services > Remote
   Desktop Session Host > Connections.
3. Configure the following:
   a. Allow users to connect remotely by using Remote Desktop Services
      Select Enabled.
Note: On Windows Server 2008 R2 this component is called Remote Desktop
Services. On Windows Server 2008 it is called Terminal Services.
Enabling Remote Assistance on Clients
1. Right-click LPI MW Default Group Policy and select Edit.
2. Navigate to Computer Configuration > Policies > Administrative
   Templates: Policy definitions (ADMX files) retrieved from the local
   machine > System > Remote Assistance.
3. Configure the following:
   a. Allow only Vista or later connections
      Select Disabled.
   b. Turn on session logging
      Select Not Configured.
   c. Turn on bandwidth optimization
      Select Not Configured.
   d. Customize Warning Messages
      Select Not Configured.
   e. Solicited Remote Assistance
      Select Enabled.
      Choose Allow helpers to remotely control the computer.
      Set Maximum ticket time (value) to 1.
      Set Maximum ticket time (units) to Hours.
      Choose Mailto as the Method for sending e-mail invitations.
   f. Offer Remote Assistance
      Select Not Configured.
Enabling Remote Event Log Management on Clients
1. Right-click LPI MW Default Group Policy and select Edit.
2. Navigate to Computer Configuration > Policies > Windows Settings >
   Security Settings > Windows Firewall with Advanced Security > Inbound
   Rules.
3. Right-click Inbound Rules and select New Rule.
4. Select the Predefined option button, and from the list select Remote Event
   Log Management.
5. Click Next.
6. Ensure that all rules are selected.
7. Select the Allow the connection option.
8. Click Finish.
Enabling MBSA Scans
To successfully run MBSA scans, the account that runs the scans must hold
the Log on as a batch job user right on the scanned devices.
1. Right-click LPI MW Default Group Policy and select Edit.
2. Navigate to Computer Configuration > Policies > Windows Settings >
   Security Settings > Local Policies > User Rights Assignment.
3. Configure the following:
   Log on as a batch job
   Check Define these policy settings.
   Click Add User or Group.
   Type the user or group name, and click OK.
Note: Defining a user right in a GPO replaces the assignment on the device
rather than adding to it, so include any accounts that already need this
right.
Configuring Windows Services for Domain Members
1. Right-click LPI MW Default Group Policy and select Edit.
2. Navigate to Computer Configuration > Policies > Windows Settings >
   Security Settings > System Services.
3. Configure the following:
   a. Windows Management Instrumentation (WMI)
      Check Define this policy setting.
      Startup Type: Automatic
   b. Remote Registry
      Check Define this policy setting.
      Startup Type: Automatic
   c. Remote Procedure Call (RPC)
      Check Define this policy setting.
      Startup Type: Automatic
   d. Background Intelligent Transfer Service (BITS)
      Check Define this policy setting.
      Startup Type: Automatic
   e. Windows Update
      Check Define this policy setting.
      Startup Type: Automatic
      Only required by Managed Workplace if the site uses Patch
      Management.
   f. Windows Remote Management (WS-Management)
      Check Define this policy setting.
      Select service startup mode: Automatic
Note: When you apply a system service startup policy to a Windows XP
machine, additional steps may be needed so that the service account that
handles the monitoring can connect to Windows Management Instrumentation.
Follow the procedure below to configure the security appropriately.
1. Open the group policy and go to Computer Configuration > Windows Settings
   > Security Settings > System Services.
2. Open the property page for the Windows Management Instrumentation
   service from the list.
3. Click Edit Security.
4. Add the following permission:
   Authenticated Users > Read
   Note: When you add Authenticated Users, the permissions selected by
   default are Start, Stop and Pause; change them to Read only.
5. Apply the group policy to the Windows XP workstations and restart the
   affected machines.
Configuring Microsoft Updates for Domain Members
Managed Workplace Patch Management does not use Group Policy to point
managed clients at an update server, so any WSUS policy that is in place on
the Domain interferes with the normal operation of Patch Management. Leave
every Windows Update policy Not Configured in this GPO, and check other GPOs
linked to the same devices for the same settings.
1. Right-click LPI MW Default Group Policy and select Edit.
2. Navigate to Computer Configuration > Administrative Templates: Policy
   definitions (ADMX files) retrieved from the local machine > Windows
   Components > Windows Update.
3. Set all policies to Not Configured.
Enabling Windows Remote Management Settings
1. Right-click LPI MW Default Group Policy and select Edit.
2. Navigate to Computer Configuration > Administrative Templates: Policy
   definitions (ADMX files) retrieved from the local machine > Windows
   Components > Windows Remote Management (WinRM) > WinRM Service.
3. Configure Allow automatic configuration of listeners by doing the
   following:
   • Select Enabled.
   • In the IPv4 filter field, type *.
   (The listener then accepts connections on every IPv4 address of the
   device; the 5985/TCP port exception in the firewall section is what
   limits the source.)
4. Navigate to Computer Configuration > Administrative Templates: Policy
   definitions (ADMX files) retrieved from the local machine > Windows
   Components > Windows Remote Management (WinRM) > WinRM Client.
5. Configure Trusted Hosts by doing the following:
   • Select Enabled.
   • In the TrustedHostsList field, type *.
   (The list is only consulted for connections that cannot use Kerberos;
   narrow it if the customer's security policy requires it.)
Linking GPO to Forest/Domain
A GPO is linked to a domain or to an organizational unit (OU), not to the
forest itself. Link it to the domain to cover every member device, or to the
OU that contains the devices to be managed.
1. In Group Policy Management, select the domain or OU to which you want
   to link the LPI MW Default Group Policy GPO.
2. On the Action menu, click Link an Existing GPO.
3. Select LPI MW Default Group Policy.
4. Click OK.
Downloading the Computer Startup Script
You can download the Startup Script in .VBS file format from within Service
Center.
1. In Service Center, click Configuration and then click Site Management.
2. Click the name of the Site with which you are working.
3. Click the Site Resources tab.
4. Click Download Sample Startup Script to download the
   Domain_Sample_Startup_Script.vbs file.
5. Click either Save or Open.
Installing the Computer Startup Script
1. Right-click LPI MW Default Group Policy and select Edit.
2. Navigate to Computer Configuration > Policies > Windows Settings.
3. Double-click Scripts.
4. Double-click Startup.
5. Click Show Files.
6. Copy the Domain_Sample_Startup_Script.vbs file into the Explorer
   window opened in the previous step. Close the Explorer window.
7. Click Add.
8. Enter Domain_Sample_Startup_Script.vbs and click OK.
Windows Server 2003 Domain Controllers GPO Settings
The following GPO settings assume the Windows Server 2003 Domain has a
Domain Functional level and Forest Functional level of Windows Server 2003.
1. Click Start and navigate to Administrative Tools > Group Policy
   Management.
2. Expand Forest.
3. Expand Domains.
4. Expand the Domain in which the Onsite Manager is located.
5. Right-click Group Policy Objects and select New.
6. In the Name field, type LPI MW Default Group Policy.
7. Click OK.
Configuring the Workstation and Member Server Firewall
1. Right-click LPI MW Default Group and select Edit.
2. Navigate to Computer Configuration > Administrative Templates >
   Network > Network Connections > Windows Firewall > Domain Profile.
3. Configure the following:
   a. Windows Firewall: Do not allow exceptions
      Select Not Configured
   b. Windows Firewall: Define program exceptions
      Select Not Configured
   c. Windows Firewall: Allow local program exceptions
      Select Not Configured
   d. Windows Firewall: Allow remote administration exception
      Select Enabled
      In the Allow Unsolicited Incoming Messages From field, enter the local
      subnet. For greater security, you can specify the IP address of the
      Onsite Manager server. However, make sure that by introducing this
      limitation you are not impacting actions of users who are not using
      Managed Workplace.
   e. Windows Firewall: Allow file and printer sharing exception
      Select Enabled
      In the Allow Unsolicited Incoming Messages From field, enter the local
      subnet. For greater security, you can specify the IP address of the
      Onsite Manager server. However, make sure that by introducing this
      limitation you are not impacting actions of users who are not using
      Managed Workplace.
   f. Windows Firewall: Allow ICMP exceptions
      Select Enabled
      Enable the Allow Inbound Echo Request check box.
   g. Windows Firewall: Allow remote desktop exception
      Select Enabled
      In the Allow Unsolicited Incoming Messages From field, enter the local
      subnet. For greater security, you can specify the IP address of the
      Onsite Manager server. However, make sure that by introducing this
      limitation you are not impacting actions of users who are not using
      Managed Workplace.
      Caution: The LocalSubnet setting does not allow computers from
      networks other than the same subnet to connect to any device to
      which the GPO is applied. Take care when setting this. If additional
      networks need to connect to the devices, adjust the setting
      accordingly.
   h. Windows Firewall: Allow UPnP framework exception
      Select Not Configured
   i. Windows Firewall: Prohibit notifications
      Select Not Configured
   j. Windows Firewall: Allow logging
      Select Not Configured
   k. Windows Firewall: Prohibit unicast response to multicast or broadcast
      requests
      Select Not Configured
   l. Windows Firewall: Define port exceptions
      Select Enabled.
      Click the Show button, and in the Show Contents dialog box, type
      5985:TCP:<OM IP address>:enabled:WinRM
   m. Windows Firewall: Allow local port exceptions
      Select Not Configured
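The following PowerShell script is an added verification check and is not part of the AVG guide: run from the Onsite Manager server (the address you put in the Allow Unsolicited Incoming Messages From fields), it probes each client for the ICMP, file and printer sharing, remote desktop, remote administration and WinRM exceptions the GPO above enables. The computer names are placeholders.

```powershell
# Added check, not from the AVG guide. Run from the Onsite Manager server so
# that a failed probe means the exception or its scope is wrong for the OM.
$computers = @('CLIENT01', 'CLIENT02')   # placeholder names, replace them

# One probe per firewall exception enabled in step 3; Port 0 means ICMP echo.
$probes = @(
    @{ Exception = 'Allow ICMP exceptions (inbound echo request)';  Port = 0 }
    @{ Exception = 'Allow file and printer sharing exception (SMB)'; Port = 445 }
    @{ Exception = 'Allow remote administration exception (RPC)';   Port = 135 }
    @{ Exception = 'Allow remote desktop exception';                Port = 3389 }
    @{ Exception = 'Define port exceptions (5985:TCP WinRM)';       Port = 5985 }
)

function Test-TcpPort {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        # A silently dropped packet (firewall scope excludes us) times out here.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)   # throws when the port is refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-MwFirewallExceptions {
    param([string]$Computer)
    foreach ($p in $probes) {
        $open = if ($p.Port -eq 0) {
            # -Quiet is $true only when an echo reply came back.
            Test-Connection -ComputerName $Computer -Count 1 -Quiet
        } else {
            Test-TcpPort -Computer $Computer -Port $p.Port
        }
        [pscustomobject]@{
            Computer  = $Computer
            Exception = $p.Exception
            Port      = $p.Port
            Reachable = $open
        }
    }
}

$computers | ForEach-Object { Test-MwFirewallExceptions -Computer $_ } |
    Format-Table -AutoSize
```

A row that shows Reachable = False after policy has refreshed usually means the scope entered for that exception does not include the Onsite Manager address.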
Enabling Terminal Service (RDP) on Clients
1. Right-click LPI MW Default Group and select Edit.
2. Navigate to Computer Configuration > Administrative Templates >
   Windows Components > Terminal Services.
3. Configure the following:
   • Allow users to connect remotely using Terminal Services
     Select Enabled
Enabling Remote Assistance on Clients
1. Right-click LPI MW Default Group and select Edit.
2. Navigate to Computer Configuration > Administrative Templates > System >
   Remote Assistance.
3. Configure the following:
   a. Solicited Remote Assistance
      Select Enabled
      Choose Allow helpers to remotely control the computer
      Set Maximum ticket time (value) to 1
      Set Maximum ticket time (units) to Hours
      Choose Mailto as the Method for sending e-mail invitations
Enabling MBSA Scans
To successfully run MBSA scans, you must enable the Log on as a batch job
policy.
1. Right-click LPI MW Default Group and select Edit.
2. Navigate to Computer Configuration > Policies > Windows Settings >
   Security Settings > Local Policies > User Rights Assignment.
3. Configure the following:
   Log on as a batch job
   Check: Define these policy settings
   Click Add User or Group
   Type the user and group name, and click OK.
Configuring Windows Services for Domain Members
A policy update does not start the Windows services, because the update may
be received while the device is up and logged into the Domain. The services
are not started until a user starts them manually or the device reboots.
These changes only affect the startup type of the services when the device is
joined to the Domain.
Configure the Windows Services for Domain members using the Group Policy
Management Tool on the Domain Controller.
1. Right-click LPI MW Default Group and select Edit.
2. In the Group Policy Object Editor window, navigate to Computer
   Configuration > Windows Settings > Security Settings > System Services.
3. Configure the following:
   a. Windows Management Instrumentation (WMI)
      Select Startup Type: Automatic
   b. Remote Registry
      Select Startup Type: Automatic
   c. Remote Procedure Call (RPC)
      Select Startup Type: Automatic
   d. Background Intelligent Transfer Service (BITS)
      Select Startup Type: Automatic
   e. Windows Update
      Select Startup Type: Automatic
      Windows Update is only required by Managed Workplace if the site uses
      Patch Management.
      Note: If you have not updated the domain policy templates, the "Windows
      Update" service may be displayed as "Automatic Updates".
   f. Windows Remote Management (WS-Management)
      Select service startup mode: Automatic
Note: When you apply a system service startup policy to a Windows XP machine,
additional steps may need to be performed so that the service account handling
the monitoring can connect to Windows Management Instrumentation. Follow the
procedure below to configure the security appropriately.
1. Open the group policy, go to Computer Configuration > Windows Settings >
   Security Settings > System Services.
2. Open the property page for the Windows Management Instrumentation
   service from the list.
3. Click Edit Security.
4. Add the following permission:
   Authenticated Users > Read
   Note: When you add Authenticated Users, the default permission box
   selected will be Start, Stop and Pause, which you need to change to only
   “Read”.
5. Apply the group policy to the Windows XP workstations and restart the
   affected machines.
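Because a policy refresh sets the startup type but does not start the services, the following added PowerShell audit (not part of the AVG guide) reads each client's service startup mode and state over WMI so you can tell "policy not applied" apart from "applied, not started yet". It uses Get-WmiObject (DCOM/RPC, available on XP/2003 clients) and placeholder computer names.

```powershell
# Added audit script, not from the AVG guide. Run from the Onsite Manager
# server with an account that has WMI rights on the clients.
$computers = @('CLIENT01', 'CLIENT02')   # placeholder names, replace them

# Short names of the services the GPO sets to Automatic, in the guide's order.
$required = [ordered]@{
    'Winmgmt'        = 'Windows Management Instrumentation (WMI)'
    'RemoteRegistry' = 'Remote Registry'
    'RpcSs'          = 'Remote Procedure Call (RPC)'
    'BITS'           = 'Background Intelligent Transfer Service (BITS)'
    'wuauserv'       = 'Windows Update (only needed with Patch Management)'
    'WinRM'          = 'Windows Remote Management (WS-Management)'
}

function Test-MwServiceStartup {
    param([string]$Computer)
    foreach ($name in $required.Keys) {
        try {
            # Get-WmiObject uses DCOM/RPC, so it works before WinRM is set up.
            $svc = Get-WmiObject -Class Win32_Service -ComputerName $Computer `
                                 -Filter "Name='$name'" -ErrorAction Stop
        } catch {
            [pscustomobject]@{ Computer = $Computer; Service = $required[$name]
                               StartMode = 'n/a'; State = 'UNREACHABLE'
                               PolicyApplied = $false }
            continue
        }
        # Win32_Service reports the GPO's "Automatic" startup type as 'Auto'.
        # 'Auto' with State 'Stopped' is expected right after a policy refresh:
        # the service starts at the next boot or when started by hand.
        $mode  = if ($svc) { $svc.StartMode } else { 'NOT INSTALLED' }
        $state = if ($svc) { $svc.State }     else { 'n/a' }
        [pscustomobject]@{
            Computer      = $Computer
            Service       = $required[$name]
            StartMode     = $mode
            State         = $state
            PolicyApplied = ($null -ne $svc) -and ($svc.StartMode -eq 'Auto')
        }
    }
}

$computers | ForEach-Object { Test-MwServiceStartup -Computer $_ } |
    Format-Table -AutoSize
```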
Configuring Microsoft Updates for Domain Members
Managed Workplace does not use GPO settings to define the update server for
managed clients, so any WSUS policies that are in place on the Domain will
interfere with normal operations of Patch Management.
1. Right-click LPI MW Default Group and select Edit.
2. Navigate to Computer Configuration > Administrative Templates >
   Windows Components > Windows Update (2008 and later) or Automatic
   Updates (2003).
3. Set all policies to Not Configured.
Enabling Windows Remote Management Settings
1. Right-click LPI MW Default Group and select Edit.
2. Navigate to Computer Configuration > Administrative Templates >
   Windows Components > Windows Remote Management (WinRM) >
   WinRM Service
3. Configure Allow automatic configuration of listeners by doing the
   following:
   • Select Enabled.
   • In the IPv4 filter field, type *.
4. Navigate to Computer Configuration > Administrative Templates >
   Windows Components > Windows Remote Management (WinRM) >
   WinRM Client
5. Configure Trusted Hosts by doing the following:
   • Select Enabled.
   • In the TrustedHosts_List field, type *.
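To confirm that the two WinRM policies above have reached the clients and that the listener is reachable from the Onsite Manager, the following added PowerShell script (not part of the AVG guide) reads the policy registry values that the WinRM administrative templates write and performs an unauthenticated Test-WSMan against each client. The registry paths are those used by the Windows Remote Management policy templates; the computer names are placeholders.

```powershell
# Added verification script, not from the AVG guide. Run from the Onsite
# Manager server after the clients have refreshed policy (gpupdate /force or
# the next refresh interval).
$computers = @('CLIENT01', 'CLIENT02')   # placeholder names, replace them

# Policy keys written by "Allow automatic configuration of listeners" and
# "Trusted Hosts" (WindowsRemoteManagement.adm/.admx).
$serviceKey = 'SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
$clientKey  = 'SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'

function Get-RemotePolicyValue {
    param([string]$Computer, [string]$SubKey, [string]$Name)
    # Reads through the Remote Registry service (set to Automatic earlier), so
    # it works even when the WinRM listener has not come up yet.
    try {
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
        try {
            $key = $base.OpenSubKey($SubKey)
            if ($key) { $key.GetValue($Name) } else { $null }   # $null = policy not applied
        } finally {
            $base.Close()
        }
    } catch {
        'UNREACHABLE'
    }
}

function Test-MwWinRmPolicy {
    param([string]$Computer)
    $listenerUp = $false
    try {
        # Unauthenticated WS-Management Identify on TCP 5985: succeeds only if a
        # listener exists and the 5985:TCP port exception admits this host.
        $null = Test-WSMan -ComputerName $Computer -ErrorAction Stop
        $listenerUp = $true
    } catch { }
    [pscustomobject]@{
        Computer         = $Computer
        AllowAutoConfig  = Get-RemotePolicyValue $Computer $serviceKey 'AllowAutoConfig'   # expect 1
        IPv4Filter       = Get-RemotePolicyValue $Computer $serviceKey 'IPv4Filter'        # expect *
        TrustedHostsList = Get-RemotePolicyValue $Computer $clientKey  'TrustedHostsList'  # expect *
        ListenerAnswers  = $listenerUp
    }
}

$computers | ForEach-Object { Test-MwWinRmPolicy -Computer $_ } | Format-Table -AutoSize
```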
Note: If you cannot locate the Windows Remote Management (WinRM)
policies under Computer Configuration > Administrative Templates > Windows
components in the Group Policy Editor, you may be required to follow these
additional steps:
1. Download and install Microsoft update KB936059 from the following URL:
   http://support.microsoft.com/kb/936059
2. After you have installed the Microsoft update, in the Group Policy Editor,
   go to Computer Configuration > Administrative Templates.
3. Select Add/Remove Templates.
4. In the Add/Remove Templates window, click Add.
5. Import the following templates:
   • C:\Windows\Inf\Windowsremoteshell.adm
   • C:\Windows\Inf\Windowsremotemanagement.adm
6. Click Close.
Linking GPO to Forest/Domain
1. Select the Forest to which you want to link the LPI MW Default Group
   GPO.
2. From the drop-down menu, select Action.
3. Click Link an Existing GPO.
4. Select LPI MW Default Group.
5. Click OK.
Downloading the Computer Startup Script
You can download the Startup Script in a .VBS file format from within Service
Center.
1. In Service Center, click Configuration and then click Site Management.
2. Click the name of the Site with which you are working.
3. Click the Site Resources tab.
4. Click Download Sample Startup Script to download the
   Domain_Sample_Startup_Script.vbs file.
5. Click either Save or Open.
Installing the Computer Startup Script
1. Right-click LPI MW Default Group and select Edit.
2. Navigate to Computer Configuration > Policies > Windows Settings.
3. Double-click Scripts.
4. Double-click Startup.
5. Click Show Files.
6. Copy the Domain_Sample_Startup_Script.vbs file into the Explorer
   window opened in the previous step. Close the Explorer window.
7. Click Add.
8. Enter Domain_Sample_Startup_Script.vbs and click OK.
© 2014 AVG Technologies. All rights reserved. No part of this publication may
be reproduced, stored in a retrieval system, or transmitted, in any form or by
any means, without the prior written permission of AVG Technologies. While
every precaution has been taken in the preparation of this document, AVG
Technologies assumes no responsibility for errors or omissions. Neither is any
liability assumed for damages resulting from the use of the information
contained herein.
Managed Workplace is a registered trademark of AVG Technologies.
Adobe and Acrobat are registered trademarks of Adobe Systems Incorporated
in the United States, and/or other countries.
Microsoft, Windows, and Windows Server are trademarks or registered
trademarks of Microsoft Corporation in the United States and/or other
countries.
All other brands, product names, company names, trademarks, and service
marks are the properties of their respective owners.
This guide was updated on October 9, 2014 10:39 am