AVG Business Managed Workplace ® 9.1 Domain Configuration Guide

Managed Workplace 9.1 Domain Configuration Guide · 2015-06-16 · AVG Technical Support is limited to best-effort advice when configuring GPOs in live environments. Domain Configuration



AVG Business Managed Workplace® 9.1

Domain Configuration Guide


TABLE OF CONTENTS

Welcome  v
  Where To Get More Help  vi
  Contact Us  vi
    Documentation  vi
    Technical Support  vi
    AVG Partner Portal  vii

Domain Configuration  1
  About Domain Configuration  2
  Windows Server 2012 Domain Controllers GPO Settings  3
    Configuring the Workstation and Member Server Firewall  3
    Enabling Remote Desktop Services on Clients  5
    Enabling Remote Assistance on Clients  5
    Enabling Remote Event Log Management on Clients  6
    Enabling MBSA Scans  6
    Configuring Windows Services for Domain Members  7
    Configuring Microsoft Updates for Domain Members  8
    Enabling Windows Remote Management Settings  8
    Linking GPO to Forest/Domain  9
  Windows Server 2008 Domain Controllers GPO Settings  9
    Configuring the Workstation and Member Server Firewall  9
    Enabling Remote Desktop Services on Clients  11
    Enabling Remote Assistance on Clients  11
    Enabling Remote Event Log Management on Clients  12
    Enabling MBSA Scans  13
    Configuring Windows Services for Domain Members  13
    Configuring Microsoft Updates for Domain Members  14
    Enabling Windows Remote Management Settings  15
    Linking GPO to Forest/Domain  15
  Windows Server 2003 Domain Controllers GPO Settings  15
    Configuring the Workstation and Member Server Firewall  16
    Enabling Terminal Service (RDP) on Clients  17
    Enabling Remote Assistance on Clients  18
    Enabling MBSA Scans  18
    Configuring Windows Services for Domain Members  18
    Configuring Microsoft Updates for Domain Members  20
    Enabling Windows Remote Management Settings  20
    Linking GPO to Forest/Domain  21



WELCOME

This guide provides you with a reference to assist you in configuring a Windows Domain environment so that all member devices can be managed by Onsite Manager.

All procedures listed in this guide assume that the user has sufficient security privileges to perform the operations.



Where To Get More Help

Setup Guide Contains instructions about how to install and configure Managed Workplace.

Online Help Contains all the information from the User Guide optimized for use online.

Integration Guide: Service Desks Contains the procedures required to integrate Professional Services Automation (PSA) tools or service desks with Managed Workplace.

Release Notes Provides last-minute information about the product and documentation.

Domain Configuration Document Contains an overview of domain configuration.

Knowledgebase Contains hundreds of articles to help you use Managed Workplace, including self-guided troubleshooting tools, advanced topics, and answers to frequently asked questions. To explore the Knowledgebase, click here. (You must log into the Partner Portal to access the Knowledgebase.)

Educational Video Series An online video resource for instruction about Managed Workplace. Click here to view the videos currently available. (You must log into the Partner Portal to access the videos.)

Training AVG offers a series of live and on-demand technical training courses for all registered Partners. For more information, click here. (You must log into the Partner Portal to access the Training.)

Contact Us

Documentation

We are committed to making your experience with our product the best it can be. If you find any errors or omissions in our documentation, or have suggestions for improving it, write to us:

[email protected]

Technical Support

Support hours and contact information can be found on the AVG Partner Portal:

AVG Managed Workplace Technical Support

vi Domain Configuration Guide


AVG Partner Portal

Click this link to access the AVG Partner Portal, then log in with your Username and Password.

Technical Information

To find technical information such as product downloads, performance guidelines, libraries of policy modules, resource library, scripts and predefined reports, log into the AVG Partner Portal and in the main menu, click Download.

Partner Services

To find training information, including live and ‘on demand’ training, a list of courses, course descriptions and a course calendar, log into the AVG Partner Portal and in the main menu, click Learn.

To access Knowledgebase articles and frequently asked questions (FAQ), click Knowledgebase located under the Learn menu.

To view or participate in discussions about Managed Workplace, select Forums under the Connect menu.




DOMAIN CONFIGURATION

This document provides detailed information about the following topics:

• Domain Configuration

• Windows Server 2012 Domain Controllers GPO Settings

• Windows Server 2008 Domain Controllers GPO Settings

• Windows Server 2003 Domain Controllers GPO Settings



About Domain Configuration

The Onsite Manager sees everything on your customer networks, but in order to do so, certain configurations may need to be performed. These changes must be made to the Domain Profile.

The Domain Profile is used when the machine is connected or logged into the Domain, and the Standard Profile when it is not. Computers with Device Managers installed that may physically leave the network should not have the Standard Profile configured with the policies described below, because the ports being opened are not required for monitoring and management. You can manage this by creating a separate organizational unit (OU) for these devices.

Once the changes have been made, the Group Policy must be updated on each device for the changes to take effect. The policy will be updated the next time a user logs into the Domain from the device, or may be updated manually on each device.

Note: Update a device manually by opening a command prompt and issuing the command gpupdate /force

Caution: The GPO settings contained within this document are based on common network deployment models. Some networks may have tighter security requirements which some settings within this document do not meet. It is highly recommended that you consult your customer’s corporate network security policies before making GPO setting changes. Items within this document that you may want to reference with your customer’s corporate network security policy include the following:

• Limiting which computers are allowed to connect remotely to other computers on the network. For example, some networks may want to lock down access so that only the Onsite Manager can reach other workstations, whereas others may allow all the computers within a complete subnet.

• Remote Desktop Connection. This document provides settings that allow a user to remotely connect to other PCs using Microsoft’s RDP client. This may not apply for networks that prefer to use other clients such as VNC.

Important: Because there is no way to predict what OUs exist on any given system, this guide works with defaults. Depending on your environment, you may have to apply the policies against objects other than those listed here.

Small Business Server and other Windows versions may have different paths in the management console to get to the policies, or different utilities to get there outside of the management console. However, the policy names and required settings will be consistent with those presented here. AVG Technical Support is limited to best-effort advice when configuring GPOs in live environments.


Windows Server 2012 Domain Controllers GPO Settings

The following GPO settings assume the Server 2012 Domain has a Domain Functional level and Forest Functional level of a Windows 2012 Server. The procedure below shows how to create a new Group Policy Object.

1 Click Start and navigate to Administrative Tools > Group Policy Management.

2 Expand Forest.

3 Expand Domains.

4 Expand the Domain in which the Onsite Manager is located.

5 Right-click Group Policy Objects and select New.

6 In the Name field, type LPI MW Default Group Policy.

7 Click OK.

Note: You do not have to create a new Group Policy Object. Editing any current object will have the same effect, providing there are no conflicts between multiple active Group Policy Objects.

Configuring the Workstation and Member Server Firewall

1 Right-click LPI MW Default Group and select Edit.

2 Navigate to Computer Configuration > Policies > Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine > Network > Network Connections > Windows Firewall > Domain Profile.

3 Configure the following:

a Windows Firewall: Allow local program exceptions

Select Not configured

b Windows Firewall: Define inbound program exceptions

Select Not configured

c Windows Firewall: Protect all network connections

Select Enabled.

d Windows Firewall: Do not allow exceptions

Select Not Configured

e Windows Firewall: Allow inbound file and printer sharing Exception


Select Enabled

In the Allow Unsolicited Incoming Messages From field, enter the local subnet. For greater security, you can specify the IP address of the Onsite Manager server. However, make sure that by introducing this limitation you are not impacting actions of users who are not using Managed Workplace.

f Windows Firewall: Allow ICMP exceptions

Select Enabled

Enable the Allow inbound echo request check box.

g Windows Firewall: Allow logging

Select Not Configured

h Windows Firewall: Prohibit notifications

Select Not Configured

i Windows Firewall: Allow local port exceptions

Select Not Configured

j Windows Firewall: Define inbound port exceptions

Select Enabled

Click Show. In the Show Contents dialog, type in the following:

5985:TCP:<OM IP Address>:enabled:WinRM

k Windows Firewall: Allow inbound remote administration exception

Select Enabled

In the Allow Unsolicited Incoming Messages From field, enter the local subnet. For greater security, you can specify the IP address of the Onsite Manager server. However, make sure that by introducing this limitation you are not impacting actions of users who are not using Managed Workplace.

l Windows Firewall: Allow inbound Remote Desktop exceptions

Select Enabled

In the Allow Unsolicited Incoming Messages From field, enter the local subnet. For greater security, you can specify the IP address of the Onsite Manager server. However, make sure that by introducing this limitation you are not impacting actions of users who are not using Managed Workplace.

Caution: The LocalSubnet setting does not allow computers from networks other than the same subnet to connect to all devices to which the GPO is applied. Care should be taken when setting this. If additional networks need to connect to devices, adjust the setting accordingly.

m Windows Firewall: Prohibit unicast response to multicast or broadcast requests

Select Not Configured

n Windows Firewall: Allow inbound UPnP framework exceptions

Select Not Configured
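Once the policy has reached a member, a practitioner will want to confirm that the exceptions above arrived with the intended scope. The script below is an added example, not part of the AVG guide: it reads the Domain Profile firewall policy values that the GPO writes to a member (run it on the member after gpupdate /force), parses the port:protocol:scope:state:name entries from the "Define inbound port exceptions" dialog, and flags any exception whose scope is wider than the guide's local subnet or Onsite Manager address. The policy registry layout is the standard Windows Firewall one; the Onsite Manager address is a constructed placeholder.

```powershell
# Added example, not part of the AVG guide: audit the Domain Profile firewall
# policy pushed by the GPO to a domain member and flag over-wide scopes.
# Assumptions: legacy Windows Firewall policy registry layout; the OM address
# below is a constructed placeholder.

$OnsiteManagerIp = '192.0.2.10'   # placeholder, replace with the real OM address
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'

function Get-PolicyValue {
    # Returns the policy value, or $null when the GPO has not defined it.
    param([string]$SubKey, [string]$Name)
    $path = if ($SubKey) { "$Base\$SubKey" } else { $Base }
    $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-Scope {
    # Verdict for an "Allow Unsolicited Incoming Messages From" scope string.
    # The guide recommends the local subnet or, tighter, the OM address only.
    param([string]$Scope)
    if ([string]::IsNullOrWhiteSpace($Scope) -or $Scope -eq '*') { return 'WIDE: any address' }
    $tokens = $Scope -split ',' | ForEach-Object { $_.Trim() }
    $other  = $tokens | Where-Object { $_ -ne 'LocalSubnet' -and $_ -ne $OnsiteManagerIp }
    if ($other) { return "REVIEW: $($other -join ', ')" }
    return 'OK'
}

function ConvertFrom-PortException {
    # Parses one "port:protocol:scope:state:name" entry as typed in the
    # "Define inbound port exceptions" dialog, e.g. 5985:TCP:<OM IP>:enabled:WinRM
    param([string]$Entry)
    $f = $Entry -split ':'
    if ($f.Count -lt 5) { throw "Malformed port exception entry: '$Entry'" }
    [pscustomobject]@{
        Port     = [int]$f[0]
        Protocol = $f[1].ToUpper()
        Scope    = $f[2]
        Enabled  = ($f[3] -ieq 'enabled')
        Name     = ($f[4..($f.Count - 1)] -join ':')   # a name may itself contain ':'
    }
}

function New-Row {
    param([string]$Setting, [bool]$Enabled, [string]$Scope, [string]$Verdict)
    [pscustomobject]@{ Setting = $Setting; Enabled = $Enabled; Scope = $Scope; Verdict = $Verdict }
}

function Get-DomainProfileAudit {
    $rows = New-Object System.Collections.Generic.List[object]

    # c) Protect all network connections
    $fwOn = Get-PolicyValue '' 'EnableFirewall'
    $v = 'REVIEW: firewall not enforced by policy'; if ($fwOn -eq 1) { $v = 'OK' }
    $rows.Add((New-Row 'Protect all network connections' ($fwOn -eq 1) 'n/a' $v))

    # f) ICMP echo request
    $echo = Get-PolicyValue 'IcmpSettings' 'AllowInboundEchoRequest'
    $v = 'not enabled by policy'; if ($echo -eq 1) { $v = 'OK' }
    $rows.Add((New-Row 'Allow inbound echo request' ($echo -eq 1) 'n/a' $v))

    # e) k) l) The three scoped exceptions share the Enabled/RemoteAddresses layout.
    $scoped = @(
        @{ Setting = 'Allow inbound file and printer sharing exception'; Key = 'Services\FileAndPrint' },
        @{ Setting = 'Allow inbound remote administration exception';   Key = 'RemoteAdminSettings' },
        @{ Setting = 'Allow inbound Remote Desktop exceptions';         Key = 'Services\RemoteDesktop' }
    )
    foreach ($x in $scoped) {
        $enabled = Get-PolicyValue $x.Key 'Enabled'
        $scope   = Get-PolicyValue $x.Key 'RemoteAddresses'
        $v = 'not enabled by policy'; if ($enabled -eq 1) { $v = Test-Scope $scope }
        $rows.Add((New-Row $x.Setting ($enabled -eq 1) $scope $v))
    }

    # j) Port exceptions: each entry under GloballyOpenPorts\List is stored with
    #    the entry text as both the value name and its data.
    $listKey = "$Base\GloballyOpenPorts\List"
    if (Test-Path $listKey) {
        $list = Get-Item $listKey
        foreach ($name in $list.Property) {
            $e = ConvertFrom-PortException ([string]$list.GetValue($name))
            $v = 'disabled'; if ($e.Enabled) { $v = Test-Scope $e.Scope }
            $rows.Add((New-Row "Port exception $($e.Name) ($($e.Port)/$($e.Protocol))" $e.Enabled $e.Scope $v))
        }
    }
    return $rows
}

Get-DomainProfileAudit | Format-Table -AutoSize
```

A row marked WIDE means the member accepts that traffic from any address, which is broader than either option the guide offers; a REVIEW row lists scope tokens that are neither LocalSubnet nor the Onsite Manager address.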

Enabling Remote Desktop Services on Clients

1 Right-click LPI MW Default Group and select Edit.

2 Navigate to Computer Configuration > Policies > Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections.

3 Configure the following:

a Allow users to connect remotely by using Remote Desktop Services.

Select Enabled

Enabling Remote Assistance on Clients

1 Right-click LPI MW Default Group and select Edit.

2 Navigate to Computer Configuration > Policies > Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine > System > Remote Assistance.

3 Configure the following:

a Allow only Windows Vista or later connections

Select Disabled

b Turn on session logging

Select Not Configured

c Turn on bandwidth optimization

Select Not Configured

d Customize warning messages

Select Not Configured


e Configure solicited Remote Assistance

Select Enabled

Choose Allow helpers to remotely control the computer

Set Maximum ticket time (value) to 1

Set maximum ticket time (units) to Hours

Choose Mailto as the Method for sending email invitations

Enabling Remote Event Log Management on Clients

1 Right-click LPI MW Default Group and select Edit.

2 Navigate to Computer Configuration > Policies > Windows Settings > Security settings > Windows Firewall with Advanced Security > Inbound Rules.

3 Right-click Inbound Rules and select New Rule.

4 Select the Predefined option button, and from the list select Remote Event Log Management.

5 Click Next.

6 Ensure that all rules are selected.

7 Select the Allow the connection option.

8 Click Finish.

Enabling MBSA Scans

To successfully run MBSA scans, you must enable the Log on as a batch job policy.

1 Right-click LPI MW Default Group and select Edit.

2 Navigate to Computer Configuration > Policies > Windows Settings > Security settings > Local Policies > User Rights Assignment.

3 Configure the following:

Log on as batch job

Check: Define these policy settings

Click Add User or Group

Type the user and group name, and click OK.


Configuring Windows Services for Domain Members

1 Right-click LPI MW Default Group and select Edit.

2 Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > System Services.

3 Configure the following:

a Windows Management Instrumentation (WMI)

Check: Define this policy setting

Startup Type: Automatic

b Remote Registry

Check: Define this policy setting

Startup Type: Automatic

c Remote Procedure Call (RPC)

Check: Define this policy setting

Startup Type: Automatic

d Background Intelligent Transfer Service

Check: Define this policy setting

Startup Type: Automatic

e Windows Update

Check: Define this policy setting

Startup Type: Automatic

Only required by Managed Workplace if the site uses Patch Management.

f Windows Remote Management (WS-Management) Properties

Check: Define this policy setting

Select service startup mode: Automatic

Note: When you apply a system service startup policy to a Windows XP machine, additional steps may need to be performed so that the service account handling the monitoring can connect to Windows Management Instrumentation. Follow the procedure below to configure the security appropriately.

1 Open the group policy, go to Computer configuration > Windows Settings > Security Settings > System Services.


2 Open the property page for Windows Management Instrumentation service from the list.

3 Click Edit Security.

4 Add the following permission:

Authenticated Users > Read

Note: When you add Authenticated Users, the default permission box selected will be Start, Stop and Pause which you need to change to only “Read”.

5 Apply the group policy to the Windows XP workstations and restart the affected machines.

Configuring Microsoft Updates for Domain Members

Managed Workplace does not use GPO settings to define the update server to managed clients, so any WSUS policies that are in place on the Domain will interfere with normal operations of Patch Management.

1 Right-click LPI MW Default Group and select Edit.

2 Navigate to Computer Configuration > Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine > Windows Components > Windows Update

3 Set all policies to Not Configured.

Enabling Windows Remote Management Settings

1 Right-click LPI MW Default Group and select Edit.

2 Navigate to Computer Configuration > Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine > Windows Components > Windows Remote Management (WinRM) > WinRM Service

3 Configure Allow remote server management through WinRM by doing the following:

• Select Enabled.

• In the IPv4 filter field, type *.

4 Navigate to Computer Configuration > Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine > Windows Components > Windows Remote Management (WinRM) > WinRM Client

5 Configure Trusted Hosts by doing the following:

• Select Enabled.


• In the TrustedHostsLists field, type *.

Linking GPO to Forest/Domain

1 Select the Forest to which you want to link the LPI MW Default Group GPO.

2 From the drop-down menu, select Action.

3 Click Link an Existing GPO.

4 Select LPI MW Default Group.

5 Click OK.
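The Server 2012 procedures above are given as console clicks. The script below is an added example, not part of the AVG guide: it applies the registry-backed settings of those procedures (the firewall exceptions, Remote Desktop Services, the WinRM service and client settings) to the same GPO with the GroupPolicy module from RSAT and then links it, so the configuration can be reviewed and re-applied consistently. The Onsite Manager address is a constructed placeholder, the link target is the domain root derived from the logged-on user's domain, and the System Services and User Rights settings, which live in the security template rather than the registry, are not covered here.

```powershell
# Added example, not part of the AVG guide: script the registry-backed settings
# of the Server 2012 procedures into the GPO and link it at the domain root.
# Assumptions: GroupPolicy module (RSAT) is available; the OM address is a
# constructed placeholder; USERDNSDOMAIN names the domain to link to.
Import-Module GroupPolicy

$GpoName = 'LPI MW Default Group Policy'
$OmIp    = '192.0.2.10'   # placeholder: the Onsite Manager address
$Scope   = $OmIp          # the guide's tighter option; 'LocalSubnet' is the looser one

function Set-MwPolicy {
    # Wrapper so each setting below reads as one line.
    param([string]$Key, [string]$ValueName, [Microsoft.Win32.RegistryValueKind]$Type, $Value)
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName -Type $Type -Value $Value | Out-Null
}

# Create the GPO only if it does not exist yet (the guide allows reusing one).
try { $null = Get-GPO -Name $GpoName -ErrorAction Stop } catch { New-GPO -Name $GpoName | Out-Null }

$fw = 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'

# c) Protect all network connections: Enabled
Set-MwPolicy $fw 'EnableFirewall' DWord 1

# e) k) l) File and printer sharing, remote administration and Remote Desktop
#    exceptions, each scoped by "Allow Unsolicited Incoming Messages From".
foreach ($sub in 'Services\FileAndPrint', 'RemoteAdminSettings', 'Services\RemoteDesktop') {
    Set-MwPolicy "$fw\$sub" 'Enabled'         DWord  1
    Set-MwPolicy "$fw\$sub" 'RemoteAddresses' String $Scope
}

# f) ICMP: allow inbound echo request
Set-MwPolicy "$fw\IcmpSettings" 'AllowInboundEchoRequest' DWord 1

# j) Define inbound port exceptions: 5985/TCP (WinRM) from the OM only.
#    Each list entry is stored with the entry text as both value name and data.
$entry = "5985:TCP:${OmIp}:enabled:WinRM"
Set-MwPolicy "$fw\GloballyOpenPorts\List" $entry String $entry

# Enabling Remote Desktop Services on Clients
Set-MwPolicy 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 'fDenyTSConnections' DWord 0

# Enabling Windows Remote Management Settings: service listener and client TrustedHosts
$winrm = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM'
Set-MwPolicy "$winrm\Service" 'AllowAutoConfig' DWord  1
Set-MwPolicy "$winrm\Service" 'IPv4Filter'      String '*'
Set-MwPolicy "$winrm\Client"  'AllowTrustedHosts' DWord 1
# '*' as in the guide; narrowing this to $OmIp limits the hosts to which members
# will send non-Kerberos WinRM credentials.
Set-MwPolicy "$winrm\Client"  'TrustedHostsList' String '*'

# Linking GPO to Forest/Domain: link once at the domain root
$domainDn = 'DC=' + (($env:USERDNSDOMAIN.ToLower() -split '\.') -join ',DC=')
$linked = (Get-GPInheritance -Target $domainDn).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Name $GpoName -Target $domainDn -LinkEnabled Yes | Out-Null }
```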

Windows Server 2008 Domain Controllers GPO Settings

The following GPO settings assume the Windows 2008 Domain has a Domain Functional level and Forest Functional level of a Windows 2008 Server. The procedure below shows how to create a new Group Policy Object.

1 Click Start and navigate to Administrative Tools > Group Policy Management.

2 Expand Forest.

3 Expand Domains.

4 Expand the Domain in which the Onsite Manager is located.

5 Right-click Group Policy Objects and select New.

6 In the Name field, type LPI MW Default Group Policy.

7 Click OK.

Note: You do not have to create a new Group Policy Object. Editing any current object will have the same effect, providing there are no conflicts between multiple active Group Policy Objects.

Configuring the Workstation and Member Server Firewall

1 Right-click LPI MW Default Group and select Edit.

2 Navigate to Computer Configuration > Policies > Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine > Network > Network Connections > Windows Firewall > Domain Profile.

3 Configure the following:

a Windows Firewall: Allow local program exceptions


Select Not configured

b Windows Firewall: Define inbound program exceptions

Select Not configured

c Windows Firewall: Do not allow exceptions

Select Not Configured

d Windows Firewall: Allow inbound file and printer sharing Exception

Select Enabled

In the Allow Unsolicited Incoming Messages From field, enter the local subnet. For greater security, you can specify the IP address of the Onsite Manager server. However, make sure that by introducing this limitation you are not impacting actions of users who are not using Managed Workplace.

e Windows Firewall: Allow ICMP exceptions

Select Enabled

Enable the Allow inbound echo request check box.

f Windows Firewall: Allow logging

Select Not Configured

g Windows Firewall: Prohibit notifications

Select Not Configured

h Windows Firewall: Allow local port exceptions

Select Not Configured

i Windows Firewall: Define inbound port exceptions

Select Enabled

Click Show. In the Show Contents dialog, type in the following:

5985:TCP:<OM IP Address>:enabled:WinRM

j Windows Firewall: Allow inbound remote administration exception

Select Enabled

In the Allow Unsolicited Incoming Messages From field, enter the local subnet. For greater security, you can specify the IP address of the Onsite Manager server. However, make sure that by introducing this limitation you are not impacting actions of users who are not using Managed Workplace.

k Windows Firewall: Allow inbound Remote Desktop exceptions


Select Enabled

In the Allow Unsolicited Incoming Messages From field, enter the local subnet. For greater security, you can specify the IP address of the Onsite Manager server. However, make sure that by introducing this limitation you are not impacting actions of users who are not using Managed Workplace.

Caution: The LocalSubnet setting does not allow computers from networks other than the same subnet to connect to all devices to which the GPO is applied. Care should be taken when setting this. If additional networks need to connect to devices, adjust the setting accordingly.

l Windows Firewall: Prohibit unicast response to multicast or broadcast requests

Select Not Configured

m Windows Firewall: Allow inbound UPnP framework exceptions

Select Not Configured

Enabling Remote Desktop Services on Clients

1 Right-click LPI MW Default Group and select Edit.

2 Navigate to Computer Configuration > Policies > Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections.

3 Configure the following:

a Allow users to connect remotely by using Remote Desktop Services.

Select Enabled

Note: For Windows Server 2008 R2, this option is called Remote Desktop Services. For Windows Server 2008, this option is called Terminal Services.

Enabling Remote Assistance on Clients

1 Right-click LPI MW Default Group and select Edit.

2 Navigate to Computer Configuration > Policies > Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine > System > Remote Assistance.

3 Configure the following:


a Allow only Vista or later connections

Select Disabled

b Turn on session logging

Select Not Configured

c Turn on bandwidth optimization

Select Not Configured

d Customize Warning Messages

Select Not Configured

e Solicited Remote Assistance

Select Enabled

Choose Allow helpers to remotely control the computer

Set Maximum ticket time (value) to 1

Set maximum ticket time (units) to Hours

Choose Mailto as the Method for sending e-mail invitations

f Offer Remote Assistance

Select Not Configured

Enabling Remote Event Log Management on Clients

1 Right-click LPI MW Default Group and select Edit.

2 Navigate to Computer Configuration > Policies > Windows Settings > Security settings > Windows Firewall with Advanced Security > Inbound Rules.

3 Right-click Inbound Rules and select New Rule.

4 Select the Predefined option button, and from the list select Remote Event Log Management.

5 Click Next.

6 Ensure that all rules are selected.

7 Select the Allow the connection option.

8 Click Finish.


Enabling MBSA Scans

To successfully run MBSA scans, you must enable the Log on as a batch job policy.

1 Right-click LPI MW Default Group and select Edit.

2 Navigate to Computer Configuration > Policies > Windows Settings > Security settings > Local Policies > User Rights Assignment.

3 Configure the following:

Log on as batch job

Check: Define these policy settings

Click Add User or Group

Type the user and group name, and click OK.

Configuring Windows Services for Domain Members

1 Right-click LPI MW Default Group and select Edit.

2 Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > System Services.

3 Configure the following:

a Windows Management Instrumentation (WMI)

Check: Define this policy setting

Startup Type: Automatic

b Remote Registry

Check: Define this policy setting

Startup Type: Automatic

c Remote Procedure Call (RPC)

Check: Define this policy setting

Startup Type: Automatic

d Background Intelligent Transfer Service (BITS)

Check: Define this policy setting

Startup Type: Automatic

e Windows Update

Check: Define this policy setting


Startup Type: Automatic

Only required by Managed Workplace if the site uses Patch Management.

f Windows Remote Management (WS-Management) Properties

Check: Define this policy setting

Select service startup mode: Automatic

Note: When you apply a system service startup policy to a Windows XP machine, additional steps may need to be performed so that the service account handling the monitoring can connect to Windows Management Instrumentation. Follow the procedure below to configure the security appropriately.

1 Open the group policy, go to Computer configuration > Windows Settings > Security Settings > System Services.

2 Open the property page for Windows Management Instrumentation service from the list.

3 Click Edit Security.

4 Add the following permission:

Authenticated Users > Read

Note: When you add Authenticated Users, the default permission box selected will be Start, Stop and Pause which you need to change to only “Read”.

5 Apply the group policy to the Windows XP workstations and restart the affected machines.

Configuring Microsoft Updates for Domain Members

Managed Workplace does not use GPO settings to define the update server to managed clients, so any WSUS policies that are in place on the Domain will interfere with normal operations of Patch Management.

1 Right-click LPI MW Default Group and select Edit.

2 Navigate to Computer Configuration > Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine > Windows Components > Windows Update

3 Set all policies to Not Configured.


Enabling Windows Remote Management Settings

1 Right-click LPI MW Default Group and select Edit.

2 Navigate to Computer Configuration > Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine > Windows Components > Windows Remote Management (WinRM) > WinRM Service

3 Configure Allow automatic configuration of listeners by doing the following:

• Select Enabled.

• In the IPv4 filter field, type *.

4 Navigate to Computer Configuration > Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine > Windows Components > Windows Remote Management (WinRM) > WinRM Client

5 Configure Trusted Hosts by doing the following:

• Select Enabled.

• In the TrustedHostsLists field, type *.

Linking GPO to Forest/Domain

1 Select the Forest to which you want to link the LPI MW Default Group GPO.

2 From the drop-down menu, select Action.

3 Click Link an Existing GPO.

4 Select LPI MW Default Group.

5 Click OK.

Windows Server 2003 Domain Controllers GPO Settings

The following GPO settings assume the Windows 2003 Domain has a Domain Functional level and Forest Functional level of Windows Server 2003.

1 Click Start and navigate to Administrative Tools > Group Policy Management.

2 Expand Forest.

3 Expand Domains.

4 Expand the Domain in which the Onsite Manager is located.


5 Right-click Group Policy Objects and select New.

6 In the Name field, type LPI MW Default Group Policy.

7 Click OK.

Configuring the Workstation and Member Server Firewall

1 Right-click LPI MW Default Group and select Edit.

2 Navigate to Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile.

3 Configure the following:

a Windows Firewall: Do not allow exceptions

Select Not Configured

b Windows Firewall: Define program exceptions

Select Not configured

c Windows Firewall: Allow local program exceptions

Select Not configured

d Windows Firewall: Allow remote administration exception

Select Enabled

In the Allow Unsolicited Incoming Messages From field, enter the local subnet. For greater security, you can specify the IP address of the Onsite Manager server. However, make sure that by introducing this limitation you are not impacting actions of users who are not using Managed Workplace.

e Windows Firewall: Allow file and printer sharing exception

Select Enabled

In the Allow Unsolicited Incoming Messages From field, enter the local subnet. For greater security, you can specify the IP address of the Onsite Manager server. However, make sure that by introducing this limitation you are not impacting actions of users who are not using Managed Workplace.

f Windows Firewall: Allow ICMP exceptions

Select Enabled

Enable the Allow Inbound Echo Request check box.

g Windows Firewall: Allow remote desktop exception


Select Enabled

In the Allow Unsolicited Incoming Messages From field, enter the local subnet. For greater security, you can specify the IP address of the Onsite Manager server. However, make sure that by introducing this limitation you are not impacting actions of users who are not using Managed Workplace.

Caution: The LocalSubnet setting does not allow computers from networks other than the same subnet to connect to all devices to which the GPO is applied. Care should be taken when setting this. If additional networks need to connect to devices, adjust the setting accordingly.

h Windows Firewall: Allow UPnP framework exception

Select Not Configured

i Windows Firewall: Prohibit notifications

Select Not Configured

j Windows Firewall: Allow logging

Select Not Configured

k Windows Firewall: Prohibit unicast response to multicast or broadcast requests

Select Not Configured

l Windows Firewall: Define port exceptions

Select Enabled.

Click the Show button, and in the Show Contents dialog box, type 5985:TCP:<OM IP address>:enabled:WinRM

m Windows Firewall: Allow local port exceptions

Select Not Configured

Enabling Terminal Service (RDP) on Clients

1 Right-click LPI MW Default Group and select Edit.

2 Navigate to Computer Configuration > Administrative Templates > Windows Components > Terminal Services.

3 Configure the following:

• Allow users to connect remotely using Terminal Services

Select Enabled


Enabling Remote Assistance on Clients

1 Right-click LPI MW Default Group and select Edit.

2 Navigate to Computer Configuration > Administrative Templates > System > Remote Assistance.

3 Configure the following:

a Solicited Remote Assistance

Select Enabled

Choose Allow helpers to remotely control the computer

Set Maximum ticket time (value) to 1

Set maximum ticket time (units) to Hours

Choose Mailto as the Method for sending e-mail invitations

Enabling MBSA Scans

To successfully run MBSA scans, you must enable the Log on as a batch job policy.

1 Right-click LPI MW Default Group and select Edit.

2 Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

3 Configure the following:

Log on as batch job

Check: Define these policy settings

Click Add User or Group

Type the user and group name, and click OK.

Configuring Windows Services for Domain Members

Updating the policy does not start the Windows services, because a policy update may be received while the device is up and logged into the Domain. The services are not started until a user starts them manually or the device next boots.

These changes only affect the startup type of the services when the device is joined to the Domain.

Configure the Windows Services for Domain members using the Group Policy Management Tool on the Domain Controller.


1 Right-click LPI MW Default Group and select Edit.

2 In the Group Policy Object Editor window, navigate to Computer Configuration > Windows Settings > Security Settings > System Services

3 Configure the following:

a Windows Management Instrumentation (WMI)

Select Startup Type: Automatic

b Remote Registry

Select Startup Type: Automatic

c Remote Procedure Call (RPC)

Select Startup Type: Automatic

d Background Intelligent Transfer Service (BITS)

Select Startup Type: Automatic

e Windows Update

Select Startup Type: Automatic

Windows Update is only required by Managed Workplace if the site uses Patch Management.

Note: If you have not updated the domain policy templates, the "Windows Update" service may be displayed as "Automatic Updates".

f Windows Remote Management (WS-Management)

Select service startup mode: Automatic

Note: When you apply a system service startup policy to a Windows XP machine, additional steps may need to be performed so that the service account handling the monitoring can connect to Windows Management Instrumentation. Follow the procedure below to configure the security appropriately.

1 Open the group policy, go to Computer configuration > Windows Settings > Security Settings > System Services.

2 Open the property page for Windows Management Instrumentation service from the list.

3 Click Edit Security.

4 Add the following permission:

Authenticated Users > Read


Note: When you add Authenticated Users, the default permission box selected will be Start, Stop and Pause which you need to change to only “Read”.

5 Apply the group policy to the Windows XP workstations and restart the affected machines.

Configuring Microsoft Updates for Domain Members

Managed Workplace does not use GPO settings to define the update server to managed clients, so any WSUS policies that are in place on the Domain will interfere with normal operations of Patch Management.

1 Right-click LPI MW Default Group and select Edit.

2 Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Update (2008 and later) or Automatic Updates (2003).

3 Set all policies to Not Configured.

Enabling Windows Remote Management Settings

1 Right-click LPI MW Default Group and select Edit.

2 Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service

3 Configure Allow automatic configuration of listeners by doing the following:

• Select Enabled.

• In the IPv4 filter field, type *.

4 Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Client

5 Configure Trusted Hosts by doing the following:

• Select Enabled.

• In the TrustedHosts_List field, type *.

Note: If you cannot locate the Windows Remote Management (WinRM) policies under Computer Configuration > Administrative Templates > Windows components in the Group Policy Editor, you may be required to follow these additional steps:


1 Download and install Microsoft update KB936059 from the following URL: http://support.microsoft.com/kb/936059

2 After you have installed the Microsoft update, in the Group Policy Editor, go to Computer Configuration > Administrative Templates.

3 Select Add/Remove Templates.

4 In the Add/Remove Templates window, click Add.

5 Import the following templates:

• C:\Windows\Inf\Windowsremoteshell.adm

• C:\Windows\Inf\Windowsremotemanagement.adm

6 Click Close.
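Once the GPO has applied, a practitioner will want to confirm that the System Services, WinRM and Windows Firewall settings from the steps above actually landed on a domain member. The following PowerShell audit is an added example, not part of the AVG guide: it reads the registry values those policies write and reports each setting against what the guide specifies. The Onsite Manager address is a placeholder.

```powershell
# Added example, not part of the AVG guide: audit a domain member after the
# LPI MW Default Group GPO has applied by reading the registry values that the
# System Services, WinRM and legacy Windows Firewall policies write.
# Run in an elevated PowerShell session on the managed machine.
$OmIp = '192.0.2.10'   # placeholder: the Onsite Manager IP used in the port exception

function Get-PolicyValue($Path, $Name) {
    # $null means the key or value is absent, i.e. the policy is Not Configured.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$results = New-Object System.Collections.Generic.List[object]
function Add-Check($Check, $Expected, $Actual) {
    # -eq on strings is case-insensitive, so "enabled" matches "Enabled".
    $results.Add([pscustomobject]@{
        Check = $Check; Expected = $Expected; Actual = $Actual
        Pass  = ($null -ne $Actual) -and ("$Actual" -eq "$Expected")
    })
}

# Services the guide sets to Automatic; Start = 2 in the service key.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($s in 'Winmgmt','RemoteRegistry','RpcSs','BITS','wuauserv','WinRM') {
    Add-Check "Service $s startup Automatic" 2 (Get-PolicyValue "$svc\$s" 'Start')
}

# WinRM: listener auto-configuration with IPv4 filter *, client Trusted Hosts *.
$winrm = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM'
Add-Check 'WinRM AllowAutoConfig'   1   (Get-PolicyValue "$winrm\Service" 'AllowAutoConfig')
Add-Check 'WinRM IPv4Filter'        '*' (Get-PolicyValue "$winrm\Service" 'IPv4Filter')
Add-Check 'WinRM AllowTrustedHosts' 1   (Get-PolicyValue "$winrm\Client"  'AllowTrustedHosts')
Add-Check 'WinRM TrustedHostsList'  '*' (Get-PolicyValue "$winrm\Client"  'TrustedHostsList')

# Legacy Windows Firewall domain profile (the 2003/XP-era policy path).
$fw = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
Add-Check 'Remote administration exception'    1 (Get-PolicyValue "$fw\RemoteAdminSettings"   'Enabled')
Add-Check 'File and printer sharing exception' 1 (Get-PolicyValue "$fw\Services\FileAndPrint" 'Enabled')
Add-Check 'Allow inbound echo request'         1 (Get-PolicyValue "$fw\IcmpSettings" 'AllowInboundEchoRequest')

# Port exceptions are stored one value per entry, named port:protocol:scope:status:name.
$list  = Get-Item "$fw\GloballyOpenPorts\List" -ErrorAction SilentlyContinue
$entry = if ($list) { $list.GetValueNames() | Where-Object { $_ -like '5985:TCP:*' } | Select-Object -First 1 }
Add-Check 'WinRM 5985/TCP exception scoped to OM' "5985:TCP:${OmIp}:enabled:WinRM" $entry

$results | Format-Table -AutoSize
```

A TrustedHostsList of `*` disables client-side host matching for non-Kerberos WinRM connections; the audit reports the value the guide specifies so you can decide whether to narrow it to the Onsite Manager address.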

Linking GPO to Forest/Domain

1 Select the Forest to which you want to link the LPI MW Default Group GPO.

2 From the drop-down menu, select Action.

3 Click Link an Existing GPO.

4 Select LPI MW Default Group.

5 Click OK.


© 2015 AVG Technologies. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, without the prior written permission of AVG Technologies. While every precaution has been taken in the preparation of this document, AVG Technologies assumes no responsibility for errors or omissions. Neither is any liability assumed for damages resulting from the use of the information contained herein.

Managed Workplace is a registered trademark of AVG Technologies.

VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions.

Adobe and Acrobat are registered trademarks of Adobe Systems Incorporated in the United States, and/or other countries.

Microsoft, Windows, and Windows Server are trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries.

All other brands, product names, company names, trademarks, and service marks are the properties of their respective owners.

This guide was updated on May 20, 2015 1:44 pm