The following GPO settings assume the Windows 2003 Domain has a Domain Functional level and Forest Functional level of Windows Server 2003.
- Click Start and navigate to Administrative Tools > Group Policy Management.
- Expand Forest.
- Expand Domains.
- Expand the Domain in which the Onsite Manager is located.
- Right-click Group Policy Objects and select New.
- In the Name field, type LPI MW Default Group Policy.
- Click OK.
Configuring the Workstation and Member Server Firewall
- Right-click LPI MW Default Group and select Edit.
- Navigate to Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile.
- Configure the following:
- Windows Firewall: Do not allow exceptions
  Select Not Configured
- Windows Firewall: Define program exceptions
  Select Not Configured
- Windows Firewall: Allow local program exceptions
  Select Not Configured
- Windows Firewall: Allow remote administration exception
  Select Enabled
  In the Allow Unsolicited Incoming Messages From field, enter the local subnet. For greater security, you can specify the IP address of the Onsite Manager server. However, make sure that by introducing this limitation you are not impacting actions of users who are not using Barracuda Managed Workplace.
- Windows Firewall: Allow file and printer sharing exception
  Select Enabled
  In the Allow Unsolicited Incoming Messages From field, enter the local subnet. For greater security, you can specify the IP address of the Onsite Manager server. However, make sure that by introducing this limitation you are not impacting actions of users who are not using Barracuda Managed Workplace.
- Windows Firewall: Allow ICMP exceptions
  Select Enabled
  Enable the Allow Inbound Echo Request check box.
- Windows Firewall: Allow remote desktop exception
  Select Enabled
  In the Allow Unsolicited Incoming Messages From field, enter the local subnet. For greater security, you can specify the IP address of the Onsite Manager server. However, make sure that by introducing this limitation you are not impacting actions of users who are not using Barracuda Managed Workplace.
  Caution: The LocalSubnet setting does not allow computers from networks other than the same subnet to connect to any device to which the GPO is applied. Care should be taken when setting this. If additional networks need to connect to those devices, adjust the setting accordingly.
- Windows Firewall: Allow UPnP framework exception
  Select Not Configured
- Windows Firewall: Prohibit notifications
  Select Not Configured
- Windows Firewall: Allow logging
  Select Not Configured
- Windows Firewall: Prohibit unicast response to multicast or broadcast requests
  Select Not Configured
- Windows Firewall: Define port exceptions
  Select Enabled.
  Click the Show button, and in the Show Contents dialog box, type
  5985:TCP:<OM IP address>:enabled:WinRM
- Windows Firewall: Allow local port exceptions
  Select Not Configured
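Once the GPO has applied, the domain-profile settings above land under the WindowsFirewall policy registry keys on each member computer. The following PowerShell audit is an added example, not Barracuda's own code: it reads those keys, confirms the 5985/TCP WinRM port exception is present and enabled, and flags any exception whose scope is "*" (any address) instead of LocalSubnet or the Onsite Manager address. The `$OmAddress` value is a placeholder.

```powershell
# Added example (not Barracuda's own code): audits the domain-profile Windows Firewall policy
# keys that the GPO settings above write on a member computer and flags any scope wider than
# the LocalSubnet / Onsite Manager address the text calls for. Run elevated after gpupdate /force.
$OmAddress = '10.0.0.5'   # placeholder for <OM IP address>; set to your Onsite Manager server
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
function Get-PolicyValue([string]$SubKey, [string]$Name) {
    $key = Join-Path $base $SubKey
    if (Test-Path $key) { (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$Name }
}
$findings = @()
# The three exceptions that take an "Allow Unsolicited Incoming Messages From" scope.
foreach ($entry in @(
        @{ Label = 'Remote administration';    Key = 'RemoteAdminSettings' },
        @{ Label = 'File and printer sharing'; Key = 'Services\FileAndPrint' },
        @{ Label = 'Remote desktop';           Key = 'Services\RemoteDesktop' })) {
    $enabled = Get-PolicyValue $entry.Key 'Enabled'
    $scope   = Get-PolicyValue $entry.Key 'RemoteAddresses'
    if ($enabled -ne 1) {
        $findings += "$($entry.Label): exception is not enabled by policy"
    } elseif ([string]::IsNullOrEmpty($scope) -or $scope -eq '*') {
        $findings += "$($entry.Label): scope is '$scope' (any address); expected LocalSubnet or $OmAddress"
    }
}
# ICMP: the GPO enables inbound echo request only.
if ((Get-PolicyValue 'IcmpSettings' 'AllowInboundEchoRequest') -ne 1) {
    $findings += 'ICMP: inbound echo request is not allowed'
}
# Port exceptions are stored one REG_SZ per entry, in the form port:protocol:scope:state:name
$ports = @()
$portKey = Join-Path $base 'GloballyOpenPorts\List'
if (Test-Path $portKey) {
    $ports = (Get-ItemProperty -Path $portKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { $_.Value }
}
$winrm = @($ports | Where-Object { $_ -match '^5985:TCP:' })
if ($winrm.Count -eq 0) {
    $findings += 'Port exceptions: no 5985:TCP (WinRM) entry found'
}
foreach ($p in $winrm) {
    $parts = $p -split ':'
    if ($parts[2] -eq '*')       { $findings += "Port exceptions: '$p' is open to any address, not $OmAddress" }
    if ($parts[3] -ne 'enabled') { $findings += "Port exceptions: '$p' is present but disabled" }
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'Domain-profile firewall policy matches the expected configuration.' }
```

A clean run prints the final confirmation line; each warning names the setting that needs revisiting in the GPO.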
Enabling Terminal Service (RDP) on Clients
- Right-click LPI MW Default Group and select Edit.
- Navigate to Computer Configuration > Administrative Templates > Windows Components > Terminal Services.
- Configure the following:
- Allow users to connect remotely using Terminal Services
Select Enabled
Enabling Remote Assistance on Clients
- Right-click LPI MW Default Group and select Edit.
- Navigate to Computer Configuration > Administrative Templates > System > Remote Assistance.
- Configure the following:
- Solicited Remote Assistance
Select Enabled
Choose Allow helpers to remotely control the computer
Set Maximum ticket time (value) to 1
Set maximum ticket time (units) to Hours
Choose Mailto as the Method for sending e-mail invitations
Enabling MBSA Scans
To successfully run MBSA scans, you must enable the Log on as a batch job policy.
- Right-click LPI MW Default Group and select Edit.
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
- Configure the following:
- Log on as a batch job
  Check Define these policy settings.
  Click Add User or Group.
  Type the user and group name, and click OK.
Configuring Windows Services for Domain Members
Updating the policy does not start the Windows services, because the policy update may be received while the device is running and logged into the Domain. The services are not started until a user starts them manually or the device reboots.
These changes only affect the startup type of the services while the device is joined to the Domain.
Configure the Window Services for Domain members using the Group Policy Management Tool on the Domain Controller.
- Right-click LPI MW Default Group and select Edit.
- In the Group Policy Object Editor window, navigate to Computer Configuration > Windows Settings > Security Settings > System Services
- Configure the following:
- Windows Management Instrumentation (WMI)
  Select Startup Type: Automatic
- Remote Registry
  Select Startup Type: Automatic
- Remote Procedure Call (RPC)
  Select Startup Type: Automatic
- Background Intelligent Transfer Service (BITS)
  Select Startup Type: Automatic
- Windows Update
  Select Startup Type: Automatic
  Windows Update is only required by Barracuda Managed Workplace if the site uses Patch Management.
- Windows Remote Management (WS-Management)
  Select Startup Type: Automatic
Note: When you apply a system service startup policy to a Windows XP machine, additional steps may need to be performed so that the service account handling the monitoring can connect to Windows Management Instrumentation. Follow the procedure below to configure the security appropriately.
- Open the group policy and go to Computer Configuration > Windows Settings > Security Settings > System Services.
- Open the property page for the Windows Management Instrumentation service from the list.
- Click Edit Security.
- Add the following permission:
  Authenticated Users > Read
  Note: When you add Authenticated Users, the permissions selected by default are Start, Stop and Pause; change this to only "Read".
- Apply the group policy to the Windows XP workstations and restart the affected machines.
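Because the policy only changes startup types and does not start the services, it is worth verifying on a member after its next reboot. The following PowerShell check is an added example, not Barracuda's own code: it lists the six services above with their startup mode and state, then reads the WMI service's security descriptor with `sc.exe sdshow` to confirm the Authenticated Users entry grants nothing beyond Read. It assumes PowerShell 3 or later and an elevated session.

```powershell
# Added example (not Barracuda's own code): verifies on a member computer that the System Services
# startup policy above took effect, and that the WMI service ACL gives Authenticated Users only Read
# (no Start/Stop/Pause) as the XP note requires. Assumes PowerShell 3+, run elevated after a reboot.
$expected = @{
    'winmgmt'        = 'Windows Management Instrumentation'
    'RemoteRegistry' = 'Remote Registry'
    'RpcSs'          = 'Remote Procedure Call (RPC)'
    'BITS'           = 'Background Intelligent Transfer Service'
    'wuauserv'       = 'Windows Update (only needed with Patch Management)'
    'WinRM'          = 'Windows Remote Management (WS-Management)'
}
# Win32_Service.StartMode is Auto, Manual or Disabled; the GPO sets all six to Automatic.
Get-CimInstance Win32_Service | Where-Object { $expected.ContainsKey($_.Name) } | ForEach-Object {
    $status = if ($_.StartMode -eq 'Auto') { 'OK' } else { 'MISMATCH' }
    '{0,-15} {1,-9} {2,-8} {3,-9} {4}' -f $_.Name, $_.StartMode, $_.State, $status, $expected[$_.Name]
}
# Service ACL in SDDL form, e.g. "D:(A;;CCLCSWLOCRRC;;;AU)(A;;...;;;BA)"; AU = Authenticated Users.
# Rights that exceed Read: RP = start, WP = stop, DT = pause/continue, GA/GX = generic all/execute.
$tooMuchRights = 'RP', 'WP', 'DT', 'GA', 'GX'
$sddl = ((sc.exe sdshow winmgmt) -join '').Trim()
$auAces = [regex]::Matches($sddl, '\(A;[^;]*;([A-Z]+);;;AU\)') | ForEach-Object { $_.Groups[1].Value }
if (-not $auAces) {
    Write-Warning 'winmgmt: no allow ACE for Authenticated Users; the Read permission was not applied'
}
foreach ($rights in $auAces) {
    $codes   = [regex]::Matches($rights, '..') | ForEach-Object { $_.Value }   # two-letter right codes
    $granted = $tooMuchRights | Where-Object { $codes -contains $_ }
    if ($granted) {
        Write-Warning "winmgmt: Authenticated Users ACE '$rights' grants $($granted -join ',') beyond Read"
    } else {
        "winmgmt: Authenticated Users ACE '$rights' is read-only as intended"
    }
}
```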
Configuring Microsoft Updates for Domain Members
Barracuda Managed Workplace does not use GPO settings to define the update server to managed clients, so any WSUS policies that are in place on the Domain will interfere with normal operations of Patch Management.
- Right-click LPI MW Default Group and select Edit.
- Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Update (2008 and later) or Automatic Updates (2003).
- Set all policies to Not Configured.
Enabling Windows Remote Management Settings
- Right-click LPI MW Default Group and select Edit.
- Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service
- Configure Allow automatic configuration of listeners by doing the following:
- Select Enabled.
- In the IPv4 filter field, type *.
- Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Client
- Configure Trusted Hosts by doing the following:
- Select Enabled.
- In the TrustedHosts_List field, type *.
Note: If you cannot locate the Windows Remote Management (WinRM) policies under Computer Configuration > Administrative Templates > Windows components in the Group Policy Editor, you may be required to follow these additional steps:
- Download and install Microsoft update KB936059 from the following URL:
  http://support.microsoft.com/kb/936059
- After you have installed the Microsoft update, in the Group Policy Editor, go to Computer Configuration > Administrative Templates.
- Select Add/Remove Templates.
- In the Add/Remove Templates window, click Add.
- Import the following templates:
  - C:\Windows\Inf\Windowsremoteshell.adm
  - C:\Windows\Inf\Windowsremotemanagement.adm
- Click Close.
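The two WinRM policies above are written to the WinRM\Service and WinRM\Client policy keys on each member, and the listener policy is what makes the 5985/TCP firewall exception from the earlier section useful. The following PowerShell check is an added example, not Barracuda's own code: it reports the policy values, confirms an HTTP listener exists, performs a local Test-WSMan round trip, and notes when TrustedHosts is left at "*", since that value lets the client fall back to non-Kerberos (NTLM/Basic) authentication against any host name. It assumes PowerShell 3 or later and an elevated session after gpupdate /force.

```powershell
# Added example (not Barracuda's own code): checks the WinRM policy values written by the GPO
# settings above, confirms the auto-configured listener is up, and reports the TrustedHosts scope.
# Assumes PowerShell 3+ on a domain member, run elevated after 'gpupdate /force'.
$svcKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
$cliKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
function Get-PolicyValue([string]$Key, [string]$Name) {
    if (Test-Path $Key) { (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).$Name }
}
# Policy values behind "Allow automatic configuration of listeners" and "Trusted Hosts".
$report = [ordered]@{
    'Service\AllowAutoConfig' = Get-PolicyValue $svcKey 'AllowAutoConfig'
    'Service\IPv4Filter'      = Get-PolicyValue $svcKey 'IPv4Filter'
    'Client\TrustedHosts'     = Get-PolicyValue $cliKey 'TrustedHosts'
    'Client\TrustedHostsList' = Get-PolicyValue $cliKey 'TrustedHostsList'
}
$report.GetEnumerator() | ForEach-Object { '{0,-26} {1}' -f $_.Key, $_.Value }
# Listener: the auto-configuration policy should produce an HTTP listener (port 5985).
$listeners = Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue
$http = @($listeners | Where-Object { ($_.Keys -join ',') -match 'Transport=HTTP' })
if ($http.Count -gt 0) {
    $http | ForEach-Object { 'HTTP listener present: ' + ($_.Keys -join ', ') }
} else {
    Write-Warning 'No WinRM HTTP listener; check AllowAutoConfig and that the WinRM service is running'
}
# Local round trip through the listener (exercises the service side of the 5985/TCP exception).
try {
    Test-WSMan -ComputerName localhost -ErrorAction Stop | Out-Null
    'Test-WSMan localhost: OK'
} catch {
    Write-Warning "Test-WSMan localhost failed: $($_.Exception.Message)"
}
# TrustedHosts "*" means this client will use non-Kerberos (NTLM/Basic) authentication with any
# host name; narrowing it to the Onsite Manager host limits where credentials can be sent.
if ((Get-PolicyValue $cliKey 'TrustedHostsList') -eq '*') {
    Write-Warning 'TrustedHosts is "*": consider listing only the Onsite Manager host name or address'
}
```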
Linking GPO to Forest/Domain
- Select the Forest to which you want to link the LPI MW Default Group GPO.
- From the drop-down menu, select Action.
- Click Link an Existing GPO.
- Select LPI MW Default Group.
- Click OK.