Windows Gatekeeper FAQs

Q: What's the easiest way to digitally sign an internally developed application's executable?

Jan De Clercq — Wed, 30 May 2012 13:00:00 GMT

By Jan De Clercq
To digitally sign an executable, you can use Microsoft’s Authenticode code-signing technology and the Sign Tool command-line utility.

Q: What firewall ports should we open to make IPSec work through our firewalls?

Jan De Clercq — Fri, 25 May 2012 13:00:00 GMT

By Jan De Clercq
To use IPSec through your firewalls, here are the ports to open and what they’re used for.

Q: What is the krbtgt account used for in an Active Directory (AD) environment?

Jan De Clercq — Wed, 23 May 2012 16:22:28 GMT

By Jan De Clercq
The krbtgt Active Directory account is a special account used with the Kerberos protocol for user authentication.

Q: Is there any way to influence the interval at which Windows security policies are applied?

Jan De Clercq — Wed, 11 Apr 2012 13:00:00 GMT

By Jan De Clercq
Windows security policy settings refresh every 16 hours by default but you can change that interval with a registry hack.

Q: How can we verify that a Software Restriction Policy (SRP) rule we defined for one of our applications is effectively applied?

Jan De Clercq — Wed, 04 Apr 2012 13:00:00 GMT

By Jan De Clercq
Software Restriction Policy (SRP) rules generate events in the Windows application event log, but you can get more detail by enabling verbose trace logging.

Q: Can I apply a different password policy to two different Active Directory (AD) organizational units (OUs)?

Jan De Clercq — Wed, 28 Mar 2012 13:05:08 GMT

By Jan De Clercq
Active Directory doesn’t support different password policies on different organizational units (OUs), but you can use shadow groups as a workaround.

Q: What could prevent security policy settings that have been defined in a domain-wide Group Policy Object (GPO) from being applied to Windows 7 clients?

Jan De Clercq — Thu, 22 Mar 2012 12:32:41 GMT

By Jan De Clercq
A corrupt security database on Windows 7 clients can prevent GPO security settings from being applied, but you can use esentutl.exe to fix the problem.

Q: What's the best way to retrieve the audit policy in effect for a Windows machine?

Jan De Clercq — Wed, 29 Feb 2012 13:00:00 GMT

By Jan De Clercq
The most reliable tool to retrieve the effective audit policy from a Windows machine is the auditpol.exe command-line tool.

Q: In addition to Certification Authority (CA)–level auditing settings, are there any other configuration settings that must be set to enable auditing of CA management actions?

Jan De Clercq — Wed, 29 Feb 2012 11:00:00 GMT

By Jan De Clercq
Setting up auditing in Windows is always a two step process: You configure what to audit, then you configure the audit policy.

Q: How can I make sure that a given Windows account is assigned only a single Certification Authority (CA) management role?

Jan De Clercq — Tue, 28 Feb 2012 13:00:00 GMT

By Jan De Clercq
To ensure a Windows account is assigned only a single Certification Authority (CA) management role, you must use certutil to enable role separation on your Windows CA.

Q: How can I implement the public key infrastructure (PKI) management roles that are defined in the Common Criteria Certificate Issuing and Management Components Security Level 4 standard?

Jan De Clercq — Mon, 27 Feb 2012 11:10:19 GMT

By Jan De Clercq
Microsoft software supports 4 public key infrastructure (PKI) management roles, which you can implement through the Microsoft Management Console.

Q: Can I store my Encrypting File System (EFS) private key on my smart card?

Jan De Clercq — Tue, 31 Jan 2012 13:00:00 GMT

By Jan De Clercq
With Windows Server 2008, Windows Vista, and later, you can store EFS private keys on users’ smart cards and control these settings with Group Policy.

Q: How can I disable or enable the Windows Firewall for a specific network connection?

Jan De Clercq — Mon, 30 Jan 2012 13:00:00 GMT

By Jan De Clercq
You can control specific network connections through the Microsoft Management Console (MMC) Windows Firewall with Advanced Security snap-in.

Q: Can we disable the default Windows administrative shares (C$, D$, Admin$, IPC$) to lock down some of our Windows servers?

Jan De Clercq — Sun, 29 Jan 2012 11:00:00 GMT

By Jan De Clercq
You can remove the administrative shares on Windows servers and prevent them from being created automatically, although Microsoft doesn’t recommend it.

Q: How can I find out if my clients are using NTLM for authentication instead of Kerberos against specific Windows servers, applications, or services?

Jan De Clercq — Fri, 27 Jan 2012 16:14:18 GMT

By Jan De Clercq
These new Group Policy settings can help you audit, analyze, and restrict NTLM authentication use in your Windows environment.