Welcome to Derek Melber's Section

Derek Melber (MCSE, MVP, CISM) is an independent consultant and speaker, as well as author of many IT books. Derek educates and evangelizes Microsoft technology, focusing on Active Directory, Group Policy, Security, and desktop management.

Derek is President and CTO of BrainCore.Net. As one of only 8 MVPs in the world on Group Policy, Derek’s company is often called upon to develop end-to-end solutions regarding Group Policy for companies. Derek is one of only a few in the industry who have a deep knowledge of Group Policy, Group Policy Preferences (AKA PolicyMaker), and Advanced Group Policy Management (AGPM).

As one of the authors of the only book currently written by MS Press on Group Policy (The Group Policy Guide), Derek has proven his ability to author books. Derek is also sole author of the next book that Microsoft is writing on Group Policy, The Group Policy Resource Kit.

Derek is a contributing editor for WindowSecurity.com, RIAG Journal, IT Audit newsletter, and various other publications. You will most likely see Derek at one of the many conferences that he speaks at, including TechMentor, Windows Connections, MISTI, or the IIA.

Derek has taken his years of experience to develop the only Web site dedicated to Windows Auditing and Security, www.auditingwindows.com. The Web site links to Derek’s book series on Auditing Windows Security, his publications, and online training. The Web site keeps up on the pulse of Windows security, providing documents, applications, and other resources to the auditing community.

You will see when you meet Derek that he leverages his understanding of communication to explain the most complex and technical subjects in an exciting, energetic, understandable, and highly effective style. You can reach Derek at derekm@braincore.net.

Derek Melber's Latest Contributions

Top 10 Security Settings to make directly after Installing Active Directory
Date - May 07, 2008
Section - Articles / Windows OS Security
The initial settings that you should make to get Active Directory secure for your network before you dive into setting up the entire structure.
Controlling Encrypting File System (EFS) using Group Policy
Date - Apr 23, 2008
Section - Articles / Authentication, Access Control & Encryption
Using Group Policy to control where EFS can be used.
Using WEVTUTIL to Manage Event Logs
Date - Mar 13, 2008
Section - Articles / Windows OS Security
In addition to the new subscription option that Event Viewer now possesses, there is a new command line utility, WEVTUTIL, which allows you to control nearly every aspect of the Event Viewer logs.
Security Baselining with AGPM Templates
Date - Mar 05, 2008
Section - Articles / Windows OS Security
How to use Advanced Group Policy Management to create security baselines.
Scripting and Automating Custom Group Policy Delegation
Date - Feb 06, 2008
Section - Articles / Windows OS Security
How to alter one or all GPOs using Microsoft GPMC scripts.
ADM Template Repository
Date - Jan 16, 2008
Section - Articles / Windows OS Security
Control over registry using an administrative template repository solution.
Windows Administrative Delegation Techniques
Date - Nov 28, 2007
Section - Articles / Windows OS Security
Now that Group Policy is becoming more important, it also has delegation options. Understanding where to establish these delegations, as well as how to delegate certain tasks can help you establish a more secure and efficient network.
Controlling Resource Permissions
Date - Oct 31, 2007
Section - Articles / Windows OS Security
Controlling permissions on network resources.
Prepare for MPACK
Date - Oct 10, 2007
Section - Articles / Viruses, trojans and other malware
Insight into a new high-tech attack circulating on the Internet, also known as MPACK.
PowerShell Security
Date - Sep 13, 2007
Section - Articles / Windows OS Security
The built-in PowerShell security features as well as some additional security you can configure once in PowerShell.
Unique Group Policy Security Settings
Date - Aug 29, 2007
Section - Articles / Windows OS Security
Enforcing Group Policy Security Settings (including some in-depth Registry “hacks”), and some of the most common scenarios where security settings do not behave as they appear.
Reducing the Attack Surface of the Administrator Account
Date - Aug 09, 2007
Section - Articles / Windows OS Security
Limiting what the 'administrator' accounts can do in networks.
Securing DNS for Windows (Part 2)
Date - Jul 05, 2007
Section - Articles / Misc Network Security
How the DNS database is secured.
Securing DNS for Windows (Part 1)
Date - Jun 13, 2007
Section - Articles / Misc Network Security
Regardless of the attack on your DNS infrastructure, you need to take precautions to thwart these attacks before it is too late.
Using Advanced Group Policy Management to Protect your GPOs
Date - May 23, 2007
Section - Articles / Windows 2003 Security
The new Advanced Group Policy Management (AGPM) tool from Microsoft.
Longhorn Poised to Provide Multiple Domain Passwords
Date - Apr 05, 2007
Section - Articles / Windows OS Security
Longhorn Domain Passwords and its capabilities in this area.
Controlling Block (GPO) Inheritance via Delegation
Date - Mar 20, 2007
Section - Articles / Windows OS Security
How to control Block Inheritance via delegation.
Controlling Privileges of the Administrator Accounts
Date - Jan 30, 2007
Section - Articles / Authentication, Access Control & Encryption
A look at what Administrator accounts are capable of doing and accessing.
Protecting Your Laptop
Date - Jan 16, 2007
Section - Articles / Misc Network Security
Steps to take to protect your laptop.
Controlling your Server Service Security using Group Policy
Date - Nov 22, 2006
Section - Articles / Windows OS Security
A look at the appropriate measures to take to secure the key aspects of your services.
Hardening Servers with Security Templates
Date - Oct 05, 2006
Section - Articles / Misc Network Security
This article shows why you need to harden servers with tools like the Windows Security Templates.
Implementing Active Directory Delegation of Administration
Date - Sep 13, 2006
Section - Articles / Authentication, Access Control & Encryption
In this article I will go into the details you need to know on how to implement delegation of administration, as well as some design ideas to get you started.
Top 5 Security Settings to Audit
Date - Aug 29, 2006
Section - Articles / Misc Network Security
In this article we will investigate 5 of the more important security settings that need to be audited to protect your computers at the highest level.
Understanding User Account Control in Vista
Date - Aug 23, 2006
Section - Articles / Authentication, Access Control & Encryption
In this article I will explain what User Account Control (UAC) is and what it is not.
Understanding EFS
Date - Jul 27, 2006
Section - Articles / Authentication, Access Control & Encryption
In this article we will take a look at the new and improved EFS.
Group Policy Changes in Vista
Date - Jun 14, 2006
Section - Articles / Windows OS Security
In this article we will look at the new Group Policy features in Vista.
How to Nest Users and Groups for Permissions
Date - May 18, 2006
Section - Articles / Authentication, Access Control & Encryption
In this article I will show you how to nest users and groups for permissions.
Understanding Windows NTFS Permissions
Date - May 03, 2006
Section - Articles / Authentication, Access Control & Encryption
In this article I will explain the NTFS methods and features that are available with Windows 2000, Windows XP and Windows 2003 Server.
Deploying Auditing Settings and Reporting What is Configured
Date - Mar 15, 2006
Section - Articles / Authentication, Access Control & Encryption
Within Windows you might want to track who is performing specific tasks. This might be to meet a regulatory compliance, or to just track when users perform tasks on desktops and servers. The benefits of deploying auditing settings to all computers include better control of the environment, audit trails for security reasons, and tracking of events for forensics. The big question boils down to how should these settings be deployed correctly, efficiently, and with assurance that the settings will be persistent? The answer is simple and efficient: Group Policy. Here, we will look at the settings that need to be deployed, the methods to deploy them, and options to verify that the settings are still in place.
Anonymous Connections
Date - Dec 27, 2005
Section - Articles / Authentication, Access Control & Encryption
Is your network safe from intruders? With all of the different methods that intruders use to weasel their way into your network and servers, you can’t be sure. Hackers will use trojan horses, backdoors, compromised user accounts, and the front door. That is right, the front door! Ok, maybe a side door, but unless your Windows environment is protected, an intruder can use a door to your house that was put there when you made the installation. This “door” in a Windows operating system is the anonymous connection.
Windows & Active Directory Auditing
Date - Nov 22, 2005
Section - Articles / Authentication, Access Control & Encryption
If you are like most administrators, you want to know who is logging on, to which computer, and accessing resources on your servers. For your Windows computers and Active Directory environment, you have options to help you determine what you want to know.
Backing up and Restoring GPOs using the GPMC
Date - Nov 03, 2005
Section - Articles / Authentication, Access Control & Encryption
Without the Group Policy Management Console (GPMC) administration of Group Policy takes patience, imagination, and thorough understanding of the property sheets within the Active Directory Users and Computers. The GPMC solves these problems by providing a very intuitive interface for managing all aspects of Group Policy. This article will discuss the finer points of how the backup and restore options work within the GPMC.
Delegating Group Policy Privilege using the GPMC
Date - Oct 27, 2005
Section - Articles / Authentication, Access Control & Encryption
If you have an Active Directory domain or enterprise, you are all too familiar with Group Policy. Group Policy is the preferred way to ensure standardized and secure domain controllers, servers, and clients. With standards becoming so highly regarded to reduce the TCO of clients, Group Policy control is essential. This article describes "who" can perform "which" tasks with Group Policy and the proper way to configure them within the GPMC.
Changing Passwords for Key User Accounts
Date - Oct 13, 2005
Section - Articles / Authentication, Access Control & Encryption
I must warn all readers that this article is direct and aimed to make you feel a bit uncomfortable. The goal is to expose a few vulnerabilities in your network, so that they can be fixed. However, my experience and research have proven that most companies fall into the same bucket when it comes to these vulnerabilities.
Windows Vista and Principle of Least Privilege
Date - Sep 22, 2005
Section - Articles / Authentication, Access Control & Encryption
It is not surprising that Microsoft is getting on the bandwagon for implementing the Principle of Least Privilege for their next operating system named Windows Vista. This article will investigate some of the current issues with least privilege and investigate the reality of what Microsoft is proposing with Windows Vista.
Controlling Windows Services and Service Accounts
Date - Sep 08, 2005
Section - Articles / Windows OS Security
When you install any Windows computer it will immediately be running multiple services. These services provide core operating system and tool functionality to the computer. In addition to these core services, you might also be running more services due to installed applications. There are a slew of Microsoft products, as well as other third party products, that install services on your computer. Examples include Exchange, SQL, SMS, backup programs, and enterprise management applications. Since many attackers can exploit services that are running, you will want to protect the services that must run and disable all services that are not required. We will talk about the management of services to protect your computers.
Pushing Out Security Settings that are Configured in the Registry
Date - Sep 01, 2005
Section - Articles / Misc Network Security
Each passing day proves that security of the corporate infrastructure and the computers that live in them is extremely important. There are spyware applications, virus checkers, Group Policy extensions, network scanners and more that are installed to check, verify and protect our computers. In the long run, even the most sophisticated protection mechanism can’t protect a computer that is not configured properly to protect itself. For these computers you typically need to manually configure Registry settings that will increase the baseline security of that computer. This article will discuss how to most efficiently configure Registry settings to help improve security on all computers on the network.
Implementing Principle of Least Privilege
Date - Aug 18, 2005
Section - Articles / Authentication, Access Control & Encryption
The Principle of Least Privilege is not a new concept, but the push to implement it on production networks has never been so important. This article will go over some of the most common configurations that you can make to implement these principles and reduce the possibility of an attack from a typical end user.
Auditing user accounts
Date - Aug 04, 2005
Section - Articles / Authentication, Access Control & Encryption
With Sarbanes Oxley, HIPAA, GLM, and the other auditing compliance programs getting so much attention, all aspects of the network environment are under a microscope. For any operating system environment this includes the auditing of the user accounts and their related properties. Considering that many attacks are accessed through a user account that has one or more incorrect and insecure settings, it makes sense to focus on user account properties during the audit. Within a Windows Active Directory environment there are the standard user properties that must be audited, plus a few that may not fall into too many other network environments. This article will discuss the key user account properties that need to be audited, as well as the tools that can help complete the task.
Securing Windows Member Servers
Date - Jul 28, 2005
Section - Articles / Windows 2003 Security
Every company has member servers in some capacity or another. Some companies have just a few, where others might have thousands. These member servers are the work horses of your network, providing the core production services for the company, from running the intranet to providing print services, SQL databases, e-mail services, file storage, and application support. With member servers providing all of these essential functions, it goes hand-in-hand with the fact that you need to protect these servers. This article will discuss some of the key security configurations that can be made to help protect your member servers.
Share Permissions
Date - Jun 30, 2005
Section - Articles / Authentication, Access Control & Encryption
All production Windows networks need to have resources (folders, files, documents, spreadsheets, etc) made available from servers so users on the network can access them. The way this is done is through the use of shared folders configured on the servers which house the resources. The concept of shared folders has not changed over the generations of Windows operating systems and versions, but the protection of the resources has slightly changed. Whether you are new to the concept of shared folders or an expert, this article will take an in-depth look at the pitfalls and suggested methods on how to protect the resources that are shared from servers to users on the network.
Using Dual Accounts for Administrators
Date - May 19, 2005
Section - Articles / Authentication, Access Control & Encryption
With security on the minds of everyone, including all administrators and executives, every precaution needs to be taken to protect the network devices, servers, clients, Active Directory, and network resources. Historically and even recently administrators and others that have elevated privileges to essential resources have been able to use a single user account for all of their activities, whether the activity is one that a common end user would perform or one that only an administrator can perform. It is time to consider the exposure that this situation creates and take action to protect all resources that are exposed by this activity.
Built-in Groups vs. Delegation
Date - May 10, 2005
Section - Articles / Authentication, Access Control & Encryption
The administration of users, groups, computer accounts, resetting passwords, and group policy objects are some of the most important tasks that need to be done on a typical Active Directory network. When these tasks are assigned, there are two options within Active Directory to provide this access: Built-in groups and Delegation of Administration.
Security Concerns for Migrations and Upgrades to Windows Active Directory
Date - Apr 19, 2005
Section - Articles / Windows 2003 Security
Most organizations are either at Windows Active Directory or they are contemplating that move now. If you fall in the latter category, you have some decisions to make. You need to decide how you will get from where you are now, possibly a Windows NT domain(s), to Windows 2000 or Server 2003 Active Directory domain(s).
Using Saved Queries
Date - Mar 24, 2005
Section - Articles / Windows 2003 Security
Do you ever wonder why Microsoft has not built in more reporting tools to their operating systems? Have you ever wanted to email Microsoft and suggest that they at least allow some form of reporting on the security related details of user, group, and computer accounts? With the significant advancements that Microsoft has made with Active Directory over the past 5 years, you would think that they would have developed some form of reporting mechanism within Windows 2000 and Windows Server 2003 for user, group, and computer security related information. Well, they finally did!
Protecting the Administrator Account
Date - Feb 15, 2005
Section - Articles / Windows OS Security
The Administrator user account is by far the number one target for someone trying to gain illegal access to your network and resources. You must protect this account above all other accounts to ensure that you are not left vulnerable to the tools, tricks, and exposure that this account accommodates. There are some basic and advanced options that you can configure within Windows Active Directory to protect this valued account.
Security Configuration Wizard in Windows Server 2003 Service Pack 1
Date - Jan 20, 2005
Section - Articles / Windows 2003 Security
Microsoft has developed an almost ideal tool to help you configure security on computers in your organization. The tool is the Security Configuration Wizard, which is available in Windows Server 2003 service pack 1. The tool can help you configure services, network security, auditing, registry settings, and more. The wizard accomplishes these goals by producing security policies, which can be used in conjunction with security templates and specific server roles
Enforcing GPO Security Settings
Date - Dec 16, 2004
Section - Articles / Misc Network Security
Do you currently use Group Policy to help configure key security settings on domain controllers, servers, and clients within your Active Directory domain? Do you feel confident that these settings can’t be changed once the GPO deploys them? What if I were to tell you that these settings can easily be overwritten? You might be more at risk than you think!
Using Restricted Groups
Date - Nov 25, 2004
Section - Articles / Windows OS Security
If you are a medium or large sized organization, you might have thousands of clients and hundreds of servers that you need to manage. Manually trying to manage all of the local groups on all of these computers is difficult, and almost impossible. Have no fear, Group Policy Objects (GPOs) are here! GPOs provide a mechanism that allows you to control the membership in local groups, and even domain groups, on any computer in the Active Directory enterprise. The specific configuration that you use for this task is the Restricted Groups GPO setting.
Customizing Windows Security Templates
Date - Nov 11, 2004
Section - Articles / Misc Network Security
Are there security settings that you wish were in a Group Policy Object, but are not? How much time, effort, and administration time could you save if you had these security settings deployed through a Group Policy Object? I am going to unlock the ability for you to customize the security settings that are deployed by Group Policy Objects.
Protect Against Weak Authentication Protocols and Passwords
Date - Oct 28, 2004
Section - Articles / Authentication, Access Control & Encryption
Did you know that your Windows computers store and send weak password hashes which are very easy to crack? Even if you run legacy operating systems, there are methods that you can implement that will protect against these weak authentication protocols and password hashes being generated.
Understanding Windows Security Templates
Date - Oct 06, 2004
Section - Articles / Misc Network Security
A security template contains hundreds of possible settings that can control a single or multiple computers. The security templates can control areas such as user rights, permissions, and password policies. Security templates can be deployed centrally using Group Policy objects (GPOs). Finally, security templates can be customized to include almost any security setting on a target computer.
Baselining with Security Templates
Date - Sep 30, 2004
Section - Articles / Misc Network Security
When it comes to network and computer security, it is always best to have your decisions made before you install a computer or network device. In conjunction with this philosophy, it is also ideal to have a benchmark or baseline of what the security initially was on computers and network devices in case you need to troubleshoot an issue or audit the security settings. In this article we will review how to use security templates to establish security baselines on every computer in the organization. Not only will we establish the security baseline, we will keep it persistently affecting the computers.
Top 10 Security Modifications in Windows XP Service Pack 2
Date - Aug 24, 2004
Section - Articles / Windows OS Security
Windows XP Professional and Home will soon be introduced to Service Pack 2, which is really nothing more than security updates and new security features. Here are the top 10 security features and modifications that you can expect after the installation.
