So about that advice…

There’s one thing that I don’t get sometimes about Microsoft’s advice.. for being so Enterprisey… they aren’t.  Take the SRD blog advice…


http://blogs.technet.com/b/srd/archive/2010/08/31/an-update-on-the-dll-preloading-remote-attack-vector.aspx


We have a defense in depth patch that is two fold.. you must deploy it to your systems …but it’s not on WSUS … okay so they heard that feedback and it will be.


…and then you must set a registry key…. but… the advice they give for deploying and fixing when you find an issue is so single user centric….


While the impact of the above change seems to be low, a reader of this blog wrote in that he experienced a compatibility issue with the Outlook 2002 address book. If you experience issues such as this, they can be mitigated by setting a special policy for the affected binaries that overrides the default CWDIllegalInDllSearch. The following steps show how to do this for OUTLOOK.EXE:


  • Log on to your computer as an administrator.
  • Open Registry Editor.
  • Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OUTLOOK.EXE
  • If a key with the application binary name does not exist, then you will have to create one.
  • Right-click OUTLOOK.EXE, point to New, and then click Dword Value.
  • Type CWDIllegalInDllSearch, and then click Modify.
  • In the Value data box, type 2, and then click OK.

The advice should be instead…


  • Ensure you have deployed group policy preferences to all workstations
  • Launch the GPMC
  • Go into the preference section
  • Set up a registry key to push out to all workstations
  • Apply and sit back.

Yes I’ll blog an exact how to do all that… but still.. I’m just sayin’… I think their advice should be like that too.
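A scripted form of the quoted manual steps, written so it can be pushed to many workstations instead of clicked through on each one. This is an added example, not code from this post or from Microsoft; the App Paths lookup, the use of file major version 10 to identify Outlook 2002, and running it elevated (for instance as a computer startup script) are assumptions.

```powershell
# Added example: scripted equivalent of the manual Registry Editor steps.
# Assumptions (not from the original post): the script runs elevated, and
# Outlook 2002 is identified by a file major version of 10.
$Binary    = 'OUTLOOK.EXE'
$ValueName = 'CWDIllegalInDllSearch'
$ValueData = 2   # the value given in the quoted steps
$IfeoKey   = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$Binary"

function Get-RegisteredExePath {
    param([string]$Name)
    # App Paths is where installers register an executable's location.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths'
    foreach ($root in $roots) {
        $key = Join-Path $root $Name
        if (Test-Path $key) {
            $exe = (Get-ItemProperty -Path $key).'(default)'
            if ($exe -and (Test-Path $exe.Trim('"'))) { return $exe.Trim('"') }
        }
    }
    return $null
}

function Set-CwdOverride {
    # Create the per-binary key if it is missing, then write the DWORD only when it differs.
    if (-not (Test-Path $IfeoKey)) { New-Item -Path $IfeoKey -Force | Out-Null }
    $current = (Get-ItemProperty -Path $IfeoKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($current -ne $ValueData) {
        New-ItemProperty -Path $IfeoKey -Name $ValueName -PropertyType DWord -Value $ValueData -Force | Out-Null
        return 'updated'
    }
    return 'already set'
}

# Only touch machines that actually have the affected binary and version.
$exePath = Get-RegisteredExePath -Name $Binary
if (-not $exePath) {
    Write-Output "$Binary not installed; nothing to do."
} elseif ((Get-Item $exePath).VersionInfo.FileMajorPart -ne 10) {
    Write-Output "$Binary is not version 10.x; override not applied."
} else {
    Write-Output "$Binary override: $(Set-CwdOverride)"
}
```

The script is idempotent, so running it at every startup leaves an already-correct machine unchanged.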

2 Thoughts on “So about that advice…”

  1. Chris Seiter on September 2, 2010 at 9:35 am said:

    GPO with registry settings is how I take care of that pesky “local admin is needed for my app” issue. Much easier than one machine at a time.

  2. Think about what you just said.

    Anytime you push out a “fix” with Group Policy it’s going to be extremely specific to one company’s problem. In this case you would have to have the specific Outlook 2002 problem. Then you have to have a filter for only machines that have Outlook 2002. Then you have to have a test to see if the specific key you need in the registry exists. If it doesn’t then you have to create it. Or maybe for your company Outlook 2002 is not the problem but some other program is. Will this fix even work with that program?

    What I’m getting at is that suggesting the use of Group Policy opens up a whole can of worms because of the custom nature of the problem for each company. That is why Microsoft never suggests using Group Policy.

    If you’re an IT pro then you already know how to use Group Policy and can make the decision for your company. If you are not an IT pro then you should not be touching Group Policy anyway.
