Chapter 4
Preparing Your Environment for Live Communications Server 2005

The rtcclient.adm template settings, listed in the following table, apply to the English language Windows Messenger 5.0 and 5.1 client versions:

Computer Configuration Settings

  Windows Messenger Feature Policies
    Prevent users from running Windows Messenger
    Prevent initial, automatic start of Windows Messenger
    Prevent connection to .NET Messaging Service
    Prevent connection to SIP Communications Service
    Prevent connection to Exchange Messaging Service Properties
    Prevent video calls
    Prevent computer-to-computer audio calls
    Prevent computer-to-phone audio calls
    Allow computer-to-phone calls
    Prevent file transfer
    Prevent collaboration features
    Prevent NetMeeting
    Specify instrumentation
    Prevent automatic update from .NET Messaging Service
    Prevent Ink in instant messages

  SIP Communications Service Policies
    Require logon credentials
    Allow additional server DNS names
    Specify encryption for computer-to-computer audio and video calls
    Require SIP high-security mode
    Allow storage of user passwords
    Specify transport and server

  RTC Client API Policies
    Limit bandwidth for audio and video calls
    Specify dynamic port ranges
    Enable Certificate Revocation List Checking

User Configuration Settings

  Windows Messenger Feature Policies
    Prevent users from running Windows Messenger
    Prevent initial, automatic start of Windows Messenger
    Prevent connection to .NET Messaging Service
    Prevent connection to SIP Communications Service
    Prevent connection to Exchange Messaging Service Properties
    Prevent video calls
    Prevent computer-to-computer audio calls
    Prevent computer-to-phone audio calls
    Allow computer-to-phone calls
    Prevent file transfer
    Prevent collaboration features
    Prevent NetMeeting
    Specify instrumentation
    Prevent automatic update from .NET Messaging Service
    Prevent Ink in instant messages

  SIP Communications Service Policies
    Require logon credentials
    Allow additional server DNS names
    Specify encryption for collaboration features
    Specify encryption for computer-to-computer audio and video calls
    Require SIP high-security mode
    Allow storage of user passwords
    Specify transport and server

One thing that you might notice is that the Computer Configuration Settings and the User Configuration Settings for the rtcclient.adm administrative template are nearly identical. The Computer Configuration Settings have one additional group, RTC Client API Policies. Where a setting exists in both hierarchies, the policy set in the Computer Configuration takes precedence over the User Configuration unless otherwise specified. Because the two are so similar, each setting is reviewed once below as a single policy item. As shipped, the template leaves every setting Not Configured.

Understanding the Windows Messenger Feature Policies

The Windows Messenger Feature Policies are available for configuration in the Administrative Templates section of the policy, in both the User Configuration and Computer Configuration hierarchies of the policy object. These settings let system administrators control how Windows Messenger behaves within their environment. Remember that settings configured under Computer Configuration take precedence over those in User Configuration:

- Prevent users from running Windows Messenger: With this policy enabled, users cannot launch or run Windows Messenger. When Disabled or Not Configured, users can launch and run Windows Messenger.

- Prevent initial, automatic start of Windows Messenger: When enabled, this policy prevents Windows Messenger from launching when the user logs on to the workstation. When Disabled or Not Configured, the setting is not used, and the user's own preference for Run Windows Messenger when Windows starts, within Windows Messenger, takes precedence.

- Prevent connection to .NET Messaging Service: When enabled, this policy removes the ability of a workstation (Computer Configuration), or of a user or group of users (User Configuration), to configure Windows Messenger to connect directly to the .NET Messaging Service. It also removes the .NET Passport Account option from the Accounts tab. When left at the default of Not Configured, or set to Disabled, the users and workstations to which the policy applies can use the .NET Messenger service. This policy applies to Windows Messenger only: it does not control access through .NET Messenger or third-party applications such as Trillian, and it does not prevent users or workstations from using Public IM Connectivity if that has been configured for your organization.

- Prevent connection to SIP Communications Service: When enabled, this policy removes the ability of a workstation (Computer Configuration), or of a user or group of users (User Configuration), to configure Windows Messenger to connect to a SIP server. It also removes the SIP Communications Service Account option from the Accounts tab. Because Live Communications Server is a SIP server, one of the few scenarios in which this policy would be used is when your organization has written its own application to provide presence and instant messaging separately from Windows Messenger. When left at the default of Not Configured, or set to Disabled, the users and workstations to which the policy applies can use the SIP Communications Service.

- Prevent connection to Exchange Messaging Service Properties: When enabled, this policy removes the ability of a workstation (Computer Configuration), or of a user or group of users (User Configuration), to configure Windows Messenger to connect to an Exchange Messaging Service server. It also removes the Exchange Account option from the Accounts tab. When left at the default of Not Configured, or set to Disabled, the users and workstations to which the policy applies can configure Windows Messenger to use an Exchange Messaging Service server. This feature is based on the Rendezvous Protocol (RVP), which was introduced with Exchange 2000.

- Prevent video calls: When enabled, this policy prevents Windows Messenger from initiating or receiving computer-to-computer video calls. When left at the default of Not Configured, or set to Disabled, Windows Messenger can initiate and receive computer-to-computer video calls.

- Prevent computer-to-computer audio calls: When enabled, this policy prevents Windows Messenger from initiating or receiving computer-to-computer audio calls. When left at the default of Not Configured, or set to Disabled, Windows Messenger can initiate and receive computer-to-computer audio calls.

- Prevent computer-to-phone audio calls: When enabled, this policy prevents Windows Messenger from initiating or receiving computer-to-phone audio calls. This setting overrides the Allow computer-to-phone calls policy. The comments in the rtcclient.adm template specifically note that this feature is outdated and that using it should be avoided.

- Allow computer-to-phone calls: When enabled, this policy allows Windows Messenger to initiate and receive computer-to-phone calls. When left at the default of Not Configured, or set to Disabled, Windows Messenger cannot initiate or receive computer-to-phone audio calls.

- Prevent file transfer: When enabled, this policy prevents Windows Messenger from being used to transfer files. When Not Configured or Disabled, Windows Messenger can be used to send and receive files.

- Prevent collaboration features: When enabled, this policy prevents Windows Messenger from being used for whiteboarding and application sharing, including sharing the desktop of another machine. When Not Configured or Disabled, Windows Messenger can be used for whiteboarding and application sharing.

- Prevent NetMeeting: When enabled or left Not Configured, this policy prevents Windows Messenger from being used to start NetMeeting. As noted in the rtcclient.adm template file, this is the default behavior. If the policy is Disabled, Windows Messenger is allowed to start NetMeeting.

- Specify instrumentation: When enabled, this policy prevents Windows Messenger users from disabling instrumentation, the capability to record the user's actions. If the policy is Disabled, the user cannot enable instrumentation and it stays disabled. If the policy is Not Configured, the user can choose whether instrumentation is enabled or disabled.

- Prevent automatic update from .NET Messaging Service: When enabled, this policy prevents Windows Messenger from downloading and updating to a new version of Windows Messenger offered by the .NET Messaging Service. This does not replace Windows Messenger with .NET Messenger. If Disabled or Not Configured, Windows Messenger automatically downloads and installs a new version when the .NET Messaging Service presents one.

- Prevent Ink in instant messages: When enabled, this policy prevents users from sending or receiving instant messages that contain Ink. Ink is the handwritten input sent by someone using Windows Messenger, generally on a Tablet PC; a Tablet PC is not required to receive messages containing Ink. When Not Configured or Disabled, Windows Messenger can send and receive messages containing Ink.

Understanding the SIP Communications Service Policies

The SIP Communications Service Policies, like the Windows Messenger Feature Policies, are available for configuration in the Administrative Templates section of the policy, in both the User Configuration and Computer Configuration hierarchies of the policy object. These policies let system administrators control the SIP configuration of Windows Messenger. Remember that settings configured under Computer Configuration take precedence over those in User Configuration:

- Require logon credentials: When enabled, this setting requires the Windows Messenger user to provide a username and password instead of Windows Messenger using the existing Kerberos ticket or authenticating the user with NTLM. If the policy is Not Configured or Disabled, Windows Messenger authenticates with the credentials of the currently logged-on user. This setting is particularly useful when a shared account, such as a help-desk account, is in use on a shared PC; sharing an account is generally a bad idea, but it still happens.

- Allow additional server DNS names: This policy is used when Windows Messenger is set to automatic configuration and uses the _sip._tls.company.com SRV record to connect to a Live Communications Server whose DNS name is not standard. For example, if your users' SIP URIs end in @company.com, the SRV record _sip._tls.company.com must resolve to either LCSservername.company.com or server.sip.company.com. If the LCS server is in a resource domain, the server would instead be LCSservername.resource.company.com. Enabling this setting lets the Windows Messenger client accept that the LCS server or LCS Enterprise pool may be in a different domain from the SIP domain. Leaving the setting Disabled or Not Configured prevents the Windows Messenger client from connecting to servers whose FQDN is not standard for the SIP domain, which also closes off a possible man-in-the-middle attack: the client will not follow an SRV answer that points it at a server outside its SIP domain.

- Specify encryption for computer-to-computer audio and video calls: When enabled, this policy offers three options: Support Encryption (the default), Require Encryption, and Don't Support Encryption. With Support Encryption selected, the Windows Messenger client supports both encrypted and unencrypted audio and video streams. With Require Encryption selected, only encrypted audio and video streams are allowed; unencrypted streams are disallowed and automatically declined by Windows Messenger. If the policy is Disabled or Not Configured, Windows Messenger sends and receives audio and video whether or not it is encrypted, which is the default behavior of Windows Messenger.

- Require SIP high-security mode: When enabled, this policy requires Windows Messenger clients to send and receive SIP messages over Transport Layer Security (TLS) and to authenticate using Kerberos or NTLM. Neither TCP nor UDP guarantees secure instant messaging traffic for SIP-based clients. The setting also requires that messages pass from a client to a server and back to a client: client-to-client SIP communication is not allowed when it is enabled, and SIP IM traffic is not allowed to pass through a Universal Plug and Play (UPnP) NAT translation device. When the policy is Disabled or Not Configured, Windows Messenger can be configured to communicate over TLS, TCP, or UDP. Note that Live Communications Server does not support SIP over UDP.

- Allow storage of user passwords: When enabled, this policy allows Windows Messenger to store passwords at the user's request. If the policy is Disabled, Windows Messenger is not allowed to store a password. If the policy is Not Configured, the behavior depends on how the user logs on: when the account logs on to an Active Directory domain, Windows Messenger does not store the password; when the user logs on to the workstation only and not to a domain, Windows Messenger is allowed to store it.

- Specify transport and server: When enabled, this policy lets the administrator specify the transport the Windows Messenger client uses (TCP, TLS, or UDP) and the DNS name or IP address of the server. LCS 2005 allows only TCP or TLS for instant messaging and presence registration. Although the setting accepts a DNS name or an IP address, with LCS the Windows Messenger client should always be pointed at a DNS name: the name of the Enterprise pool when connecting to LCS 2005 with SP1 Enterprise Edition, or the name of the Standard Edition server, be it a Proxy or Access Proxy, when connecting to LCS 2005 with SP1 Standard Edition. This policy is particularly useful when Group Policy is configured per Active Directory site in a large enterprise deployment where multiple LCS 2005 Standard Edition servers and Enterprise pools are available. When the policy is Disabled or Not Configured, there are two options: the default Automatic Configuration, which relies on the DNS SRV records for connection information, or manual configuration of Windows Messenger by users or their desktop administrator.

Understanding the RTC Client API Policies

The RTC Client API Policies are available for configuration only in the Computer Configuration portion of the Administrative Templates section of the GPO. The three policies in this section let the system administrator control advanced features related to ports and bandwidth: the bandwidth used by audio and video communication, certificate revocation checking, and the ports used by the audio, video, and SIP features.

- Limit bandwidth for audio and video calls: When enabled, this policy lets the administrator cap the bandwidth Windows Messenger uses for audio and video calls. The cap does not make Windows Messenger use more bandwidth than it needs; it only limits it. When Disabled or Not Configured, Windows Messenger uses as much bandwidth as it needs to carry peer-to-peer audio and video calls. Based on past experience, this is generally less than 100K but may peak at 300K on occasion.

- Specify dynamic port ranges: When enabled, this policy lets the administrator set the Minimum SIP dynamic port and Maximum SIP dynamic port, as well as the Minimum RTP dynamic port and Maximum RTP dynamic port. Pinning these ranges is what makes it possible to write firewall and host-based filtering rules for the client's SIP and RTP traffic instead of opening the whole ephemeral port range.

- Enable Certificate Revocation List Checking: When enabled, this policy lets the administrator control whether the client checks the CRL. Three settings are available: Enabled (the default), Disabled, and Strictly Enforced. When CRL checking is Enabled, the client attempts to obtain the certificate revocation list and check the server certificate against it. If the policy is Enabled but CRL checking is set to Disabled, the effect is the same as setting the policy to Disabled or Not Configured: the client does not check for revocation. If the policy is Enabled and set to Strictly Enforced, the client must obtain the CRL and must verify that the server certificate is valid before it establishes a TLS connection. The practical difference between Enabled and Strictly Enforced is therefore what happens when the CRL cannot be retrieved: only Strictly Enforced refuses the connection.

Implementing a Group Policy Template for Testing

This section covers the steps to create a Group Policy object and use the rtcclient.adm template. This brief implementation applies a test policy created in a test OU, using the default tools available through Active Directory Users and Computers; the Group Policy Management Console can be used instead. When implementing the rtcclient.adm template for the domain, create an additional policy for managing Windows Messenger clients at the domain level rather than changing the Default Domain Policy, even in a test environment. If at all possible, avoid modifying the Default Domain Policy. The following steps assume that the account creating the policy has the appropriate rights to do so within the Active Directory test environment. Implementation of any Group Policy should include testing, management communication, help desk communication, and communication with the end-user community. This section covers creating a test policy within your own test environment only.

In this test, we implement a policy that prevents a test user from having access to the .NET Messenger and Exchange Messaging features of Windows Messenger:

1. On a system with the LCS 2005 administration tools installed, check the %windir%\inf directory to ensure that rtcclient.adm is located in it. This system could be a domain controller with the tools installed, an administrative workstation, or even an LCS 2005 Standard Edition server or LCS 2005 Enterprise Edition front-end server.

2. Open Active Directory Users and Computers, either from Start > Run or by selecting Start > Programs > Administrative Tools > Active Directory Users and Computers.

3. Create an organizational unit named RTCClientTest by right-clicking your domain in Active Directory Users and Computers and selecting New > Organizational Unit.

4. In that OU, create a test user account and a group named RTCClient Policy Test Group, using the default of a global security group.

5. Once the group is created, add the test user to the RTCClient Policy Test Group.

6. If the test user account has an e-mail address, right-click the user and select Enable Users for Live Communications. Otherwise, open the Properties page for the user, select the Live Communications tab, select the Enable Live Communications for This User checkbox, and provide a SIP URI and a server or pool name for the user.

7. Log on to the test workstation with the test user account and configure Windows Messenger so that the test user can log on to the LCS server. This validates that the client can connect to the LCS server:

   a. To configure Windows Messenger, select Tools > Options on the Windows Messenger sign-in page and select the Account tab.

   b. Enter the SIP URI for the sign-in. If the SRV records already exist, no further configuration is needed. If they do not, enter the server's fully qualified domain name (FQDN) and the transport you want to connect with, either TCP or TLS. TCP is fine for these tests. Note that Live Communications Server does not support a UDP connection for SIP messaging.

8. From within Windows Messenger, select Tools > Options. On the Options window, select the Accounts tab. Validate that both .NET Passport Account and Exchange Account are visible.

9. In Active Directory Users and Computers, right-click the RTCClientTest OU and select Properties.

10. Select the Group Policy tab and click New.

11. Name the new Group Policy object RTC Client Test Policy and press Enter.

12. Select RTC Client Test Policy and click Properties. When the RTC Client Test Policy Properties dialog box opens, select the Security tab.

13. Select the Authenticated Users group and clear the Apply Group Policy checkbox. Do not add a Deny, because a Deny is explicit: although a domain Admin or other privileged account should not be enabled for Live Communications, for the same security reasons it should not be e-mail-enabled, a policy may still need to be applied to such an account, and an explicit Deny would prevent this. Removing Apply Group Policy from Authenticated Users now is a best practice that prevents a policy from being configured and accidentally applied to a client or set of clients, such as Authenticated Users.

14. Click Add, search for the RTCClient Policy Test Group, and click OK. This adds the group to the list of group or user names in the policy's Properties box.

15. Ensure that Read is set to Allow, and select the Allow checkbox for Apply Group Policy.

16. Validate that no other groups or users have Apply Group Policy, then click Apply and OK.

17. Select RTC Client Test Policy and click Edit. This launches the Group Policy Object Editor.

18. Right-click the Administrative Templates folder under either Computer Configuration or User Configuration and select Add/Remove Templates.

19. The Add/Remove Templates dialog box lists several current policy templates. Select all of them and click Remove; this is done because we are interested only in the rtcclient.adm policy template.

20. Click Add. In the Policy Templates dialog box, select the rtcclient.adm template and click Open. Click Close on the Add/Remove Templates dialog box.

21. Click the + box on the Administrative Templates folder under User Configuration and select the Windows Messenger Feature Policies folder.

22. Double-click Prevent Connection to .NET Messaging Service (or right-click it and select Properties). In the Properties dialog box, select Enabled and click Apply and OK.

23. Double-click Prevent Connection to Exchange Messaging Service (or right-click it and select Properties). In the Properties dialog box, select Enabled and click Apply and OK.

24. Close the Group Policy Object Editor. There are no Save or Save As options; the changes are saved automatically.

25. Close the RTC Client Test Policy Properties dialog box by clicking OK.

26. Log the test user off the test workstation and back on.

27. Launch Windows Messenger and select Tools > Options. Click the Accounts tab. Both the .NET Messenger Account and the Exchange Account options should be gone.

Communicator.adm Administrative Template

This section describes the configuration options available through the communicator.adm template, which ships on the Microsoft Office Communicator CD. One thing you may notice is how many additional features the communicator.adm template contains compared to the rtcclient.adm template. Administrators will also notice that communicator.adm contains many of the same settings as rtcclient.adm. The communicator.adm template for Microsoft Office Communicator is located in the Support directory on the Microsoft Office Communicator CD, generally D:\Support, or the Support directory under whichever drive letter the CD uses.

The Computer Configuration settings modify policy registry keys and values under:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Communicator

Likewise, the User Configuration settings modify policy registry keys and values under:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Communicator

The following two tables list the settings available in Computer Configuration and in User Configuration. The communicator.adm template settings, as listed in these tables, apply to the English language version of Microsoft Office Communicator 2005. The first table lists the settings available in the Computer Configuration portion of the Administrative template.

Computer Configuration Settings

  Microsoft Office Communicator Policy Settings
  Microsoft Office Communicator Feature Policies
    Prevent users from running Microsoft Office Communicator
    Prevent video calls
    Prevent computer-to-computer audio calls
    Enable conferencing
    Enable computer-to-phone calls
    Prevent file transfer
    Prevent users from saving instant messages
    Prevent collaboration features
    Specify instrumentation
    Prevent Ink in instant messages
    Permit hyperlinks in instant messages
    Disable Calendar presence
    Enable phone control
    Disable presence note
    Disable call presence
    Allow remote assistance
    Help menu Tab URL
    Disable Live Meeting integration
    Block IMs from federated contacts
    Set maximum allowed number of contacts
    Launch Microsoft Office Communicator Tour
    Require logon credentials
    Allow additional server DNS names
    Specify encryption for computer-to-computer audio and video calls
    Configure SIP security mode
    Enable UPNP
    Allow storage of user passwords
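The test-policy procedure in "Implementing a Group Policy Template for Testing" can be reproduced from PowerShell. The script below is an added example written for this edit; it is not from the chapter or from Microsoft. It assumes the ActiveDirectory and GroupPolicy modules (the RSAT cmdlets, which are newer than the LCS 2005-era tooling the chapter uses). The registry key HKCU\Software\Policies\Microsoft\Messenger\Client and the value names PreventNetMessaging and PreventExchangeMessaging are assumptions standing in for whatever rtcclient.adm actually writes; take the real KEYNAME and VALUENAME from the template before running it. Step 6 (enabling the user for Live Communications) needs the LCS administration tools and is not scripted here.

```powershell
# Added example: scripted equivalent of the test-policy procedure.
# Not the chapter's code. Requires the RSAT ActiveDirectory and
# GroupPolicy modules. The policy key and value names below are
# ASSUMPTIONS; read the real ones from rtcclient.adm (KEYNAME/VALUENAME).
#Requires -Modules ActiveDirectory, GroupPolicy

param(
    [string]$OuName    = 'RTCClientTest',
    [string]$GroupName = 'RTCClient Policy Test Group',
    [string]$TestUser  = 'rtctest',
    [string]$GpoName   = 'RTC Client Test Policy',
    # Assumed User Configuration policy key written by rtcclient.adm.
    [string]$PolicyKey = 'HKCU\Software\Policies\Microsoft\Messenger\Client',
    # Assumed value names for "Prevent connection to .NET Messaging Service"
    # and "Prevent connection to Exchange Messaging Service".
    [string]$NetValue  = 'PreventNetMessaging',
    [string]$ExchValue = 'PreventExchangeMessaging'
)

$domainDn = (Get-ADDomain).DistinguishedName
$ouDn     = "OU=$OuName,$domainDn"

# Steps 3-5: test OU, global security group, test user, group membership.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'")) {
    New-ADOrganizationalUnit -Name $OuName -Path $domainDn
}
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $ouDn
}
if (-not (Get-ADUser -Filter "SamAccountName -eq '$TestUser'")) {
    $pw = Read-Host -AsSecureString "Password for $TestUser"
    New-ADUser -Name $TestUser -SamAccountName $TestUser -Path $ouDn `
        -AccountPassword $pw -Enabled $true
}
Add-ADGroupMember -Identity $GroupName -Members $TestUser

# Steps 9-11: a new GPO linked to the test OU, never the Default Domain Policy.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName
    New-GPLink -Name $GpoName -Target $ouDn | Out-Null
}

# Steps 13-16: security filtering. Authenticated Users keeps Read (clients
# must still read the GPO) but loses Apply Group Policy; the test group gets
# Apply. No Deny ACE is written, matching the chapter's advice.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Steps 20-23: the two rtcclient.adm settings, written as the registry
# values the template would set. "Enabled = DWORD 1" is also an assumption.
foreach ($v in $NetValue, $ExchValue) {
    Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName $v `
        -Type DWord -Value 1 | Out-Null
}

# Verification: only the test group may apply the GPO, and both values exist.
$appliers = Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object -ExpandProperty Trustee |
    Select-Object -ExpandProperty Name
"Apply Group Policy granted to: $($appliers -join ', ')"
Get-GPRegistryValue -Name $GpoName -Key $PolicyKey |
    Select-Object ValueName, Type, Value
# On the test workstation, after logging the user off and on (step 26),
# "gpresult /r /scope:user" should list the GPO as applied.
```

The script deliberately uses GpoRead with -Replace for Authenticated Users rather than removing the trustee: if Authenticated Users loses Read, the client-side Group Policy engine cannot read the GPO at all and the filtering looks broken instead of intentional. The verification output is the same check the chapter makes by hand in step 16.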
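To see what a workstation actually ends up with, the script below (an added example, not from the chapter) computes the effective policy from the HKLM and HKCU policy keys described above, applying the Computer-over-User precedence the chapter repeats, and flags the settings from the SIP Communications Service and RTC Client API policies that a reviewer would object to: SIP high-security mode not required, a transport other than TLS, audio and video encryption not required, CRL checking not strictly enforced, additional server DNS names allowed, and password storage permitted. The value names and the numeric encodings of the multi-state settings are assumptions; map them to the VALUENAME entries of the template you deploy. The hashtables at the bottom are constructed input so the logic can be exercised without touching the registry.

```powershell
# Added example, not the chapter's code. Value names and numeric encodings
# are ASSUMPTIONS; substitute the VALUENAME entries from your .adm file.

function Get-PolicyValues {
    # Read every value under a policy key into a hashtable; an absent key
    # means every policy in it is Not Configured.
    param([string]$Path)   # e.g. HKLM:\Software\Policies\Microsoft\Communicator
    $out = @{}
    if (Test-Path $Path) {
        $item = Get-ItemProperty -Path $Path
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { $out[$p.Name] = $p.Value }
        }
    }
    return $out
}

function Resolve-EffectivePolicy {
    # Computer Configuration (HKLM) wins over User Configuration (HKCU)
    # for any value that is configured in both.
    param([hashtable]$Machine, [hashtable]$User)
    $eff = @{}
    foreach ($k in $User.Keys)    { $eff[$k] = $User[$k] }
    foreach ($k in $Machine.Keys) { $eff[$k] = $Machine[$k] }
    return $eff
}

function Test-SipClientPosture {
    param([hashtable]$Policy, [bool]$DomainLogon = $true)
    $findings = New-Object System.Collections.Generic.List[string]

    # Require SIP high-security mode (assumed: DWORD 1 = Enabled).
    if ($Policy['RequireHighSecurity'] -ne 1) {
        $findings.Add('SIP high-security mode not required: TCP or UDP transport possible')
    }
    # Specify transport and server (assumed: string TCP, TLS or UDP).
    if ($Policy.ContainsKey('Transport') -and $Policy['Transport'] -ne 'TLS') {
        $findings.Add("Transport pinned to $($Policy['Transport']) instead of TLS")
    }
    # Encryption for audio/video (assumed: 0 Support, 1 Require, 2 Don't Support).
    if ($Policy['AudioVideoEncryption'] -ne 1) {
        $findings.Add('Audio/video encryption not required: unencrypted streams accepted')
    }
    # CRL checking (assumed: 0 Disabled, 1 Enabled, 2 Strictly Enforced).
    if ($Policy['CrlCheck'] -ne 2) {
        $findings.Add('CRL checking not strictly enforced: TLS proceeds without a CRL')
    }
    # Allow additional server DNS names (assumed: DWORD 1 = Enabled).
    if ($Policy['AllowAdditionalServerNames'] -eq 1) {
        $findings.Add('Additional server DNS names allowed: servers outside the SIP domain accepted')
    }
    # Allow storage of user passwords: Not Configured stores only for non-domain logons.
    $v = $Policy['AllowPasswordStorage']
    if ($v -eq 1) { $store = $true } elseif ($v -eq 0) { $store = $false } else { $store = -not $DomainLogon }
    if ($store) { $findings.Add('Client may store the user password') }

    return $findings
}

function Invoke-SipClientAudit {
    # Live run on a workstation against the Messenger or Communicator policy keys.
    param([string]$Product = 'Communicator')
    $m = Get-PolicyValues "HKLM:\Software\Policies\Microsoft\$Product"
    $u = Get-PolicyValues "HKCU:\Software\Policies\Microsoft\$Product"
    $eff = Resolve-EffectivePolicy -Machine $m -User $u
    $onDomain = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
    Test-SipClientPosture -Policy $eff -DomainLogon $onDomain
}

# Constructed sample, not real registry data: User Configuration asks for
# TLS, required encryption and strict CRL checking, but Computer
# Configuration pins TCP, and the machine value wins.
$sampleMachine = @{ Transport = 'TCP' }
$sampleUser    = @{ Transport = 'TLS'; AudioVideoEncryption = 1; CrlCheck = 2 }
$effective = Resolve-EffectivePolicy -Machine $sampleMachine -User $sampleUser
Test-SipClientPosture -Policy $effective -DomainLogon $true
```

With the constructed sample, the user-scope TLS setting is overridden by the machine-scope TCP value, so the audit reports the transport as TCP and also notes that high-security mode is not required; encryption and strict CRL checking pass, and the password-storage check stays quiet because a domain logon with the policy Not Configured does not store the password, exactly as the chapter describes. Run Invoke-SipClientAudit on a real workstation, after adjusting the value names, to audit the live keys.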