EC and SSLF - Windows XP or Vista clients?
Hello, I have been reading the Windows Server 2008 Security Guide (version 3.0 - February 2008 | Updated February 2009) and I am trying to determine the applicable security setting for our new computer system. All our servers will be Server 2008 and the majority of our client machines are XP laptops.
On page 4 of the Security Guide, in the paragraph about Guide Scope, it states that "client computers in the SSLF environment can only run Windows Vista SP1". However, on page 14 of the same document it states that in the SSLF environment servers can "manage client computers that can run either Windows Vista SP1 or Windows XP SP3 or later".
Can anyone tell me which statement is correct? I do not want to apply a set of security configurations to the server system which then prevent all the staff from interacting easily with the server system.
Can anyone also tell me the main functional differences between the EC and SSLF arrangements, which didn't really clarify much (I finally found Appendix A to the security guide, which doesn't seem to be released by Microsoft anymore). I assume the SSLF environment does not stop you being able to use Exchange / terminal servers / AD authentication, or will they not work as expected?
When I apply the EC/SSLF baseline to the server system, do I also have to apply the same security configuration to the client laptops?
What is the password to open the zip files in the Security Management Toolkit download? It is not mentioned anywhere that there is a password!
Thanks in advance
dc
June 9th, 2009 12:49pm

Hi,
First of all, I cannot find "manage client computers that can run either Windows Vista SP1 or windows XP SP3 or later" in the documents. Besides, I suggest we ignore this document and download the following tool to test.
Security Compliance Management Toolkit Series
http://www.microsoft.com/downloads/details.aspx?familyid=5534BEE1-3CAD-4BF0-B92B-A8E545573A3E&displaylang=en
Download a proper version of the Security Compliance Management Toolkit and unzip it. Refer to the documents in this folder. Install GPOAccelerator and try to create Lab GPOs. Open GPMC and you can find all the new GPOs. Refer to "Chapter 3: Using the GPOAccelerator with Windows Vista" of "How To Use the GPOAccelerator.docx" and other chapters.
Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.
June 10th, 2009 1:59pm

Hi,
The Windows 2008 Security Guide I refer to (v3.0) is contained in the download that you specify (both the 'ALL' and 'WS 2008' specific zip file), which also requests a password to unzip some of the files, as I mentioned in my previous post. The line I quote from is in Chapter 1, on page 14 of the security guide, on the third line of the first paragraph in the section 'Specialised Security - Limited functionality'.
Are you saying that Vista SP1 is the only system which can be used with the SSLF baseline? I do not have a lab environment up and running yet; I am considering the baselines to test before I even get that far.
dc
June 11th, 2009 1:58pm

Hi,
No. Windows XP Professional SP3 supports SSLF.
From Windows Server 2008 Security Guide.docx in the Security Compliance Management Toolkit _ Windows Server 2008 folder, we can find:
"The Specialized Security Limited Functionality (SSLF) environment referred to in this chapter consists of a domain using AD DS in which computers running Windows Server 2008 with Active Directory manage client computers that can run either Windows Vista Service Pack 1 (SP1) or Windows XP Professional SP3 or later, and member servers running Windows Server 2008."
From Windows XP Security Guide.docx in the Security Compliance Management Toolkit _ Windows XP folder, we can find:
"The Specialized Security Limited Functionality (SSLF) baseline in this guide addresses the demand to help create highly secure environments for computers running Windows XP Professional SP3. Concern for security is so great in these environments that a significant loss of functionality and manageability is acceptable. The Enterprise Client (EC) security baseline helps provide enhanced security that allows sufficient functionality of the operating system and applications for the majority of organizations."
Just create a test OU and link the GPO created by GPOAccelerator to this test OU to get familiar with it.
Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.
June 11th, 2009 2:14pm

Hi, thanks for your quick reply.
I'll test it out when I get the system set up properly.
But how come it says on page 4 of the same document, in the Overview chapter in the section 'Guide Scope', 2nd paragraph, 4th line, that clients can only be Vista SP1?
Someone also told me that using the GPOAccelerator changes the administrator password when you apply the SSLF environment, but then doesn't tell you what it is when it's done it...
Thanks
dc
June 11th, 2009 2:26pm

DC,
The GPOAccelerator is no longer available. It has been replaced with Microsoft Security Compliance Manager and the Local Policy Tool; see http://social.technet.microsoft.com/wiki/contents/articles/what-happened-to-the-gpo-accelerator.aspx for more details. You can download SCM at http://technet.microsoft.com/en-us/library/cc677002.aspx. If you have more questions, feel free to contact me directly or our team's address, secwish@microsoft.com.
Additionally, neither the GPOAccelerator nor LPT change the admin password; I don't believe it's possible to change an account password using group policy. Where did you hear this?
Kurt Dillard
http://www.kurtdillard.com
December 28th, 2010 11:28am

This topic is archived. No further replies will be accepted.
