Read Windows Server 2008 R2 Unleashed Online
Authors: Noel Morimoto
settings centrally.
CHAPTER 27
Group Policy Management for Network Clients
- Scripts (Startup/Shutdown)—The Scripts node allows administrators to add startup or shutdown scripts to computer objects.
- Deployed Printers—This node allows administrators to automatically install and remove printers on Windows systems. Using the Group Policy Object Editor on Windows Server 2008 or Windows Server 2008 R2 systems, this node might not appear unless the Print Management console is also installed.
- Security Settings—This node is a replica of the local security policy, although it does not sync or pull information from the local security policy. The settings in this node can be used to define password policies, audit policies, software restrictions, services configuration, Registry and file permissions, and much more.
- Policy-based QoS—The Policy-based QoS node can be configured to manage, restrict, and prioritize outbound network traffic between a source Windows system and a destination host based on an application, source or destination IP address, and/or source and destination protocols and ports.
Security Settings
The Security Settings node allows a security administrator to configure security levels assigned to a domain or Local Group Policy Object. This can be performed manually or by importing an existing security template.
The Security Settings node of the Group Policy Object can be used to configure several security-related settings, including file system NTFS permissions and many more settings contained in the nodes beneath Security Settings, as follows:
- Account Policies—These computer security settings control password policy, lockout policy, and Kerberos policy in Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, and Windows 2000 Server domains and local systems.
- Local Policies—These security settings control audit policy, user rights assignment, and security options, including setting the default User Account Control settings for systems the policy applies to.
- Event Log—This setting controls security settings and the size of the event logs for the application, security, and system event logs.
- Restricted Groups—These settings allow the administrator to manage local or domain group membership from within this policy node. Restricted group settings can be used to add members to an existing group without removing any existing members, or they can enforce and overwrite membership based on the policy configuration.
- System Services—These settings can be used to control the startup mode of a service and to define the permissions to manage the service configuration or state. Configuring these settings does not start or stop any services.
- Registry—This setting is used to configure the security permissions of defined Registry keys and, if desired, all subkeys and values. This setting is useful in supporting legacy applications that require specific Registry key access that is not normally allowed for standard user accounts.
- File System—This setting is used to configure NTFS permissions on specified folders on NTFS-formatted drives. Enabling auditing, configuring folder ownership, and propagating these settings to subfolders and files are also options.
- Wired Network (IEEE 802.3) Policies—This policy node can be used to configure additional security on wired network adapters to allow for or require smart card or computer-based certificate authentication and encryption.
- Windows Firewall with Advanced Security—This policy node allows administrators to configure the Windows Firewall on Windows client and Windows server systems. The configured settings can define specific inbound or outbound rules and can define how the firewall is configured based on the firewall profile or network the system is connected to. The configuration can overwrite the local firewall rules, or the group policy and local rules can be merged.
- Network List Manager Policies—Windows Firewall on Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2 uses firewall profiles based on the network. This setting node can be used to define the permissions end users have regarding the identification and classification of a new network as public or private, so that the proper firewall profile is applied.
- Wireless Network (IEEE 802.11) Policies—These policies help in the configuration settings for a wide range of devices that access the network over wireless technologies, including predefining the preferred wireless network, its service set identifier (SSID), and the security type for the network. This node includes Windows Vista and later releases and Windows XP compatible policies.
- Public Key Policies—These settings are used to specify that computers automatically submit a certificate request to an enterprise certification authority and install the issued certificate. Public Key Policies are also used in the distribution of the certificate trust list and can establish common trusted root certification authorities. Encrypting File System settings use this policy node as well.
- Software Restriction Policies—These policies enable an administrator to control the applications that are allowed to run on the Windows system based on file properties, including the filename. Additionally, software restrictions can be created based on certificates or the particular network zone from which the application is being accessed or executed. For example, a rule can be created to block application installations from the Internet zone as defined by Microsoft Internet Explorer.
- Network Access Protection—This setting can be used to deploy the configuration of the Network Access Protection client. These policy settings allow an administrator to require a client health check before granting access to the network.
- Application Control Policies—This node enables Group Policy administrators to create rules that define which security groups or specific users can run executables, scripts, or Windows Installer files, and can also be used to granularly define which file paths, filenames, and digitally signed publishers of files will be allowed or denied on the computers these policy settings apply to.
- IP Security Policies on Active Directory—IP Security (IPSec) policies can be applied to the GPO of an Active Directory object to define when and where IPSec communication is allowed or required.
- Advanced Audit Policy Configuration—This node can be used to define more detailed and granular audit settings for use on Windows Server 2008 R2 and Windows 7 systems.
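The Account Policies and Local Policies nodes above map directly onto the security template that secedit.exe can export from a machine, which makes it possible to verify what a system actually applied. The following PowerShell script is an added example, not code from the book: it exports the effective local security policy and reports password, lockout, and audit values that fall short of a constructed baseline. The function names Get-LocalSecurityPolicy and Test-SecurityBaseline and the baseline numbers are assumptions chosen for illustration; run it in an elevated session.

```powershell
# Added example (not from the book). Exports the effective local security policy with
# secedit.exe and reports Account Policies / Local Policies values below a constructed
# baseline. Baseline values are illustrative, not a vendor recommendation.

$baseline = @{
    # Account Policies live in the [System Access] section of the exported template
    'MinimumPasswordLength' = 14
    'PasswordComplexity'    = 1
    'PasswordHistorySize'   = 24
    'LockoutBadCount'       = 10
    'LockoutDuration'       = 15
    # Local Policies audit settings live in [Event Audit]; 3 = audit success and failure
    'AuditLogonEvents'      = 3
    'AuditAccountLogon'     = 3
    'AuditPolicyChange'     = 3
    'AuditAccountManage'    = 3
}

function Get-LocalSecurityPolicy {
    # secedit writes a UTF-16 INI-style template; parse it into section -> name -> value
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $inf /quiet | Out-Null
    $policy = @{}; $section = ''
    foreach ($line in Get-Content -Path $inf -Encoding Unicode) {
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $policy[$section] = @{}; continue }
        if ($section -and $line -match '^\s*([^=]+?)\s*=\s*(.*)$') {
            $policy[$section][$Matches[1]] = $Matches[2].Trim()
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $policy
}

function Test-SecurityBaseline([hashtable]$Policy, [hashtable]$Baseline) {
    # Every baseline entry is a minimum: a stricter local value is not a finding
    $findings = @()
    foreach ($name in $Baseline.Keys) {
        $section = if ($name -like 'Audit*') { 'Event Audit' } else { 'System Access' }
        $actual = if ($Policy.ContainsKey($section)) { $Policy[$section][$name] } else { $null }
        if ($null -eq $actual) {
            $findings += "$name is not defined locally (baseline requires $($Baseline[$name]))"
        } elseif ([int]$actual -lt $Baseline[$name]) {
            $findings += "$name is $actual, baseline requires at least $($Baseline[$name])"
        }
    }
    return $findings
}

$deviations = Test-SecurityBaseline -Policy (Get-LocalSecurityPolicy) -Baseline $baseline
if ($deviations.Count -eq 0) { 'Local security policy meets the baseline.' } else { $deviations }
```

On a system where Advanced Audit Policy Configuration is in use, the granular subcategories are not reflected in the [Event Audit] section, so check those with auditpol.exe /get /category:* instead.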
Computer Configuration Administrative Templates Node
The Computer Configuration Administrative Templates node contains all of the Registry-based policy settings that apply to the Windows system. These settings are primarily used to control, configure, and secure how the Windows system is set up and how it can be used. This is not the same as the security settings configuration, where specific users or groups are granted rights, because the configuration settings available within the administrative templates apply to the system and all users who access the system. Many settings, however, are not applied to users who are members of the local Administrators group of a system.
User Configuration Policy Node
The User Configuration node contains settings used to configure and manage the user desktop environment on a Windows system. Unlike the computer configuration settings that define system settings and restrict what users can do on a particular system, the user configuration settings can customize the desktop experience for a user, including setting Start menu options, hiding or disabling Control Panel applets, redirecting folders to network shares, restricting write access to removable media, and much more. At the root of the User Configuration node are three policy nodes named the Software Settings node, the Windows Settings node, and the Administrative Templates node, but the settings contained within these nodes are different from the settings included in the Computer Configuration node, and in a domain group policy, these nodes are located beneath the User Configuration\Policies\ node.
User Configuration Software Settings Node
The Software Settings node in the User Configuration section of a policy allows administrators to publish or assign software applications to individual users to which the policy applies. When a packaged software application is assigned to a user, it can be configured to be installed automatically at user logon, or it can just be made available in the Control Panel Programs applet for installation by the user, the same as when it is published. When a packaged application is published to a user, it can be installed by that user by accessing the application in the following section of Control Panel:
- Windows Server 2008 and Windows Server 2008 R2—Control Panel, Get Programs
- Windows Vista—Control Panel, Programs, Get Programs and Features
- Windows 7—Control Panel, Programs, Get Programs
- Windows XP—Control Panel, Add or Remove Programs, Add New Programs
User Configuration Windows Settings Node
The Windows Settings node in the User Configuration section of a policy allows administrators to configure logon scripts for users, configure folder redirection of user profile folders, define software restriction policies, automatically install and, if necessary, remove printers, and configure many Internet Explorer settings and defaults.
User Configuration Administrative Templates Node
User Configuration Administrative Templates are the most commonly configured policy settings in domain group policy deployments. Settings contained within the User Configuration Administrative Templates node can be used to assist administrators with the automated configuration of a user's desktop environment. Now that domain group policy preferences are available, many of these newly available settings will also be heavily used once Group Policy administrators begin to explore and find the best ways to use preference settings.
Planning Workgroup and Standalone Local Group Policy Configuration
Many organizations deploy Windows servers and workstations in workgroup configurations, and for these organizations, local group policies can play a vital role in simplifying Windows system administration. Some of the benefits of leveraging local group policies in workgroup deployments include, but are not limited to, the following:
- Standardizing workgroup and image deployments—Define the base local computer, Administrators, and Non-Administrators local policies on a machine that will be used as a template for a desktop or server image to reduce security exposure, improve standardization, and reduce user error when many systems are deployed.
- Standardizing User Configuration settings—The User Configuration section of the local computer policy can be configured to install specific printers for users, customize the Start menu and display settings, predefine settings for Windows programs such as Remote Desktop Connection, and much more. For the most part, however, the settings are standardized to give every user the same experience.
- Preconfiguring policies for shared or public Windows systems—Systems that are made available for public use or are utilized by several different users require more restrictive configurations to increase the security and reliability of the system. In these types of deployments, Windows administrators can configure tight security settings in the local computer policy, very restrictive settings in the Non-Administrators policy, and less restrictive settings in the Administrators policy to allow for updates and management. Also, audit settings can be enabled to track logon/logoff, file and folder access, and much more.
- Preconfiguring security updates and remote administration settings—Windows systems that are deployed in workgroups can be difficult to remotely support and administer if the proper configurations are not created prior to deployment. Using the local computer policy, firewall rules can be created to allow for remote management, Remote Desktop can be enabled and enforced, and Windows Update settings can also be configured to enable automated security