Windows Server 2008 R2 Unleashed (201 page)

settings centrally.

1030

CHAPTER 27

Group Policy Management for Network Clients

.
Scripts (Startup/Shutdown)—
The Scripts node allows administrators to add

startup or shutdown scripts to computer objects.

.
Deployed Printers—
This node allows administrators to automatically install and

remove printers on the Windows systems. Using the Group Policy Object Editor on

Windows Server 2008 or Windows Server 2008 R2 systems, this node might not

appear unless the Print Management console is also installed.

.
Security Settings—
This node is a replica of the local security policy, although it

does not sync or pull information from the local security policy. The settings in this

node can be used to define password policies, audit policies, software restrictions,

Services configuration, Registry and file permissions, and much more.

.
Policy-base QoS—
The Policy-base QoS node can be configured to manage, restrict,

and prioritize outbound network traffic between a source Windows system and a

destination host based on an application, source, or destination IP address and/or

source and destination protocols and ports.

Security Settings

The Security Settings node allows a security administrator to configure security levels

assigned to a domain or Local Group Policy Object. This can be performed manually or by

ptg

importing an existing security template.

The Security Settings node of the Group Policy Object can be used to configure several

security-related settings, including file system NTFS permissions and many more settings

contained in the nodes beneath Security Settings as follows:

.
Account Policies—
These computer security settings control password policy,

lockout policy, and Kerberos policy in Windows Server 2008 R2, Windows Server

2008, Windows Server 2003, and Windows 2000 Server domains and local systems.

.
Local Policies—
These security settings control audit policy, user rights assignment,

and security options, including setting the default User Account Control settings for

systems the policy applies to.

.
Event Log—
This setting controls security settings and the size of the event logs for

the application, security, and system event logs.

.
Restricted Groups—
These settings allow the administrator to manage local or

domain group membership from within this policy node. Restricted group settings

can be used to add members to an existing group without removing any existing

members or it can enforce and overwrite membership based on the policy configura-

tion.

.
System Services—
These settings can be used to control the startup mode of a

service and to define the permissions to manage the service configuration or state.

Configuring these settings does not start or stop any services.

Group Policy Feature Set

1031

.
Registry—
This setting is used to configure the security permissions of defined

Registry keys and, if desired, all subkeys and values. This setting is useful in support-

ing legacy applications that require specific Registry key access that is not normally

allowed for standard user accounts.

.
File System—
This setting is used to configure NTFS permissions on specified folders

on NTFS formatted drives. Also, enabling auditing and configuring folder ownership

and propagating these settings to subfolders and files is an option.

.
Wired Network (IEEE 802.3) Policies—
This policy node can be used to configure

additional security on wired network adapters to allow for or require smart card or

computer-based certificate authentication and encryption.

.
Windows Firewall with Advanced Security—
This policy node allows administra-

tors to configure the Windows Firewall on Windows client and Windows server

systems. The configured settings can configure specific inbound or outbound rules

and can define how the firewall is configured based on the firewall profile or

network the system is connected to. The configuration can overwrite the local fire-

wall rules or the group policy and local rules can be merged.

.
Network List Manager Policies—
Windows Firewall on Windows 7, Windows

Vista, Windows Server 2008, and Windows Server 2008 R2 uses firewall profiles

ptg

based on the network. This setting node can be used to define the permissions end

users have regarding the identification and classification of a new network as public

or private to allow for the proper firewall profile to be applied.

.
Wireless Network (IEEE 802.11) Policies—
These policies help in the configura-

tion settings for a wide range of devices that access the network over wireless tech-

27

nologies, including predefining the preferred wireless network, including the service

set identifier (SSID) and the security type for the network. This node includes

Windows Vista and later releases and Windows XP compatible policies.

.
Public Key Policies—
These settings are used to specify that computers automati-

cally submit a certificate request to an enterprise certification authority and install

the issued certificate. Public Key Policies are also created and are used in the distribu-

tion of the certificate trust list. Public Key Policies can establish common trusted root

certification authorities. Encrypting File System settings use this policy node as well.

.
Software Restriction Policies—
These policies enable an administrator to control

the applications that are allowed to run on the Windows system based on the file

properties, including the filename. Additionally, software restrictions can be created

based on certificates or the particular network zone from which the application is

being accessed or executed. For example, a rule can be created to block application

installations from the Internet zone as defined by Microsoft Internet Explorer.

.
Network Access Protection—
This setting can be used to deploy the configuration

of the Network Access Protection client. These policy settings allow an administrator

to require a client health check before granting access to the network.

1032

CHAPTER 27

Group Policy Management for Network Clients

.
Application control policies—
This node enables Group Policy administrators to

create rules that define which security groups or specific users can run executables,

scripts, or Windows Installer files and can also be used to granularly define which

file paths, filenames, and digitally signed publishers of files will be allowed or denied

on the computers these policy settings apply to.

.
IP Security Policies on Active Directory—
IP Security (IPSec) policies can be

applied to the GPO of an Active Directory object to define when and where IPSec

communication is allowed or required.

.
Advanced Audit Policy Configuration—
This node can be used to define more

detailed and granular audit settings for use on Windows Server 2008 R2 and

Windows 7 systems.

Computer Configuration Administrative Templates Node

The Computer Configuration Administrative Templates node contains all of the Registry-

based policy settings that apply to the Windows system. These settings are primarily used to

control, configure, and secure how the Windows system is set up and how it can be used.

This is not the same as the security settings configuration where specific users or groups are

granted rights because the configuration settings available within the administrative

templates apply to the system and all users who access the system. Many settings, however,

ptg

are not applied to users who are members of the local administrators group of a system.

User Configuration Policy Node

The User Configuration node contains settings used to configure and manage the user

desktop environment on a Windows system. Unlike the computer configuration settings

that define system settings and restrict what users can do on a particular system, the user

configuration settings can customize the desktop experience for a user, including setting

Start menu options, hiding or disabling Control Panel applets, redirecting folders to

network shares, restricting write access to removable media, and much more. At the root

of the User Configuration node are three policy nodes named the Software Settings node,

the Windows Settings node, and the Administrative Templates node, but the settings

contained within these nodes are different from the settings included in the Computer

Configuration node, and in a domain group policy, these nodes are located beneath the

User Configuration\Policies\ node.

User Configuration Software Settings Node

The Software Settings node in the User Configuration section of a policy allows adminis-

trators to publish or assign software applications to individual users to which the policy

applies. When a packaged software application is assigned to a user, it can be configured

to be installed automatically at user logon or it can just be available in the Control Panel

Programs applet for installation by the user the same as when it is published. When a

Planning Workgroup and Standalone Local Group Policy Configuration

1033

packaged application is published to a user, it can be installed by that user by accessing

the application in the following section of Control Panel:

.
Windows Server 2008 and Windows Server 2008 R2—
Control Panel, Get

Programs

.
Windows Vista—
Control Panel, Programs, Get Programs and Features

.
Windows 7—
Control Panel, Programs, Get Programs

.
Windows XP—
Control Panel, Add or Remove Programs, Add New Programs

User Configuration Windows Settings Node

The Windows Settings node in the User Configuration section of a policy allows adminis-

trators to configure logon scripts for users, configure folder redirection of user profile

folders, define software restriction policies, automatically install and, if necessary, remove

printers, and configure many Internet Explorer settings and defaults.

User Configuration Administrative Templates Node

User Configuration Administrative Templates are the most commonly configured policy

settings in domain group policy deployments. Settings contained within the User

ptg

Configuration Administrative Templates node can be used to assist administrators with the

automated configuration of a user’s desktop environment. Of course now with domain

group policy preferences, many of these newly available settings will also be highly used

once Group Policy administrators begin to explore and find the best ways to use prefer-

ence settings.

27

Planning Workgroup and Standalone Local Group

Policy Configuration

Many organizations deploy Windows servers and workstations in workgroup configura-

tions and for these organizations, local group policies can play a vital role in simplifying

Windows system administration. Some of the benefits of leveraging local group policies in

workgroup deployments include, but are not limited to, the following:

.
Standardizing workgroup and image deployments—
Define the base local

computer, Administrators, and Non-Administrators local policies on a machine that

will be used as a template for a desktop or server image to reduce security exposure,

improve standardization, and reduce user error when many systems are deployed.

.
Standardizing User Configuration settings—
The User Configuration section of

the local computer policy can be configured to install specific printers for users,

customize the Start menu and display settings, predefine settings for Windows

1034

CHAPTER 27

Group Policy Management for Network Clients

programs such as Remote Desktop Connection, and much more. For the most part,

however, the settings are standardized to give every user the same experience.

.
Preconfiguring policies for shared or public Windows systems—
Systems that

are made available for public use or are utilized by several different users require

more restrictive configurations to increase the security and reliability of the system.

In these types of deployments, Windows administrators can configure tight security

settings in the local computer policy, very restrictive settings in the non-administra-

tors policy, and less restrictive settings in the administrators policy to allow for

updates and management. Also, audit settings can be enabled to track logon/logoff,

file and folder access, and much more.

.
Preconfiguring security updates and remote administration settings—

Windows systems that are deployed in workgroups can be difficult to remotely sup-

port and administer if the proper configurations are not created prior to

deployment. Using the local computer policy, firewall rules can be created to allow

for remote management, Remote Desktop can be enabled and enforced, and

Windows Update settings can also be configured to enable automated security