7. Control Windows Update and Automatic Updates
Generally speaking, XP's Windows Update and Automatic Updates are great features. In a corporate environment, though, there are good reasons to control their availability and behavior. You can disable Automatic Updates and remove user access to Windows Update through Group Policy. Of course, you'll likely only do this if you have a centralized update distribution mechanism such as Software Update Services (SUS) or its soon-to-be-released successor Windows Update Services (WUS). Both SUS and WUS are controllable through Group Policy but might require an updated version of the Wuau.adm administrative template. The settings for the built-in update tools are user-specific. SUS and WUS settings are computer-based.
The Settings:
User Configuration\ Administrative Templates\ System\ Windows Automatic Updates
User Configuration\ Administrative Templates\ System\ Windows Update
Computer Configuration\ Administrative Templates\ Windows Components\ Windows Update
8. Folder Redirection
Folder Redirection lets you redirect the path of special folders such as My Documents, Desktop, and Application Data to a network location. Storing these folders and their contents on a file server affords them the superior protection that server class hardware inherently provides and also makes the data available to users from multiple workstations. A separate but complementary technology is XP's Offline Files, which automatically makes files available offline when you redirect them from a special folder. For more information about implementing Folder Redirection, see "Using IntelliMirror to Manage User Data and Settings" (July 2003, InstantDoc ID 39193).
The Settings:
User Configuration\ Windows Settings\ Folder Redirection
User Configuration\ Network\ Offline Files
9. Standardize and Secure IE
IE is one of the most frequently used tools on many users' systems; unfortunately, it's also one of the most misused. In addition, IE presents an oft-exploited avenue for malware and other threats to security and privacy. Although there is no bulletproof solution to these risks when IE is so widely used, there are Group Policy settings to shore up security and better control how IE is used. IE subkeys under User Configuration and Computer Configuration in GPE let you customize settings and set restrictions on a per-user or per-computer basis (the majority of settings are beneath User Configuration). Customizations you can make include but aren't limited to:
- Changing the appearance of the browser interface
- Setting custom URLs for favorites, search page, and home page
- Configuring default program for handling tasks such as email and newsgroup activities
- Controlling security zones and content rating settings
- Configuring connection settings for LAN and dial-up
You can also restrict user access to certain IE settings, menu items, and configuration pages to enforce consistency and bolster security. Take a minute to read the Explain tab for the settings you configure to avoid confusion about what will happen when you enable or disable a setting. XP SP2 dramatically expands the IE security options that Group Policy can control. The new features include MIME sniffing safety, zone elevation protection, ActiveX installation restrictions, file download restrictions, and Add-on management.
The Settings:
Computer Configuration\ Administrative Templates\ Windows Components\ Internet Explorer
User Configuration\ Administrative Templates\ Windows Components\ Internet Explorer
10. Software Installation Policy for Automated Application Deployments
Software installation and maintenance are part of Microsoft's IntelliMirror functionality, and you can control both with Group Policy. You can configure settings within GPE to assign or publish an application to users or computers. Software installation and maintenance functionality works with programs that use Windows Installer technology (i.e., .msi files). Of course, Microsoft applications such as Office use Windows Installer technology for their installation process, which means you can assign Office to a user or computer population and have it installed automatically. You can create custom installations using msi transforms and use security group filtering to target specific groups of users to which the custom installation will be applied. And in case you're wondering, you can also use software installation and maintenance functionality to deploy XP SP2. You can assign XP SP2's Update.msi only to machines; assigning to users isn't supported. For more information, see the Microsoft article "Best Practices for Using Update.msi to deploy Service Packs," http://www.support.microsoft.com/?kbid=278503.
The Settings:
User Configuration\ Software Installation
Computer Configuration\ Software Installation
Good Policy
Now you know that some policies are simple and others, such as Folder Redirection, require preparation and testing to implement. The best way to approach policy creation is from the perspective of solving a particular problem or providing a particular service. Determine the appropriate settings to accomplish the task at hand. Read the description under the Explain tab when viewing the properties for a setting within GPE to make sure you fully understand a setting's impact and behavior before you turn it on. And finally, make sure you fully test both the result of the settings in your GPO as well as your scope targeting method before putting a policy into production.