Device Restrictions
Controlling what users do with your valuable business data is equally as important as controlling which code they execute. Protecting your data involves not only good data security where the data is stored, but also being able to control whether your users can physically take the data off their machines. In this era of $20 multigigabyte USB thumb drives, an awful lot of corporate data can just “walk away” without your knowing it.
Enter Group Policy–based device restrictions. These device restrictions were made available in Server 2008 and Vista systems under Computer (or User) Configuration\Administrative Templates\System\Removable Storage Access. You can deny read or write access (or both) for any class of removable storage, including USB thumb drives, writeable CDs and DVDs, and removable hard drives, as Web Figure 3 shows.
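To verify that the Removable Storage Access policy has actually reached a Vista or Server 2008 (or later) machine, the following added PowerShell audit script (not from the article) reads the policy registry keys the Administrative Template writes. The registry path, the Deny_Read/Deny_Write/Deny_Execute/Deny_All value names and the device-class GUIDs are assumed from the documented policy locations and are not taken from this article.

```powershell
# Added example: audit Removable Storage Access policy state on the local machine.
# Assumption: the policy writes under ...\Policies\Microsoft\Windows\RemovableStorageDevices,
# one subkey per device-class GUID, with DWORD values Deny_Read / Deny_Write / Deny_Execute,
# plus a Deny_All value at the parent key for "All Removable Storage classes: Deny all access".

# Device-class GUIDs used by the policy (assumed well-known values, not from the article).
$classes = @{
    'Removable Disks (USB drives)' = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    'CD and DVD'                   = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
    'Floppy Drives'                = '{53f56311-b6bf-11d0-94f2-00a0c91efb8b}'
}

function Get-RemovableStoragePolicy {
    param([ValidateSet('Machine', 'User')][string]$Scope = 'Machine')

    # Computer Configuration lands in HKLM, User Configuration in HKCU.
    $hive = if ($Scope -eq 'Machine') { 'HKLM:' } else { 'HKCU:' }
    $base = "$hive\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"

    if (-not (Test-Path $base)) {
        Write-Warning "No Removable Storage Access policy is applied in the $Scope scope."
        return
    }

    # "Deny all access" overrides every per-class setting, so report it on each row.
    $parent  = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    $denyAll = ($parent.Deny_All -eq 1)

    foreach ($name in $classes.Keys) {
        $key = Join-Path $base $classes[$name]
        $p   = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }

        [pscustomobject]@{
            Scope       = $Scope
            DeviceClass = $name
            DenyRead    = $denyAll -or ($p.Deny_Read    -eq 1)
            DenyWrite   = $denyAll -or ($p.Deny_Write   -eq 1)
            DenyExecute = $denyAll -or ($p.Deny_Execute -eq 1)
            PolicyKey   = $key
        }
    }
}

# Check both scopes; a class that shows DenyWrite = False in both is still writable.
Get-RemovableStoragePolicy -Scope Machine | Format-Table -AutoSize
Get-RemovableStoragePolicy -Scope User    | Format-Table -AutoSize
```

A row with every Deny flag False means no restriction reached that class; run gpupdate and re-check, or compare against the GPO's RSoP report before assuming the policy is effective.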
Previously, if you were in a pre-Vista desktop environment, you were out of luck unless you bought third-party device restriction products. However, with the introduction of Group Policy Preferences, device restrictions are now extended to Windows Server 2003 and XP. You can enable or disable the use of specific device classes by their unique ID under Computer (or User) Configuration\Preferences\Control Panel Settings\Devices. Although this feature doesn’t provide the same level of granularity as the Vista device restrictions policy discussed earlier (it can’t, for example, allow reading but deny writing for a given device type), you can at least create a set of policies that restrict, for example, all removable storage devices, as shown in Web Figure 4.
IE Security
Of all the areas I’ve discussed, perhaps the most challenging to configure via Group Policy is IE. The reason for this is that there are at least three different ways you can configure IE using Group Policy. The first way to configure IE is by using the IE Maintenance policy (under User Configuration\Windows Settings\IE Maintenance Policy). The second way is by using the Administrative Template policy (under Computer—or User—Configuration\Administrative Templates\Windows Components\Internet Explorer). The third way you can configure IE is by using Group Policy Preferences’ features (under User Configuration\Preferences\Control Panel Settings\Internet Settings).
Each of these three areas has its strengths and weaknesses when configuring IE. For example, if you want to configure settings such as IE’s proxy or home page, you can use the IE Maintenance policy or Group Policy Preferences to do so. Of the two, I recommend using Group Policy Preferences if you can, because the IE Maintenance policy has a long history of not being very reliable in terms of delivering policy settings to clients.
Of course, in most cases, Group Policy Preferences are just that—preferences. They don’t prevent users from making changes to, for example, proxy settings, as the IE Maintenance policy does. For that reason, if you use Group Policy Preferences to control something like proxy settings, you’ll need to use the Administrative Template policy to disable the page within IE that lets the user access those settings. The goal behind IE security policy is to ensure that users who are browsing websites aren’t allowed to access or download malicious content. By using features such as IE proxy enforcement, you guarantee that users get to the Internet through your point of control—the proxy server. By locking down elements of IE within Administrative Template policy, you ensure that the user can’t change IE’s configuration to get around your restrictions.
If the security configuration task you need to perform is setting IE zone security (which lets you centrally control which websites should be considered safe) or assigning website addresses to popup blocker lists or security zones, you can use all three methods to control these settings. Each method has a different behavior and supports a different set of options. For example, you can use the policies under Computer (or User) Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page to configure security for each IE zone (e.g., Trusted, Intranet, Internet), as well as a site-to-zone assignment list that lets you specify which websites should be added to each security zone for your users. If you use this method, users will be unable to add to or change these settings in IE—they will be totally locked out. However, if you use the IE Maintenance policy, you can configure zone security and site-to-zone assignment, but users will still be able to add websites to a given zone. Finally, if you use Group Policy Preferences, you’ll be able to configure zone security but won’t be able to assign websites to zones. However, Group Policy Preferences gives you full access to all the settings on the Advanced tab under IE’s Properties (shown in Figure 3), which the other two methods don’t.
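The following added PowerShell check (not from the article) covers two points made above: that a proxy delivered as a preference is only enforced once the Administrative Template lock is also in place, and that the site-to-zone assignment list can be read back to confirm which sites landed in which zone. The registry locations, the Proxy lock value under Internet Explorer\Control Panel, and the ZoneMapKey layout with zone numbers 1 to 4 are assumed from the documented policy locations, not taken from this article.

```powershell
# Added example: verify IE proxy enforcement and list site-to-zone assignments.
# Assumptions (not from the article): preferences/IE Maintenance write the proxy to
# HKCU\...\Internet Settings (user-changeable); the Administrative Template
# "Prevent changing proxy settings" writes Proxy=1 under Policies\...\Internet Explorer\Control Panel;
# the Site to Zone Assignment List writes one REG_SZ per site under ...\ZoneMapKey.

function Get-IEProxyEnforcement {
    $ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
    $cp = Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel' -ErrorAction SilentlyContinue

    $proxyOn = ($ie.ProxyEnable -eq 1)
    $locked  = ($cp.Proxy -eq 1)

    # A proxy that is set but not locked is exactly the "preference only" gap described above.
    if ($proxyOn -and -not $locked) { $status = 'Proxy set, but the user can still change it' }
    elseif (-not $proxyOn)          { $status = 'No proxy configured' }
    else                            { $status = 'Proxy enforced (set and locked)' }

    [pscustomobject]@{
        ProxyEnabled    = $proxyOn
        ProxyServer     = $ie.ProxyServer
        ProxyLockedDown = $locked
        Assessment      = $status
    }
}

function Get-IESiteToZoneAssignments {
    $zoneNames = @{ '1' = 'Intranet'; '2' = 'Trusted'; '3' = 'Internet'; '4' = 'Restricted' }
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    # Computer Configuration lands in HKLM, User Configuration in HKCU; check both.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = "$hive\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
        if (-not (Test-Path $key)) { continue }

        $props = Get-ItemProperty -Path $key
        foreach ($site in ($props.PSObject.Properties | Where-Object { $_.Name -notin $providerProps })) {
            [pscustomobject]@{
                Scope = $hive.TrimEnd(':')
                Site  = $site.Name
                Zone  = $zoneNames[[string]$site.Value]
            }
        }
    }
}

Get-IEProxyEnforcement | Format-List
Get-IESiteToZoneAssignments | Sort-Object Zone, Site | Format-Table -AutoSize
```

An "Assessment" other than "Proxy enforced" on a machine that should be locked down points at the Administrative Template policy not applying, which is the case this section warns about.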
Resources that Can Help You Get Started
Although there are often multiple methods for configuring the same set of items, there are few desktop security tasks that you can’t accomplish using Group Policy. For help getting started securing your desktops, I recommend checking out the security guides that Microsoft has made available for Vista and XP. You can download them from download.microsoft.com by searching on the term “Security Guide.” These guides include best practices for desktop security configuration, as well as security templates and spreadsheets of settings that define secure configurations. In addition, Microsoft provides the GPO Accelerator (www.microsoft.com/downloads/details.aspx?FamilyID=a46f1dbe-760c-4807-a82f-4f02ae3c97b0), which offers prebuilt GPOs that you can import into your environment and use to implement the best practices specified in the security guides. Although these prebuilt GPOs might not be exactly what you need in your environment, they can give you a starting point to work from as you implement and test secure configurations within your network.