New Security Policies
The biggest new addition in the area of Group Policy–based security policy is the Application Control Policies, or AppLocker. These policies are found under \Computer Configuration\Windows Settings\Security Settings\Application Control Policies. Essentially, this is a significant upgrade to the old Software Restriction Policies (SRPs—which are still supported in Server 2008 R2 and Windows 7) that let you control which applications can execute on your Windows systems. Specifically, AppLocker lets you create application whitelists and blacklists to explicitly allow or deny a particular application or set of applications to execute based on a set of criteria you specify.
A major difference between what’s available in AppLocker and SRPs is that you now have more flexible rules for defining applications. As Figure 5 shows, for example, you can create rules by software publisher, application name, and version information held within the file.
You can also create rules for controlling script execution, which wasn't explicitly supported in earlier Windows versions. Also, for each type of rule you create, you can enforce the rule or just work in audit mode. In audit mode, whenever an application hits a rule, the result is logged on the client rather than the application being blocked or allowed. That way, you can run a rule in test mode before making it live, to ensure it doesn't catch applications you didn't intend. The only downside to AppLocker is that it works only on Server 2008 R2 and Windows 7 clients, so you can't leverage it in earlier versions of Windows.
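The workflow just described (build publisher-based rules from a reference install, run them in audit mode, then review what would have been blocked) can be scripted with the AppLocker and GroupPolicy PowerShell modules that ship with Server 2008 R2 and Windows 7. The following is an added example written for this article, not code from the article or from Microsoft; the install directory, file names, output path and GPO name are assumptions, and it assumes the pilot GPO already exists and that the Gpo object's Path property holds the GPO's LDAP distinguished name.

```powershell
# Added example: generate an AppLocker allow list from a reference machine,
# switch it to AuditOnly, dry-run it, link it to a pilot GPO, and read the audit log.
Import-Module AppLocker
Import-Module GroupPolicy

# Assumed values: adjust for your environment.
$referenceDir = 'C:\Program Files\Contoso LOB'   # hypothetical line-of-business install root
$policyXml    = 'C:\Temp\AppLocker-Audit.xml'     # where the generated policy is written
$gpoName      = 'AppLocker - Audit Pilot'         # hypothetical, pre-created GPO

# 1. Collect publisher (signature) and hash information for every EXE under the reference root.
$fileInfo = Get-AppLockerFileInformation -Directory $referenceDir -Recurse -FileType Exe

# 2. Prefer publisher rules and fall back to hash rules for unsigned binaries.
#    -Optimize merges files from the same publisher/product into a single rule.
New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -Optimize -Xml | Out-File -FilePath $policyXml -Encoding UTF8

# 3. Force every rule collection in the generated XML into audit mode before it goes anywhere near a client.
[xml]$policy = Get-Content -Path $policyXml
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($policyXml)

# 4. Dry-run the policy offline: one file that should be allowed, one that should not.
#    PolicyDecision shows Allowed, Denied or DeniedByDefault together with the matching rule.
Test-AppLockerPolicy -XmlPolicy $policyXml -User Everyone `
    -Path "$referenceDir\app.exe", 'C:\Users\Public\unknown.exe' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Import the audit-mode policy into the pilot GPO (linked to a test OU, not the whole domain).
$gpo = Get-GPO -Name $gpoName
Set-AppLockerPolicy -XmlPolicy $policyXml -Ldap "LDAP://$($gpo.Path)"

# 6. On a pilot client, list event 8003: the file ran, but would have been blocked if the
#    policy were enforced. 8002 is "allowed"; 8004 only appears once you switch to Enforce.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List
```

Run steps 1 to 5 on an administrative workstation with RSAT, and step 6 on a pilot client after a `gpupdate`. The point of forcing `AuditOnly` in the XML rather than in the console is that the generated policy can be checked into source control and diffed before anyone touches the live GPO.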
Advanced Audit Policy
Another security-related feature that you'll find in Server 2008 R2 and Windows 7 is a much more granular auditing infrastructure. If you look under \Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration, you'll see 10 different auditing categories that you can now tweak to control exactly which types of events generate security audits on Server 2008 R2 or Windows 7 systems. This new granularity, of course, is exposed only in these newest OS versions, but the fact that it's manageable via Group Policy is a good thing.
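The granular subcategories that Advanced Audit Policy Configuration exposes are the same ones `auditpol.exe` reports, so the effective result on a client can be checked against a baseline. The following is an added example written for this article, not Microsoft's code; the baseline subcategories and settings are assumptions. It also checks the `SCENoApplyLegacyAuditPolicy` value, because when it is not set to 1 a legacy category-level audit policy in the same or another GPO can still overwrite the subcategory settings you configured here.

```powershell
# Added example: compare a client's effective advanced audit policy with an expected baseline.
# auditpol /get /category:* /r returns CSV with columns including Subcategory and Inclusion Setting.
$expected = @{
    'Process Creation'          = 'Success'               # assumed baseline values
    'Logon'                     = 'Success and Failure'
    'Security Group Management' = 'Success'
    'Audit Policy Change'       = 'Success and Failure'
}

$current = auditpol.exe /get /category:* /r | ConvertFrom-Csv
$drift = @()

foreach ($sub in $expected.Keys) {
    $row = $current | Where-Object { $_.Subcategory -eq $sub }
    $actual = if ($row) { $row.'Inclusion Setting' } else { '<not reported>' }
    if ($actual -ne $expected[$sub]) {
        $drift += New-Object PSObject -Property @{
            Subcategory = $sub
            Expected    = $expected[$sub]
            Actual      = $actual
        }
    }
}

# Without this value set to 1, legacy category-level settings can still override the subcategories.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    Write-Warning 'SCENoApplyLegacyAuditPolicy is not 1: legacy audit policy can override these subcategories.'
}

if ($drift.Count -eq 0) {
    Write-Output 'Effective audit policy matches the baseline.'
} else {
    $drift | Format-Table Subcategory, Expected, Actual -AutoSize
}
```

Run it in an elevated PowerShell session on a Windows 7 or Server 2008 R2 client after `gpupdate /force`; the subcategory names assume an English locale, since `auditpol` localizes them.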
Network List Policies
The last new security policy I'll discuss gives you the ability to control network lists. By default, when Server 2008 R2, Windows 7, or Vista systems find new networks, whether public wireless networks or corporate LANs, a user is prompted to indicate the type of network it is (e.g., public, domain, home). But by using Network List Policies in Group Policy, you can now preconfigure how particular networks behave and which zone they should be shunted into when a user finds them.
You can also control the icons and the names of the networks that appear to the user. The only downside to using this policy area for preconfiguring wireless access points is that you need to know the name of the WAP ahead of time to configure all the various options. But this policy area is still a welcome addition for controlling users who frequently roam between networks.
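To verify what Network List Policies actually did on a client, you can read back the network profiles the system has recorded and the category each one landed in. This is an added example written for this article, not Microsoft's code; it assumes the profile data lives under the `NetworkList\Profiles` registry key and that the `Category` value maps 0, 1 and 2 to Public, Private and Domain respectively.

```powershell
# Added example: list the networks a Windows 7 client has seen and the zone each was placed in,
# so a misclassified corporate SSID or a known public hotspot marked Private stands out.
$profileKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles'
$categoryName = @{ 0 = 'Public'; 1 = 'Private'; 2 = 'Domain' }   # assumed mapping

Get-ChildItem -Path $profileKey -ErrorAction Stop | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    $cat = [int]$p.Category
    New-Object PSObject -Property @{
        ProfileName = $p.ProfileName
        Description = $p.Description
        Category    = if ($categoryName.ContainsKey($cat)) { $categoryName[$cat] } else { "Unknown ($cat)" }
        Managed     = [bool]$p.Managed     # 1 when the profile is controlled by the domain
    }
} | Sort-Object Category, ProfileName |
    Format-Table ProfileName, Category, Managed, Description -AutoSize
```

Run it elevated on a pilot client after the policy has applied; any network you preconfigured in Network List Policies should show the category you assigned, and anything unexpected in the Private zone is worth a look.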
Name Resolution Policy
The last new policy area, although not strictly a security policy (it’s found under \Computer Configuration\Windows Settings\Name Resolution Policy in GPE), lets you control DNS Security Extensions (DNSSEC) and Microsoft DirectAccess DNS configurations on a per-DNS domain name basis. For example, you can configure which features of DNSSEC are used for a given client talking to its DNS server, or which DNS and proxy servers a client connecting to your network via DirectAccess will use. Although not used by all shops, this feature is handy to have in Group Policy if you're rolling out DirectAccess to your mobile users.
Evolutionary, Not Revolutionary
The Group Policy improvements in Server 2008 R2 and Windows 7 are very much evolutionary rather than revolutionary. With the possible exception of adding some PowerShell automation support for Group Policy management, this is a very ho-hum release for Group Policy fans. Sadly, we'll have to wait a while longer to see the big architectural or functional improvements that users of this more than 10-year-old technology have been looking for.
But if you're planning to roll out Windows 7, there are enough new features to make your life easier when you’re configuring clients. I encourage anyone who hasn't started using PowerShell to dive in and check out what you can do with Group Policy and this new scripting technology.