December 26, 2007 12:00 AM

Windows Vista and Server 2008 Group Policy Enhancements

New features for GPOs and GPMC
Windows IT Pro
InstantDoc ID #97623

New security policies. Vista and Server 2008 add quite a few new security policy capabilities to the mix. Several are highlighted here:
Wired and Wireless Policy—New for Vista and Server 2008 is the support for setting wired network security policy. Wired policy applies to Ethernet network links and lets you enforce 802.1x usage on those links for machines on your network. Wireless policy updates the policy supported in XP and provides new support for enhanced encryption schemes, such as Wi-Fi Protected Access 2 (WPA2), as well as the ability to explicitly deny or allow access to certain Service Set Identifiers (SSIDs). (Note that some of these capabilities are available only to Vista and Server 2008 systems.) Find the Wired and Wireless Policy in Group Policy under Computer Configuration\Windows Settings\Security Settings.
Windows Firewall with Advanced Security—This new area within Group Policy is actually a redesign of two previously supported policy areas—IPsec and Windows Firewall. The new UI makes it simpler for you to define Windows Firewall exceptions as well as implement IPsec filtering on your network. Older IPsec and Windows Firewall policy settings are still available for backward compatibility, but you should use this new Group Policy area to control network security on your Vista and Server 2008 devices. Find this capability in Group Policy under Computer Configuration\Windows Settings\Security Settings.
Network Access Protection (NAP)—This policy area supports the new NAP features in Server 2008 and lets you use Group Policy to configure client NAP behavior on your network. Find this capability in Group Policy under Computer Configuration\Windows Settings\Security Settings.

Device restrictions. Device restriction support, and the ability to manage it via Group Policy, is probably one of the more compelling features for deploying Vista. The Device Restrictions policy in GPE lets you control access to any number of removable storage devices. Not only can you control which devices can be used, but you can also specify whether a user can read from or write to a removable device. Figure 4 shows the options that are available for this policy area. You can set this policy either per-computer or per-user, and you can find it under Computer (or User) Configuration\Administrative Templates\System\Removable Storage Access.
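To confirm on an endpoint that the per-computer and per-user Removable Storage Access settings described above actually arrived, the following added example (not part of the original article) reads the policy values from both registry hives. The registry path, device-class GUIDs, and value names are not given in the article; they are assumed to be the ones the Removable Storage Access template writes and should be checked against RemovableStorage.admx on your own systems.

```powershell
# Added example: report the Removable Storage Access policy state on the local machine.
# ASSUMPTION: path, GUIDs and value names below are not from the article; verify
# them against RemovableStorage.admx before relying on the output.
$base = 'Software\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device classes covered by the policy area (friendly name, device-class GUID).
$classes = @(
    @('Removable disks', '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'),
    @('CD and DVD',      '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'),
    @('Floppy drives',   '{53f56311-b6bf-11d0-94f2-00a0c91efb8b}'),
    @('Tape drives',     '{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}')
)

function Get-PolicyValue($path, $name) {
    # Returns the stored DWORD, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($item) { $item.$name } else { $null }
}

function Format-State($value) {
    # An absent value means the setting is not configured at this scope.
    if ($null -eq $value) { 'Not configured' }
    elseif ($value -eq 1) { 'Denied' }
    else { 'Allowed' }
}

# Per-computer settings land in HKLM, per-user settings in HKCU.
$scopes = @(@('Computer', 'HKLM:\'), @('User', 'HKCU:\'))

foreach ($scope in $scopes) {
    $root = Join-Path $scope[1] $base

    # "Deny all access" overrides the per-class settings, so report it first.
    $denyAll = Get-PolicyValue $root 'Deny_All'
    "{0}: all removable storage classes = {1}" -f $scope[0], (Format-State $denyAll)

    foreach ($class in $classes) {
        $key = Join-Path $root $class[1]
        New-Object PSObject -Property @{
            Scope  = $scope[0]
            Device = $class[0]
            Read   = Format-State (Get-PolicyValue $key 'Deny_Read')
            Write  = Format-State (Get-PolicyValue $key 'Deny_Write')
        } | Select-Object Scope, Device, Read, Write
    }
}
```

The User rows reflect only the account running the script, so run it in the session of the user whose restrictions you are auditing.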

GPMC Changes in Server 2008
There are a number of new GPMC changes coming in Server 2008. You’ll be able to search through Administrative Template settings within GPOs for, among other criteria, all enabled or disabled policies with a certain keyword in the policy, for Explain Text, for the Supported OS tag, or for whether the policy is managed or is a “preference.” You can also use search filters to filter the view of settings that appear in GPE.

The ability to create per-GPO and per-setting comments is also new. Those comments are stored with the GPO and provide a way for you to let others know what a particular GPO or setting is used for.

Now you’ll have the ability to provide new Starter GPOs. Starter GPOs are really collections of Administrative Template settings that you can apply to live GPOs. Starter GPOs let you create, for example, a group of Administrative Template settings for desktop lockdown that you can re-use whenever you create a new desktop lockdown GPO. Note that Starter GPOs support only Administrative Template policy but provide a quasi-offline capability for defining GPO settings that aren’t immediately live. You can also include Starter GPOs in Resultant Set of Policy (RSoP) modeling calculations so that you can see the impact that applying a Starter GPO to an existing live GPO has on your users and computers.

Microsoft added a very important set of new policy capabilities called Group Policy preferences in time for the release of Server 2008. Group Policy preferences is the name given to the former DesktopStandard PolicyMaker Standard Edition and PolicyMaker Share Manager products that Microsoft acquired in 2006. These new Group Policy extensions supply the missing link for providing coverage of almost every desktop and server configuration scenario imaginable. Group Policy preferences supports clients from XP forward and adds new Group Policy features such as support for mapped drives (without having to write scripts), distribution of shortcuts, power management, device restrictions, and local user and group management, to name just a few.

Time to Upgrade?
Overall, Vista and Server 2008 add some truly compelling features to the manageability and capability of Group Policy as the configuration management technology for Windows. Finally, you can map printers, manage power settings, and control removable storage access natively in Windows. These are all features that used to require third-party products to manage. The catch, of course, is that you need to upgrade your clients to Vista to take advantage of some of these desktop features. Even so, Group Policy still doesn’t provide all of the features you need. For example, you still need to purchase a product like Microsoft’s Advanced Group Policy Management in order to get change management for your Group Policy environment, and Group Policy still has no built-in enterprise reporting capability.

That said, if you are looking for justification to upgrade, the cost savings and risk mitigation that the many new features provide might be enough. In any case, these new features show that Microsoft is committed to making Group Policy an important part of your Windows management toolset.


Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.