Some network configuration settings for
domain member computers and users with domain accounts can be set in
Group Policy. When they are set here, they can automatically update
multiple domain member computers.
These Group Policy settings reside in nodes under
the Computer Configuration node and affect computers with accounts in
the organizational unit (OU), domain, or site object to which the Group
Policy Object (GPO)
is linked. Organizational units are subdivisions of domains and can
contain user and computer accounts and records for shares and printers.
Those settings in nodes under the User Configuration node affect users
whose accounts reside in the OU, domain, or site object to which the GPO
is linked. Computers and users are also affected by GPOs linked to the
parent objects of the object their account resides in.
1. Dependency of Group Policy on DNS
Group Policy settings are downloaded and applied
during computer startup and user logon from the authenticating domain
controller. The following DNS issues can affect whether the correct GPOs
are downloaded and applied:
If a domain controller cannot be located, no Group Policy can be
downloaded. While Group Policy cached from a previous connection can be
used, any changes to Group Policy will not be available. Domain
controller connectivity requires a DNS lookup of the DC IP address.

If site information is incorrectly configured in DNS, it is possible
that the wrong Group Policy may be applied.

Group Policy changes are replicated, partly through AD Replication and
partly through the File Replication Service (FRS). Both services are
dependent on locating designated DCs. If DNS is not functioning
correctly, then replication cannot occur or will not be synchronized.
(Elements replicated by AD and by FRS must match.)
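The DC locator lookups that this section says Group Policy depends on can be checked against a DNS zone dump. The following Python is an added example, not code from the original text: it builds the site-specific and domain-wide SRV record names a domain member queries under _msdcs, compares them with a zone snapshot, and reports whether clients in that site can find a DC at all, will fall back to a DC in some other site, or are fine. The zone snapshot, domain name and site names are constructed for the demonstration.

```python
"""Check the DNS SRV records the Active Directory DC locator depends on.

Added example (not part of the original text). Record names follow the
standard _msdcs layout queried by Windows domain members.
"""

# Constructed zone snapshot: the owner names of SRV records present in DNS.
# In practice this list would come from a zone dump or a series of SRV
# queries against the DNS server the clients actually use.
SAMPLE_ZONE = [
    "_ldap._tcp.dc._msdcs.corp.example.com",
    "_kerberos._tcp.dc._msdcs.corp.example.com",
    "_ldap._tcp.HQ._sites.dc._msdcs.corp.example.com",
    "_kerberos._tcp.HQ._sites.dc._msdcs.corp.example.com",
]


def dc_locator_records(domain: str, site: str) -> dict:
    """Return the SRV owner names a member in `site` of `domain` queries.

    The site-specific names are tried first; the domain-wide names are the
    fallback when no DC is registered for the client's site.
    """
    base = f"dc._msdcs.{domain}"
    return {
        "site": [
            f"_ldap._tcp.{site}._sites.{base}",
            f"_kerberos._tcp.{site}._sites.{base}",
        ],
        "domain": [
            f"_ldap._tcp.{base}",
            f"_kerberos._tcp.{base}",
        ],
    }


def check_dc_locator(domain: str, site: str, zone: list) -> dict:
    """Classify the locator state for clients in `site`.

    no-dc      : domain-wide records are missing; no DC can be located, so
                 only cached Group Policy (if any) is applied.
    wrong-site : site records are missing; clients fall back to any DC in
                 the domain, possibly across a slow link or the wrong site.
    ok         : every expected record is present.
    """
    required = dc_locator_records(domain, site)
    present = {name.lower().rstrip(".") for name in zone}
    missing_site = [n for n in required["site"] if n.lower() not in present]
    missing_domain = [n for n in required["domain"] if n.lower() not in present]
    if missing_domain:
        status = "no-dc"
    elif missing_site:
        status = "wrong-site"
    else:
        status = "ok"
    return {"status": status, "missing": missing_site + missing_domain}


if __name__ == "__main__":
    for site in ("HQ", "Branch"):
        report = check_dc_locator("corp.example.com", site, SAMPLE_ZONE)
        print(site, report["status"], report["missing"])
```

A "wrong-site" result is the situation the text describes as site information being incorrectly configured in DNS: clients still log on, but against whichever DC the domain-wide records return.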
As you can imagine, Group Policy is a powerful
administrative tool. While it can and should be used for multiple
administrative functions, it cannot be used for all of them. It does not
have the capability to provide extensive help for all TCP/IP or AD
functions. There are, however, several TCP/IP, DNS, Windows Time
Service, and SNMP configuration settings that can be made using Group
Policy.
2. Managing TCP/IP Configuration Using Group Policy
Management of TCP/IP settings is primarily
accomplished using DHCP to provide dynamic addressing, including
information on the preferred DNS server. However, some configuration can
be done using Group Policy for both users and computers. These settings
are in the Network Connection nodes. Table 1 lists and explains settings for computers, while Table 2
lists and explains those for users. In each table the first column lists the setting,
while the second column explains it. The Computer Configuration,
Administrative Templates, Network, Network Connection node contains
settings useful in managing TCP/IP configuration that are not available
via DHCP. Settings are described in Table 1.
Three of the settings (those that impact Internet Connection Sharing,
Internet Connection Firewall, and the network bridge) are location-aware
(that is, the setting has no meaning if the computer is connected to a
different DNS domain network than the one it was connected to when the
setting was applied).
Table 1. Computer-based TCP/IP configuration via Group Policy

| Group policy TCP/IP setting | Explanation |
|---|---|
| Prohibit use of Internet Connection Sharing on your DNS domain network | If disabled, an administrator can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection (if the ICS service can run on the computer). ICS lets a Windows computer act as an Internet gateway for a small network and provides network services such as DHCP to the private network. Enabling this setting prohibits the configuration of ICS and also removes the Advanced page of the Properties pages of a LAN or remote access connection. The Internet Connection Sharing page is removed from the New Connection wizard and the Network Setup wizard is disabled. |
| Prohibit use of Internet Connection Firewall on your DNS domain network | If enabled, prevents the use of the Internet Connection Firewall on the DNS domain network. Enabling this setting also removes the Advanced page of the Properties pages of a LAN or remote access connection. The Internet Connection Firewall page is removed from the New Connection wizard and the Network Setup wizard is disabled. If disabled, ICF is disabled when a LAN connection or VPN connection is created, but users can use the Advanced tab in the connection properties to enable it. |
| Prohibit installation and configuration of Network Bridge on your DNS domain network | If enabled, the user cannot install or configure a network bridge on a computer with two or more networks. A network bridge is a layer 2 MAC bridge that allows the connection of two or more network segments. If the setting is disabled (or not configured), users can create and modify a network bridge. If a network bridge is created before this setting is enabled, the existing network bridge is not affected. (Creating a network bridge is disabled by default and requires administrator privileges to create or configure.) |
| IEEE 802.1x Certificate Authority for Machine Authentication | 802.1x authentication can be configured to require client (machine) certificates. If this is the case, a certificate must be acquired and installed on each client that will use the service. This setting enables the distribution of information on the Certification Authority that is used to sign the certificates issued to clients. |
Table 2. User TCP/IP Group Policy settings

| Group policy TCP/IP setting | Explanation |
|---|---|
| Ability to rename LAN connections or remote access connections available to all users | If enabled, all users can rename connections. If disabled (and the policy Enable Network Connection settings for Administrators is also enabled), users and Administrators cannot rename connections. |
| Prohibit access to properties of components of a LAN connection | If enabled (and the policy Enable Network Connection settings for Administrators is also enabled), then the network Properties button is disabled for administrators. (By default, it is disabled for users.) |
| Prohibit TCP/IP advanced configuration | If enabled (and the policy Enable Network Connection settings for Administrators is also enabled), then users cannot open the Advanced TCP/IP Settings Property pages and modify IP settings such as DNS and WINS server information. |
| Prohibit access to the Advanced Settings item on the Advanced menu | If enabled (and the policy Enable Network Connection settings for Administrators is enabled), then Administrators cannot access this menu to configure and view bindings and the order in which computers access connections, network providers, and print providers. (Users cannot access this page by default.) |
| Prohibit adding and removing components for a LAN or remote access connection | If enabled (and the policy Enable Network Connection settings for Administrators is enabled), then Administrators cannot install or uninstall network components. (Users cannot access this page by default.) |
| Prohibit access to properties of a LAN connection | If enabled (and the policy Enable Network Connection settings for Administrators is enabled), then Administrators and users cannot access LAN connection properties. |
| Prohibit Enabling/Disabling components of a LAN connection | If enabled (and the policy Enable Network Connection settings for Administrators is enabled), then Administrators cannot enable or disable LAN connection components. (Users cannot access this page by default.) |
| Ability to Enable/Disable a LAN connection | If enabled, then users can enable/disable LAN connections. |
| Prohibit access to the New Connection wizard | If enabled, the Make New Connection icon does not appear in the Start menu. If the policy Enable Network Connection settings for Administrators has also been enabled, users and administrators cannot start the New Connection wizard. |
| Ability to rename LAN connections | If enabled, nonadministrators can rename a LAN connection. |
| Prohibit viewing of status for an active connection | If enabled, the connection status taskbar icon and Status dialog box are not available to users, including administrators. (If you disable the setting Enable Network Connection settings for Administrators, this setting does not apply to administrators.) |
| Enable Windows 2000 Network Connection setting for Administrators | Windows 2000 included a number of settings that prevented administrators from performing some actions. Windows XP, while it lists these settings, does not honor them unless this setting is enabled. For an example, see the previous setting. |
Table 2
lists and describes TCP/IP configuration-related settings in the User
Configuration → Administrative Templates → Network → Network Connections
node.
In addition to TCP/IP configuration, Group Policy also contains useful settings that can impact the client DNS service.
3. Managing DNS Client Configuration Using Group Policy
The Computer Configuration → Administrative
Templates → Network → DNS Client node contains settings you can use to
manage the DNS client service. Settings are described in Table 3. Note that settings applying to dynamic DNS registration do not apply if the client is not configured for dynamic registration.
Table 3. DNS client settings

| Group policy DNS setting | Explanation |
|---|---|
| Primary DNS Suffix | Specifies the primary DNS suffix. If configured, this setting prevents users and administrators from changing the setting on client computers covered by the GPO. By default, computers use the local primary DNS suffix, usually the DNS name of the AD domain of which the computer is a member. However, administrators can change this. If this Group Policy setting is configured, any local setting is ignored. |
| Dynamic Update | Enables or disables the dynamic update of DNS information. If enabled, settings for specific network connections can be configured individually. If disabled, computers cannot dynamically register DNS settings. |
| DNS Suffix Search List | Settings here determine the DNS suffixes that should be attached to an unqualified, single-label name before submitting a DNS query. Multiple DNS suffixes can be entered here. The DNS client will attempt a query using the first suffix in the list. If that fails, the DNS client will attempt a new query using the next suffix on the list, and so on, until it obtains a successful response or until it runs out of suffixes to try. If this setting is not configured, the primary DNS suffix configured for the client will be attached to any unqualified single-label names before submitting a DNS query. |
| Primary DNS Suffix Devolution | Single-label DNS names are names that do not include suffixes such as .com, .org, or .net. If DNS queries for a single-label name using the primary DNS suffix configured for the client do not work, the DNS client tries any configured connection-specific DNS suffix. If this fails, the client devolves (removes the left-most label of the primary DNS suffix), attaches the result to the single-label name, and tries a new query. The process continues as long as there are labels that can be removed and still create a valid DNS suffix. If this setting is enabled, devolution can be used. If this setting is disabled, devolution cannot be used. If not configured, computers use their local settings. |
| Register PTR Records | If set to "Do not register," computers will never attempt PTR resource record registration. If set to Register, computers attempt PTR resource record registration even if the registration of an A record fails. (By default, PTR registration is only attempted if A record registration is successful.) If set to "Register only if A record registration succeeds," then PTR registration will only be attempted if A record registration succeeds. |
| Registration Refresh interval | Periodic reregistration is attempted by Windows XP and Windows 2000 computers configured to perform dynamic registration. If this setting is enabled, the refresh interval can be set for all affected computers. |
| Replace address in conflicts | If enabled, DNS clients attempt to replace conflicting A resource records (that is, overwrite existing records or records containing conflicting IP addresses) during dynamic update. This setting is useful in DNS zones that do not support secure dynamic updates. It can prevent a rogue computer from overwriting a legitimate IP address. |
| DNS Servers | Defines the DNS servers used by the DNS client for name queries. This list will supersede any locally configured or DHCP-configured DNS servers. |
| Connection Specific DNS Suffix | Defines the connection-specific DNS suffix. This setting will supersede any locally configured or DHCP-configured connection-specific DNS suffix. |
| Register DNS records with connection specific DNS suffix | If enabled, the client can register its A and PTR records with a concatenation of its name and a connection-specific DNS suffix, as well as a concatenation of its name and its primary DNS suffix. If the setting is not configured (or disabled), the client only registers its A and PTR records with a concatenation of its name and its primary DNS suffix. |
| TTL Set in the A and PTR Records | The value for the Time-to-Live field in dynamically registered A and PTR resource records. |
| Update security level | If "Unsecure followed by secure" is set, clients will attempt secure dynamic updates only if nonsecure updates are refused. If Only Unsecure is set, clients send only nonsecure dynamic updates. If Only Secure is set, clients only send secure dynamic updates. |
| Update Top Level Domain Zones | If enabled, computers send dynamic updates to any zone that is authoritative for the resource record, except the root zone. If disabled, computers do not send dynamic updates to any zone that is not authoritative for its resource records. |
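The DNS Suffix Search List and Primary DNS Suffix Devolution rows of Table 3 describe an ordering of candidate names, which is easiest to see by computing it. The following Python is an added model of that ordering, not code from the original text: it returns the fully qualified names a client would try for a single-label name under each combination of settings. The host name and suffixes are constructed, and the rule that devolution stops once the suffix is down to two labels is an assumption of this model (the table only says "as long as there are labels that can be removed and still create a valid DNS suffix").

```python
"""Model of the Windows DNS client's suffix handling for single-label names.

Added example (not part of the original text). Order of candidates follows
Table 3: a configured search list wins outright; otherwise the primary
suffix, then connection-specific suffixes, then devolved primary suffixes.
"""


def candidate_names(host, primary_suffix, connection_suffixes=(),
                    search_list=(), devolution=True):
    """Return the FQDNs tried, in order, for the unqualified name `host`."""
    if "." in host:
        raise ValueError("model covers unqualified single-label names only")

    def fqdn(suffix):
        return f"{host}.{suffix.strip('.')}"

    # A configured DNS Suffix Search List replaces the primary/connection/
    # devolution behaviour entirely: only the listed suffixes are tried.
    if search_list:
        return [fqdn(s) for s in search_list]

    tried = []

    def add(suffix):
        name = fqdn(suffix)
        if name not in tried:          # skip duplicates (e.g. same suffix twice)
            tried.append(name)

    add(primary_suffix)                 # 1. primary DNS suffix
    for suffix in connection_suffixes:  # 2. connection-specific suffixes
        add(suffix)

    if devolution:                      # 3. devolve the primary suffix
        labels = primary_suffix.strip(".").split(".")
        # Assumed stopping rule: never devolve below a two-label suffix,
        # so "sales.corp.example.com" yields "corp.example.com" and
        # "example.com" but never the bare TLD "com".
        while len(labels) > 2:
            labels = labels[1:]
            add(".".join(labels))
    return tried


def zones_outside(candidates, owned_suffixes):
    """Candidates whose suffix is not under any zone the organisation owns.

    Useful for spotting where devolution lets a lookup leave your own
    namespace; `owned_suffixes` is the list of zones you control.
    """
    owned = [s.strip(".").lower() for s in owned_suffixes]
    out = []
    for name in candidates:
        suffix = name.split(".", 1)[1].lower()
        if not any(suffix == o or suffix.endswith("." + o) for o in owned):
            out.append(name)
    return out


if __name__ == "__main__":
    # Constructed values for the demonstration.
    names = candidate_names("fileserver", "sales.corp.example.com",
                            connection_suffixes=["lab.example.net"])
    print(names)
    print(zones_outside(names, ["sales.corp.example.com", "lab.example.net"]))
```

With devolution enabled, a client whose primary suffix is sales.corp.example.com ends up querying example.com as well; zones_outside shows which of those candidates fall outside the zones you administer, which is the practical reason for either pinning a search list or disabling devolution through this policy.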
4. Managing the Windows Time Service Using Group Policy
Settings for time service clients can be set in the Computer
Configuration → Administrative Templates → Network, Windows Time Service
node. Settings are described in Table 4.
Table 4. Windows time service Group Policy settings

| Group policy time service setting | Explanation |
|---|---|
| Global Configuration Settings | A number of configuration settings such as update interval and polling intervals that can be used to tweak the operation of the Time Service client. |
| Enable Windows NTP Client | If disabled, the Windows NTP client will not be used. Disable this setting if you choose to use another time service. If enabled or not configured, the Windows NTP client is used for time synchronization. |
| Configure Windows NTP Client | Determines whether the client uses an external timeserver or the Windows domain hierarchy. If enabled, the NTP server must be entered, as well as various settings that control the NTP client's operation (and even logging). |
| Enable Windows NTP Server | Enabling this setting allows the computer to respond to NTP requests. |
5. Managing SNMP Using Group Policy
SNMP is not integrated with AD nor required for
the operation of AD.
Nevertheless, your organization may implement SNMP on the network and
utilize it in the management of Windows computers that belong to an AD
domain. Therefore, for completeness, the Group Policy settings that
impact SNMP are listed here. The Computer Configuration → Administrative
Templates → Network → SNMP node contains settings useful in managing
SNMP. Settings are described in Table 5.
Table 5. SNMP Group Policy settings

| Group policy SNMP setting | Explanation |
|---|---|
| Communities | A list of communities defined to the SNMP service. If enabled, SNMP only accepts requests from management systems for these communities. |
| Permitted Managers | A list of permitted hosts that can submit a query to the SNMP agent. |
| Traps for public community | A list of hosts that receive trap messages for the community sent by the SNMP service. |
You've seen how Group Policy settings can be used
to manage DNS, TCP/IP, the Windows Time Service, and SNMP, but what
about other network services? There are no Group Policy-based
configuration policies for network infrastructure servers such as WINS
servers, Routing and Remote Access Service (RRAS) servers, or Internet
Authentication Service (IAS) servers. However, there are important Group
Policy-based settings that impact these network services.
6. Managing WINS, RRAS, and IAS Servers Using Group Policy
WINS, the Routing and Remote Access Service (RRAS), and the Internet Authentication Service (IAS)
are important Windows services. While there are no Administrative
Templates settings for them, the System Services node of Computer
Configuration, Windows Settings, Security Settings allows basic
configuration of the services themselves. This node also allows
configuration of other services.
Two types of settings are available: startup and security. Startup settings
determine whether the service is disabled or enabled. If enabled, these
settings determine if it automatically starts at boot or must be
manually started. Security settings can determine who can change the startup settings.
These settings can be used in two ways.

First, startup settings control which services run. Enabling and
starting a service that is not necessary is counterproductive for
security and performance reasons. The converse is also true. If the
service is disabled in Group Policy, affected computers that may be
designated as network infrastructure servers will not be able to start
these services and fulfill their network role. In an AD domain, care
should always be taken to ensure that Group Policy is correctly
configured to enable or disable appropriate services. Disabling
unnecessary services can also prevent their use, should they be
installed where they are not authorized. Rogue infrastructure servers
can be prevented from running even if installed.

Second, using security settings can help to reduce and manage the number
of administrators who can change the service startup settings. It is
always a good practice to limit this authority to avoid accidental
denials of service and wasted resources. This also helps to limit the
risk of a successful attack based on some vulnerability in the service.
If the service shouldn't be started and fewer people can start it, then
there is less chance of it being incorrectly or accidentally started and
thus less risk that any vulnerability can be exploited.
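The startup and security settings made in the System Services node are stored in the GPO's security template (the GptTmpl.inf file in the GPO's SYSVOL folder) as one line per service: the service name, a startup code, and the service's security descriptor in SDDL. The following Python is an added example, not code from the original text or a Microsoft tool: it parses that section and audits it in the two ways just described, flagging services that are enabled on hosts that are not authorised to run them and principals other than Administrators and SYSTEM that the descriptor lets change the service's configuration. The template text, service names and ACLs below are constructed for the demonstration; the startup codes (2 automatic, 3 manual, 4 disabled) and the service meaning of the two-letter SDDL rights follow the Service Control Manager's standard mapping.

```python
"""Parse and audit the [Service General Setting] section of a GptTmpl.inf.

Added example (not part of the original text). Real GptTmpl.inf files are
UTF-16 encoded; read them with open(path, encoding="utf-16") and pass the
text to parse_service_settings().
"""
import re

START_TYPES = {2: "Automatic", 3: "Manual", 4: "Disabled"}

# Service-specific meaning of the generic SDDL access tokens (SCM mapping).
# DC, WD and WO are the rights that let a principal alter the startup
# settings or the ACL itself; GA (generic all) implies them.
SERVICE_RIGHTS = {
    "CC": "QueryConfig", "DC": "ChangeConfig", "LC": "QueryStatus",
    "SW": "EnumerateDependents", "RP": "Start", "WP": "Stop",
    "DT": "PauseContinue", "LO": "Interrogate", "CR": "UserDefinedControl",
    "RC": "ReadControl", "SD": "Delete", "WD": "WriteDac", "WO": "WriteOwner",
}
CONFIG_CHANGE_RIGHTS = {"DC", "WD", "WO", "GA"}
TRUSTED_SIDS = {"BA", "SY"}   # Builtin Administrators, Local System

# One template line: "ServiceName",startcode,"SDDL"
LINE_RE = re.compile(r'^"(?P<name>[^"]+)",(?P<start>\d+),"(?P<sddl>[^"]*)"$')
# One ACE: (type;flags;rights;object_guid;inherit_guid;sid)
ACE_RE = re.compile(
    r'\((?P<type>[^;]*);(?P<flags>[^;]*);(?P<rights>[^;]*);[^;]*;[^;]*;(?P<sid>[^)]*)\)')

# Constructed sample template (not from a real GPO).
SAMPLE_INF = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
"RemoteAccess",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
"SNMP",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
"WINS",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
"""


def parse_aces(sddl):
    """Split an SDDL string into ACEs with their rights as two-letter tokens."""
    aces = []
    for m in ACE_RE.finditer(sddl):
        rights = m.group("rights")
        if rights.lower().startswith("0x"):      # numeric mask form: keep whole
            tokens = [rights]
        else:
            tokens = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        aces.append({"type": m.group("type"), "rights": tokens, "sid": m.group("sid")})
    return aces


def parse_service_settings(inf_text):
    """Return {service: {"startup": ..., "sddl": ..., "aces": [...]}}."""
    services, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[service general setting]"
            continue
        if not in_section or not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue                                  # tolerate unknown lines
        code = int(m.group("start"))
        services[m.group("name")] = {
            "startup": START_TYPES.get(code, f"Unknown({code})"),
            "sddl": m.group("sddl"),
            "aces": parse_aces(m.group("sddl")),
        }
    return services


def audit(services, allowed_services):
    """Findings as (service, message) tuples.

    Flags services not in `allowed_services` that the template leaves
    enabled, and allow-ACEs granting configuration-change rights to any
    principal other than Administrators or SYSTEM.
    """
    findings = []
    for name, svc in services.items():
        if svc["startup"] != "Disabled" and name not in allowed_services:
            findings.append((name, f"startup is {svc['startup']} but service is not authorised here"))
        for ace in svc["aces"]:
            if ace["type"] != "A" or ace["sid"] in TRUSTED_SIDS:
                continue
            if CONFIG_CHANGE_RIGHTS & set(ace["rights"]):
                findings.append((name, f"{ace['sid']} can change service configuration"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_service_settings(SAMPLE_INF), {"WINS"}):
        print(*finding)
```

Run against a template exported from the GPO for a WINS server (allowed set {"WINS"}), the sample reports that SNMP is set to start automatically although that host is not meant to run it, and that Authenticated Users (AU) hold ChangeConfig and WriteDac on it, which is exactly the over-broad startup-change authority the text recommends limiting.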