Settings Breakdown for Windows Server 2008 and Windows Vista : Policies (part 5) - Security Settings - Public Key Policies, Software Restriction Policies

10/10/2013 4:01:22 AM
2.3.9 Wireless Network (IEEE 802.11) Policies (Computer Configuration Only)

This node provides the ability to configure wireless networks for desktops running Windows XP or Windows Vista that are joined to the domain. The options for configuring the wireless network for Windows XP are somewhat limited compared to those for Windows Vista. The policy for Windows XP is shown in Figure 12.

Figure 12. This figure shows the Wireless Network policy for a desktop running Windows XP.

The policy available to configure desktops running Windows Vista provides additional settings and configuration options beyond those for desktops running Windows XP. The policy for Windows Vista is shown in Figure 13. Some of the additional configurations available for Windows Vista include:

  • Prevent connections to certain types of networks, such as ad-hoc and infrastructure

  • View denied wireless networks

  • Create all user profiles

  • Permissions for wireless networks (allow or deny)

Figure 13. This figure shows the Wireless Network policy for a desktop running Windows Vista.

2.3.10 Public Key Policies

The policies included under this node are designed to configure, control, and manage the public key infrastructure for your company. The settings include control over EFS, certificate requests, certificate trust lists, and certificate authorities. Two of the policies are located under the root node, and the rest are located under one of the following subnodes:

  • Encrypting File System

  • Automatic Certificate Request Settings

  • Trusted Root Certification Authorities

  • Enterprise Trust

  • Intermediate Certification Authorities

  • Trusted Publishers

  • Untrusted Certificates

  • Trusted People

2.3.11 Software Restriction Policies

This node provides you with the ability to control which applications can run on a desktop that is affected by the GPO where the policies are configured. These policies do not allow or prevent the software from existing on the desktop; rather, if the software is present, the policies determine whether it is allowed to run. This node and its subnodes contain numerous options for configuration that allow you to control the software that runs on any desktop in the domain. The majority of the settings fall under the following two subnodes, although a few policies are located under the main node:

  • Security Levels: The security levels control the level of privilege and the permissions that software is granted under the software restriction policy. The following three levels can be configured:

    • Disallowed: software will not run, regardless of the user permissions and privilege.

    • Basic User: allows applications to execute for users who do not have Administrative privileges, but the application will still access resources as a normal user.

    • Unrestricted: the permissions to run the software are determined by the access rights of the user account.

  • Additional Rules: The additional rules control whether particular software is allowed to run. Some rules are very specific to an application, such as the hash rule, whereas others are more generic, such as the path rule. Figure 14 illustrates a path rule policy. Four rules can be configured:

    • Certificate rule

    • Hash rule

    • Network zone rule

    • Path rule

Figure 14. The Software Restriction policy provides the ability to control applications through Path rules.
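As an added example (not code from the original article), the following PowerShell script reads the Software Restriction Policy that Group Policy has applied to a computer and lists its default security level and its path and hash rules, so an administrator can verify what a GPO actually delivered. It assumes the well-known registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers; the level codes, the PolicyScope meaning and the HashAlg constants are documented Windows values, not taken from the article.

```powershell
# Added example, not part of the original article: audit the Software
# Restriction Policy in effect on a Windows computer by reading the registry
# keys that Group Policy processing writes. Assumes the well-known SRP layout
# HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\{Paths,Hashes}.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels as stored in DefaultLevel and used as per-level subkey names.
$levels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

if (-not (Test-Path $base)) {
    Write-Output 'No Software Restriction Policy is applied to this computer.'
    return
}

$root = Get-ItemProperty -Path $base
Write-Output ("Default security level: " + $levels[[int]$root.DefaultLevel])
# PolicyScope 0 = applies to all users, 1 = all users except local administrators.
Write-Output ("PolicyScope: " + $root.PolicyScope)

# Path and hash rules live under a subkey named after the level they assign.
# Certificate and network zone rules are stored differently and are not listed here.
foreach ($levelKey in Get-ChildItem -Path $base | Where-Object { $_.PSChildName -match '^\d+$' }) {
    $levelName = $levels[[int]$levelKey.PSChildName]
    foreach ($kind in 'Paths', 'Hashes') {
        $kindPath = Join-Path -Path $levelKey.PSPath -ChildPath $kind
        if (-not (Test-Path $kindPath)) { continue }
        foreach ($rule in Get-ChildItem -Path $kindPath) {
            $p = Get-ItemProperty -Path $rule.PSPath
            if ($kind -eq 'Paths') {
                $ruleType = 'Path'
                $target   = $p.ItemData                      # REG_EXPAND_SZ path or wildcard
                $alg      = ''
            } else {
                $ruleType = 'Hash'
                $target   = ($p.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''  # REG_BINARY hash
                # HashAlg holds a CryptoAPI ALG_ID: 0x8003 = CALG_MD5, 0x800C = CALG_SHA_256.
                $alg      = switch ($p.HashAlg) { 0x8003 { 'MD5' } 0x800C { 'SHA-256' } default { "$_" } }
            }
            [pscustomobject]@{
                Level       = $levelName
                RuleType    = $ruleType
                Target      = $target
                Algorithm   = $alg
                Description = $p.Description
            }
        }
    }
}
```

Run it in an elevated PowerShell session on a domain member after `gpupdate /force` to compare the delivered rules against what the GPO editor shows.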

2.3.12 Network Access Protection (Computer Configuration Only)

These policy settings control the environment of Network Access Protection (NAP) for target computers. The settings that fall under this node in a GPO control which service will quarantine the clients, the NAP interface details, and which servers will be used for obtaining health certificates.

  • Enforcement Clients: These policies determine which service or technology will enforce NAP and quarantining of the client. The options include:

    • DHCP Quarantine Enforcement Client

    • Remote Access Quarantine Enforcement Client

    • IPsec Relying Party

    • TS Gateway Quarantine Enforcement Client

    • EAP Quarantine Enforcement Client

  • User Interface Settings: This policy simply configures the details that the client will see in the NAP interface.

  • Health Registration Settings: These settings control the hash algorithms and health registration authority servers that clients will use to obtain their health certificates. Two subnodes contain policy settings, which must be configured to complete the health registration settings:

    • Request Policy

    • Trusted Server Groups

2.3.13 IP Security Policies on Active Directory (Computer Configuration Only)

IPsec is a protocol that can help increase the security of data communicated from computer to computer. In most cases, IPsec is used to protect data communicated over a network that is not secure. IPsec has many configurations, all of which can be customized. Three policies are preconfigured and ready to use if you do not want to customize your own IPsec policy:

  • Client (Respond Only): This policy is intended for computers that will respond to other computers requesting the use of IPsec for data communication. This is ideal for environments in which IPsec is not used on every server: when a server does request IPsec, this policy allows the client to respond appropriately to the request.

  • Secure Server (Require Security): This policy is designed to force a server to use IPsec for all communication.

  • Server (Request Security): This policy is designed to be flexible with the use of IPsec. In essence, the policy will try to use IPsec with all communications, but when communicating with a downlevel client that does not support IPsec, it will not cause the communication to fail.

2.3.14 Folder Redirection (User Configuration Only)

When a computer and user are working within the context of a domain instead of a workgroup, it is ideal to centralize the data that users work with, for security, roaming-user, and disaster recovery reasons. To accommodate this environment, the folder redirection policies allow you to control which user folders store data locally on the user’s hard drive and which user folders are redirected to a network share, so that the data can be managed by the IT staff. The folders that can be redirected using this policy include:

  • AppData (Roaming)

  • Desktop

  • Start Menu

  • Documents

  • Pictures

  • Music

  • Videos

  • Favorites

  • Contacts

  • Downloads

  • Links

  • Searches

  • Saved Games

2.3.15 Policy-Based QoS

Quality of Service (QoS) is a suite of technologies that manage network traffic to make the best use of bandwidth, cost, and other network constraints. With QoS policies, you can manage and prioritize network traffic when network conditions change and the network becomes congested, so that applications continue to function optimally.

2.3.16 Internet Explorer Maintenance (User Configuration Only)

The policies located under this node and its subnodes are designed to configure, control, and secure many aspects of Microsoft Internet Explorer. In some cases, you will import the settings from the computer on which the GPO is being edited to configure the policies; in other cases, you can make manual entries in the policy settings. The result is a suite of Internet Explorer settings stored in the GPO that is deployed to all users who fall under the scope of management (SOM) of the GPO. The subnodes of policy settings that fall under this node include the following:

  • Browser User Interface: This node of policies is designed to configure the interface of Internet Explorer. Three policies fall under this subnode:

    • Browser Title

    • Custom Logo and Animated Bitmaps

    • Browser Toolbar Customizations

  • Connection: Many settings are associated with Internet Explorer when a unique or specific connection must be made to access the Internet. The settings in this node can help you make the appropriate configurations to ensure connectivity. Four policies fall under this node:

    • Connection Settings

    • Automatic Browser Configuration

    • Proxy Settings

    • User Agent String

  • URLs: You can help users in your environment to be more productive and efficient by providing them with URLs to locations that are important to them. Two types of URLs can be configured under this policy node:

    • Favorites and Links

    • Important URLs

  • Security: You can use this policy to establish the security zones, content ratings, and Authenticode settings for Internet Explorer. These settings can be ignored by GPO processing or imported from the computer performing the editing of the GPO.

  • Programs: You can configure Internet Explorer to use specific programs for the HTML editor, E-mail, Newsgroups, Internet calls, Calendar, and Contact list. This policy can be configured by importing the local Internet Explorer settings from the editing computer.
