
Windows 7 : Managing Security

9/20/2011 3:48:01 PM

Windows 7 offers a wide variety of security options. If the Windows 7 computer is a part of a domain, then you can apply security through a Group Policy Object using the Group Policy Management Console. If the Windows 7 computer is not a part of a domain, then you use Local Group Policy Objects to manage local security.

You can use policies to help manage user accounts. Account policies control the logon environment for the computer, such as password and logon restrictions. Local policies specify what users can do once they log on and include auditing, user rights, and security options. You can also manage critical security features through the Windows Security Center.

We will continue with NTFS security and shared permissions and how they work independently and together.

1. Managing Security Configurations

The tools you use to manage Windows 7 computer security configurations depend on whether the Windows 7 computer is a part of a Windows 2000, Windows 2003, or Windows 2008 domain environment.

If the Windows 7 client is not a part of a domain, then you apply security settings through Local Group Policy Objects (LGPOs). LGPOs are sets of security configuration settings that are applied to users and computers. LGPOs are created and stored on the Windows 7 computer.

If your Windows 7 computer is a part of a domain, which uses the services of Active Directory, then you typically manage and configure security through Group Policy objects (GPOs). Active Directory is the database that contains all of your domain user and group accounts along with all other domain objects.

Group Policy objects are policies that can be placed on either users or computers in the domain. The Group Policy Management Console (GPMC) is a Microsoft Management Console (MMC) snap-in that is used to configure and manage GPOs for users and computers via Active Directory.

Windows 7 computers that are part of a domain still have LGPOs, and you can use LGPOs in conjunction with the Active Directory group policies (GPOs).

NOTE

Usage of Group Policy Objects for domains is covered in greater detail in MCTS: Windows Server 2008 Active Directory Configuration, by William Panek and James Chellis (Sybex, 2008).

The settings you can apply through the Group Policy utility within Active Directory are more comprehensive than the settings you can apply through LGPOs.

Table 1 lists some of the options that can be set for GPOs within Active Directory and which of those options can be applied through LGPOs.

Table 1. Group Policy and LGPO setting options

| Group Policy Setting | Available for LGPO? |
|---|---|
| Software installation | No |
| Remote Installation Services | Yes |
| Scripts | Yes |
| Printers | Yes |
| Security settings | Yes |
| Policy-based QoS | Yes |
| Administrative templates | Yes |
| Folder redirection | No |
| Internet Explorer configuration | Yes |

Now that we have looked at LGPOs, let's take a look at some of the tools available for creating and managing them.

2. Using the Group Policy Result Tool

When a user logs on to a computer or domain, a resulting set of policies to be applied is generated based on the LGPOs, site GPOs, domain GPOs, and OU GPOs. The overlapping nature of group policies can make it difficult to determine what group policies will actually be applied to a computer or user.

To help determine what policies will actually be applied, Windows 7 includes a tool called the Group Policy Result Tool, also known as the Resultant Set of Policy (RSoP). You can access this tool through the GPResult command-line utility. The gpresult command displays the resulting set of policies that were enforced on the computer and the specified user during the logon process.

The gpresult command will display the Resultant Set of Policy (RSoP) for the computer and user who is currently logged in. Several options can be used with this command. Table 2 shows the different switches that can be used for the gpresult command.

Table 2. Gpresult switches

| Switch | Explanation |
|---|---|
| /F | Forces gpresult to overwrite the file name specified in the /X or /H switch. |
| /H | Saves the report in HTML format. |
| /P | Specifies the password for a given user context. |
| /R | Displays RSoP summary data. |
| /S | Specifies the remote system to connect to. |
| /U | Specifies the user context under which the command should be executed. |
| /V | Specifies that verbose information should be displayed. |
| /X | Saves the report in XML format. |
| /Z | Specifies that super-verbose information should be displayed. |
| /? | Shows all the gpresult command switches. |
| /scope | Specifies whether the user or the computer settings need to be displayed. |
| /User | Specifies the username for which the RSoP data is to be displayed. |
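
As an added example (not from the original article), the PowerShell below reads the XML report that gpresult /X writes and flags baseline GPOs that did not apply, which is the usual reason to check RSoP on a hardened workstation. The sample XML, the example.local domain, the GPO names and the expected list are constructed for illustration; the script reads only the Name, Enabled, AccessDenied, FilterAllowed and Link elements of the report.

```powershell
# Added example. A real report comes from an elevated prompt, using Table 2 switches:
#   gpresult /SCOPE COMPUTER /X C:\Temp\rsop.xml /F
#   $report = [xml](Get-Content C:\Temp\rsop.xml)
# Constructed sample, trimmed to the elements read below.
$sampleXml = @'
<Rsop xmlns="http://www.microsoft.com/GroupPolicy/Rsop">
  <ComputerResults>
    <GPO>
      <Name>Local Group Policy</Name>
      <Enabled>true</Enabled><AccessDenied>false</AccessDenied><FilterAllowed>true</FilterAllowed>
      <Link><SOMPath>Local</SOMPath><AppliedOrder>1</AppliedOrder></Link>
    </GPO>
    <GPO>
      <Name>Default Domain Policy</Name>
      <Enabled>true</Enabled><AccessDenied>false</AccessDenied><FilterAllowed>true</FilterAllowed>
      <Link><SOMPath>example.local</SOMPath><AppliedOrder>2</AppliedOrder></Link>
    </GPO>
    <GPO>
      <Name>Workstation Security Baseline</Name>
      <Enabled>true</Enabled><AccessDenied>true</AccessDenied><FilterAllowed>true</FilterAllowed>
      <Link><SOMPath>example.local/Workstations</SOMPath><AppliedOrder>0</AppliedOrder></Link>
    </GPO>
  </ComputerResults>
</Rsop>
'@

# A GPO counts as applied only if it is enabled, readable and not filtered out.
function Get-RsopGpo {
    param([xml]$Report, [string]$Scope = 'ComputerResults')   # or 'UserResults'
    @($Report.Rsop.$Scope.GPO) | Where-Object { $_ } | ForEach-Object {
        $link = @($_.Link)[0]            # a GPO may carry more than one link
        New-Object PSObject -Property @{
            Name     = $_.Name
            LinkedAt = $link.SOMPath
            Order    = [int]$link.AppliedOrder
            Applied  = ($_.Enabled -eq 'true') -and ($_.AccessDenied -eq 'false') -and
                       ($_.FilterAllowed -eq 'true')
        }
    }
}

# Hypothetical baseline: the GPOs this workstation is supposed to receive.
$expected = 'Local Group Policy', 'Default Domain Policy', 'Workstation Security Baseline'
$gpos     = @(Get-RsopGpo -Report ([xml]$sampleXml))
$applied  = @($gpos | Where-Object { $_.Applied } | ForEach-Object { $_.Name })
$gpos | Sort-Object Order | Format-Table Name, LinkedAt, Order, Applied -AutoSize
$expected | Where-Object { $applied -notcontains $_ } |
    ForEach-Object { Write-Warning "Expected GPO not applied: $_" }
$applied | Where-Object { $expected -notcontains $_ } |
    ForEach-Object { Write-Warning "Unexpected GPO applied: $_" }
```

Run against a real report by replacing `[xml]$sampleXml` with the `$report` variable shown in the opening comment.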
