Updated Group Policy Features
Many features in Group Policy were also updated in Windows Vista. Some of these are quite significant from a security perspective, and others are simply nice additions to the toolset.
Group Policy Management Console v. 2.0
If you have not used the Group Policy Management Console (GPMC), you need to start soon. It hugely simplifies management of GPOs in a complex environment. For one thing, it lets you see all the GPOs in the environment without having to hunt through tens or hundreds of OUs, sites, and domains.
Microsoft originally made the GPMC available as a download. In Windows Vista, they actually included it with all editions of the operating system that can join a domain. It does not have an icon, but if you click the Windows button and type gpmc.msc in the search dialog box you will find it. The GPMC is shown in Figure 1.
Note that only the version of gpmc.msc included in Windows Vista (and, naturally, Windows codename Longhorn, when it ships) supports the new ADMX templates and the central store. This is the major addition to GPMC in version 2.0.
Internet Explorer Management Without IEAK
Previous versions of Windows did support fairly extensive management of Internet Explorer but only by using the Internet Explorer Administration Kit (IEAK). The IEAK was always a separate download and allowed administrators to do everything from pre-configuring the proxy servers to replacing the little icon used to signify that the browser is retrieving a page.
In Windows Vista, as shown in Figure 2, a relatively complete set of management features for Internet Explorer is included in Group Policy.
Many of the settings for Internet Explorer are available both under Computer Configuration and User Configuration, meaning they can be set for the entire computer, or just for a user. Computer settings in Internet Explorer overrule user settings. In other words, if you disable the popup blocker under Computer Configuration, but enable it for particular users under User Configuration, it will remain disabled. This precedence does not necessarily apply to other settings. It is quite possible that a setting made under User Configuration overrules or modifies a setting made under Computer Configuration. It is up to each application to interpret these settings as they see fit. Some make the decision that computer configuration is more important; others opt for the approach that users modify the function specified for the computer. If you are using Administrative Templates settings for security purposes, it is imperative that you verify that the settings you make have the intended effect.
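The precedence rule above is easy to get wrong in practice, so the following added example (not code from the original text) reads one Internet Explorer policy value as written under Computer Configuration (HKLM) and under User Configuration (HKCU), and reports which one Internet Explorer will honour under the "computer overrides user" rule the text describes. The base path Software\Policies\Microsoft\Internet Explorer is where the Internet Explorer Administrative Template settings land; the subkey and value name used as defaults are assumptions for illustration and should be confirmed against the ADMX template for the setting you actually care about.

```powershell
# Added example, not from the original text. Compares the Computer Configuration and
# User Configuration copies of one Internet Explorer policy value and reports which
# one is effective. Internet Explorer honours the computer value when both exist.
function Get-IEPolicyPrecedence {
    param(
        [string]$SubKey    = 'Restrictions',        # assumed example subkey; verify in inetres.admx
        [string]$ValueName = 'NoPopupManagement'    # assumed example value name; verify in inetres.admx
    )
    $base  = 'Software\Policies\Microsoft\Internet Explorer'
    $paths = @{
        Computer = "HKLM:\$base\$SubKey"
        User     = "HKCU:\$base\$SubKey"
    }

    $found = @{}
    foreach ($scope in $paths.Keys) {
        # Missing key or missing value both mean "not configured" for that scope.
        $item = Get-ItemProperty -Path $paths[$scope] -Name $ValueName -ErrorAction SilentlyContinue
        $found[$scope] = if ($null -eq $item) { $null } else { $item.$ValueName }
    }

    # Computer Configuration wins for Internet Explorer settings; a user value only
    # matters when no computer value has been written at all.
    $effective = if ($null -ne $found.Computer)  { 'Computer' }
                 elseif ($null -ne $found.User)  { 'User' }
                 else                            { 'Not configured' }

    [pscustomobject]@{
        ValueName     = $ValueName
        ComputerValue = $found.Computer
        UserValue     = $found.User
        EffectiveFrom = $effective
        # A conflict is worth flagging: the user-scoped setting is silently ignored.
        Conflict      = ($null -ne $found.Computer -and $null -ne $found.User -and
                         $found.Computer -ne $found.User)
    }
}

Get-IEPolicyPrecedence | Format-List
```

Run it in the context of the user whose policy you are checking (the HKCU hive is per user), after a refresh with gpupdate, and treat a Conflict of True as a sign that a user-scoped GPO is doing nothing. For settings belonging to other applications the "computer wins" assumption built into the function does not necessarily hold, which is exactly why the text tells you to verify the effect of each setting rather than infer it.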
Group Policy Application Factored from Winlogon
Prior to Windows Vista, Group Policy was applied within the Winlogon process. Winlogon is responsible for a lot of things, including getting users logged on and ensuring that the user's desktop gets loaded. Group Policy is now handled through its own service, the Group Policy Client.
The Group Policy Client service has a very restrictive ACL associated with it to prevent administrators from accidentally disabling it. A malicious user with physical access to the computer, or an administrative account, can of course both stop the service and delete it. The ACL on the service cannot protect against administrative attacks, but it is worth noting how Microsoft has started making it a bit harder for administrators to destroy their systems. It took one of us almost 5 minutes to stop the Group Policy application by deleting the Group Policy Client from a test computer. Of course, we needed local administrative access to perform this. Standard Users cannot stop Group Policy application.
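Because an administrator can still stop or remove the service, a periodic health check is the practical defence. The following added example (not code from the original text) checks that the Group Policy Client service (service name gpsvc) is present, running and set to start automatically, and retrieves its security descriptor in SDDL form so the restrictive ACL mentioned above can be reviewed or compared against a known-good baseline. It uses only Get-Service, Win32_Service and sc.exe sdshow; run it from an elevated prompt.

```powershell
# Added example, not from the original text. Reports the state of the Group Policy
# Client service (gpsvc) and its security descriptor so a defender can confirm that
# policy application has not been switched off on a host.
function Test-GroupPolicyClient {
    $svc = Get-Service -Name gpsvc -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        # A missing service on a domain-joined host is itself a finding: someone with
        # administrative rights has deleted it, as the text describes.
        return [pscustomobject]@{
            Present = $false; Status = $null; StartMode = $null; Sddl = $null; Healthy = $false
        }
    }

    # Win32_Service exposes the start mode ('Auto', 'Manual', 'Disabled').
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='gpsvc'"

    # sc.exe sdshow prints the service object's security descriptor as an SDDL string.
    $sddl = ((& sc.exe sdshow gpsvc) -join '').Trim()

    [pscustomobject]@{
        Present   = $true
        Status    = $svc.Status
        StartMode = $wmi.StartMode
        Sddl      = $sddl
        Healthy   = ($svc.Status -eq 'Running' -and $wmi.StartMode -eq 'Auto')
    }
}

$check = Test-GroupPolicyClient
$check | Format-List
if (-not $check.Healthy) {
    Write-Warning 'Group Policy Client is missing, stopped or not set to Auto; policy may not be applied on this host.'
}
```

Record the Sddl string from a freshly built machine and alert when it changes; a loosened ACL on gpsvc is a quiet way for policy to stop being enforced without any GPO itself being touched.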
Group Policy Logging Moved to System Event Log
Since Group Policy application was moved to its own service, all we once knew about troubleshooting Group Policy isn't applicable. We no longer need to use the userenv.log file to troubleshoot Group Policy. Group Policy events now go into the Windows event logs. The System event log now contains the administrative events that were in the Application event log in prior versions of Windows.
Operational events, such as those that were previously found in the userenv.log file, are now in the Group Policy operational log, as shown in Figure 3.
In general, it is a good thing that Group Policy is finally a first-class service. The really big benefit, from a security perspective, however, is the event logging. Now that the events are in the event logs they can be managed centrally much more easily. This means that you can audit Group Policy application and failures, and fulfill regulatory requirements with respect to configuration much more easily.
Moving all of the Group Policy information to the event logs means we need to change how we troubleshoot Group Policy problems, though. There are lots of new events to learn and to search for. Microsoft has published a relatively comprehensive white paper on how to troubleshoot Group Policy using the event logs.
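To make the two new locations concrete, the following added example (not code from the original text) pulls recent Group Policy events from both places the text names: the System log, filtered to the Microsoft-Windows-GroupPolicy provider, which carries the administrative events, and the Microsoft-Windows-GroupPolicy/Operational log, which carries the detailed events that used to be in userenv.log. Errors and warnings are listed, and operational events are grouped by their ActivityId so one processing cycle can be followed from start to finish. The 24-hour window and the Healthy thresholds are arbitrary choices.

```powershell
# Added example, not from the original text. Summarises Group Policy administrative
# and operational events so failures can be reviewed (or forwarded centrally) without
# opening Event Viewer.
function Get-GroupPolicyEventSummary {
    param([int]$Hours = 24)   # arbitrary look-back window
    $since = (Get-Date).AddHours(-$Hours)

    # Administrative events: System log, Group Policy provider.
    $admin = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-GroupPolicy'
        StartTime    = $since
    } -ErrorAction SilentlyContinue

    # Operational events: the dedicated Group Policy operational log.
    $oper = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
        StartTime = $since
    } -ErrorAction SilentlyContinue

    # Event levels: 1 = Critical, 2 = Error, 3 = Warning (4 = Information).
    $problems = @($admin) + @($oper) | Where-Object { 1, 2, 3 -contains $_.Level }

    # Every event written during one policy-processing cycle shares an ActivityId,
    # which is how the operational log is meant to be read.
    $cycles = $oper | Group-Object ActivityId | ForEach-Object {
        $ordered = $_.Group | Sort-Object TimeCreated
        [pscustomobject]@{
            ActivityId = $_.Name
            Events     = $_.Count
            Start      = $ordered[0].TimeCreated
            End        = $ordered[-1].TimeCreated
            HasError   = [bool]($_.Group | Where-Object { 1, 2, 3 -contains $_.Level })
        }
    }

    [pscustomobject]@{
        AdminEvents       = @($admin).Count
        OperationalEvents = @($oper).Count
        Problems          = $problems | Select-Object TimeCreated, Id, LevelDisplayName, Message
        ProcessingCycles  = $cycles
    }
}

$summary = Get-GroupPolicyEventSummary -Hours 24
"Administrative events: $($summary.AdminEvents), operational events: $($summary.OperationalEvents)"
$summary.Problems         | Format-Table -AutoSize -Wrap
$summary.ProcessingCycles | Format-Table -AutoSize
```

The same two filters can be dropped straight into an event-forwarding subscription, which is what makes the central auditing the text promises practical: the System-log filter gives you the success/failure audit trail for compliance, and the operational-log filter gives you the per-cycle detail when something has to be explained.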