SECURITY

Working with Access and Connectivity Policies in Vista

9/5/2010 9:32:55 AM

Access and connectivity policies control network connections, dial-up connections, and Remote Assistance configurations. These policies affect a system's connectivity to the network as well as remote access to the system.

Configuring Network Policies

Many network policies are available. Network policies that control Internet Connection Sharing, Internet Connection Firewall, Windows Firewall, and Network Bridge are configured at the computer level. Network policies that control local area network (LAN) connections, Transmission Control Protocol/Internet Protocol (TCP/IP) configuration, and remote access are configured at the user level. The primary policies that you'll want to use are summarized in Table 1. You'll find Network policies under Computer Configuration\Administrative Templates\Network\Network Connections and User Configuration\Administrative Templates\Network\Network Connections.

Table 1: Network Policies

| Policy Type | Policy Name | Description |
|---|---|---|
| Computer | Prohibit Installation And Configuration Of Network Bridge On Your DNS Domain Network | Determines whether users can install and configure network bridges. This policy only applies to the domain in which it is assigned. |
| Computer | Prohibit Use Of Internet Connection Firewall On Your DNS Domain Network | Determines whether users can enable the Internet Connection Firewall. This policy only applies to the domain in which it is assigned. |
| Computer | Prohibit Use Of Internet Connection Sharing On Your DNS Domain Network | Determines whether administrators can enable and configure connection sharing. This policy only applies to the domain in which it is assigned. |
| User | Ability To Change Properties Of An All User Remote Access Connection | Determines whether users can view and modify the properties of remote access connections available to all users of the computer. |
| User | Ability To Delete All User Remote Access Connections | Determines whether users can delete remote access connections available to all users of the computer. |
| User | Ability To Enable/Disable A LAN Connection | Determines whether users can enable or disable LAN connections. |
| User | Prohibit Access To Properties Of A LAN Connection | Determines whether users can change the properties of LAN connections. |
| User | Prohibit Access To Properties Of Components Of A Remote Access Connection | Determines whether users can access and change properties of remote access connections. |
| User | Prohibit Deletion Of Remote Access Connections | Determines whether users can delete remote access connections. |
| User | Prohibit TCP/IP Advanced Configuration | Determines whether users can access advanced TCP/IP settings. |

As shown in the table, network policies for computers are designed to restrict actions on the organization's network. When you enforce these restrictions, users are prohibited from using features such as Internet Connection Sharing in the applicable domain. This is designed to protect the security of corporate networks, but it doesn't prevent users with laptops, for example, from taking their computers home and using these features on their own networks. To enable or disable these restrictions, follow these steps:

  1. Access Group Policy for the resource you want to work with. Next, access the Network Connections node by expanding Computer Configuration\Administrative Templates\Network\Network Connections.

  2. Double-click the policy that you want to configure. On the Setting tab, select Enabled or Disabled as appropriate. Click OK.

User policies for network connections usually prevent access to certain configuration features, such as the advanced TCP/IP property settings. To configure these policies, follow these steps:

  1. Access Group Policy for the resource you want to work with. Next, access User Configuration\Administrative Templates\Network\Network Connections.

  2. Double-click the policy that you want to configure. On the Setting tab, select Enabled or Disabled as appropriate. Click OK.

Configuring Remote Assistance Policies

Remote Assistance policies can be used to prevent or permit use of remote assistance on computers. Typically, when you set Remote Assistance policies, you'll want to prevent unsolicited offers for remote assistance while allowing requested offers. You can also force a specific expiration time limit for invitations through policy rather than setting this through the System Properties dialog box of each computer. To improve security, you can use strong invitation encryption. This enhancement, however, limits who can answer Remote Assistance invitations to only those running Windows Vista or later releases of Windows.

To configure policy in this manner, follow these steps:

  1. Access Group Policy for the computer you want to work with. Next, access Computer Configuration\Administrative Templates\System\Remote Assistance.

  2. Double-click Solicited Remote Assistance. On the Setting tab, select Enabled. When enabled, this policy allows authorized users to respond to remote assistance invitations.

  3. You can now specify the level of access for assistants. The Permit Remote Control Of This Computer selection list has two options:

    Allow Helpers To Remotely Control This Computer: Permits viewing and remote control of the computer.

    Allow Helpers To Only View This Computer: Permits only viewing; assistants cannot take control to make changes.

  4. Next, as shown in Figure 1, use the Maximum Ticket Time (Value) and Maximum Ticket Time (Units) fields to set the maximum time limit for remote assistance invitations. The default maximum time limit is one hour. Click OK.

Figure 1: Set a time expiration limit for Remote Assistance invitations.

Real World 

The method for sending e-mail invitations is set to Mailto by default. This is a browser-based mail submission technique in which the invitation recipient connects through an Internet link. You can also select Simple MAPI to use Messaging Application Programming Interface (MAPI) for sending the e-mail invitation. When you do this, the invitation is sent as an attachment to the invitation e-mail message. As long as computers can establish a connection with each other over port 80 and you're using a standard e-mail program, such as Microsoft Outlook or Outlook Express, you'll probably want to use Mailto.

  5. Double-click Offer Remote Assistance. In the Offer Remote Assistance Properties dialog box, select Disabled. Disabling this policy prevents unsolicited assistance offers. Click OK.

  6. If you want to use strong invitation encryption and limit connections so they can only come from computers running Windows Vista or later releases of Windows, double-click Allow Only Vista Or Later Connections. In the Allow Only Vista Or Later Connections dialog box, select Enabled. Click OK.
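To confirm that a computer actually received the configuration set in the steps above, you can audit the registry values behind these policies. The following PowerShell is an added example, not part of the original text. The function names are hypothetical, and the key path and value names are assumed to be the ones the Remote Assistance administrative template (RemoteAssistance.admx) writes; the sample input is constructed.

```powershell
# Added example. Key path and value names are assumed from RemoteAssistance.admx.
$RaPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RemoteAssistancePolicy {
    # Returns value name -> data; an empty table means every policy is Not Configured.
    $values = @{}
    $item = Get-ItemProperty -Path $RaPolicyKey -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { $values[$p.Name] = $p.Value }  # skip provider metadata
        }
    }
    $values
}

function Test-RemoteAssistanceBaseline {
    param(
        [hashtable]$Policy,           # value name -> DWORD; a missing name = Not Configured
        [int]$MaxTicketMinutes = 60   # the one-hour default limit mentioned in step 4
    )
    # MaxTicketExpiryUnits: 0 = minutes, 1 = hours, 2 = days
    $perUnit = @{ 0 = 1; 1 = 60; 2 = 1440 }
    $ticket = $null
    if ($Policy.ContainsKey('MaxTicketExpiry') -and $Policy.ContainsKey('MaxTicketExpiryUnits')) {
        $unit = [int]$Policy['MaxTicketExpiryUnits']
        if ($perUnit.ContainsKey($unit)) {
            $ticket = [int]$Policy['MaxTicketExpiry'] * $perUnit[$unit]
        }
    }
    # A missing value compares as $false, so Not Configured never passes a check.
    $checks = [ordered]@{
        'Solicited Remote Assistance set to Enabled'        = ($Policy['fAllowToGetHelp'] -eq 1)
        'Offer Remote Assistance set to Disabled'           = ($Policy['fAllowUnsolicited'] -eq 0)
        "Maximum ticket time set, <= $MaxTicketMinutes min" = ($null -ne $ticket -and $ticket -le $MaxTicketMinutes)
        'Allow Only Vista Or Later Connections Enabled'     = ($Policy['CreateEncryptedOnlyTickets'] -eq 1)
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Pass = [bool]$checks[$name] }
    }
}

# Constructed sample: solicited help allowed, offers disabled, six-hour tickets,
# strong invitation encryption not configured.
$sample = @{ fAllowToGetHelp = 1; fAllowUnsolicited = 0
             MaxTicketExpiry = 6; MaxTicketExpiryUnits = 1 }
Test-RemoteAssistanceBaseline -Policy $sample | Format-Table -AutoSize

# On a managed computer:
# Test-RemoteAssistanceBaseline -Policy (Get-RemoteAssistancePolicy) | Format-Table -AutoSize
```

Run the commented last line in an elevated session after a Group Policy refresh so that the values reflect the policy currently applied.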

To prevent remote assistance and remote control, follow these steps:

  1. Access Group Policy for the computer you want to work with. Next, access Computer Configuration\Administrative Templates\System\Remote Assistance.

  2. Double-click Solicited Remote Assistance. On the Setting tab, select Disabled and then click Previous Setting or Next Setting as appropriate.

  3. In the Offer Remote Assistance dialog box, select Disabled and then click OK.
