New Features of Windows Server 2008 and Vista System Group Policies (Part 2)

Source: Internet
Author: User

Following the previous article on the new features of Windows system group policies, this article continues to introduce the new group policy features of Windows Server 2008 and Vista. The specific content is as follows.

Audit Backup and Restore

An interesting group policy setting is Audit: Audit the use of Backup and Restore privilege. If you enable it (the default policy setting), backup and restore operations are audited.

This is an interesting policy setting because it has both advantages and disadvantages. On the plus side, it lets you verify that backups are actually being performed according to company policy.

It also lets you see any restore operations. The disadvantage is that this policy makes every backup generate a large number of log entries, which means your security log may be filled with Audit Backup and Restore entries. Writing a single entry uses only a small amount of disk and CPU, but if thousands of entries are written, performance may be seriously affected.

Removable Devices

Many companies do not allow removable devices at all, for example an external optical drive, because they let users carry unauthorized data out of the company, or copy or delete sensitive data. Removable devices are therefore often discouraged. For this reason Microsoft added a group policy for removable devices: Devices: Allowed to format and eject removable media. As its name suggests, this policy can be used to prevent users from formatting or ejecting removable media.

Printer Drivers

In Windows, when users print to a network printer they usually do not need to find or download a printer driver themselves. When a user connects to a shared printer by its UNC path, the print server checks whether the user's workstation has a suitable driver. If the driver is not present, the print server sends a copy of the printer driver to the client machine.

In most cases this is desirable behavior, because it lets users print to different printers as needed without involving technical staff. In a high-security environment, however, it may be considered a risk to let users print to printers that have not been assigned to them. One way to prevent users from printing to printers they are not authorized to use is to prevent them from installing the printer driver.

You can do this with the policy Devices: Prevent users from installing printer drivers. By default the policy is not enabled on workstations (drivers are installed) and is enabled on servers.

If you plan to implement this policy in your company, remember a few things. First, it does not prevent users from adding local printers; it only prevents them from installing drivers for network printers. Second, it does not prevent users from printing to a network printer whose driver is already on the user's machine. Finally, the setting does not apply to administrators.
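The three Security Options policies above (backup/restore auditing, removable media, and printer driver installation) each write a registry value, so their effective state can be reported from any machine. The script below is an added example and not code from the original article; it assumes the registry paths and value names shown in the comments are the ones these policies map to, and that privilege-use events 4673/4674 are where the backup/restore privilege audits land, which is how the audit-volume caveat in the text can be measured.

```powershell
# Added example (not from the original article): report the three Security Options
# policies discussed above from the registry values they write, and estimate the audit
# volume that "Audit the use of Backup and Restore privilege" produces.
# Assumptions: the registry paths/value names below are the ones these policies map to;
# privilege-use events 4673/4674 carry the SeBackupPrivilege/SeRestorePrivilege audits.

function Get-PolicyValue {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # absent value means "not configured"
    return $item.$Name
}

function Get-BackupRestoreAuditState {
    # Audit: Audit the use of Backup and Restore privilege -> FullPrivilegeAuditing (REG_BINARY, 0x01 = on)
    $v = Get-PolicyValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'FullPrivilegeAuditing'
    if ($null -eq $v -or $v.Length -eq 0) { return 'Not configured' }
    if ($v[0] -eq 1) { return 'Enabled (every use of SeBackupPrivilege/SeRestorePrivilege is logged)' }
    return 'Disabled'
}

function Get-RemovableMediaPolicy {
    # Devices: Allowed to format and eject removable media -> AllocateDASD (REG_SZ)
    $v = "$(Get-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'AllocateDASD')"
    if ($v -eq '0') { return 'Administrators' }
    if ($v -eq '1') { return 'Administrators and Power Users' }
    if ($v -eq '2') { return 'Administrators and Interactive Users' }
    return 'Not configured (defaults to Administrators)'
}

function Get-PrinterDriverInstallPolicy {
    # Devices: Prevent users from installing printer drivers -> AddPrinterDrivers (REG_DWORD)
    $v = Get-PolicyValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers' 'AddPrinterDrivers'
    if ($v -eq 1) { return 'Enabled (only administrators install network printer drivers; local printers and already-installed drivers are unaffected)' }
    if ($v -eq 0) { return 'Disabled (any user can install a network printer driver)' }
    return 'Not configured'
}

function Measure-BackupRestoreAuditVolume {
    # Count privilege-use events from the last N hours that mention the backup/restore privileges.
    # Reading the Security log needs an elevated session; errors are suppressed so the report still prints.
    param([int]$Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4673, 4674; StartTime = $since } -ErrorAction SilentlyContinue)
    $hits   = @($events | Where-Object { $_.Message -match 'SeBackupPrivilege|SeRestorePrivilege' })
    [pscustomobject]@{
        Hours            = $Hours
        PrivilegeEvents  = $events.Count
        BackupRestoreUse = $hits.Count
        EventsPerHour    = [math]::Round($hits.Count / $Hours, 1)
    }
}

function Get-DevicePolicyReport {
    [pscustomobject]@{
        'Audit Backup and Restore privilege'            = Get-BackupRestoreAuditState
        'Allowed to format and eject removable media'   = Get-RemovableMediaPolicy
        'Prevent users from installing printer drivers' = Get-PrinterDriverInstallPolicy
    }
}

Get-DevicePolicyReport | Format-List
Measure-BackupRestoreAuditVolume | Format-List
```

The event count is the practical check behind the text's warning: if `EventsPerHour` climbs into the thousands during a backup window, the Security log size and retention settings need to be revisited before the policy is rolled out more widely.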

Security is Microsoft's primary concern, so it is not surprising that many of the new group policy settings introduced with Windows Server 2008 and Vista involve security features. This article starts with one new security group policy setting: User Account Protection (UAC).

If you are not familiar with UAC, it is a security feature that protects Windows by reducing excessive user privileges. In Windows XP, users often needed local administrator rights to complete their tasks.

During Vista's development, Microsoft spent a long time looking at the permissions standard users actually need, so that they do not have to be granted local administrator rights. For example, a standard user in Vista can install a printer, enter a WEP password, configure a VPN connection, and install application updates without local administrator privileges.

User Account Protection does more than grant additional permissions to standard users; it also protects local administrators from themselves. Even when a local administrator logs on, Windows treats him as a standard user. If you want to perform an operation that requires local administrator privileges, Windows prompts you to confirm temporarily elevating your privileges for that operation.

Administrators can also log on as standard users. If a standard user wants to perform an operation that requires administrator permissions, Vista automatically prompts the user to enter credentials for that operation, without the user having to use the RunAs command.

That is the background of UAC. Now let's look at the UAC group policy settings. Like most of the group policy settings discussed in this series, they only apply to Windows Server 2008 and Vista. Therefore, unless you have Windows Server 2008 domain controllers in your network, these policies are applied only as local group policies.

The UAC group policies are set under Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options:

The first UAC group policy is User Account Control: Admin Approval Mode for the Built-in Administrator account. This setting is enabled by default, and the Administrator is treated as a standard user: any Windows operation that requires administrator privileges prompts you to confirm it. If this setting is disabled, Vista behaves like XP and the administrator can complete all operations without a prompt.

The next setting is User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode. As you already know, Vista is configured so that administrative operations cannot be performed without confirmation. This option lets you control how the administrator is prompted. For more information, see the setting's own description. We recommend that you do not turn the elevation prompt off.

Just as Vista can restrict what an administrator may do, it can also limit standard users. You control whether UAC prompts for elevation when a standard user performs an operation that requires it with User Account Control: Behavior of the elevation prompt for standard users. For more information, see the setting's own description.

Although Vista requires elevation for related operations, some operations can be configured not to require it. An example is installing software. The setting User Account Control: Detect application installations and prompt for elevation controls this.

Not prompting for elevation when software is installed may seem odd, but in some cases it is appropriate. In a managed environment, software is distributed through group policy, SMS, and similar tools. In that environment you do not want every desktop to prompt for elevation, so you can disable this setting.

In the previous article I talked about how UAC group policies work. Although Vista and 2008 provide hundreds of new group policies compared with XP and 2003, UAC is the most important, because it helps users resist malware. Next we look at the remaining UAC settings in group policy.

User Account Control: Only elevate executables that are signed and validated.

If you think about it, the main reason for UAC is to prevent unauthorized code from running on network workstations. But determining whether code is authorized is a problem.

Generally, whether code is considered secure depends on whether it has a digital signature. Most software does not carry a digital signature proving that the code was issued by its publisher and has not been modified by others. A digital signature also proves that the code has not been changed since it was signed.

A code signature does not by itself mean the code is trustworthy; whether or not to trust the digital signature is still a question. When you decide to trust a digital signature, its publisher is added to the Windows trusted publishers.

This is what User Account Control: Only elevate executables that are signed and validated does. When enabled, this group policy enforces PKI signature checks on any application that requests elevated permissions. If the application's digital signature is trusted, elevation is allowed; otherwise the request is rejected.

Note that, according to the Microsoft documentation, this policy applies only to interactive applications and not to services or scripts, if the document is correct.
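The UAC policies described in this and the previous section (Admin Approval Mode, the two elevation prompts, installer detection, and signed-only elevation) also map to registry values, and the "signed and validated" check can be previewed for a given executable with the Authenticode cmdlet. The script below is an added example and not code from the original article; it assumes the value names under the `Policies\System` key are the ones these policies write, takes the numeric meanings from current Microsoft documentation (Vista itself only used values 0 to 2 for the administrator prompt), and uses `Get-AuthenticodeSignature` as an approximation of the policy's PKI check, which additionally consults the Trusted Publishers store.

```powershell
# Added example (not from the original article): report the UAC policies discussed above
# from their registry values, then show what "signed and validated" amounts to for one file.
# Assumptions: the value names below are the ones the policies write; numeric meanings are
# per current Microsoft documentation; Get-AuthenticodeSignature approximates the PKI check.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacValue {
    param([Parameter(Mandatory)][string]$Name)
    $item = Get-ItemProperty -Path $UacKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # absent value means "not configured"
    return [int]$item.$Name
}

function Get-FlagText {
    param($Value, [string]$On, [string]$Off)
    if ($Value -eq 1) { return $On }
    if ($Value -eq 0) { return $Off }
    return 'Not configured'
}

function Get-UacReport {
    $adminPrompt = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries'
    }
    $userPrompt = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the secure desktop'
        3 = 'Prompt for credentials'
    }
    $a = Get-UacValue 'ConsentPromptBehaviorAdmin'
    $u = Get-UacValue 'ConsentPromptBehaviorUser'
    $adminText = 'Not configured'
    if ($null -ne $a -and $adminPrompt.ContainsKey($a)) { $adminText = $adminPrompt[$a] }
    $userText = 'Not configured'
    if ($null -ne $u -and $userPrompt.ContainsKey($u)) { $userText = $userPrompt[$u] }

    [pscustomobject]@{
        'Admin Approval Mode for all administrators (EnableLUA)'                  = Get-FlagText (Get-UacValue 'EnableLUA') 'Enabled' 'Disabled (behaves like XP, no prompts)'
        'Admin Approval Mode for built-in Administrator (FilterAdministratorToken)' = Get-FlagText (Get-UacValue 'FilterAdministratorToken') 'Enabled' 'Disabled'
        'Elevation prompt for administrators (ConsentPromptBehaviorAdmin)'        = $adminText
        'Elevation prompt for standard users (ConsentPromptBehaviorUser)'         = $userText
        'Detect application installations (EnableInstallerDetection)'             = Get-FlagText (Get-UacValue 'EnableInstallerDetection') 'Enabled (installers prompt for elevation)' 'Disabled (managed software distribution)'
        'Only elevate signed and validated executables (ValidateAdminCodeSignatures)' = Get-FlagText (Get-UacValue 'ValidateAdminCodeSignatures') 'Enabled' 'Disabled'
    }
}

function Test-ElevationSignature {
    # Previews the signature status UAC would see for an executable requesting elevation.
    # Catalog-signed OS binaries may report NotSigned on older Windows versions.
    param([Parameter(Mandatory)][string]$Path)
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    [pscustomobject]@{
        Path         = $Path
        Status       = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer       = $signer
        WouldElevate = ($sig.Status -eq 'Valid')   # approximation of the policy's PKI check
    }
}

Get-UacReport | Format-List
# Example path only; substitute the application you are evaluating for signed-only elevation.
Test-ElevationSignature -Path "$env:SystemRoot\System32\notepad.exe" | Format-List
```

Running `Test-ElevationSignature` against the line-of-business applications that users elevate is the useful pre-check before enabling the signed-only policy: anything that reports `NotSigned` or `HashMismatch` will have its elevation requests rejected once the policy is on.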

We hope the new group policy features of Windows systems introduced in this series are helpful to readers. There is more group policy knowledge for readers to explore and learn.
