Windows keeps being updated and upgraded, and Group Policy is no exception. This article describes some of the new Group Policy features in Windows Server 2008 and Windows Vista. The details follow.
Since Windows 2000 Server, Group Policy has been the primary mechanism for managing a secure Windows network. Over the past few years I have felt that Group Policy needed to be extended, because there were many aspects of a system it could not control. Fortunately, Microsoft acknowledged these shortcomings and substantially reworked Group Policy in Windows Server 2008. In this series of articles I will discuss some of the new Group Policy settings.
If you have used Group Policy before, you know that many of its settings are built into the operating system and that it is hard to extend. It is difficult to give a definite count of the available settings, because service packs and update packages bring Group Policy changes with them. I can tell you that Windows Server 2003 Service Pack 1 provides about 1,700 Group Policy settings, and that the number has grown to about 2,400 in Windows Vista and Windows Server 2008. There is no room to cover every setting, so instead I will concentrate on the more important ones.
Virus protection
In recent years there have been many security threats, and most of them have arrived as e-mail-borne viruses. Most antivirus products integrate with Microsoft Outlook, the idea being that the software can scan an e-mail attachment when it is opened. Even so, Windows lacked a unified mechanism to ensure that antivirus software was installed and working. Fortunately, Vista and Server 2008 contain Group Policy settings that let you express your organization's antivirus policy at the Group Policy level.
Although I want to show you the settings for Windows Vista and Windows Server 2008, the same settings also exist on Windows XP Service Pack 2. You will find the antivirus-related settings in the Group Policy editor under User Configuration \ Administrative Templates \ Windows Components \ Attachment Manager.
Notify antivirus programs when opening attachments
When a user opens an e-mail attachment, Windows notifies the registered antivirus software so that it can scan the attachment for viruses. Although this setting looks simple (it has only two states), there are two things you must know before using it. First, if your antivirus software already scans e-mail attachments automatically, this setting is redundant.
Second, if you enable this setting but your antivirus software is unable to scan the attachment for some reason, Windows will prevent the attachment from being opened. That is the safe failure mode, but it means a missing or broken scanner turns into a help-desk problem rather than a silent bypass.
Do not preserve zone information in file attachments
A central security concept in Internet Explorer is the security zone. Internet Explorer lets administrators classify domains into zones (Internet, Local intranet, Trusted sites, Restricted sites) that express how much a site is trusted. In Windows XP SP2 and later, including Vista, zone information is also applied to e-mail attachments and downloaded files: when a file is saved, Windows records the zone it came from, and this origin information is then used to decide how much the attachment should be trusted.
The wording of this setting is a bit misleading: if you enable it, zone information is not preserved, so it is effectively ignored. If you want Windows to use zone information to protect e-mail attachments, you must disable this setting or leave it not configured.
From a security standpoint you should know that the zone is stored as a file attribute (an NTFS alternate data stream named Zone.Identifier), which means the file must be on an NTFS partition. If the file is saved to a FAT partition, the zone information is silently dropped, and Windows does not report a failure.
Hide mechanisms to remove zone information
Normally it is quite easy for a user to remove the zone information from a file: they just open the file's Properties dialog and click the Unblock button. Enable this setting if you want to prevent users from stripping zone information from files. It hides the Unblock button, so users cannot remove the zone information through the property sheet. Note that it only hides the user-interface mechanism; it does not change how the zone information is stored.
Default risk level for file attachments
This setting lets you assign a default risk level (high, moderate, or low) to e-mail attachments whose file type is not otherwise classified. I will cover the risk levels below.
Inclusion list for high risk file types
Obviously some file types are more likely to carry malicious code than others. For example, a .exe or .pif file executes directly when opened, whereas a .pdf does not. Because of this, Windows lets you classify file types into risk levels.
High, moderate, or low risk
Windows provides separate Group Policy settings for the low-, moderate-, and high-risk file type lists. Microsoft chose this design so that the stricter setting wins when the lists conflict. For example, if a file type appears in both the high-risk and the moderate-risk list, the high-risk list takes precedence and the file type is treated as high risk. Once a file type is treated as high risk, the other settings do not apply to it.
So what does it mean for a file type to be high risk? When a user tries to open the file, Windows looks not only at the file type but also at where the file came from. If a high-risk file originates from the Restricted sites zone, Windows blocks the user from opening it; if it comes from the Internet zone, Windows displays a warning before the user opens the file.
Inclusion list for low risk file types
Determining whether a file type is low risk works like the high-risk list, with two differences. First, Microsoft treats certain file types as high risk by default; if you add such a file type to the low-risk list, you override the built-in Windows classification and the file type is treated as low risk. Of course, if you have manually added a file type to the high-risk list and then also add it to the low-risk list, the file type is still treated as high risk, because the high-risk list takes precedence over the low-risk list. In case you are wondering, a low-risk file can be opened without any prompt regardless of its zone.
Inclusion list for moderate risk file types
The moderate-risk list works like the high-risk list. The only difference is that if the file comes from the Restricted sites zone or the Internet zone, Windows only displays a warning before the user opens it rather than blocking it.
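To make the mechanism behind the Attachment Manager settings concrete (the antivirus notification, zone preservation, the hidden Unblock button and the risk-level lists), here is an added PowerShell example. It is not code from the article: it reads the registry values the settings are stored under, inspects the Zone.Identifier stream on a constructed sample file, and then strips the stream the way the Unblock button does. The registry value names and numeric codes follow Microsoft's Attachment Manager documentation (KB 883260) and should be treated as an assumption to verify on your own build; the -Stream parameters need PowerShell 3.0 or later.

```powershell
# Added example (not code from the article): read the Attachment Manager
# policy values behind the settings above and show the zone information
# they control. Value names and codes follow Microsoft's Attachment Manager
# documentation (KB 883260); treat the numeric codes as an assumption to
# verify on your own build. Needs PowerShell 3.0 or later for -Stream.

$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'

# Documented numeric codes mapped to the Group Policy wording.
$ScanWithAv   = @{ 1 = 'Off'; 2 = 'Optional'; 3 = 'On (attachment blocked if the scan fails)' }
$SaveZoneInfo = @{ 1 = 'Enabled (zone information NOT preserved)'; 2 = 'Disabled (zone information preserved)' }
$DefaultRisk  = @{ 6150 = 'High'; 6151 = 'Moderate'; 6152 = 'Low' }
$ZoneNames    = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-AttachmentManagerPolicy {
    # Each value is absent when its policy is "Not configured", in which case
    # Windows falls back to its built-in defaults.
    $v = if (Test-Path $PolicyKey) { Get-ItemProperty -Path $PolicyKey } else { $null }
    [pscustomobject]@{
        NotifyAntivirusPrograms = if ($v.ScanWithAntiVirus)   { $ScanWithAv[[int]$v.ScanWithAntiVirus] }     else { 'Not configured' }
        DoNotPreserveZoneInfo   = if ($v.SaveZoneInformation) { $SaveZoneInfo[[int]$v.SaveZoneInformation] } else { 'Not configured (preserved)' }
        HideUnblockButton       = [bool]$v.HideZoneInfoOnProperties
        DefaultFileTypeRisk     = if ($v.DefaultFileTypeRisk) { $DefaultRisk[[int]$v.DefaultFileTypeRisk] } else { 'Not configured (Moderate)' }
        HighRiskFileTypes       = $v.HighRiskFileTypes
        ModerateRiskFileTypes   = $v.ModRiskFileTypes
        LowRiskFileTypes        = $v.LowRiskFileTypes
    }
}

function Get-ZoneIdentifier {
    param([Parameter(Mandatory)][string]$Path)
    # The zone is kept in the NTFS alternate data stream "Zone.Identifier".
    # On FAT volumes the stream cannot exist, so the file has no zone at all.
    try   { $lines = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction Stop }
    catch { return 'none (no Zone.Identifier stream)' }
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)') { return $ZoneNames[[int]$Matches[1]] }
    }
    'none (stream present but no ZoneId line)'
}

function Show-ZoneDemo {
    # Constructed sample: a text file tagged as if it had been saved from the Internet zone.
    $tmp = Join-Path $env:TEMP 'attachment-demo.txt'
    Set-Content -Path $tmp -Value 'constructed sample attachment'
    Set-Content -Path $tmp -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
    "Before unblock: $(Get-ZoneIdentifier -Path $tmp)"
    Unblock-File -Path $tmp      # deletes the stream, which is exactly what the Unblock button does
    "After unblock:  $(Get-ZoneIdentifier -Path $tmp)"
    Remove-Item -Path $tmp
}

Get-AttachmentManagerPolicy | Format-List
Show-ZoneDemo
```

Run it as the user whose policy you want to inspect, since these values live under HKCU. The demo also illustrates the caveat from the "hide mechanisms" setting: hiding the Unblock button stops the property-sheet route, but the zone is still just a data stream that any tool able to delete streams can remove.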
In the first part of this series I explained that Windows Vista and Windows Server 2008 provide hundreds more Group Policy settings than Windows Server 2003 and Windows XP. In this article I want to continue by discussing how Group Policy settings can be used to control user accounts and hardware devices.
The settings I will discuss are located under Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ Security Options. As you can see in Figure 1, there are far too many settings under Security Options to cover them all, so I will only discuss the most useful or interesting ones.
Accounts: Administrator account status
Historically, a major security weakness of the Windows operating system has been the built-in local Administrator account. Windows Vista and Server 2008 still have this account; on Vista it is disabled by default, while on Server 2008 it is enabled. The Accounts: Administrator account status setting lets you enable or disable the account through Group Policy. Disabling it is easy, but you need to understand the consequences first. If you disable the Administrator account while its password does not meet the minimum password length and complexity requirements, you cannot enable it again unless another administrator resets its password first.
If you find yourself locked out of a machine with no other Administrator account available to reset the password, not all is lost. Under a Safe Mode boot the disabled built-in Administrator account is enabled, provided the machine is not domain-joined and there is no other active local administrator account. In that case you can boot into Safe Mode, log on as the local Administrator, reset the password, and then re-enable the account.
Accounts: Limit local account use of blank passwords to console logon only
Generally, no organization should allow empty passwords at all. This setting limits what an account with a blank password can do: in its default (Enabled) state, local accounts without a password may only log on at the console, not over the network or via Remote Desktop. That reduces, but does not remove, the risk of a blank password.
Accounts: Rename administrator account
For more than a decade Microsoft has been telling us to rename the Administrator account for security reasons. The problem is that every workstation has its own Administrator account, each of which would have to be renamed by hand. Group Policy provides a setting, Accounts: Rename administrator account, that does this automatically: enter the new name for the Administrator account and the change is applied to every machine the policy covers. Keep in mind that the account's SID (the well-known RID 500) does not change, so renaming only defeats attackers who guess account names, not those who look the account up by SID.
Audit: Audit the use of Backup and Restore privilege
An interesting setting is Audit: Audit the use of Backup and Restore privilege. It is disabled by default; when you enable it, and the Audit privilege use audit policy is also in effect, every backup and restore operation is audited.
This setting has both advantages and disadvantages. On the positive side, it lets you verify that backups are actually being performed according to company policy,
and it lets you review any restore operations. The disadvantage is that an audit event is generated for every file that is backed up or restored, so your Security log may fill up with Backup and Restore entries. Writing a single log entry uses little disk and CPU, but writing thousands of them during a backup can noticeably affect performance and push other events out of the log.
Devices: Allowed to format and eject removable media
Many companies do not allow removable devices at all, such as external optical drives, because they let users carry unauthorized data out of the company or copy or delete sensitive data. Windows therefore includes a setting for removable media: Devices: Allowed to format and eject removable media. As its name suggests, it controls who may format or eject removable media. By default only Administrators may do so; the other options extend this to Power Users or to any interactively logged-on user. Note that it governs formatting and ejecting only, not reading from or writing to the media.
Devices: Prevent users from installing printer drivers
In Windows, users who want to print to a network printer usually do not need to locate or download a driver themselves. When a user connects to a shared printer through its UNC path, the print server checks whether the user's workstation has a suitable driver and, if not, sends a copy of the printer driver to the client machine.
In most cases this is desirable behavior, because it lets users print to whatever printer they need without calling technical staff. In a high-security environment, however, it may be considered a risk to let users print to printers that have not been assigned to them. One way to prevent users from printing to printers they are not authorized to use is to prevent them from installing the printer driver.
The setting Devices: Prevent users from installing printer drivers does exactly that. It is disabled by default on workstations (users may install drivers) and enabled by default on servers.
If you plan to implement this setting in your company, keep a few things in mind. First, it does not prevent users from adding local printers; it only prevents them from installing drivers for network printers. Second, it does not prevent users from printing to a network printer whose driver is already present on their machine. Finally, the setting does not apply to administrators.
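The Security Options covered in this part are all stored in the local security policy, which secedit can export as an INI-style file. The following added PowerShell example (not code from the article) exports that file, parses it, and compares the six settings discussed above against a baseline. The section names and registry paths are the ones secedit writes; the "Expected" values, including the administrator account name 'LocalAdm', are this example's own assumptions, not values the article prescribes. Run it from an elevated PowerShell session, since secedit /export needs administrative rights.

```powershell
# Added example (not code from the article): export the effective local
# security policy with secedit and check the Security Options discussed
# above. The .inf section names and registry paths are the ones secedit
# itself writes; the "Expected" values are this example's own baseline
# (including the assumed administrator name 'LocalAdm'), not values the
# article prescribes. Run from an elevated PowerShell session.

function Export-SecurityPolicy {
    # secedit produces an INI-style file: [Section] headers and key=value lines.
    # Keys are returned as "Section|Key" so the two namespaces cannot collide.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $cfg | Out-Null
    $policy  = @{}
    $section = ''
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $policy["$section|$($Matches[1])"] = $Matches[2] }
    }
    Remove-Item -Path $cfg -Force
    $policy
}

function Get-RegistryOption {
    # Registry-backed Security Options are exported as "path=type,value",
    # e.g. ...\Lsa\LimitBlankPasswordUse=4,1 (REG_DWORD 1) or
    # ...\Winlogon\AllocateDASD=1,"0" (REG_SZ "0").
    param($Policy, [string]$Path)
    $raw = $Policy["Registry Values|$Path"]
    if ($null -eq $raw) { return $null }
    (($raw -split ',', 2)[1]).Trim('"')
}

function Test-SecurityOptions {
    $p = Export-SecurityPolicy
    $adminName = $p['System Access|NewAdministratorName']
    if ($adminName) { $adminName = $adminName.Trim('"') }
    $lsa = 'MACHINE\System\CurrentControlSet\Control\Lsa'
    $checks = @(
        @{ Setting = 'Accounts: Administrator account status (disabled)'
           Actual  = $p['System Access|EnableAdminAccount']; Expected = '0' }
        @{ Setting = 'Accounts: Rename administrator account (assumed name)'
           Actual  = $adminName; Expected = 'LocalAdm' }
        @{ Setting = 'Accounts: Limit local account use of blank passwords to console logon only'
           Actual  = Get-RegistryOption $p "$lsa\LimitBlankPasswordUse"; Expected = '1' }
        @{ Setting = 'Audit: Audit the use of Backup and Restore privilege (off, to avoid log flooding)'
           Actual  = Get-RegistryOption $p "$lsa\FullPrivilegeAuditing"; Expected = '0' }
        @{ Setting = 'Devices: Allowed to format and eject removable media (Administrators only)'
           Actual  = Get-RegistryOption $p 'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD'; Expected = '0' }
        @{ Setting = 'Devices: Prevent users from installing printer drivers'
           Actual  = Get-RegistryOption $p 'MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers'; Expected = '1' }
    )
    foreach ($c in $checks) {
        [pscustomobject]@{
            Setting = $c.Setting
            Actual  = if ($null -eq $c.Actual) { '(not defined)' } else { $c.Actual }
            Status  = if ("$($c.Actual)" -eq $c.Expected) { 'OK' } else { 'DEVIATION' }
        }
    }
}

Test-SecurityOptions | Format-Table -AutoSize -Wrap
```

A setting reported as "(not defined)" has never been set in the local policy and is running on the Windows default, which for the printer-driver setting differs between workstations and servers, so check the default for the machine type before treating it as a finding.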
Security was Microsoft's primary concern when developing Windows Server 2008 and Vista, so it is not surprising that several of the new Group Policy settings concern security features. I will start with this article, which covers the new security-related Group Policy settings for User Account Control (UAC).
If you are not familiar with UAC: it is a security feature that protects Windows by reducing excessive user privileges. In Windows XP, users often had to be local administrators to get their work done.
During Vista's development Microsoft spent a long time working out which permissions standard users actually need, so that they no longer have to be granted local administrator rights. For example, a standard user on Vista can install a printer, enter a WEP key, configure a VPN connection, and install application updates without local administrator privileges.
UAC is not only about giving standard users the rights they need; it also protects local administrators from themselves. Even when a local administrator logs on, Windows treats them as a standard user. When they try to perform an operation that requires administrator privileges, Windows prompts them to confirm that the privilege should be elevated temporarily for that operation.
Administrators can therefore work as standard users. If a standard user wants to run an operation that requires administrator permissions, they no longer need the RunAs command: Vista automatically prompts for administrator credentials to execute the operation.
That is the background of UAC. Now let's look at the UAC Group Policy settings. Like most of the Group Policy settings I discuss in this series, they are only honored by Vista and Server 2008; older clients ignore them. You can set them in the local Group Policy of each machine, or in a domain GPO edited from a Vista or Server 2008 machine.
The UAC settings are located under Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options:
The first is User Account Control: Run all administrators in Admin Approval Mode. It is enabled by default, which means administrators run as standard users and any operation that requires administrator privileges triggers a prompt. If this setting is disabled, Vista behaves like XP: administrators can do everything without a prompt, and UAC is effectively off. A related setting, User Account Control: Admin Approval Mode for the Built-in Administrator account, controls whether the built-in Administrator account is also subject to Admin Approval Mode; it is disabled by default.
The next setting is User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode. As you know, administrative operations on Vista cannot be performed without going through elevation, and this option controls how the administrator is prompted: prompt for consent (the default), prompt for credentials, or elevate without prompting. I recommend that you do not choose 'Elevate without prompting', since that removes the protection Admin Approval Mode provides.
Just as Vista can restrict what an administrator may do silently, it can restrict standard users. User Account Control: Behavior of the elevation prompt for standard users controls what happens when a standard user runs an operation that requires elevation: either prompt for credentials (the default) or automatically deny the elevation request.
Although Vista requires elevation for administrative operations, some of them are performed by programs that never ask for elevation themselves. An example is installing software. The setting User Account Control: Detect application installations and prompt for elevation makes Windows detect installer programs heuristically and prompt for elevation.
Prompting for every software installation may seem heavy-handed, but in some environments it is appropriate to turn it off. In a managed environment, software is distributed through Group Policy, SMS, and the like; there you do not need the desktop to prompt for elevation, so you can disable this setting.
In the previous article I talked about how the UAC Group Policy settings work. Although Vista and Server 2008 provide hundreds of new Group Policy settings compared with XP and Server 2003, the UAC settings are among the most important, because UAC helps users resist malware. Next we will look at the remaining UAC settings in Group Policy.
UAC: only executable files that are signed and verified are upgraded.
If you think about it, the whole reason for UAC is to prevent unauthorized code from running with elevated rights on your workstations. But how do you determine whether code is authorized?
Generally, deciding whether code can be trusted comes down to whether it carries a digital signature. Much software is digitally signed, which proves that the code was released by its publisher and has not been modified by anyone else since it was signed, because any change would invalidate the signature.
Being signed does not by itself mean the code is trustworthy; whether to trust the signer is a separate decision. When you decide to trust a publisher's certificate, that publisher is added to the Windows Trusted Publishers certificate store.
That is what User Account Control: Only elevate executables that are signed and validated is for. When you enable it, Windows enforces PKI signature checks on any application that requests elevation: if the application's signature chains to a certificate in the Trusted Publishers store, elevation is allowed; otherwise the request is refused. Be aware that this also refuses elevation for every unsigned or self-signed administrative tool, so test it before you deploy it.
Note that, according to Microsoft's documentation, this setting applies only to interactive applications and does not affect services or scripts.
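All of the UAC settings from this and the previous part are written by Group Policy to registry values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. The following added PowerShell example (not code from the article) reads those values, decodes them into the Group Policy wording, and flags deviations from a baseline. The value names and encodings are the ones Microsoft documents for that key; the "Expected" column is this example's own hardened baseline, not the Windows default and not something the article prescribes.

```powershell
# Added example (not code from the article): audit the registry values behind
# the UAC Group Policy settings discussed in this and the previous part.
# Value names and encodings are those Microsoft documents for the key below;
# the "Expected" column is this example's own baseline, not the Windows
# default and not a value the article prescribes.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented encodings of the prompt-behavior values.
$AdminPrompt = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}
$UserPrompt = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}
$OnOff = @{ 0 = 'Disabled'; 1 = 'Enabled' }

function Get-UacSettings {
    $v = Get-ItemProperty -Path $UacKey
    @(
        @{ Policy = 'Run all administrators in Admin Approval Mode'
           Value = 'EnableLUA'; Actual = $v.EnableLUA; Expected = 1; Meaning = $OnOff }
        @{ Policy = 'Admin Approval Mode for the Built-in Administrator account'
           Value = 'FilterAdministratorToken'; Actual = $v.FilterAdministratorToken; Expected = 1; Meaning = $OnOff }
        @{ Policy = 'Behavior of the elevation prompt for administrators in Admin Approval Mode'
           Value = 'ConsentPromptBehaviorAdmin'; Actual = $v.ConsentPromptBehaviorAdmin; Expected = 2; Meaning = $AdminPrompt }
        @{ Policy = 'Behavior of the elevation prompt for standard users'
           Value = 'ConsentPromptBehaviorUser'; Actual = $v.ConsentPromptBehaviorUser; Expected = 0; Meaning = $UserPrompt }
        @{ Policy = 'Detect application installations and prompt for elevation'
           Value = 'EnableInstallerDetection'; Actual = $v.EnableInstallerDetection; Expected = 1; Meaning = $OnOff }
        @{ Policy = 'Only elevate executables that are signed and validated'
           Value = 'ValidateAdminCodeSignatures'; Actual = $v.ValidateAdminCodeSignatures; Expected = 1; Meaning = $OnOff }
    ) | ForEach-Object {
        $actual = if ($null -eq $_.Actual) { $null } else { [int]$_.Actual }
        [pscustomobject]@{
            Policy   = $_.Policy
            Value    = $_.Value
            Actual   = if ($null -eq $actual) { '(not set)' } else { "$actual = $($_.Meaning[$actual])" }
            Expected = "$($_.Expected) = $($_.Meaning[[int]$_.Expected])"
            Status   = if ($actual -eq $_.Expected) { 'OK' } else { 'DEVIATION' }
        }
    }
}

Get-UacSettings | Format-Table -AutoSize -Wrap
```

Two of the baseline values deserve thought before you copy them: ConsentPromptBehaviorUser = 0 turns every standard-user elevation into a hard denial, which is appropriate only where software is deployed centrally, and ValidateAdminCodeSignatures = 1 is the signed-and-validated setting discussed above, which will refuse elevation for unsigned tools, so keep it at the default until your administrative toolset is signed.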