New information has been added to this article since publication. Refer to the Editor's Update below.
Secure Your Desktops With The New Group Policy Settings In SP2
At a Glance:
- Windows XP SP2 firewall
- Securing access to the Internet
- Internet Explorer policy settings
- Setting file-level risk settings
Group Policy Administration
The Group Policy mechanism built into Windows has always been the most effective and efficient way to immediately gain more control over your user, client, and server population. Once you deploy Windows XP Service Pack 2 (SP2), your control will get better. Let's examine some of the goodies that you'll be able to explore once the latest service pack is installed on your Windows® XP clients.
There are over six hundred new policy settings available for machines loaded with Windows XP SP2. Space prevents me from examining each one individually, but I will describe some of the categories of new features as well as some of the most useful policy settings so that you can get to work and put them to use right away.
[Editor's Update - 5/16/2005: The Group Policy snap-in for the Microsoft Management Console allows you to edit Group Policy Objects. To access this snap-in in Windows XP, go to Start | Run, and enter gpedit.msc. You can also find gpedit.msc in the %windir%\system32 directory.]
Controlling the Windows XP SP2 Firewall
Perhaps the biggest news for Windows XP SP2 is the built-in Windows Firewall. For the record, there was always a firewall built into Windows XP, but with Windows XP SP2, the firewall is turned on by default and is much more controllable via Group Policy. Before the release of Windows XP SP2, the firewall was turned off by default. The policies used to control the Windows Firewall can be found in two locations: Administrative Templates | Network | Network Connections | Windows Firewall | Domain Profile, and Administrative Templates | Network | Network Connections | Windows Firewall | Standard Profile. Inside each node, you'll find a number of new additions that will allow you to achieve fine-grained control. Take a look at Figure 1 to see all the new controls located within the Domain Profile node.
Figure 1 Windows XP SP2 Firewall Settings
But what is the difference between the Domain Profile node and the Standard Profile node? The Domain Profile settings take effect when users are inside your home network, that is, when they're actively logged in by a Domain Controller. The Standard Profile is useful for when users are out of the office, perhaps in a hotel or on another public network where they cannot reach your company's Domain Controllers for authentication. In these situations, you might choose to handle firewall settings differently. For instance, your corporate policy might dictate that certain ports need to be opened on each desktop for a specific application or for administrative management, but that users should have an even tighter level of security when they are on the road.
Once a Windows XP SP2 computer receives the policy settings for both the Domain Profile and Standard Profile, that computer is ready to travel both in and out of the office. You can be sure that machine is employing your company's firewall security policy both in the office and on the road.
If you're interested in getting some more information about how a computer determines if it is supposed to use "Domain Profile" or "Standard Profile" policy settings, be sure to read "Determination Behavior for Network-Related Group Policy Settings" on the Microsoft® TechNet Web site.
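A policy that is defined in the GPO is only useful once it has actually reached the client, so the following audit script, added here as an example and not part of the original article, reads back the Domain Profile and Standard Profile firewall values on a Windows XP SP2 machine. It assumes PowerShell is available on the client and that the policy-delivered values sit under the WindowsFirewall policy key while the locally configured ones sit under SharedAccess; the registry paths and value names are assumptions based on the SP2 firewall ADM template.

```powershell
# Added example (not from the article): confirm the Windows XP SP2 firewall policy has
# reached this client. Group Policy writes Domain/Standard Profile settings under the
# Policies hive; the local (non-policy) configuration lives under SharedAccess.
# Paths and value names are assumptions based on the SP2 firewall ADM template.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$localRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null when the key or value is absent, so "not configured" differs from 0
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-FlagText {
    param($Value, [string]$OnText, [string]$OffText)
    if ($null -eq $Value) { return 'Not configured' }
    if ($Value -eq 1)     { return $OnText }
    if ($Value -eq 0)     { return $OffText }
    return "Unexpected value $Value"
}

foreach ($profile in 'DomainProfile', 'StandardProfile') {
    $policyKey = Join-Path $policyRoot $profile
    $localKey  = Join-Path $localRoot  $profile

    $policyEnabled  = Get-RegValue $policyKey 'EnableFirewall'
    $policyNoExcept = Get-RegValue $policyKey 'DoNotAllowExceptions'
    $localEnabled   = Get-RegValue $localKey  'EnableFirewall'

    Write-Host "== $profile =="
    Write-Host ("  Policy EnableFirewall       : " + (Get-FlagText $policyEnabled 'On (enforced by GPO)' 'Off (enforced by GPO)'))
    Write-Host ("  Policy DoNotAllowExceptions : " + (Get-FlagText $policyNoExcept 'Exceptions blocked' 'Exceptions allowed'))
    Write-Host ("  Local  EnableFirewall       : " + (Get-FlagText $localEnabled 'On' 'Off'))

    # The Standard Profile is what protects the laptop on hotel and public networks,
    # so a disabled Standard Profile deserves a loud warning.
    if ($profile -eq 'StandardProfile' -and $policyEnabled -eq 0) {
        Write-Warning 'Standard Profile firewall is disabled by policy; roaming machines will be unprotected.'
    }
}
```

Run it once on a machine joined to the domain and once after disconnecting from the corporate network; the Policy lines should read the same both times, since both profiles are delivered together, while only the active profile changes.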
Securing Computer Access to the Internet
There are two areas containing Group Policy settings for securing Internet access that will be of particular interest when you want even tighter control over outbound Internet communications. For instance, administrators in academic environments might want to restrict a specific set of computers from connecting to the Internet. Or, a corporate administrator might want to increase protection when it comes to users downloading (and potentially executing) specific file types.
To locate these areas, first go to Administrative Templates | System | Internet Communication Management where you'll locate the Restrict Internet Communication policy setting. This setting can be used to disable Internet communications for specified machines. Additionally, if you go to Administrative Templates | System | Internet Communication Management and select Internet Communication settings, as seen in Figure 2, you'll find some additional lockdown options when Internet communication is involved. Most of the policy settings in this section are self-explanatory, but they are valuable additions for protecting both corporate and academic networks from adding unnecessary software or potentially misusing the computing resources.
Figure 2 Internet Communication Settings
Next, go to User Configuration | Administrative Templates | Windows Components | Attachment Manager. You'll find multiple settings on how to process various file types when users attempt to open those files, as shown in Figure 3. As the name of the node suggests, the process that's being managed under the hood is called the "Attachment Manager." The Attachment Manager has some preassigned degrees of risk associated with file types. For instance, .bat, .vbs, and .reg would all be considered "High Risk." Files considered "Low Risk" are those with the .log and .txt extensions. To specify how Windows XP SP2 should handle file types of varying risk, you can use the policy setting named Default Risk Level for file attachments. You can also modify which file types should be considered high, moderate, and low risk using policy settings contained within the same node. If your anti-virus tool can register itself with Windows XP SP2, you can likely use the new "Notify antivirus programs when opening attachments" policy setting, which can tell the antivirus program to take additional action.
Figure 3 Attachment Manager
To find out more information on the Windows XP SP2 Attachment Manager, read Knowledge Base article 883260, "Description of how the Attachment Manager works in Windows XP Service Pack 2."
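The Attachment Manager settings just described are ordinary registry-based policy values, so their effect on a given user can be read back directly. The script below is an added example, not the article's own code; it assumes PowerShell is available and that the values live under the Associations and Attachments policy keys as documented in Knowledge Base article 883260 (6150/6151/6152 for High/Moderate/Low risk, and 3/1 for the antivirus notification being on/off).

```powershell
# Added example (not from the article): show the effective Attachment Manager policy for
# the current user. Key paths and value-to-meaning mappings follow KB 883260 and are
# assumptions as far as this script is concerned.
$assocKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'
$attachKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'

$riskNames = @{ 6150 = 'High'; 6151 = 'Moderate'; 6152 = 'Low' }

$assoc = Get-ItemProperty -Path $assocKey -ErrorAction SilentlyContinue
if ($null -eq $assoc) {
    Write-Host 'Risk-level policy not configured for this user (no Associations policy key).'
} else {
    # "Default risk level for file attachments": applies to extensions in none of the lists
    $default = $assoc.DefaultFileTypeRisk
    if ($null -eq $default) { $defaultText = 'Not configured (built-in default applies)' }
    elseif ($riskNames.ContainsKey([int]$default)) { $defaultText = $riskNames[[int]$default] }
    else { $defaultText = "Unexpected value $default" }
    Write-Host "Default risk level        : $defaultText"

    # Administrator-supplied inclusion lists (semicolon-separated extensions, e.g. ".bat;.vbs")
    foreach ($name in 'HighRiskFileTypes', 'ModRiskFileTypes', 'LowRiskFileTypes') {
        $list = $assoc.$name
        if ($null -eq $list) { $list = '(not configured)' }
        Write-Host ("{0,-26}: {1}" -f $name, $list)
    }
}

# "Notify antivirus programs when opening attachments": ScanWithAntiVirus 3 = on, 1 = off
$attach = Get-ItemProperty -Path $attachKey -ErrorAction SilentlyContinue
$scan = if ($null -ne $attach) { $attach.ScanWithAntiVirus } else { $null }
if ($null -eq $scan)  { $scanText = 'Not configured' }
elseif ($scan -eq 3)  { $scanText = 'Enabled' }
elseif ($scan -eq 1)  { $scanText = 'Disabled' }
else                  { $scanText = "Unexpected value $scan" }
Write-Host "Notify antivirus programs : $scanText"
```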
Securing Browser Settings
It's no secret that Microsoft Internet Explorer in Windows XP SP2 has enhanced functionality to protect the home, corporate, and academic user. For instance, Internet Explorer now comes with a pop-up blocker, better control for handling ActiveX® add-ins, and other safety features.
Figure 4 Additional Internet Explorer Policy Settings
Internet Explorer users now have a whopping 619 possible policy settings at their disposal. You'll find most of these settings at Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel | Security Page. Figure 4 shows settings for the Internet Zone. You can also change settings for other zones: Intranet, Trusted Sites, Restricted Sites, Local Machine, and Locked-Down Local Machine. You can easily configure what the behavior should be for the new Internet Explorer features when you're within each zone. For instance, you might want to allow ActiveX downloads while in your intranet zone, but block the download of ActiveX controls when you're visiting a restricted site.
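Because the Security Page settings are stored per zone, a quick way to verify the intranet-versus-restricted-site example above is to dump the ActiveX download actions for each zone from the policy keys. This script is an added example rather than code from the article; it assumes PowerShell is available, that User Configuration zone policy lands under HKCU and Computer Configuration under HKLM in the Internet Settings\Zones policy key, and that the action IDs (1001, 1004, 1200), zone numbers and 0/1/3 state values are Internet Explorer's standard ones.

```powershell
# Added example (not from the article): list how ActiveX download/run actions are set per
# security zone in both the computer and user policy hives. Action IDs, zone numbers and
# state values are Internet Explorer's standard ones (assumed here, not taken from the article).
$zones   = @{ 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$actions = @{ '1001' = 'Download signed ActiveX controls'
              '1004' = 'Download unsigned ActiveX controls'
              '1200' = 'Run ActiveX controls and plug-ins' }
$stateText = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZonePolicyValue {
    param([string]$Hive, [int]$Zone, [string]$Action)
    $key  = "$($Hive):\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    $item = Get-ItemProperty -Path $key -Name $Action -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Action
}

function Format-State {
    param($Value)
    if ($null -eq $Value) { return 'not set' }
    if ($stateText.ContainsKey([int]$Value)) { return $stateText[[int]$Value] }
    return "unexpected ($Value)"
}

foreach ($zone in ($zones.Keys | Sort-Object)) {
    Write-Host "== Zone $zone ($($zones[$zone])) =="
    foreach ($action in ($actions.Keys | Sort-Object)) {
        $machine = Get-ZonePolicyValue -Hive 'HKLM' -Zone $zone -Action $action
        $user    = Get-ZonePolicyValue -Hive 'HKCU' -Zone $zone -Action $action
        Write-Host ("  {0,-36}: computer={1,-10} user={2}" -f $actions[$action],
                    (Format-State $machine), (Format-State $user))
    }
}

# Sanity check for the scenario in the text: unsigned ActiveX downloads should never be
# enabled (0) in the Restricted Sites zone, whichever hive delivered the setting.
foreach ($hive in 'HKLM', 'HKCU') {
    if ((Get-ZonePolicyValue -Hive $hive -Zone 4 -Action '1004') -eq 0) {
        Write-Warning "Unsigned ActiveX downloads are enabled in Restricted Sites via $hive policy; review this zone."
    }
}
```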
Locating the New Policy Settings
You can locate the new policy settings using the built-in filtering available while editing any GPO. Simply open the Group Policy Object editor, and go to User Configuration | Administrative Templates or Computer Configuration | Administrative Templates and select Filtering on the View menu. Once the Filtering dialog appears, as shown in Figure 5, select Filter by Requirements Information. Next, select which requirements you are interested in, such as "At least Microsoft Windows XP Professional with SP2." Once performed, you can easily see which policy settings are new for this operating system.
Figure 5 Filtering Policy Settings
Because the text within the Group Policy Object editor is not searchable, I would suggest you download the Excel spreadsheet entitled "Group Policy Settings Reference for .adm Files Included with Windows XP Professional Service Pack 2."
Figure 6 The Group Policy Settings Reference Spreadsheet
As you can see in Figure 6, this spreadsheet contains all policy settings and is easily configured to display only the new ones. Indeed, this spreadsheet contains worksheets which show just the new settings for regular, registry-based policy settings known as administrative (ADM) templates, as well as security settings (non-registry settings). All policy settings are searchable as well, making this a handy resource if you're looking for a specific policy setting but can't locate it in the Group Policy Object editor.
There are tons of new policy settings to help you control Windows XP SP2, so get out there and make your world even more secure! As with anything new, though, be sure to perform thorough tests on a test lab or small segment of users before rolling out into full production.
Jeremy Moskowitz (www.moskowitz-inc.com) is an MCSE and a Microsoft MVP in Group Policy. Jeremy is the author of Group Policy, Profiles and IntelliMirror (Sybex, 2004). He runs www.GPanswers.com, a site for Group Policy information.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited