If you would like to read the other articles in this series please go to:
- Group Policy Extensions in Windows Vista and Windows Server 2008, Part 2
- Group Policy Extensions in Windows Vista and Windows Server 2008, Part 3
- Group Policy Extensions in Windows Vista and Windows Server 2008, Part 4
- Group Policy Extensions in Windows Vista and Windows Server 2008, Part 5
- Group Policy Extensions in Windows Vista and Windows Server 2008, Part 6
- Group Policy Extensions in Windows Vista and Windows Server 2008, Part 7
Ever since the creation of Windows 2000 Server, the primary mechanism for managing security on a Windows network has been group policies. For several years though, I have felt that group policies needed to be extended because there are many aspects of the Windows operating system that simply cannot be controlled by group policies. Fortunately, the developers at Microsoft have acknowledged these group policy related shortcomings, and have completely overhauled group policies in Windows Vista and Windows Server 2008. In this article series, I will discuss some of the new group policy capabilities.
If you have ever worked with group policies in the past, you know that there are a lot of group policy settings built into Windows. It is difficult to give you an exact count of how many group policy settings actually exist because new group policy settings are often introduced with service packs and even with some application related downloads. I can tell you though that Windows Server 2003 Service Pack 1 offers approximately 1700 group policy settings. This number has been increased to around 2400 in Windows Vista and Windows Server 2008. That being the case, I simply do not have the space to talk about every single group policy setting that is available to you. Instead, I will try to talk about the more important group policy settings.
Protection Against Viruses
One of the most prolific threats to security in recent years has been e-mail viruses. Most antivirus products are designed to integrate themselves into Microsoft Outlook, the idea being that the software can scan e-mail attachments as they are opened. Even so, the Windows operating system has always lacked a centralized mechanism for making sure that antivirus software is installed and working properly. Fortunately, Windows Vista and Windows Server 2008 now contain group policy settings that allow you to enforce your organization’s antivirus policies at group policy level.
Although the group policy settings that I am about to show you are specific to Windows Vista and Windows Server 2008, they can be used to regulate computers running Windows XP Service Pack 2 as well. You can find the antivirus related group policy related settings in the group policy tree at: User Configuration\Administrative Templates\Windows Components\Attachment Manager.
Notify Antivirus Programs When Opening Attachments
This group policy setting is used to notify your antivirus software when an e-mail attachment is opened, so that the e-mail attachments can be scanned for viruses. Although this group policy setting sounds simple enough, there are two caveats that you need to be aware of prior to enabling it. First, if your antivirus software is designed to automatically scan e-mail attachments anyway, then enabling this group policy setting is redundant.
The other caveat that you need to be aware of is that if this group policy setting is enabled, and your antivirus software for some reason fails to scan an attachment, then Windows will block the attachment from being opened.
Do Not Preserve Zone Information in File Attachments
One of the main security concepts in Internet Explorer is that of zones. Internet Explorer allows administrators to classify Web domains into various zones based on how much the administrator trusts the websites. In Windows Vista and Windows Server 2008, this concept of zones can be carried over to e-mail. When an e-mail message contains an attachment, Windows can look at the sender’s domain and compare it to Internet Explorer’s zone list. It can then use this zone information to help determine how trustworthy the attachment is.
This particular group policy setting is a little misleading though. If you enable the policy setting, then zone information will be completely ignored. If you want to make sure that Windows uses zone information in conjunction with e-mail attachments, you must disable this policy setting.
One important aspect of zone related security that you need to be aware of is that the sender’s zone is stored as a file attribute. This means that the NTFS file system is a must. If a system is formatted using FAT or FAT-32, zone information will not be retained, and Windows will not report the failure.
Hide Mechanisms to Remove Zone Information
Under normal circumstances it is fairly easy for a user to remove zone related attributes from files. To do so they must simply click the Unblock button found on the file’s properties sheet. If you want to prevent users from stripping zone information from files, just enable this policy setting. Doing so will hide any mechanism that a user could potentially use to remove zone information from a file.
Default Risk Level for File Attachments
This group policy setting allows you to automatically assign either a high, medium, or low risk level to e-mail attachments. I will talk a lot more about risk levels in the sections below.
Inclusion List for High Risk File Types
Obviously, some file types are much more likely to carry malicious code than others. For example, a .EXE file or a .PIF file is much more likely to be malicious than a .PDF file. Because of this, Windows allows you to flag various file types as being high, medium, or low risk.
Windows provides separate group policy settings for the lists of low, medium, and high risk file types. The reason why Microsoft chose to do things this way is because it allows tighter security settings to take precedence over lower level security settings in the event of a conflict. Suppose for example that a particular file type is listed both as high risk and as medium risk. In such a situation, the high risk policy would take precedence over the medium risk policy, and the file type would be treated as high risk regardless of what the other policy settings might dictate.
So what does it really mean to classify a file type as being high risk? When a user attempts to open a file, Windows looks not just at the file type, but also at the zone from which the file originated. If the file originated from the restricted zone and is classified as high risk, then Windows prevents the user from opening the file. If the file originated from the Internet zone, Windows will display a warning message to the user prior to opening the file.
Inclusion List for Low File Types
Note:
This is not a typo, Windows omits the word RISK in this policy setting name
Defining a file type as being low risk works very similarly to defining a file type as being high risk, but with a couple of differences. The first difference is that Windows already treats certain file types as high risk by default. If you set one of these file types as being low risk, then your setting will take precedence over Window’s built in settings, and the file will be treated as low risk. Of course if you have manually added a file type to the high risk list and then add it to the low risk list, the file will be treated as high risk because the high risk list takes precedence over the low risk list. In case you are wondering, users are allowed to open low risk files regardless of zone.
Inclusion List for Moderate Risk File Types
Defining a file type as being of a medium risk works exactly the same as defining a file as being low risk, but with one exception. If the file originated from the Restricted or the Internet zone, then Windows will display a warning prior to allowing the user to open the file.
Conclusion
In this article I have explained that Windows Vista and Windows Server 2008 contain many more group policy settings than Windows Server 2003 or Windows XP. I then went on to discuss some of the more useful antivirus related group policy settings. In Part 2 I will continue the discussion by talking about some more about new group policy settings.
If you would like to read the other articles in this series please go to:
- Group Policy Extensions in Windows Vista and Windows Server 2008, Part 2
- Group Policy Extensions in Windows Vista and Windows Server 2008, Part 3
- Group Policy Extensions in Windows Vista and Windows Server 2008, Part 4
- Group Policy Extensions in Windows Vista and Windows Server 2008, Part 5
- Group Policy Extensions in Windows Vista and Windows Server 2008, Part 6
- Group Policy Extensions in Windows Vista and Windows Server 2008, Part 7
