Configuring Local Security and Policy Settings


One of the most powerful ways to control the configuration of a Windows Vista system is via the configuration of what are known as policy settings. In general terms, the Windows Vista policy settings enable you to delve beyond the standard configuration options in areas like Control Panel for the purpose of implementing more advanced or restrictive settings. Some of these configurable settings enable you to control the ways in which Windows Vista communicates, whereas others impose limitations on the actions that all users can perform. Ultimately, the Windows Vista policy settings offer more power to administrators looking for greater flexibility and control over who uses their system, and how.

The capability to configure policy settings through a graphical interface is available on Windows Vista Business, Enterprise, and Ultimate systems only, accomplished by using the Local Security Policy and Local Computer Policy MMC snap-ins. In the following sections you learn more about configuring both Local Security Policy and Local Computer Policy settings.

Local Security Policy

Windows Vista enables you to configure a variety of security-related settings via the Local Security Policy MMC. This tool is designed to give you more control over advanced options and settings that aren't typically accessible through the Windows Vista standard graphical tools. Although the majority of users generally don't need to delve into these settings in order to ensure a secure system, they do offer Windows Vista administrators who want a higher level of control over their system a way to exercise it. The Local Security Policy MMC interface is shown in Figure 4-7.

Figure 4-7: The Local Security Policy MMC.

The broad categories of settings that you can configure using the Local Security Policy tool include:

  • Account Policies. As you learned in Chapter 3, Account Policies enable you to control and configure settings related to user password requirements and account lockout settings. Settings in the Account Policies section are among the more commonly configured on a Windows Vista system.

  • Local Policies. Configurable Local Policies on a Windows Vista system include settings related to auditing, user rights assignments, and security options. Auditing settings give administrators greater control over the types of events that are recorded in the Windows Vista Security log. User rights assignments allow an administrator to assign advanced capabilities to users and groups, such as the right to back up files and folders. Security options enable you to control things like the status of the Guest account, how users can interact with removable media, and the ways in which a Windows Vista system allows network communications to occur.

  • Windows Firewall with Advanced Security. This section of the Local Security Policy MMC provides access to advanced Windows Firewall settings, including configurable logging options and inbound/outbound traffic restrictions.

  • Public Key Policies. The Public Key Policies section of the Local Security Policy MMC enables you to configure settings related to the Windows Vista Professional native file encryption feature, the Encrypting File System (EFS). You'll learn more about configuring EFS-related settings in Chapter 14.

  • Software Restriction Policies. The Software Restriction Policies section of the Local Security Policy MMC is designed to enable administrators to define more (or less) restrictive settings that relate to who can use installed software programs on the Windows Vista system, and to what extent.

  • IPSec Policies. IPSec is an encrypted communication protocol that protects communications on a TCP/IP network. The IPSec Policies section enables an administrator to define secure communications rules and parameters that should be used when Windows Vista tries to exchange data with other IPSec-aware operating systems.

Follow these steps to review local security policy settings:

  1. Click Start → Control Panel → Administrative Tools → Local Security Policy.

  2. When the User Account Control dialog box appears, click Continue.

  3. In the Local Security Policy MMC window, expand the local policy categories to view their contents.

  4. To view the configurable options for a policy setting, double-click a policy setting to open its Properties window, as shown in Figure 4-8.

Caution 

Many of the configurable settings available in the Local Security Policy MMC are advanced and should never be altered unless you're absolutely clear about what the setting does, and the repercussions of making changes to it. As a general rule, very few of the Windows Vista policy settings need to be changed as part of ensuring a secure home or small office computer.

Figure 4-8: Reviewing the Properties of a Local Security Policy setting.
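
The same review can be scripted instead of clicked through. The following is an added example, not code from the book: it exports the local security policy with secedit.exe and compares a few Account Policies and Security Options values against a baseline. The baseline thresholds and the temporary file name are illustrative assumptions; the script only reads settings and must run from an elevated prompt.

```powershell
# Added example: read-only review of Account Policies and the Guest account status.
# The baseline thresholds below are illustrative assumptions, not values from the book.

$cfg = Join-Path $env:TEMP 'secpol-export.inf'   # hypothetical temporary file name

# secedit.exe writes the effective local security policy to an INF-style text file.
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

# Parse "Name = Value" pairs and group them by [Section].
$policy  = @{}
$section = $null
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]$') {
        $section = $matches[1]
        $policy[$section] = @{}
    } elseif ($section -and $line -match '^\s*([^=]+?)\s*=\s*(.*)$') {
        $policy[$section][$matches[1]] = $matches[2].Trim()
    }
}

# Assumed baseline: setting name -> test that the exported value must pass.
$baseline = @{
    MinimumPasswordLength = { param($v) [int]$v -ge 8 }
    PasswordComplexity    = { param($v) [int]$v -eq 1 }
    LockoutBadCount       = { param($v) [int]$v -ge 1 -and [int]$v -le 10 }
    EnableGuestAccount    = { param($v) [int]$v -eq 0 }
}

# Password, lockout and Guest account settings are exported under [System Access].
$access = $policy['System Access']
if ($null -eq $access) { throw 'No [System Access] section found in the export.' }

foreach ($name in ($baseline.Keys | Sort-Object)) {
    $value = $access[$name]
    if ($null -eq $value)               { $result = 'MISSING' }
    elseif (& $baseline[$name] $value)  { $result = 'OK' }
    else                                { $result = 'REVIEW' }
    '{0,-24} {1,-6} {2}' -f $name, $value, $result
}

# The export describes the machine's security configuration; do not leave it behind.
Remove-Item $cfg
```

A LockoutBadCount of 0 means accounts are never locked out, which is why the assumed baseline treats it as a value to review.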

Local Computer Policy

If you've ever used a Windows computer in a larger corporate environment, then you may already be familiar with the idea behind computer policies. From a user's perspective, computer policies are usually a set of restrictions that stop them from changing the configuration of their PC. For example, in some companies, users cannot change their wallpaper picture or settings, whereas in others they cannot save files or folders to their desktop. In effect, bigger companies use computer policy restrictions to maintain a consistent Windows desktop environment. Although sometimes frustrating for users, implementing computer policy settings typically leads to a more stable desktop environment, which in turn leads to lower user training and support costs.

As you might imagine, implementing computer policy settings on a network with a thousand (or many more) Windows Vista systems running would be a daunting task if you had to configure each PC individually. For this reason, networks that you configure into what is known as a Windows domain can use capabilities included with Windows 2000 Server or Windows Server 2003 to centrally configure policy settings once, and then have them apply to all client systems in the domain, including systems running Windows Vista. When you configure in this way, you deploy computer policy settings using what is known as Group Policy.

In effect, the settings that you can configure via the Local Computer Policy MMC on a Windows Vista system are the same ones that you can deploy via Group Policy on a larger Windows network. The only real difference is that deploying settings to Windows Vista clients via Group Policy requires a network running at least one Windows Server 2003 (or Windows 2000 Server) computer running the Microsoft Active Directory service. For cases where a network doesn't include such a server, the Local Computer Policy tool allows you to configure these same policy settings on a Windows Vista Business, Enterprise, or Ultimate edition system, albeit one computer at a time.

Although there's no denying that Local Computer Policy is a powerful Windows Vista feature, you should always be selective about the settings you choose to enable, especially on a home computer. Implement settings that are too restrictive, and users may not be able to perform the basic actions that they need or want to, which often leads to frustration or even a sense that your Windows Vista system doesn't function correctly. If you do opt to enable any Local Computer Policy settings, try to do so in a way that attempts to strike a balance between usability and reasonable restrictions - your goal should always be to ensure a consistent and well-functioning Windows Vista system, not one that is so restrictive that it is almost unusable.

Examples of common User and Computer settings that you can configure using the Local Computer Policy MMC snap-in include user desktop settings (hiding or displaying certain elements); Control Panel settings (allowing access to Control Panel or blocking it completely); System settings (allowing users to make certain types of configuration changes); Windows Component settings; and more. If you can think of a useful computer- or user-related configuration setting, chances are that there's a Local Computer Policy setting that can make it happen.

There are literally hundreds of different Local Computer Policy settings that you can configure to control how users interact with a Windows Vista system - far too many to cover here. The best way to gather more information about Local Computer Policy settings is to browse through the Local Computer Policy MMC interface and review configurable options. If you want to know more about what a particular setting does, right-click it and click Properties. The Explain tab in the properties of an object provides a detailed overview of the setting and the impact that implementing it has on users of your Windows Vista system, as shown in Figure 4-9.

Figure 4-9: Reviewing the Explain tab in the Properties of a Local Computer Policy setting.

Almost all of the Windows Vista configurable Local Computer Policy settings support three different configuration options. These include:

  • Not Configured. This is the default option for most Local Computer Policy settings - when set to this value the policy setting is ignored.

  • Enabled. When set to Enabled, the function outlined in a Local Computer Policy setting is enforced. If you're ever in doubt about what enabling a given setting actually does, always consult the Explain tab for details.

  • Disabled. Results vary when a Local Computer Policy setting is configured to the Disabled setting. Always consult the Explain tab in the properties of a Local Computer Policy setting prior to disabling it - it's always important to determine exactly what the repercussions of making this change are.

In addition to the three basic settings outlined in the previous list, many Local Computer Policy settings allow you to configure additional advanced options, which vary from setting to setting.

Follow these steps to review and configure group policy settings on a Windows Vista Business, Enterprise, or Ultimate system:

  1. Click Start. In the Search text box, type mmc and press Enter. When the User Account Control dialog box appears, click Continue. An empty MMC window opens.

  2. Click File → Add/Remove Snap-in.

  3. At the Add Or Remove Snap-ins window, select Group Policy Object Editor (as shown in Figure 4-10) and click Add.

    Figure 4-10: Adding the Group Policy snap-in to manage Local Computer Policy settings.

  4. When the Select Group Policy Object window appears, click Finish. Click OK to close the Add Or Remove Snap-ins window.

  5. Expand Local Computer Policy → User Configuration → Administrative Templates → Desktop. Click the Standard tab. A list of user desktop-related configurable policy settings appears, as shown in Figure 4-11. In this case, the State of all settings is Not Configured.

    Figure 4-11: Reviewing user desktop configuration settings.

  6. Double-click a setting such as Desktop Wallpaper to open its Properties window, as shown in Figure 4-12.

    Figure 4-12: Reviewing the Properties of a Local Computer Policy setting.

  7. If you want to enable the setting (which in this case would force a particular desktop wallpaper image to appear on all users' screens), click Enable to enter a path to the image file, and then click OK. If you later decide that you want to undo this action, change the state of the setting back to Not Configured.

  8. If you did enable the Remove Recycle Bin icon from Desktop setting, close the Local Security Policy MMC and return to your desktop. The Recycle Bin icon should no longer be visible on the desktop.

Caution 

Be careful when configuring restrictive Local Computer Policy settings on a Windows Vista system. The settings that you configure with the Local Computer Policy MMC apply to all users, including Administrators. If you configure settings that are too restrictive, you may actually stop all users (including Administrators) from being able to undo the changes.
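
To confirm which of the desktop policies from the steps above are actually in force for a user, you can read the values the policy writes instead of reopening the MMC. This is an added example, not code from the book; it assumes the two settings are stored as the per-user registry values shown under the Policies key, and it makes no changes.

```powershell
# Added example: read-only check of the two desktop policies named in the steps above.
# Assumption: these Administrative Templates settings are stored as the registry
# values listed here under the current user's Policies key.

$policiesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'

$settings = @(
    @{ Name  = 'Desktop Wallpaper'
       Key   = "$policiesRoot\System"
       Value = 'Wallpaper' },
    @{ Name  = 'Remove Recycle Bin icon from Desktop'
       Key   = "$policiesRoot\NonEnum"
       Value = '{645FF040-5081-101B-9F08-00AA002F954E}' }
)

foreach ($s in $settings) {
    $data = $null
    if (Test-Path $s.Key) {
        # SilentlyContinue: a missing value is an expected outcome, not an error.
        $item = Get-ItemProperty -Path $s.Key -Name $s.Value -ErrorAction SilentlyContinue
        if ($item) { $data = $item.($s.Value) }
    }

    if ($null -eq $data) {
        $state = 'no policy value present (consistent with Not Configured)'
    } else {
        $state = "policy value present: $data"
    }
    '{0,-40} {1}' -f $s.Name, $state
}
```

Run it in a session belonging to the user whose desktop you are checking, because HKCU resolves to the account that started PowerShell.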



PC Magazine Windows Vista Security Solutions
ISBN: 0470046562
EAN: 2147483647
Year: 2004
Pages: 135
Authors: Dan DiNicolo
