Looking to learn a little more about Microsoft's Active Directory, Group Policy and identity and access management? Danny Kim, CTO at FullArmor Corp. in Boston, developed the first Windows policy management in 1993 to help Wal-Mart Stores Inc. lock down the demo PCs in a Windows 3.1 environment in its retail stores. The technology was subsequently licensed by Microsoft, Compaq, Sony and others. Kim also architected some of the first Group Policy management products, which were eventually purchased by NetIQ Corp.
Kim and SearchWinIT.com news director Margie Semilof recently discussed changes IT shops can expect to see with Vista and Vista Service Pack 1.
What are Windows administrators getting in terms of changes to Group Policy with Vista?
Danny Kim: [Microsoft] didn't do much with the infrastructure; they ran out of time. But there are a lot of new settings. XP SP2 has between 1,200 and 1,500 settings. In Vista, there are about 3,000. There has been a soft mandate within Microsoft that all product groups should Group Policy-enable their products. And about 80% of the new settings are security-related.
What are some of the most important new additions?
Kim: You can manage a user account to make a user a standard user. You can configure for Windows Defender, the new antispyware technology. The thing I like the most is the device installation control for IT administrators. Microsoft had determined that the bulk of Windows crashes happened because of third-party drivers. Now you can set policy against storage device drivers or PCI drivers. You can gradually control what users have and limit the amount of potential exposure.
And this includes locking down USB ports?
Kim: Auditors are now asking what customers are doing to cap information loss and potential viruses coming from endpoints.
Group Policy in Vista has removable device access control. I can create a policy that says whether or not you can put a USB hard drive in your machine. I can set it up so it's only read access. Lots of corporations want people to use USB storage devices but don't want them to take data out. Coupled with the intelligent firewall [in Vista], you can really block Internet access so machines are only used in the context and domain that you like.
Microsoft also made [Network Access Protection] manageable from Group Policy. Of course you need the server portion to make this work.
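The read-only USB policy and the device installation restriction Kim describes above, expressed as an added PowerShell example. This is not code from the interview, from FullArmor or from Microsoft; it assumes the RSAT GroupPolicy module (shipped with Windows Server 2008 R2 and Windows 7, so newer than the Vista-era tooling discussed here), domain rights to create and link GPOs, and a hypothetical GPO name and OU distinguished name. The registry paths are the ones the "Removable Storage Access" and "Device Installation Restrictions" administrative templates write.

```powershell
# Added example (not from the interview): make removable disks read-only and block
# installation of removable devices through a domain GPO, then verify on a client.
# Assumes the RSAT GroupPolicy module and domain admin rights. The GPO name and the
# OU distinguished name are hypothetical placeholders.

Import-Module GroupPolicy

$GpoName  = 'Workstations - Removable Storage Read-Only'   # hypothetical
$TargetOu = 'OU=Workstations,DC=corp,DC=example'           # hypothetical

# Device setup class GUID for "Removable Disks", as used by
# Computer Configuration > Administrative Templates > System > Removable Storage Access.
$RemovableDisksClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$StorageKey = "HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDisksClass"
$InstallKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# "Removable Disks: Deny write access" = Enabled. Deny_Read is deliberately left
# unset: users can still read from a USB drive but cannot copy data out to it.
Set-GPRegistryValue -Name $GpoName -Key $StorageKey -ValueName 'Deny_Write' `
    -Type DWord -Value 1 | Out-Null

# "Prevent installation of removable devices" = Enabled. Drivers for removable
# devices will not install unless an explicit allow policy matches them.
Set-GPRegistryValue -Name $GpoName -Key $InstallKey -ValueName 'DenyRemovableDevices' `
    -Type DWord -Value 1 | Out-Null

# Link the GPO to the OU if it is not already linked there.
$alreadyLinked = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Client-side check, run on a workstation after `gpupdate /force` (or after the
# network-change refresh described later in the interview): confirm the policy
# actually landed in the local registry and that it is read-only, not deny-all.
function Test-RemovableDiskReadOnly {
    $path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDisksClass"
    $v = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DenyWrite = [bool]($v.Deny_Write -eq 1)
        DenyRead  = [bool]($v.Deny_Read  -eq 1)
        ReadOnly  = [bool]($v.Deny_Write -eq 1 -and $v.Deny_Read -ne 1)
    }
}

Test-RemovableDiskReadOnly
```

Two caveats a practitioner will hit: the Removable Disks class covers USB mass-storage drives only, so phones and cameras that mount as Windows Portable Devices (a separate setup class with its own GUID under the same RemovableStorageDevices key) are not made read-only by this GPO and need their own Deny_Write entry; and because these are Computer Configuration settings, the check above must be run on the target workstation, not on the domain controller where the GPO was authored.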
What's new in terms of infrastructure?
Kim: The company has added network awareness in Group Policy. Before, Group Policy would only refresh when you logged in. People were asking for a more timely mechanism. If I have a security setting that I want to push to the desktop, I don't want to wait for 90 minutes or so for those [settings] to apply. If a client is attached to the network and it detects a network change -- for example, if a user changes his context from networked to wireless -- Group Policy will refresh right away.
But looking out to Vista Service Pack 1, which will be parallel to Longhorn Server, there will be some updates to Group Policy in terms of ease of use. They will release pre-made templates that lock down workstations with security compliance settings. Corporations can make their own templates. Instead of training everyone on how to use Group Policy, they can create a template that everyone can see.