What's new in Vista Group Policy?

Vista offers 800 new Group Policy settings, some that pertain to added features and others that enhance control over features carried over from Windows XP. Deb Shinder offers a detailed look at some of Vista's more interesting Group Policy additions: access to removable media, power management, and User Account Control policies.

This article is also available as a PDF download and a photo gallery.

Group Policy is a powerful tool for customizing, controlling, and securing Windows operating systems. Replacing the System Policies feature in Windows NT, it was introduced in Windows 2000 as part of the IntelliMirror technologies, and with each subsequent version of NT-based operating systems, its scope and capabilities have been expanded.

Group Policies can be applied at the local computer level or to Organizational Units, domains, or sites in an Active Directory environment. Group Policy was supported by Windows XP Professional, but not XP Home Edition. Likewise, Group Policy is supported by Vista Business, Enterprise, and Ultimate editions, but not Home Basic and Home Premium editions.

Group Policy in Vista adds hundreds of settings, giving administrators more control than ever over users and computers. Some of these settings pertain to Vista's new features, and others add more control over features that were carried over from XP. In this article, we'll discuss what you can do with some of the more interesting new Group Policy settings in Vista. You can download a spreadsheet containing all of the Group Policy settings for computer and user configuration that are included in the administrative template files that ship with Vista from the Microsoft Web site. Note that administrative template files in Vista use a new XML-based file format (.ADMX).

Control removable media

Removable devices such as USB thumb drives, flash memory card readers, and external USB hard disks, as well as CD and DVD writers and even the venerable floppy disk drive, are extremely convenient for transferring data between two computers (for example, your home and office machines). Unfortunately, they can also pose a big security problem for companies: Users can easily download data that shouldn't leave the company networks to a removable device and take it with them or they can upload data from a device and unknowingly introduce viruses or malware to the company computer.

In the past, some companies went so far as to physically destroy USB ports by filling them with epoxy or some other substance. A less drastic measure was to disconnect the USB ports inside the computer and remove optical drives capable of burning discs. You could buy third-party software to allow you to enable or disable access to USB devices, CD/DVD writers, etc. Or you could create a custom .ADM file to block usage of these devices in XP.

Vista makes it much easier. Here's what you do to apply a policy controlling access to removable media to the local Vista computer:

  1. Click Start | Control Panel | Administrative Tools.
  2. Select Local Security Policy.
  3. In the Local Security Policy console's left pane, under Computer Configuration, expand Administrative Templates and click System.
  4. Scroll down in the right pane and double click Removable Storage Access, shown in Figure A.

Figure A

You can control access to removable storage through Vista's Group Policy.

You can select from a number of choices, depending on what type of removable storage you want to control. For example, you can deny access to all removable storage classes by double-clicking the right pane item All Removable Storage Classes: Deny All Access.

  1. In the properties box, select the Enabled option, as shown in Figure B.

Figure B

Enable the policy to deny access to all removable storage devices.
  1. Click Apply or OK.

The policy to deny all access to all removable storage classes takes precedence over any policy settings that may have been set on individual storage classes. The storage classes you can set individually are:

  • CD and DVD
  • Floppy drives
  • Removable disks
  • Tape drives
  • WPD devices (cell phones, portable media players, auxiliary display, and CE-based devices, such as Pocket PCs)

You can set policies to deny read access and write access separately, so you can allow users to read data from a device but not save data to it.

Control power management settings

Businesses have asked for a way to control the power management settings within Windows for quite some time. There are third-party products available that will let administrators centrally control these settings, but that entails extra cost and installation of software. In Vista, companies can establish policies governing power management to save money on the cost of electricity.

The Power Management node in Vista Group Policy, located in the same Administrative Templates folder as the Removable Storage Access node discussed above, contains several subfolders for apply policies to different aspects of power management, as shown in Figure C.

Figure C

Vista gives administrators control over different aspects of power management.

The Power Management settings you apply via Group Policy will override settings made by users in the Control Panel's Power applet.

Button settings

The Button Settings folder contains the following policy options:

  • Select the Power Button action when the computer is plugged in
  • Select the Sleep Button action when the computer is plugged in
  • Select the Start Menu Power Button action when the computer is plugged in
  • Select the Lid Switch action on portables when the computer is plugged in
  • Select the Power Button action when the computer is on battery power
  • Select the Sleep Button action when the computer is on battery power
  • Select the Start Menu Power Button action when the computer is on battery power
  • Select the Lid Switch action on portables when the computer is on battery power

The possible actions you can assign to each of the buttons are:

  • Take no action
  • Sleep
  • Hibernate
  • Shut down

Double-click the button item you want to configure and select the Enabled option. Then, select the action from the drop-down list as shown in Figure D.

Figure D

You can configure a desired action for the physical power and sleep buttons, the Start menu power button, and the lid switch.

Hard disk settings

The Hard Disk Settings folder contains only two policies:

  • Turn off the hard disk when the computer is plugged in
  • Turn off the hard disk when the computer is on battery power

You can use them to control the length of time the computer must be inactive before Window turns off the hard disk. You must provide the time value in seconds, from 1 to 999,999.

Notification settings

The Notification Settings folder allows you to configure the following policies:

  • Critical battery notification action
  • Low battery notification action
  • Critical battery notification level
  • Turn off low battery user notification
  • Low battery notification level

Using these policies, you can set the levels at which notifications will be triggered (low and critical levels). When a level policy is enabled, you specify the value as a percentage of remaining battery capacity (for example, 10 if you want notification when the battery has 10% of its full capacity remaining). This setting is shown in Figure E.

Figure E

You can set the level at which you'll receive notification that the battery is low or critical.

The notification action policies allow you to specify what the computer should do when it reaches the low or critical level set in the level policies. When you enable these policies, you can select from the following actions:

  • Take no action
  • Sleep
  • Hibernate
  • Shut down

The Turn Off Low Battery User Notification policy does just what it sounds like: When it's enabled, there will be no notification to the user displayed when the battery reaches the low or critical level.

Sleep settings

The Sleep Settings folder contains 12 policy items. There are two policies for each action, one that governs when the computer is plugged in and one that governs when it's on battery power. They are:

  • Turn on applications to prevent sleep transition: If you enable this policy, an application or service can prevent the system from going into hybrid sleep, standby, or hibernate.

  • Specify the system hibernate timeout: If you enable this policy, you can set the period of inactivity before Windows will put the system into hibernation. The value is entered in seconds, from 1 to 999,999.

  • Require a password when a computer wakes: If you enable this policy or if it's left not configured, the user will be prompted for a password when the system resumes from sleep; thus, the default is to require a password. You can disable the policy if you don't want to prompt for a password.

  • Specify the system sleep timeout: As with the hibernate timeout policy, the value is entered in seconds.

  • Turn off hybrid sleep: If you enable this policy, the system won't create a hiberfile when the system goes to sleep (into Standby).

  • Allow standby states (S1-S3) when sleeping: If you enable this policy, Windows can use standby states when the computer sleeps. If the policy is disabled, the computer can only hibernate (go into Hybrid Sleep).

In earlier versions of Windows, Standby saves work to memory and puts the computer into a power-saving state, whereas Hibernate saves work to the hard disk. Vista has combined Standby and Hibernate into one state: Hybrid Sleep. In this state, work is saved to the hard disk and the previous work session is resumed when the computer wakes.

However, you can enable the traditional standby states via the Group Policy. The standard ACPI standby states are:

  • S0: The system is on and ready to work.

  • S1: The CPU is powered down; RAM is idle but refreshed. The system can be resumed by using the keyboard, mouse, etc.

  • S2 (not usually implemented): All devices are powered down like S3 but with faster RAM refresh.

  • S3: All fans, hard drives, and other devices are powered down and work is saved to RAM. Keyboard/mouse may or may not be able to resume the system, depending on the controller.

  • S4: All hardware is off and work is saved to disk. This is the same as Hibernate.

Video and display settings

Four policies are included in the Video And Display Settings folder (actually two settings with separate policies for when the computer is plugged in and when it's on battery power). These are:

  • Turn off adaptive display timeout: This setting controls how long the computer must be inactive before the computer's display is turned off. Windows will automatically adjust the setting based on what users do with their input devices.

  • Turn off the display: If you enable this policy, you provide a value (in seconds) to specify how long the computer should be inactive before the display is turned off.

User Account Control settings

One of the most prominent security improvements in Vista is User Account Control (UAC). There are nine policies in the Security Options folder that you can use to change the behaviors of this feature. To change the settings, under the Computer Configuration node in the left pane of the Group Policy Object Editor, expand Windows Settings, then Security Settings, and then Local Policies. Click Security Options, as shown in Figure F.

Figure F

You can control many aspects of UAC behavior through Group Policy.

Here are the UAC-related policies you can configure in Vista:

  • Admin Approval Mode for the built-in Administrator account: If you enable this policy, the built-in Administrator account will log on in Admin Approval Mode, which means you'll be prompted to consent before elevation of privileges occurs. By default, this policy is disabled so that the built-in Administrator account (unlike other administrative accounts in Vista) logs on in XP-compatible mode; all applications can run by default with full administrative privileges. Enabling this policy increases security.

  • Behavior of the elevation prompt for administrators in Admin Approval Mode: By default, all administrators (except the built-in Administrator account) are prompted for consent before an elevation of privileges occurs. If you enable this policy, you can choose to increase security by requiring that administrators enter their credentials to elevate privileges or you can lower security by allowing elevation without prompting for credentials or consent. The choices are shown in Figure G.

Figure G

You can increase or decrease the security level regarding behavior of the elevation prompt for administrators.
  • Behavior of the elevation prompt for standard users: By default, those logged on with standard user accounts are prompted to enter administrative credentials to elevate privileges. If you enable this policy, you can choose to increase security by returning an access denied message when a standard user tries to perform an operation that requires elevated privileges.

  • Detect application installations and prompt for elevation: If you enable this policy, application installation packages that require elevation of privileges will be detected through a heuristic algorithm, and the configured elevation prompt will be triggered.

  • Only elevate executables that are signed and validated: This policy allows you to increase security by enforcing PKI signature checks on interactive applications that request elevation of privileges. By default, PKI certificate chain validation is not enforced.

  • Only elevate UIAccess applications that are installed in secure locations: If you enable this policy, UIAccess applications will not launch unless they're stored in a secure location. Secure locations include the Program Files directory and the Windows\System32\r-_\Program Files (x86) directory. This policy is enabled by default, but you can disable it if you want UIAccess applications stored in other locations to be able to run.

  • Run all users, including administrators, as standard users: This policy is enabled by default and is the heart of Vista's UAC protection. If you disable this policy, all UAC policies will be disabled and security is decreased. You must reboot for a change in this policy to take effect.

  • Switch to secure desktop when prompting for elevation: This policy is enabled by default; when elevation is requested, the desktop locks down and no applications can interact with it. You can disable this policy to cause elevation requests to display on the normal interactive desktop, but this reduces security.

And the list goes on...

We've looked at only a few of the 800 new Group Policy settings that are available in Vista. There are also new settings to control Vista's Advanced Security firewall, to assign printers based on location, to customize DVD video disc authoring, to enable centralized management of network traffic for Quality of Service (QoS), to manage Network Access Protection (NAP), to manage access to shell applications, and to configure new Terminal Services/Remote Desktop security features. In addition, new policies are available for Internet Explorer 7.

About Deb Shinder

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

Editor's Picks

Free Newsletters, In your Inbox