About Vista Networking
By Jonathan Hassell, ComputerWorld.com
Group Policy was introduced in Windows 2000 Server and was a great boon to administrator productivity. While Group Policy was enhanced and extended in Windows Server 2003, there were not many improvements to the actual settings that Group Policy could manage from a networking standpoint.
That has changed in Windows Vista. Now, administrators can use familiar tools to manage everything from LAN settings to network security modes, wireless capabilities and quality of service. And all of this can be done centrally through familiar Group Policy administrative tools, like the Group Policy Management Console.
In this article, I'll take a look at some of the new abilities of Group Policy in Windows Vista -- and in some cases in conjunction with Longhorn Server -- to manage network capabilities and communications.
Hot spots
Some of the most desired new capabilities in Group Policy are:
-- Wired LAN settings: You can now, through Group Policy, configure wired connections that are authenticated by 802.1x schemes.
-- Multiple security modes: Wireless clients, each with different security capabilities and the ability to participate in different security methods, can all connect to an access point configured with a single service set identifier (SSID) -- lessening administrative burden and keeping connectivity setups simple.
-- Extensibility and expandability: New Group Policy support for vendor-specific attributes, like different Extensible Authentication Protocol types, means heterogeneous hardware types are no longer a real problem for achieving a unified security configuration.
-- Control over allowed SSID lists: Again, through Group Policy, you as the administrator can set up a list of wireless access points (more specifically, their associated SSIDs) that Vista clients can access, or a list of SSIDs to which clients are denied from connecting.
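The allowed and denied SSID lists described above live in the GPO under Computer Configuration > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies. As an added example (not from the article), the same allow/block/deny-all filters applied locally with netsh wlan, plus a check that the allow list actually took effect; the SSID names are constructed placeholders and the commands need an elevated prompt.

```powershell
# Added example: local equivalent of the Group Policy SSID allow/deny lists.
# Assumes Windows Vista or later with the WLAN AutoConfig service running and
# an elevated prompt. SSID names below are constructed sample values.

$AllowedSsids = @('CORP-WLAN', 'CORP-GUEST')   # constructed: SSIDs clients may join
$DeniedSsids  = @('FreePublicWiFi')            # constructed: SSID explicitly blocked

function Set-WlanSsidFilters {
    param(
        [string[]]$Allow,
        [string[]]$Deny,
        [switch]$DenyAllOthers   # whitelist mode: block every infrastructure SSID not allowed
    )
    foreach ($ssid in $Allow) {
        netsh wlan add filter permission=allow ssid="$ssid" networktype=infrastructure | Out-Null
    }
    foreach ($ssid in $Deny) {
        netsh wlan add filter permission=block ssid="$ssid" networktype=infrastructure | Out-Null
    }
    if ($DenyAllOthers) {
        # With denyall in place only SSIDs on the allow list remain connectable,
        # which is the "list of access points clients can access" case in the text
        netsh wlan add filter permission=denyall networktype=infrastructure | Out-Null
    }
}

function Test-WlanSsidFilters {
    # Check: every intended allow entry must show up in the effective allow filter list
    param([string[]]$Expected)
    $output  = (netsh wlan show filters permission=allow) -join "`n"
    $missing = $Expected | Where-Object { $output -notmatch [regex]::Escape($_) }
    if ($missing) {
        Write-Warning "Allow-list entries not applied: $($missing -join ', ')"
        return $false
    }
    return $true
}

Set-WlanSsidFilters -Allow $AllowedSsids -Deny $DeniedSsids -DenyAllOthers
Test-WlanSsidFilters -Expected $AllowedSsids
```

Remove a test entry again with `netsh wlan delete filter permission=allow ssid="CORP-WLAN" networktype=infrastructure`; a GPO-delivered list overrides these local filters on domain-joined machines.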
QoS
QoS support in Windows Vista and Longhorn Server has been improved, and the two operating systems are destined to work together better than ever in ensuring bandwidth is available for legitimate applications while minimizing the impact of less relevant -- but bandwidth intensive -- applications and traffic.
QoS has been around for a while and is typically supported by a variety of network hardware devices like switches and routers. When used together, Longhorn Server and Windows Vista will allow administrators to use Group Policy to set realistic thresholds and policies that throttle, prioritize or otherwise manage the level of traffic based on the sending application, source or destination IP address, the protocol in use, or the source or destination TCP or UDP port.
Network access protection
What is network access protection (NAP)? Consider this strategy: Viruses and malware are sometimes stopped by protections that are deployed at the desktop level, but by far the easiest and most reliable way to stop an outbreak would be to prevent that malware from ever being able to gain access to the network -- thus making it impossible for the threat to spread.
In Longhorn Server (and Windows Vista, which can take part in this feature), Microsoft has created a platform whereby computers are examined against a baseline set by the administrator, through Group Policy. If a machine is unable to meet the criteria and satisfy that baseline, that machine can be quarantined, as it were, protected from access to the network, until the user is able to fix his broken machine.
NAP can be broken down into key components: health policy validation, compliance and access limiting. Validation is the process where the machine, attempting to connect to the network, is examined and checked against certain health criteria that an administrator sets.
Compliance policies can be set so that managed computers that fail the validation process can be automatically updated or fixed via a Systems Management Server or some other management software.
Access limiting can be the enforcement mechanism for NAP, which can also be set through Group Policy. In active mode, computers that fail validations are put into a limited-access area of the network, which typically blocks almost all network access and restricts traffic to a set of specially hardened servers that contain the tools most commonly needed to get machines up to snuff.
The Windows Firewall with Advanced Security
The Windows Firewall with Advanced Security is now more manageable than ever with Group Policy. Besides the advantage of the firewall engine itself being retooled, you have more rules functionality and you can manage and define explicit security requirements such as authentication and encryption very easily.
Settings can be configured on a per-AD computer or user group basis. Profile support has been improved as well on a per-computer basis. There is now a profile for when a machine is connected to a domain, a profile for a private network connection and a profile for a public network connection, such as a wireless hot spot. Policies can be imported and exported easily, making management of multiple computers' firewall configuration consistent and simple.
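As an added example (not from the article), the per-profile settings, the explicit authentication requirement and the export step described above, expressed with netsh advfirewall so the result can be checked locally before the same configuration is pushed by Group Policy. Rule names, the RDP port scope and the export path are constructed placeholders; the script assumes Windows Vista or later, an elevated prompt and a domain-joined machine for the Kerberos option.

```powershell
# Added example: Windows Firewall with Advanced Security baseline via netsh.
# Assumes Vista or later, elevated prompt; names and paths are constructed.

$ExportPath = 'C:\Temp\baseline.wfw'   # constructed placeholder path

function Set-FirewallBaseline {
    # 1. Firewall on in all three profiles (domain, private, public), inbound blocked by default
    netsh advfirewall set allprofiles state on | Out-Null
    netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null

    # 2. Public profile (e.g. a wireless hot spot): log dropped packets for later review
    netsh advfirewall set publicprofile logging droppedconnections enable | Out-Null

    # 3. Rule scoped to one profile: RDP is reachable only while on the domain network
    netsh advfirewall firewall add rule name="Allow RDP (domain only)" dir=in action=allow `
        protocol=TCP localport=3389 profile=domain | Out-Null

    # 4. Connection security rule: require IPsec-authenticated inbound traffic between the
    #    local subnet and any peer on the domain profile (request it outbound), using
    #    Kerberos computer credentials for the authentication
    netsh advfirewall consec add rule name="Require auth on domain" `
        endpoint1=localsubnet endpoint2=any action=requireinrequestout `
        auth1=computerkerb profile=domain | Out-Null
}

function Export-FirewallBaseline {
    param([string]$Path)
    # The .wfw file can be imported on other machines (netsh advfirewall import) or into a GPO
    netsh advfirewall export "$Path" | Out-Null
    return (Test-Path $Path)
}

function Test-FirewallProfiles {
    # Check: all three profiles report State ON. Assumes English netsh output;
    # localized systems print a translated keyword and need a different pattern.
    $out     = netsh advfirewall show allprofiles state
    $onCount = @($out | Select-String -Pattern '^State\s+ON').Count
    return ($onCount -eq 3)
}

Set-FirewallBaseline
Export-FirewallBaseline -Path $ExportPath
Test-FirewallProfiles
```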
Jonathan Hassell is an author, consultant and speaker on a variety of IT topics. His published works include RADIUS, Hardening Windows, Using Windows Small Business Server 2003 and Learning Windows Server 2003. His work appears regularly in such periodicals as Windows IT Pro magazine, PC Pro and TechNet Magazine. He also speaks worldwide on topics ranging from networking and security to Windows administration. He is currently an editor at Apress LLC, a publishing company specializing in books for programmers and IT professionals.
Copyright © 2007 IDG. All rights reserved.