Security Settings node of the Group Policy Object in Windows Server 2008



The Security Settings node of the Group Policy Object (GPO) can be used to configure several security-related settings, including NTFS file system permissions. The nodes beneath Security Settings contain many more settings, as follows:

1) Account Policies: These computer security settings control password policy, lockout policy, and Kerberos policy in Windows Server 2008, Windows Server 2003, and Windows Server 2000 domains.

2) Local Policies: These security settings control audit policy, user rights assignment, and security options, including setting the default User Account Control settings for systems the policy applies to.

3) Event Log: These settings control the security settings and the size of the application, security, and system event logs.

4) Restricted Groups: These settings allow the administrator to manage local or domain group membership from within this policy node. Restricted group settings can be used to add members to an existing group without removing any existing members, or to enforce and overwrite membership based on the policy configuration.

5) System Services: These settings can be used to control the startup mode of a service and to define the permissions to manage the service configuration or state. Configuring these settings does not start or stop any services, but the state will be changed upon Group Policy application.

6) Registry: This setting is used to configure the security permissions of defined Registry keys and, if desired, all subkeys and values. This setting is useful in supporting legacy applications that require specific Registry key access that is not normally allowed for standard user accounts.

7) File System: This setting is used to configure NTFS permissions on specified folders on NTFS formatted drives. It can also enable auditing, configure folder ownership, and propagate these settings to subfolders and files.

8) Wired Network (IEEE 802.3) Policies: This policy node can be used to configure additional security on wired network adapters to allow for or require smart card or computer-based certificate authentication and encryption.

9) Windows Firewall with Advanced Security: This policy node permits administrators to configure the Windows Firewall on Windows Vista and Windows Server 2008 systems. The settings can define specific inbound or outbound rules and how the firewall is configured based on the firewall profile or the network the system is connected to. The configuration can overwrite the local firewall rules, or the Group Policy and local rules can be merged.

10) Network List Manager Policies: Windows Firewall on Windows Vista and Windows Server 2008 uses firewall profiles based on the network. This setting node can be used to define the permissions end users have regarding the identification and classification of a new network as public or private to allow for the proper firewall profile to be applied.

11) Wireless Network (IEEE 802.11) Policies: These policies help configure settings for a wide range of devices that access the network over wireless technologies, including predefining the preferred wireless network, its Service Set Identifier (SSID), and the security type for the network. This node contains Windows Vista and Windows XP compatible policies.

12) Public Key Policies: These settings are used to specify that computers automatically submit a certificate request to an enterprise certification authority and install the issued certificate. Public Key Policies are also used to create and distribute the certificate trust list, and they can set up common trusted root certification authorities. Encrypting File System settings use this policy node as well.

13) Software Restriction Policies: These policies allow an administrator to control the applications that are allowed to run on the Windows system based on the file properties and not the filename. Additionally, software restrictions can be created based on certificates or the particular network zone from which the application is being accessed or executed. For instance, a rule can be created to block application installations from the Internet zone as defined by Microsoft Internet Explorer.

14) Network Access Restriction Policies: This setting can be used to deploy the configuration of the Network Access Protection client.

15) IP Security Policies on Active Directory: IP Security (IPSec) policies can be applied to the GPO of an Active Directory object to define when and where IPSec communication is allowed or required.
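
The two Restricted Groups modes described in item 4 can be told apart when reviewing the security template file (GptTmpl.inf) in which a GPO stores its Security Settings. The following is an added example, not part of the original article: it assumes the `__Members` / `__Memberof` key format of the `[Group Membership]` section, and the sample text, the SIDs, and the function name `restricted_groups` are constructed for illustration.

```python
import re

# Constructed sample of a GPO security template (GptTmpl.inf).
# The domain SIDs are made-up placeholders, not real identifiers.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-1104
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-555
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
[Version]
signature="$CHICAGO$"
"""

# <group>__Members  = list that replaces the group's membership
# <group>__Memberof = groups that <group> is added to, others untouched
ENTRY = re.compile(
    r"^(?P<group>.+?)__(?P<kind>Members|Memberof)\s*=\s*(?P<value>.*)$", re.I)

def restricted_groups(inf_text):
    """Return (group, mode, listed) tuples from the [Group Membership] section."""
    findings, section = [], None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        match = ENTRY.match(line) if section == "group membership" else None
        if not match:
            continue
        listed = [p.strip() for p in match["value"].split(",") if p.strip()]
        if not listed:
            continue  # simplification: entries that list nothing are skipped
        mode = "overwrite" if match["kind"].lower() == "members" else "add"
        findings.append((match["group"].lstrip("*"), mode, listed))
    return findings

if __name__ == "__main__":
    for group, mode, listed in restricted_groups(SAMPLE_INF):
        print(f"{mode:9} {group}: {', '.join(listed)}")
```

Entries reported as `overwrite` deserve the closest review, because any existing member not on the list is removed when the policy applies.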