New Security Policy Management Support

In addition to adding quite a few new Administrative Template settings, Windows Vista and Windows Server 2008 also introduced a number of new Client Side Extensions (CSEs) for managing a variety of policy areas. We will focus on the security-related ones here because those are what this book is all about, but suffice to say that Group Policy has become an even more powerful tool for centrally managing configuration for most aspects of the operating system.


Device Restrictions

Device restriction is a high-demand item for most organizations. Namely, how do you keep your users from bringing their USB Flash drives and USB backup devices to work and taking away a bunch of sensitive information? Well, Group Policy in Windows Vista and Windows Server 2008 has the answer: a set of Administrative Template policies provided in Group Policy that give you two levels of control over these removable devices. The first level of control gives you the ability to prevent installation of device drivers for any class of device, specifically removable storage devices. The second class of policy lets you control access to that media, assuming installation of the driver is allowed. This second class of policy has the ability to let you control read-only or write access to a removable device that the user was allowed to install.

Let us look at the device installation restrictions first. These policies are located within the Group Policy editor under Computer Configuration\Administrative Templates\System\Device Installation\Device Restrictions. From within this per-computer policy, you can define device setup classes that can be installed or prevented from being installed or you can restrict all removable devices from being installed. Note that this policy area is designed to prevent the device driver installation in the first place. If a device driver for a particular device is already installed, this particular policy will only prevent subsequent updates to that driver.