In-Depth

Active Directory in Vista: Same Name, Substantial Changes

Don’t let the lack of a name change fool you. Under Vista, Active Directory and Group Policy settings get a substantial makeover, and that has security-policy management, endpoint security, and backwards compatibility implications. Here’s what to expect.

• By Mathew Schwartz
• 04/18/2006

Under Vista, Microsoft’s next-generation operating system (due to ship to enterprises by the end of the year), Active Directory and the Group Policy settings it applies to enterprise user groups won’t get a name change.

Under the hood, however, expect substantial security improvements, thanks in part to 1,500 new Group Policy settings, many of which are security-related, including the ability to lock down device drivers. Furthermore, Microsoft’s endpoint security standard, Network Access Protection (NAP), will allow administrators to quarantine PCs which don’t comply with Group Policy settings.

To learn more, including how to manage 3,000 Group Policy settings, plus post-Vista security implications for shops still standardized on Windows 2000 or XP, we talk to Danny Kim, chief technology officer of Boston-based FullArmor Corp., a Group Policy software management vendor.

How will Group Policies change under Vista?

Previously—with Windows XP Service Pack 2 (SP2)—there were 1,500 settings in there, and with Vista, they’ve more than doubled the settings, to more than 3,000. About 80 percent of the things that were added were security-related.

What accounts for the growth in Group Policy settings?

Usually when you think of Group Policy, you think it’s going to lock down my desktop, disable the run statement—a lot of UI [user interface] stuff. …

For Vista, they’re actually policy-enabling things at the device-driver level, which is where security really should be happening. For instance, before they had this level of granularity for removable storage devices [in Vista], the only way to disable USB storage devices was either to squirt superglue into the USB port—and I’ve heard a lot of banks have done that—or you actually go in and delete DLLs and registry keys. You actually delete the drive.

With Vista, because they now have granular control and device driver [controls] … you’ll see a policy for a specific device. For example, [I can make it so] I’m not going to allow you to install any PC cards, or PCMCIA cards, but you can install a printer.

How do Group Policy settings enforce which drivers can or cannot load?

Before these device drivers load up, they check Group Policy to see if they should load up. And that’s a very different model [from before]. …

So for banks, health care, government, and public-sector environments where keeping data in the computer is just as helpful as keeping hackers out, you’ve got a policy now that says if you bring a USB key and put it into your machine, I’ll give you read access, but you can’t take data off of the machine. Or I’ll disable all USB storage devices. So it’s really getting to the nitty gritty of security control for the endpoint.

Speaking of endpoints, how will Vista handle security policies for PDAs and smart phones?

They have a different class for PDAs. So if I hook up my PocketPC, I can enable synchronization to the corporate directory, but I can disable the storage card in the device, so you can’t take other information out.

The other area I think you’ll see is support for Windows Mobile Devices. … So, Group Policy-enabling mobile devices. Windows mobile devices should be managed through Group Policy. … It’s a Windows device, it’s got an IP address, … so why not add it to Active Directory and target it with Group Policy?

For Vista, are Group Policies or Active Directory being renamed?

The name stays the same. It’s still Group Policy and Active Directory.

What infrastructure changes must companies make to take advantage of the new Group Policies or Active Directory?

This is a point most people miss. When they see 3,000 policies in Active Directory, they say, “I have to deploy Longhorn Server to take advantage of these.” But that’s actually not the case. … The actual storage settings [are backward compatible]. So even if you have Windows 2000, you can create Vista Group Policy settings and backwards-target them to Windows 2000 clients, because all the features you put in will be stored in the [same format].

Now if a Vista policy comes out on Windows 2000, Windows 2000 just ignores it, because it won’t have the additional endpoint security, anti-spyware capabilities, [and so on]. … But when that policy hits a Vista machine, all those policies will work.

Will any forthcoming Vista security features also get released for Windows XP SP2?

You’re also seeing several of the Vista-based features now being delivered for XP. For example, the Windows Defender product, the anti-spyware service controlled by Group Policy; they’re actually releasing an XP version of that.

Same thing with NAP, which is controlled by Group Policy. It quarantines things that are out of compliance. So if the machine doesn’t have the latest patch or setting, the server will throw it off the DHCP server list.

When will Microsoft release NAP?

That is built into Vista, and they’re actually going to be delivering down-level-compatible clients for XP SP2 [too]. So you can actually do out-of-band control for XP SP 2 environments. They just have a server you have to implement [running NAP management software].

NAP is getting a lot of attention, and they know that to support it in any capacity, they have to roll it out in an XP-compatible environment.

With 3,000 potential settings, how does one even begin to approach Group Policy?

One of the running jokes in the IT environment, and obviously there’s a hint of truth in it, is that to use Group Policy, you need a Ph.D. in Group Policy. And with 3,000 settings, you’re going to require a double-Ph.D. or something. It’s crazy the amount of knowledge you need.

I know [Microsoft] wanted to put in a lot of these manageability features, for being able to filter and search and “template-ize” policies in Vista, but they ran out of time, so this will go in the Vista SP1 release.

What Active Directory management features do you expect Vista SP1 to have?

What’s going to be added in Vista SP1 is the ability to search and do filters on settings. It’s kind of like, there’s a feature in [the] Group Policy administrator that says, “Show me only settings applicable with IE version 7,” or “Show me only settings that apply to Vista.” … It’s a really good feature, and with 3,000 settings, you really need a Group Policy administrator that’s like Google search.

The other feature they added in Vista is the ability to put comments on settings. People tend to pass it over as a feature, but every time I change a Group Policy setting, you [could require me] to put a comment in.

So you can have a change ID, a user ID, and why I changed it. And if you even just implement that, you actually have a change-management process for Group Policy. Because now you can track changes, and you can actually filter it: [for example,] give me the settings that have the change ID associated with John on them.

Will there be any preset Group Policies to help?

Another thing they’re adding to Service Pack 1 is templates of GPOs [Group Policy Objects]. These are kind of like pre-made GPOs. … Microsoft is going to ship Vista with about 12 templates: a template to configure mobile devices, a—I’m hoping, and I’ve heard—template to configure HIPAA, or some level of compliance. … Each template will have a bunch of comments next to the settings it sets, and it tells you why you would want to set these settings.

The other neat feature is the templates can then be saved off as a single CAB file, which will spur consultants and third parties to create … pre-made templates, which is great. So I can create templates which are best practices and allow people to download them from my Web site. …

So the templates will help organizations quickly get up and running with Group Policies?

It gives [companies] a way to really reduce the Ph.D. requirement to maybe a Master’s degree. But anything helps.

• More Vista Security Details Emerge, But Will Enterprises Bite?
• The Shape of Endpoint Security to Come