Thursday, April 11, 2013

Windows 8 Group Policy Settings That You Should Know

By and large, Windows 8 supports the same collection of group policy settings as Windows 7, so organizations that already have Windows 7 in place can move to Windows 8 with relative confidence that their existing group policy structure will continue to work.
While this is certainly good news for those tasked with keeping Windows secure, there is a bit of bad news. Even though Windows 8 can use Windows 7 group policy settings, those settings alone will likely prove to be inadequate to keep Windows 8 secure.

As you no doubt know, Windows 8 has two widely used modes. On one hand, there is the new modern user interface (formerly known as Metro), but there is also a desktop mode that looks suspiciously like Windows 7. Windows 7 group policy settings do a great job of locking down Windows 8's desktop mode, but they have little impact on the modern user interface.

Thankfully, Microsoft has created a number of new group policy settings that are specifically designed for Windows 8 and Windows Server 2012. There are 169 new policy settings in all (plus some extra settings for Internet Explorer 10). To use these new policy settings, you will need either to have a Windows Server 2012 domain controller or to add the policy settings to Windows 8's local security policy.

Windows store policy settings
Some of the most useful new policy settings are related to the Windows store. For organizations that operate managed desktops, the thought of users going into the Windows store and downloading unapproved applications can be stomach churning. Fortunately, Microsoft provides group policy settings that can be used to control access to the store. These settings can be applied at either the user or the computer level and are located at \Administrative Templates\Windows Components\Store. The policy settings themselves are self-explanatory. They include turning off automatic downloads of updates, allowing the store to install apps on Windows To Go workspaces, and turning off store applications.

Connected accounts
One of the things that makes Windows 8 really unique is its use of connected accounts. When a user gets ready to log on, Windows 8 gives them the option of logging in using a Microsoft connected account (such as a Windows Live account or a Hotmail account). This account links Windows 8 to online services such as Hotmail, SkyDrive, or even Xbox Live. Of course, these are all consumer-grade services that have no place in most business environments. Worse yet, connected accounts are often tied into social networking sites, such as Facebook.

One of an administrator's first tasks in planning for a Windows 8 deployment should be to prevent users from being able to provide Windows 8 with a connected account. As you have probably already guessed, this can be accomplished through group policy settings.

The policy settings exist at the computer level of the Group Policy hierarchy. You can find them at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Block Microsoft Accounts.

There are actually a couple of different options that you can use when enabling this policy setting. You can choose either the Users Can't Add Microsoft Accounts option or the Users Can't Add Or Log On With Microsoft Accounts option. The second option will prevent Microsoft accounts from being used, even if a user has already added the account to their Windows 8 desktop.

Preventing the accidental removal of modern apps
Windows 8 makes it easy for users to remove modern UI apps. Maybe a little too easy. A user need only right-click the app's tile and then tap Uninstall. If you'd rather that users not be able to remove the apps that you have placed on their start screen, you can use group policy settings to prevent them from doing so.

The option to prevent users from uninstalling modern apps is a user-level group policy setting. The option is quite ironically located at: User Configuration\Administrative Templates\Start Menu and Taskbar. This section of the group policy hierarchy contains a number of different settings. The specific group policy setting that you must enable is named Prevent Users From Uninstalling Applications From Start.
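
Once a GPO carrying the settings above (Store access, Block Microsoft Accounts, and Prevent Users From Uninstalling Applications From Start) has been applied, you can spot-check a client to confirm the values actually landed. The PowerShell below is an added example, not part of the original post; the registry paths and value names are assumptions based on the standard policy templates and should be confirmed against your own ADMX files, and `Get-PolicyState` is a hypothetical helper name.

```powershell
# Added audit sketch. Registry paths, value names and value meanings are assumptions
# based on the standard policy templates, not taken from the article.
# HKCU checks reflect the user who runs the script.
$Checks = @(
    @{ Policy = 'Store: Turn off the Store application (computer)'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
       Name   = 'RemoveWindowsStore'
       Known  = @{ '1' = 'Store is turned off' } }
    @{ Policy = 'Store: Turn off the Store application (user)'
       Path   = 'HKCU:\Software\Policies\Microsoft\WindowsStore'
       Name   = 'RemoveWindowsStore'
       Known  = @{ '1' = 'Store is turned off' } }
    @{ Policy = 'Accounts: Block Microsoft Accounts'
       Path   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name   = 'NoConnectedUser'
       Known  = @{ '1' = "Users can't add Microsoft accounts"
                   '3' = "Users can't add or log on with Microsoft accounts" } }
    @{ Policy = 'Prevent Users From Uninstalling Applications From Start'
       Path   = 'HKCU:\Software\Policies\Microsoft\Windows\Explorer'
       Name   = 'NoUninstallFromStart'
       Known  = @{ '1' = 'Uninstall from Start is blocked' } }
)

function Get-PolicyState {
    param([Parameter(Mandatory = $true)] [hashtable[]] $Checks)
    foreach ($c in $Checks) {
        # A missing key or value means the policy was never written to this machine/user.
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.($c.Name) } else { $null }
        if ($null -eq $value) {
            $state = 'NotConfigured'; $detail = 'Value absent: policy not applied here'
        } elseif ($c.Known.ContainsKey([string]$value)) {
            $state = 'Enforced';      $detail = $c.Known[[string]$value]
        } else {
            $state = 'NotEnforced';   $detail = 'Value present but does not enable the restriction'
        }
        [pscustomobject]@{ Policy = $c.Policy; State = $state; Value = $value; Detail = $detail }
    }
}

Get-PolicyState -Checks $Checks | Format-Table -AutoSize -Wrap
```

For the Block Microsoft Accounts row, the Detail column shows which of the two options described earlier is in effect, which matters if you intended to block logon with existing accounts and not just the addition of new ones.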

Obviously there is no way to discuss hundreds of individual policy settings within the confines of a blog post. While I have tried to discuss some of the more useful policy settings, there are many others. You can access the full list of new group policy settings here. Chances are, there's a policy you need to know about that I couldn't get to.
