Microsoft Press working group policy guide, part 7 - Pdf 21

418 Part II: Group Policy Implementation and Scenarios
Figure 11-15 Specifying global autoenrollment options within public key policy
3. To disable autoenrollment, select Do Not Enroll Certificates Automatically. To allow autoenrollment, select Enroll Certificates Automatically. If you choose autoenrollment, two additional options are available:
❑ Renew Expired Certificates, Update Pending Certificates, And Remove Revoked Certificates Choose this option to ensure that, beyond simple autoenrollment, certificates installed to your users and computers are managed if they expire, are pending, or are revoked.
❑ Update Certificates That Use Certificate Templates Choose this option to use certificate templates to control what kinds of certificates are autoenrolled and to allow certificates to be updated.
4. Click OK.
Managing Public Key Policy
Public key certificates are most commonly used in certain scenarios. For example,
if you have an enterprise CA root installed, you can automatically enroll your user
accounts with a certificate for e-mail signing and encryption. This doesn’t require the
use of public key policies, however, because autoenrollment is enabled by default
within an Active Directory environment with a CA installed.
One area that does require configuration in policy is the implementation of EFS within an Active Directory environment. By default, when a user encrypts a file using EFS, that user and the domain administrator account (if the computer is in an Active Directory domain) are made the key recovery agents for that file. This means that either the user or the domain administrator can decrypt that file. However, you might want to create additional key recovery agents to ensure that the right people within your organization can recover encrypted files before you allow your users to use EFS.
Chapter 11: Maintaining Secure Network Communications 419
To add a new key recovery agent for EFS, complete the following steps:
1. Select Public Key Policies under Computer Configuration\Windows Settings\Security Settings.

work from intruders. When users or computers connect indirectly to the Internet through these firewalls and proxies, you can be reasonably sure the computers are protected from attacks and malicious users. When users or computers connect directly to the Internet, however, these protections might not apply. For example, if a user takes a portable computer to an offsite meeting or uses a portable computer on a coffee shop wireless network while at lunch, the computer isn’t automatically protected from attack or intrusion. If a computer that was infected while exposed in this way is reconnected to the internal network, it can infect other computers, bypassing the protection of the firewall or proxy. To help prevent these infection scenarios, you must run a firewall on each computer—not just rely on the firewall or proxy that separates the internal network from the Internet. This is where Windows Firewall and Windows Firewall Group Policy settings enter the picture.
How Windows Firewall Works
Windows Firewall, the successor to the Internet Connection Firewall (ICF), was
released with Windows XP SP2 and Windows Server 2003 SP1. Like ICF, Windows
Firewall provides stateful IP port filtering on a per-host basis to protect computers
that are running Windows from unauthorized access.
Stateful port filtering means that Windows Firewall keeps track of connections coming into and going out of your Windows computers and lets you dynamically control the flow of traffic. Windows Firewall also allows for exception-based firewall protection. When traffic that does not pass the firewall rules arrives at a Windows Firewall–protected computer, the user has the option to allow or deny that traffic through a pop-up dialog box called a Security Alert.
Windows Firewall differs from ICF in that it is completely manageable and configurable via Group Policy. The default configuration is different for Windows workstations and servers as well. The default configuration of Windows Firewall is more secure, for example, because Windows Firewall is enabled for all network connections by default. Keep the following in mind:
■ On computers running Windows XP SP2 or later, Windows Firewall is installed

To determine whether a computer is connected to the corporate network, Windows first compares the DNS suffix of the currently active network connection or connections to the DNS suffix that was found during the last Group Policy processing cycle. Specifically, it looks at the following registry value to determine the DNS suffix the last time Group Policy was processed:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName
If the DNS suffix listed in this registry value is the same as that of the current active network connection (a network connection that has an IP address assigned to it and is enabled), the computer is assumed to be on the corporate network and the Domain Profile policy is applied. Looking at the DNS suffix of the computer is only one part of the detection algorithm, however.
A computer is assumed to be off the corporate network and the Standard Profile policy is applied when any of the following conditions are true:
■ If the DNS suffix of the computer’s current active network connection(s) does not match the DNS suffix of the NetworkName registry value, the computer is considered off the corporate network and the Standard Profile applies.
■ If the computer is not part of an Active Directory domain, it is considered to be off the corporate network and the Standard Profile applies.
■ If the only active network connection for a computer is a dial-up or VPN connection, the computer is considered off the corporate network and the Standard Profile applies.
Windows checks for these conditions at computer startup or when a network connection changes (such as when a new connection becomes active or a change is made to an existing connection).
Note
Technically, computers process both the Domain Profile and Standard Profile
policy settings and set those policy values in the registry, but they apply the settings
(based on the current profile) only at computer startup or a network configuration

those networks will most likely provide their own DNS suffix.
However, if you have computers whose DNS suffix is hard-coded within the DNS properties for a connection, as shown in Figure 11-19, this can short-circuit the profile determination process. Why? Because if that connection is in use on both the corporate and noncorporate networks, it will have the same DNS suffix in each case and will always use the Domain Profile. For this reason, if you plan to implement a different Domain Profile and Standard Profile, you must ensure that DNS suffixes are provided dynamically via DHCP and are not hard-coded.
Figure 11-19 Viewing a hard-coded DNS suffix on a network connection
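To make the three conditions concrete, here is a small model of the profile decision in Python, written for this page rather than taken from the book or from Windows. The Connection attributes, the select_profile function and the corp.example.com and cafe.example.net suffixes are constructed, and because the text does not say how mixed active connections or no active connection are treated, those two cases are labelled as assumptions in the code.

```python
"""Model of the Domain Profile / Standard Profile selection rules described above.

Added example; not code from the book or from Windows. It applies the three
conditions listed in the text to constructed connection data, so the
Connection attributes and the select_profile signature are illustrative.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Constructed stand-in for the NetworkName value under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History,
# i.e. the DNS suffix seen during the last Group Policy processing cycle.
LAST_GP_DNS_SUFFIX = "corp.example.com"


@dataclass(frozen=True)
class Connection:
    """One network connection as the detection logic sees it."""
    name: str
    dns_suffix: str              # supplied by DHCP, or hard-coded on the adapter
    enabled: bool = True
    has_ip: bool = True          # "active" = enabled and holding an IP address
    remote_access: bool = False  # dial-up or VPN connection

    @property
    def active(self) -> bool:
        return self.enabled and self.has_ip


def select_profile(connections: Iterable[Connection],
                   last_gp_suffix: str = LAST_GP_DNS_SUFFIX,
                   domain_joined: bool = True) -> str:
    """Return 'Domain' or 'Standard' following the rules in the text.

    Assumption: when several connections are active, every one must carry the
    remembered suffix for the Domain Profile to apply; the text does not say
    how a mixed set is treated.
    """
    active: List[Connection] = [c for c in connections if c.active]
    # Rule 2: a computer outside an Active Directory domain is off-network.
    if not domain_joined:
        return "Standard"
    # Assumption: with no active connection there is nothing to compare,
    # so the restrictive profile is chosen.
    if not active:
        return "Standard"
    # Rule 3: only dial-up or VPN connections active -> off-network.
    if all(c.remote_access for c in active):
        return "Standard"
    # Rule 1: DNS suffix of the active connection(s) must match NetworkName.
    if any(c.dns_suffix.lower() != last_gp_suffix.lower() for c in active):
        return "Standard"
    return "Domain"


def hard_coded_suffix_pitfall() -> dict:
    """Reproduce the Figure 11-19 problem: a suffix typed into the adapter's
    DNS properties travels with the laptop, so the Domain Profile is chosen
    even on a coffee shop network. Returns the profile chosen in each place."""
    dhcp_laptop_at_work = [Connection("Wi-Fi", "corp.example.com")]
    dhcp_laptop_at_cafe = [Connection("Wi-Fi", "cafe.example.net")]
    fixed_laptop_at_cafe = [Connection("Wi-Fi", "corp.example.com")]  # hard-coded
    return {
        "dhcp_at_work": select_profile(dhcp_laptop_at_work),
        "dhcp_at_cafe": select_profile(dhcp_laptop_at_cafe),
        "hard_coded_at_cafe": select_profile(fixed_laptop_at_cafe),
    }
```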
Managing Windows Firewall Policy
When you access Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall in Group Policy, you’ll find separate policy sections for the Domain Profile and the Standard Profile. Both policy sections contain the same policies and settings. The only difference is that one set of policies is used to configure Windows Firewall on the corporate network while the other is used to configure Windows Firewall off the corporate network. There is one global policy setting as well, which is found at the same level as these two profile nodes. This global policy setting controls the way Windows Firewall works with IPSec.
When you work with Windows Firewall policy, you should generally first determine whether IPSec bypass should be allowed and, if so, configure the computers that should be allowed to use IPSec bypass. Next, determine whether Windows Firewall should be enabled or disabled in the Domain Profile and the Standard Profile. Then configure permitted exceptions, notification, and logging for when Windows Firewall is enabled in a profile.
Configuring IPSec Bypass
You can use the Windows Firewall: Allow Authenticated IPSec Bypass policy to
configure Windows Firewall to allow IPSec-secured communications to bypass the

In some environments, such as a small office with limited hardware firewall protection, you might want Windows Firewall to be enabled in the Domain Profile. In this case, you should also consider configuring the firewall so that computers can be remotely managed. For details, see “Allowing Remote Desktop Exceptions” in this chapter.
In policy, you can control whether Windows Firewall is enabled or disabled by using the Windows Firewall: Protect All Network Connections policy. Keep the following in mind when working with this policy:
■ If this policy is enabled, Windows Firewall will be enabled for all network connections on all computers that process the GPO containing this policy setting (according to the profile in which it is configured).
■ If this policy is disabled, Windows Firewall will be disabled for all network connections on all computers that process the GPO containing this policy setting (according to the profile in which it is configured).
■ Whether this policy is set as Enabled or Disabled, a user on the computer where the policy has been applied will be unable to change the setting. The option to change it will be grayed out.
Note
Although you can use the Advanced tab of the Windows Firewall dialog box
on the local computer to specify per-network connection firewall protection, this
functionality is not exposed through Group Policy. With Group Policy, you can only
enable or disable Windows Firewall for all network connections on a given computer.
Group Policy also does not allow you to configure the advanced per-connection
settings for services and ICMP configuration.
Managing Firewall Exceptions with Group Policy
Closely related to enabling and disabling Windows Firewall is the handling of exceptions. You can use exceptions to allow programs to access certain well-known ports on the computer even when Windows Firewall is enabled. By default, a user who is working on a computer that has Windows Firewall enabled receives security alerts when an application attempts to open a port for listening on

selected and both users and local administrators will be unable to clear this setting.
■ If you disable this policy, exceptions defined in policy will be allowed and any exceptions defined in the local Windows Firewall configuration will also be accepted. Further, in the Windows Firewall dialog box, the Don’t Allow Exceptions check box will be cleared and both users and local administrators will be unable to change this setting.
Administrators who log on locally can work around this policy setting by turning off
Windows Firewall.
Allowing File and Printer Sharing Exceptions
You can use file and printer sharing exceptions to accept or block file and print traffic to and from specific computers. File and printer sharing exceptions manage traffic on these ports:
■ TCP 139
■ TCP 445
■ UDP 137
■ UDP 138
These ports are used during file and printer sharing. You can manage their use by enabling or disabling the Windows Firewall: Allow File And Printer Sharing Exceptions policy. When working with this policy, keep the following in mind:
■ If you need to be able to map server shares and printers to a computer (usually
a server), you can enable this policy. In the Windows Firewall dialog box, the
File And Printer Sharing check box will be selected and both users and local
administrators will be unable to clear this setting.
■ If you want to prevent computers from mapping server shares and printers, you
can disable this policy. In the Windows Firewall dialog box, the File And Printer
Sharing check box will be cleared and both users and local administrators will
be unable to change this setting.
To enable and configure file and printer sharing exceptions, complete the following

policy setting also allows Svchost.exe and Lsass.exe to receive incoming messages and allows hosted services to open TCP ports in the 1024 to 1034 range to facilitate RPC communications. If you have any administrative applications that require RPC or SMB, you should enable this exception. If this policy is disabled or not configured, the following MMC snap-in tools cannot remotely access a computer protected by Windows Firewall:
■ Certificates
■ Computer Management
■ Device Management
■ Disk Management
■ Event Viewer
■ Group Policy
■ Indexing Service
■ IPSec Monitor
■ Local Users and Groups
■ Removable Storage Management
■ Resultant Set of Policy
■ Services
■ Shared Folders
■ WMI Control
Note
Because malicious users often try to attack computers through RPC and DCOM, you should enable remote administration exceptions only when you are certain they are needed. Also, note that if you allow remote administration exceptions, Windows Firewall allows incoming ICMP echo request (ping) messages on TCP port 445 even if the Windows Firewall: Allow ICMP Exceptions policy would otherwise block them.
To enable and configure remote administration exceptions, complete the following
steps:

Allowing UPnP Framework Exceptions
UPnP Framework exceptions permit Universal Plug and Play (UPnP) messages to be received by a computer. UPnP messages are used by services such as built-in firewall software to communicate with a Windows computer. When you permit UPnP Framework exceptions, TCP port 2869 and UDP port 1900 are allowed for use by the UPnP Framework services. Keep the following in mind:
■ If you enable this policy, computers that process this policy can receive UPnP Framework requests from specifically allowed computers. In the Windows Firewall dialog box, the UPnP Framework check box will be selected and both users and administrators will be unable to clear this setting.
■ If you disable this policy, UPnP Framework requests will be blocked by Windows Firewall for all computers that process this policy. In the Windows Firewall dialog box, the UPnP Framework check box will be cleared and both users and administrators will be unable to change this setting.
To enable and configure UPnP Framework exceptions, complete the following steps:
1. Access Computer Configuration\Administrative Templates\Network\Network
Connections\Windows Firewall.
2. Access Domain Profile or Standard Profile as appropriate, and then double-click
Windows Firewall: Allow UPnP Framework Exceptions.
3. Select Enabled, and then use the Allow Unsolicited Incoming Message From text
box to specify the scope of allowed communications, as described previously.
4. Click OK.
Defining Program Exceptions
In addition to configuring various exceptions for services, you can define exceptions
for programs, ICMP messages, and specific ports. When you configure program
exceptions, you specify applications for which you want to allow communications
rather than services.
Program exceptions are useful if you don’t know the particular port that an application
requires. You can simply select the executable name and Windows Firewall will detect

We use the environment variable %ProgramFiles% because this policy might need to run on multiple computers and we don’t necessarily know which disk volume the Program Files folder is on. The scope of 192.168.3.0/24 indicates that we want this exception to apply to all devices on the 192.168.3.0 subnet—/24 indicates a 24-bit subnet mask. If we want to allow all computers on the local subnet to talk with this application, we can use the localsubnet string within the scope portion in addition to any IP subnets or IP addresses that are specified:
192.168.3.0/24,localsubnet,192.168.1.5
Tip You can also use an asterisk (*) to specify that all networks can communicate with a particular application.
To enable and configure program exceptions, complete the following steps:
1. Access Computer Configuration\Administrative Templates\Network\Network
Connections\Windows Firewall.
2. Access Domain Profile or Standard Profile as appropriate, and then double-click
Windows Firewall: Define Program Exceptions.
3. Select Enabled, and then click Show. The Show Contents dialog box lists any
currently defined program exceptions (Figure 11-21).
Figure 11-21 Viewing and managing program exceptions
4. To add a new program exception, click Add. In the Add Item dialog box, type the
exception string. Exception strings take the form of a free text string that con-
tains a set of parameters in the following format:
PathToProgram:Scope:Status:Name
Note Do not use quotation marks when specifying any elements of the program exception, including the localsubnet string within the scope option. Even the name string should be entered without quotation marks.
5. To remove an existing program exception, select the exception and then click
Remove.
6. Click OK twice.

receiving them.
If you disable Windows Firewall: Allow ICMP Exceptions, no ICMP communications are allowed and an administrator cannot set any exceptions. However, if you enabled remote administration exceptions or file and printer sharing exceptions as described previously, Allow Inbound Echo Request is allowed for the related ports regardless.
Defining Port Exceptions
Port exceptions policy works much like program exceptions policy, except that you
specify a particular port to allow communications to instead of an application. If you
enable this policy, you can add a series of exceptions using the following format:
Port:Transport:Scope:Status:Name
These parameters are used as follows:
■ Port Specifies a particular port number.
■ Transport Specifies whether the port is UDP or TCP.
■ Scope A comma-separated list of IP addresses or IP subnets, or the entire local subnet, for which you are configuring the exception. Any computers that process the related GPO are either allowed to communicate or blocked from communicating over the defined port with the designated IP addresses.
■ Status Specifies whether communications are allowed or blocked (enabled or
disabled).
■ Name Text that can describe anything about the exception.
To see how this works, consider the following example: Suppose we want to allow
TCP port 80 (HTTP) access to a server from the 192.168.1.0/24 subnet. We define the
port exception as follows:
80:TCP:192.168.1.0/24:enabled:Allow HTTP Access
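The following Python parser, added here and not taken from the book or from Microsoft, checks exception strings in both layouts discussed above (PathToProgram:Scope:Status:Name for program exceptions and Port:Transport:Scope:Status:Name for port exceptions) against the field rules the text gives. The function names are illustrative, and the warning on a '*' scope is a reviewer's check rather than anything the policy itself enforces.

```python
"""Parse and validate the two exception string layouts described above:
program exceptions, PathToProgram:Scope:Status:Name, and port exceptions,
Port:Transport:Scope:Status:Name. Added example, not code from the book or
from Microsoft; the field rules follow the text and the '*' warning is a
reviewer's check added here."""
import ipaddress
from dataclasses import dataclass, field
from typing import List


class ExceptionFormatError(ValueError):
    """The string does not match the documented layout."""


@dataclass
class ParsedException:
    kind: str                # "program" or "port"
    target: str              # program path, or "port/TRANSPORT"
    scope: List[str]
    enabled: bool
    name: str
    warnings: List[str] = field(default_factory=list)


def _parse_scope(raw: str):
    """Scope is comma-separated: IPv4 addresses, a.b.c.d/nn subnets, the
    localsubnet keyword, or '*' for all networks."""
    items, warnings = [], []
    for item in (s.strip() for s in raw.split(",")):
        if item == "*":
            warnings.append("scope '*' admits every network; narrow it if possible")
        elif item.lower() != "localsubnet":
            try:  # strict=False tolerates host bits set inside a subnet
                ipaddress.IPv4Network(item, strict=False)
            except ValueError as exc:
                raise ExceptionFormatError(f"bad scope element {item!r}") from exc
        items.append(item)
    return items, warnings


def _parse_status(raw: str) -> bool:
    status = raw.strip().lower()
    if status not in ("enabled", "disabled"):
        raise ExceptionFormatError(f"status must be enabled or disabled, not {raw!r}")
    return status == "enabled"


def parse_program_exception(text: str) -> ParsedException:
    """The path may contain a drive-letter colon (C:\\...), so the three trailing
    fields are split off from the right; assumes the Name holds no colon."""
    if '"' in text:  # the Note above: no quotation marks in any field
        raise ExceptionFormatError("quotation marks are not allowed in any field")
    parts = text.rsplit(":", 3)
    if len(parts) != 4 or not parts[0]:
        raise ExceptionFormatError("expected PathToProgram:Scope:Status:Name")
    path, scope_raw, status_raw, name = parts
    scope, warnings = _parse_scope(scope_raw)
    return ParsedException("program", path, scope, _parse_status(status_raw), name, warnings)


def parse_port_exception(text: str) -> ParsedException:
    """Split from the left so that a colon in the free-text Name survives."""
    if '"' in text:  # assumption: the no-quotation-marks rule applies here too
        raise ExceptionFormatError("quotation marks are not allowed in any field")
    parts = text.split(":", 4)
    if len(parts) != 5:
        raise ExceptionFormatError("expected Port:Transport:Scope:Status:Name")
    port_raw, transport, scope_raw, status_raw, name = parts
    if not port_raw.isdigit() or not 1 <= int(port_raw) <= 65535:
        raise ExceptionFormatError(f"port must be 1-65535, not {port_raw!r}")
    if transport.upper() not in ("TCP", "UDP"):
        raise ExceptionFormatError(f"transport must be TCP or UDP, not {transport!r}")
    scope, warnings = _parse_scope(scope_raw)
    return ParsedException("port", f"{int(port_raw)}/{transport.upper()}", scope,
                           _parse_status(status_raw), name, warnings)
```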
To enable and configure port exceptions, complete the following steps:
1. Access Computer Configuration\Administrative Templates\Network\Network
Connections\Windows Firewall.
2. Access Domain Profile or Standard Profile as appropriate, and then double-click

on a computer that is blocking communications to that application. This policy is
most often enabled on servers because there are typically no users logged on to see
these messages.
Allowing Logging
The Windows Firewall: Allow Logging policy allows you to enforce logging of Windows Firewall activity. You’ll typically want to enable Windows Firewall logging only when you need to troubleshoot a problem. If you disable this policy, users and administrators cannot configure logging locally on computers that process the policy.
To enable and configure logging, complete the following steps:
1. Access Computer Configuration\Administrative Templates\Network\Network
Connections\Windows Firewall.
2. Access Domain Profile or Standard Profile as appropriate, and then double-click
Windows Firewall: Allow Logging.
3. Select Enabled, and then use the following options to configure logging:
❑ Log Dropped Packets Configures logging of any incoming packets that are blocked by the firewall. You can use this information to troubleshoot applications that are unable to communicate with a computer.
❑ Log Successful Connections Configures logging of all incoming and outgoing connections that succeed. This can obviously result in a lot of data, but you can see all traffic going to and from the computer.
❑ Log File Path And Name Select this option to specify the folder path and filename for the Windows Firewall log. The default location for logging is %SystemRoot%\pfirewall.log.
Tip
You can specify a different path and filename, including a remote UNC path (as long as the computer logging the data has permissions to that remote path). If you log to a UNC path, you should include the %ComputerName% environment variable in the filename or path to create a unique log for each computer. Keep in mind, however, that this can generate a lot of network traffic on the remote computer.
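Once logging is on, the log is only useful if someone reads it. The Python below, added here and not the book's or Microsoft's code, parses a firewall log in the W3C extended format the firewall writes (a #Fields header naming the columns, which is an assumption about the file rather than something this page describes) and tallies dropped inbound packets by destination port, the view you need to decide which exception an unreachable application is missing. The log lines in SAMPLE_LOG are constructed for illustration.

```python
"""Summarise a Windows Firewall log such as the %SystemRoot%\\pfirewall.log the
Allow Logging policy writes. Added example, not code from the book or from
Microsoft. It assumes the W3C extended log layout the firewall uses, in which
a '#Fields:' header names the columns, and the SAMPLE_LOG below is constructed
for illustration (Log Dropped Packets and Log Successful Connections on)."""
from collections import Counter
from typing import Dict, Iterable, List

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-03-01 09:15:02 DROP TCP 192.168.1.77 192.168.1.10 3391 445 48 S 1170524513 0 65535 - - - RECEIVE
2005-03-01 09:15:02 DROP TCP 192.168.1.77 192.168.1.10 3392 139 48 S 1170524514 0 65535 - - - RECEIVE
2005-03-01 09:15:03 DROP UDP 192.168.1.77 192.168.1.10 137 137 78 - - - - - - - RECEIVE
2005-03-01 09:15:05 OPEN TCP 192.168.1.10 192.168.1.20 1052 80 0 - 0 0 0 - - - SEND
2005-03-01 09:15:09 DROP TCP 192.168.1.77 192.168.1.10 3393 445 48 S 1170524515 0 65535 - - - RECEIVE
2005-03-01 09:15:10 DROP ICMP 192.168.1.77 192.168.1.10 - - 60 - - - - 8 0 - RECEIVE
2005-03-01 09:15:12 CLOSE TCP 192.168.1.10 192.168.1.20 1052 80 0 - 0 0 0 - - - SEND
"""


def parse_firewall_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one dict per record, keyed by the column names in '#Fields:'.

    Records are space-separated; '-' marks a column that does not apply
    (for example the ports on an ICMP record). Rows with the wrong column
    count are skipped rather than guessed at.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or not fields:
            continue  # other header lines, or data before any #Fields header
        values = line.split()
        if len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def inbound_drops_by_port(records: Iterable[Dict[str, str]]) -> Counter:
    """Count dropped inbound packets per (protocol, dst-port): the view used to
    work out which exception an application that cannot be reached needs."""
    counts: Counter = Counter()
    for rec in records:
        if rec["action"] == "DROP" and rec.get("path") == "RECEIVE":
            counts[(rec["protocol"], rec["dst-port"])] += 1
    return counts


def noisiest_sources(records: Iterable[Dict[str, str]], top: int = 3) -> List[tuple]:
    """Source addresses with the most dropped inbound packets, most first."""
    counts = Counter(rec["src-ip"] for rec in records
                     if rec["action"] == "DROP" and rec.get("path") == "RECEIVE")
    return counts.most_common(top)


def summarise(text: str = SAMPLE_LOG) -> Dict[str, object]:
    """Parse the log text and return record count, per-port drops and sources."""
    records = parse_firewall_log(text.splitlines())
    return {
        "records": len(records),
        "drops_by_port": inbound_drops_by_port(records),
        "sources": noisiest_sources(records),
    }
```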

Group Policy, you can configure Windows Firewall exceptions and prevent users and
local administrators from modifying Windows Firewall configurations locally.
Chapter 12
Creating Custom Environments
In this chapter:
Loopback Processing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
Terminal Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Group Policy over Slow Links. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
This chapter focuses mainly on modifying the default behavior of Group Policy objects (GPOs) in custom environments, such as when a user’s computer is connecting to the network in a unique manner or needs special configurations. We will investigate the GPO settings that allow you to control, secure, and configure these environments to ensure a functional but secure environment.
We review loopback processing first. Loopback processing is a unique and flexible option that allows for control of user settings through computer configurations. You can thus have control over the settings for all users who use a particular computer. We will next discuss Terminal Services sessions, which require special security and functionality control. Finally, we will look at slow link detection and how to control the GPO settings for slow link clients differently from those GPOs that typically affect all computers.
Active Directory Design and Normal GPO Processing
To design and implement custom environments, you need a good understanding of the basics of Group Policy, including how to design Active Directory® to facilitate deploying GPOs. Here are some basic and important concepts to remember with regard to designing Active Directory and deploying GPOs:
■ You must design GPOs with delegation of administration in mind.

Loopback Processing
User Group Policy loopback processing mode is a policy setting you can use to maintain a computer’s configuration regardless of who logs on. Loopback processing mode configures the user policy settings based on the computer rather than on the user. When this policy setting is enabled, one set of user settings applies to all users who log on to the computer. Because this policy setting targets computer accounts, it is a powerful tool and ideally suited for closely managed environments such as servers, terminal servers, classrooms, public kiosks, and reception areas.
Note When you enable the policy setting for loopback processing mode, you must
ensure that both the computer and user portions of the GPO are enabled.
The loopback policy is set in the Group Policy Object Editor snap-in by using the following policy setting:
Computer Settings\Administrative Templates\System\Group Policy\User Group Policy loopback processing mode
As shown in Figure 12-1, when you enable this policy you can select one of two
loopback processing modes: Replace or Merge.
Figure 12-1 The Replace and Merge loopback processing modes
Replace Mode
In Replace mode, the list of GPOs and their settings for the user account is not used.
Instead, the GPO list for the user is entirely replaced by the GPO list that was obtained
for the computer at startup, and the User Configuration settings from the GPO that
has the loopback setting configured are applied to the user account instead. This
means that when loopback processing in Replace mode is enabled, policy is processed
as follows:
1. The computer settings in the GPOs for the computer account are applied.
2. The user settings in the GPOs for the user account are ignored.
3. The user settings in the GPOs for the computer account are applied.
As a best practice, you might use Replace mode when you have computers that are

providing users with their desktops, applications, and other features that allow them
to perform their job functions.
Here are some best practices when using loopback processing in Merge mode:
■ Access to Control Panel items

