NOTE: This page covers policies for Windows 98, NT and 2000.
For information about Microsoft policies on later versions of Windows, see the following pages:
Maintaining control over what users can do to a public access computer's operating system is one of the primary goals of a library computer administrator. For instance, patrons must not be able to use certain desktop icons such as Network Neighborhood or My Computer. They should have only limited access to Start Menu items, including applets in the Control Panel and Taskbar features. They should have heavily restricted access to the C drive. One of the primary ways to secure these features and others is by modifying the registry.
It is possible to manually open up the registry and make modifications, but doing that can be a complicated and messy solution. Microsoft uses a "registry manipulating" system called Policies to take care of organizing registry changes that effect security. Microsoft Policies allow you to make registry modifications by outlining all the possible changes using check boxes to enable, disable, or define certain features. Different operating systems use slightly different versions of this system, but they essentially all do the same thing.
Here are a just a few examples of security features Microsoft Policies provide:
- Make drives not visible to the user
- Hide desktop icons like Network Neighborhood and My Computer
- Disable making changes to features like Taskbar and desktop settings
- Remove items on the Start Menu
- Disable access to Control Panel applets and configuration programs, like screen settings and network settings
Here is a quick summary of what each operating system offers:
- Windows 95/98
- Group Policies
- Windows NT
- Domain Policy
- User Rights Policy
- Group Policy
- Windows 2000
- Local Security Policy
- Local Group Policy
- Active Directory Policy
ADM File Templates
All Policies are created using a tool called a Policy Editor. By itself, the Policy Editor does not know where or what to edit in the registry. It has to be used in conjunction with ADM template. The ADM template is loaded in to the Policy Editor and outlines the various security policies that can be set in the registry. An ADM files is a text file that defines each security policy by providing the editor with information on the location in the registry to be edited as well as the policy name and the different policy options that can be set. Microsoft supplies different ADM templates for different products and versions.
Windows 95/98 Group Policies
When a Windows 95 or 98 computer configured to use group policies logs on, it first accesses the policy file Config.POL in the Netlogon directory of the NT domain controller. If a policy within that file corresponds to a user or group that is logging on, the policy is applied. Polices can be configured specifically for the machine or the user.
To create a Policy (Config.POL) for a Windows 95 or 98 computer, you must use the Policy Editor found in the \tools\reskit\netadmin\poledit directory of the Windows 95/98 CD. It is best to use the latest version found on the Windows 98 2nd edition CD. Although the file created with the Policy Editor can be stored on a Windows NT or 2000 server, it must be created on a Windows 95/98 computer.
In order to set up Policies for Windows 95 or 98, certain steps must be taken:
- On the Workstation
- Windows 95 or 98 computers must be configured to participate in a Windows NT or 2000 domain.
- Profiles must be enabled.
- On the Domain Controller
A policy file that is specific to Windows 95 and 98 must be placed in the "Netlogon" directory for the domain and must be named Config.POL. This policy file is created by an editor called the "Policy Editor." It comes standard on the Windows 95/98 CD. To create the policy file, the editor first loads template files (.ADM files) that are specific to Windows 95 and 98. These template files define the specific restrictions and security settings that can be applied. The policy file can be created to apply to specific users, groups, or computers within a domain.
Windows NT Policies
There are two main kinds of Policies that can be configured for Windows NT computers.
- Domain and User Rights Policies
Domain and User Rights Policies are different from the more commonly known "Group Policies." Where Group Policies control application functions, interface restrictions, etc., Domain and User Policies apply more to restrictions over OS functions, such as who can log in locally, act as part of the operating system, start and stop services, etc. These policies are edited using the policy tools found in "User Manager for Domains." For more detail on User Rights policies, see: User Rights.
- Group polices
Group Policies for Windows NT are similar to Group Policies for Windows 95 and 98. The Policies must be configured on a Windows NT computer using the Policy Editor found on the Windows NT CD in \clients\srvtools\winnt\i386. Windows NT also needs a policy file placed in the Netlogon directory of the domain controller and it must be named NTConfig.POL. The templates loaded must be specific to Windows NT. Like Windows 95 and 98 Group Policies, Windows NT Policies can be applied to users, groups, or computers within a domain. A network consisting of a mix of Windows NT and 98 computers utilizing group polices would have two different policy files in the Netlogon directory called NTConfig.POL and Config.POL.
Windows 2000 Policies
Policy restrictions in Windows 2000 are vastly expanded over Windows NT. Because there are so many new different kinds of policies to configure, understanding them can sometimes get complicated. Instead of using a special Policy Editor, Windows 2000 utilizes the universal MMC snap-in. This is just a viewer that can load various programs, including a Policy Editor. Here is a rough outline of what Windows 2000 offers for security control using Policies.
- Local Security Policy
The Windows 2000 Local Security Policy is equivalent to the Windows NT User Rights Policy. This policy works the same as it does on Windows NT by controlling how local users and groups can interact with OS level functions. The snap-in for editing this policy can be found in the "Administrative Tools" group. For more detail on the Windows 2000 Local Security policy, see Microsoft's Granting Log on Locally Rights.
- Local Group Policies
Local Group Policies are local policies that apply to only one computer. There is no standard shortcut to the snap-in, but it can be opened by running "gpedit.msc." Although the policy is called a "group policy," it is misleading because the policy applies to all users that log in to the computer. There is a way around this limitation: by using a previous version of the Windows NT Group Policy Editor. It allows you to apply Policies to local (as opposed to Domain or Active Directory objects) groups and users on a Windows 2000 workstation, but Microsoft does not support it.
- Active Directory Policies
Active Directory Policies work on the Domain level and can be applied to networks of workstations, small and large. They allow you to set up a structure of containers that hold users, computers, or groups of users or computers. A policy can be applied to any number of containers and is applied depending on whether a user or computer belongs to one of those containers. The domain policy similar to the Windows NT domain policy can be found here at the highest level container. All of the snap-ins to administer the Policies are found in the Administrative Tools group on a domain controller. Like the local Group Policies, these Policies are divided into two main subcategories:
- The user subsection of an Active Directory policy applies to the user section of the registry as explained above. (HKEY_CURRENT_USER)
- The computer subsection applies to the machine or computer section of the registry. (HKEY_LOCAL_MACHINE)
Making Microsoft Policies Secure
- Windows 95, 98, NT - Locking down Policies for these operating systems is simple. Any user or group that shouldn't have rights to access the Policies shouldn't have rights to the NTConfig.POL and/or Config.POL files in the Netlogon directory. By default, only administrative and system groups have access here, so it is unlikely that rights will need to be changed. Also, non-administrative users should neither be able to see nor have access to the Policy Editor.
- Windows 2000 - Locking down Policies for Windows 2000 is fairly simple, as well. For each policy, there is a security tab that gives rights to users and groups. By default, users and groups that shouldn't have access to edit Policies are already denied rights. Additionally, shortcuts to the policy editing snap-ins are normally not created for non-administrative users.