
Building Policies with Vista's SIDs

Last updated Nov 22, 2006.

Windows Vista gives the desktop computer administrator, for the first time, the ability to control resource access with the same sensible tools that the Windows Server 2003 admin has been using for the past few years. In a way, it signals the appropriate and welcome surrender of some of Microsoft’s designers to the idea that, when they try too hard to make an idea warm and fuzzy for consumers to embrace, they end up making it way too convoluted for anyone to want to tackle. The Management Console tools, while obviously far more complex, are also orders of magnitude more sensible. It’s more like scaling a mountain with a skill-requiring set of climbing gear than with an easy-to-use pogo stick.

Applying SIDs to Local Policies

Vista starts out with a limited number of local group policies that can be applied to the SIDs listed earlier. Believe it or not, this list is extensible, not only through newly installed software, but also by .NET processes (which developers can write in any language the .NET runtime supports) that register themselves using Microsoft’s new XML-based template for policies.

We won’t get into that here; instead, let’s check out the procedure for attributing an existing policy restriction to an existing group. This is how you decide which types of accounts (especially the non-human ones) are prohibited from performing certain acts. Notice we’re using Vista now, not XP or WS2K3, so some of the "familiar" items we’ve been discussing in procedures since Windows 95 aren’t quite as familiar now.

  1. To engage the Local Security Policy console, from the Start button (which is no longer marked "Start," but just has the Windows logo in a sphere in the lower left corner), select Administrative Tools, Local Security Policy.
  2. User Account Control should stop you at this point. If it’s just looking for notification, click Continue. Otherwise, if you see a password dialog, enter the administrator password and click OK.
  3. In the left pane, under Security Policy, Local Policies, choose User Rights Assessment. The Detail pane will list those policies that Vista can presently enforce.
  4. To see the explicit list of what you can do for an item you’ve chosen in the detail pane, open up the right "Action" pane by clicking on the Show/Hide Action Pane button in the toolbar.
  5. In the detail pane under Policy, choose the policy whose enforcement you wish to change.
  6. In the action pane under Actions, below the name of the policy you just chose, select More Actions, Properties. The properties pane for the policy you just chose will appear.
  7. To remove a generic SID or group from enforcement, in the list, choose that object, then click on Remove. You’ll see the item removed from the list, but your choice won’t be finalized until you click Apply or OK (and really not even then). For example, to change policy so that not just everyone can log onto this local computer from the network, open the properties page for the Access this computer from the network policy, then from the list, choose Everyone and click on Remove.
  8. To add a group to the list so that the policy is enforced for all members of that group, first click on Add User or Group. Then from the Select Users or Groups dialog (which will look familiar, thankfully), under Enter the object names to select, you can simply type their names, each on a line of its own. You could also click on Advanced followed by Find Now to see a list of all applicable SIDs, then choose the ones you want from the list, then click OK. To add the names you’ve chosen, from the Select Users or Groups dialog, click OK.
  9. To finalize your changes, click OK. You’ll see the usual security warning. Click Yes.

Here’s something you might be wondering: How come you didn’t see User Account Control come up just before the policy change was applied? The answer has to do with where Microsoft decided to post its guard. UAC elevates accounts to authenticator status for running Microsoft Management Console, and Local Security Policy is just one MMC plug-in.
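Clicking through the properties page tells you what the console thinks the policy says; the export that secedit produces tells you what the machine actually enforces. The script below is an added example, not part of the original guide, that exports the local policy and checks whether Everyone (S-1-1-0) still holds the right behind "Access this computer from the network" (its internal name is SeNetworkLogonRight). It assumes an elevated PowerShell session on Vista or later, and the export path is a constructed placeholder.

```powershell
# Added example (not from the original article). Audit the local user right
# behind "Access this computer from the network" by parsing a secedit export
# rather than trusting what the MMC properties page shows.
# Assumptions: elevated PowerShell session; secedit.exe available; the export
# path below is a constructed placeholder.

$ExportPath  = Join-Path $env:TEMP 'secpol-export.inf'   # placeholder path
$RightName   = 'SeNetworkLogonRight'   # "Access this computer from the network"
$EveryoneSid = 'S-1-1-0'               # the well-known SID for Everyone

function Get-PrivilegeRights {
    param([string[]]$InfLines)
    # Returns a hashtable: privilege constant -> array of grantees (SIDs or names)
    # taken from the [Privilege Rights] section of a secedit export.
    $rights = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            # secedit writes SIDs with a leading '*' and resolved names without it.
            $grantees = $Matches[2].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ }
            $rights[$name] = @($grantees)
        }
    }
    return $rights
}

function Test-HasRight {
    param([hashtable]$Rights, [string]$Right, [string]$Grantee)
    return ($Rights.ContainsKey($Right) -and ($Rights[$Right] -contains $Grantee))
}

# Export the effective local settings (secedit writes a UTF-16 .inf file).
secedit /export /cfg $ExportPath /quiet | Out-Null
$rights = Get-PrivilegeRights (Get-Content $ExportPath -Encoding Unicode)
Remove-Item $ExportPath -ErrorAction SilentlyContinue

Write-Host "$RightName is granted to: $($rights[$RightName] -join ', ')"
if (Test-HasRight $rights $RightName $EveryoneSid) {
    Write-Warning "Everyone ($EveryoneSid) still holds $RightName; remove it via the properties page described above."
} else {
    Write-Host "Everyone is not granted $RightName."
}
```

Re-run it after clicking OK in the console; if the export still lists *S-1-1-0 for that right, the change never took effect, which is exactly the "and really not even then" caveat in step 7.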

Can Microsoft Not Count to 700?

In some of its promotional literature for Windows Vista, Microsoft mentioned that it would be the first general Windows version (outside of Windows Server) to include Group Policy Management Console. A number of early Vista book authors simply took that fact for granted, giving readers instructions like "Start GPMC from the Administrative Tools menu." Maybe that’s where it was in the betas ... no, wait, it wasn’t there in the betas either.

GPMC is definitely on your Vista machine; you don’t have to download it. But you do have to install it as an MMC plug-in. And that’s a little weirdness unto itself, because MMC isn’t on the Administrative Tools menu either. Anyway, you should be able to start MMC the old-fashioned way, and install the GPMC plug-in as follows:

  1. From the Start button, select Run, and at the prompt, type mmc and click OK. (Some things never change.)
  2. UAC should appear here to ask for verification or the admin password.
  3. Besides the addition of the Actions pane, Microsoft Management Console in Vista isn’t much different. From the File menu (are you surprised it’s still there?) select Add/Remove Snap-in.
  4. In the Available snap-ins list at left, you’ll want to choose Group Policy Management and Group Policy Object Editor. Trouble is, you can only choose one at a time, so start with Management, then click Add. Then choose Object Editor and click Add.
  5. The very instant you click Add, as though you were being interrupted by an unseen overlord, you’ll start the Group Policy Wizard. Leave the GPO set to Local Computer, then click Finish. Notice on the list of Selected Snap-ins, you’ll actually find Local Computer Policy, which wasn’t the name of what you chose, but so be it.
  6. Click OK.
  7. You’ll see a warning telling you to log in using a domain user account. This will be odd for all those home users not connected to an Active Directory domain at home. But click OK and don’t worry about it for now.

The Group Policy Management plug-in pertains to GPOs throughout the entire domain, not specifically local computer policies. So any restrictions that can be placed on the local user’s ability to change policy must be enforced through the network for now. I’m curious as to whether this fact might actually leave the door open a crack for malicious use, because technically, one who hacks the group policies themselves need not necessarily go through MMC or GPMC or Local Security Policy to get to them.
