Access and connectivity policies control
network connections, dial-up connections, and Remote Assistance
configurations. These policies affect a system’s connectivity to the
network, as well as remote access to the system.
Configuring Network Policies
Many network policies are available. Network policies that control Internet Connection Sharing, Internet Connection Firewall, Windows Firewall, and Network
Bridge are configured at the computer level. Network policies that
control local area network (LAN) connections, TCP/IP configuration, and
remote access are configured at the user level. The primary policies
that you’ll want to use are summarized in Table 1.
You’ll find network policies under the Administrative Templates
policies for Computer Configuration under Network\Network Connections
and the Administrative Templates policies for User Configuration under
Network\Network Connections.
Table 1. Network Policies
POLICY TYPE | POLICY NAME | DESCRIPTION |
---|---|---|
Computer | Prohibit Installation And Configuration Of Network Bridge On Your DNS Domain Network | Determines whether users can install and configure network bridges. This policy applies only to the domain in which it is assigned. |
Computer | Require Domain Users To Elevate When Setting A Network’s Location | Determines whether the elevation prompt is displayed prior to setting a network’s location. |
Computer | Route All Traffic Through The Internal Network | Used with DirectAccess. Determines whether remote computers access the Internet via the internal corporate network or via their own Internet connection. |
User | Ability To Change Properties Of An All User Remote Access Connection | Determines whether users can view and modify the properties of remote access connections available to all users of the computer. |
User | Prohibit Deletion Of Remote Access Connections | Determines whether users can delete remote access connections. |
As shown in Table 1,
network policies for computers are designed to restrict actions on an
organization’s network. When you enforce these restrictions, users are
prohibited from using features such as Internet Connection Sharing in
the applicable domain. This is designed to protect the security of
corporate networks, but it doesn’t prevent users with laptops, for
example, from taking their computers home and using these features on
their own networks. To enable or disable these restrictions, follow
these steps:
- Access Group Policy for the resource you want to work with. Next, access the Network Connections node using the Administrative Templates policies for Computer Configuration under Network\Network Connections.
- Double-tap or double-click the policy that you want to configure. Select Enabled or Disabled, and then tap or click OK.
User policies for network connections usually prevent access to
certain configuration features, such as the advanced TCP/IP property
settings. To configure these policies, follow these steps:
- Access Group Policy for the resource you want to work with. Next, access the Administrative Templates policies for User Configuration under Network\Network Connections.
- Double-tap or double-click the policy that you want to configure. Select Enabled or Disabled, and then tap or click OK.
Configuring Remote Assistance Policies
Remote Assistance policies can be used to prevent or permit use of
remote assistance on computers. Typically, when you set Remote
Assistance policies, you’ll want to prevent unsolicited offers for
remote assistance while allowing requested offers. You can also force a
specific expiration for invitations through policy rather than by
setting this time limit through the System Properties dialog box of each
computer. To improve security, you can use strong invitation
encryption. This enhancement, however, limits who can answer Remote
Assistance invitations to only those running Windows Vista or later
releases of Windows.
To configure policy in this manner, follow these steps:
- Access Group Policy for the computer you want to work with. Next, access the Administrative Templates policies for Computer Configuration under System\Remote Assistance.
- Double-tap or double-click Configure Solicited Remote Assistance. Select Enabled. When enabled, this policy allows authorized users to solicit remote assistance.
- You can now specify the level of access for assistants. The Permit Remote Control Of This Computer selection list has two options:
  - Allow Helpers To Remotely Control The Computer: Permits viewing and remote control of the computer.
  - Allow Helpers To Only View This Computer: Permits only viewing; assistants cannot take control to make changes.
- Next, as shown in Figure 1, use the Maximum Ticket Time (Value) and Maximum Ticket Time (Units) options to set the maximum time limit for remote assistance invitations. The default maximum time limit is 1 hour. Tap or click OK.
Note
REAL WORLD The method for sending email invitations can be set to Mailto or Simple MAPI.
Mailto is a browser-based mail submission technique in which the
invitation’s recipient connects through an Internet link. Simple MAPI
uses Messaging
Application Programming Interface (MAPI) for sending the email
invitation as an attachment to an email message. So long as computers
can establish a connection with each other over port 80 and you’re using
a standard email program such as Microsoft Outlook or Windows Mail,
you’ll probably want to use Mailto.
- Double-tap or double-click Configure Offer Remote Assistance. In the Configure Offer Remote Assistance dialog box, select Disabled. Disabling this policy prevents unsolicited assistance offers. Tap or click OK.
- If you want to use strong invitation encryption and limit connections so they can come only from computers running Windows Vista, Windows 7, Windows 8, or later releases of Windows, double-tap or double-click Allow Only Vista Or Later Connections. In the Allow Only Vista Or Later Connections dialog box, select Enabled. Tap or click OK.
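The following PowerShell audit is an added example, not part of the original text or of any Microsoft tooling. It compares the registry values these Remote Assistance policies are assumed to write (the key path and value names do not appear on this page) with the configuration set in the steps above; the function names are hypothetical.

```powershell
# Added example: audit Remote Assistance policy values against the steps above.
# Assumption: the key path and value names below are not taken from this
# page; confirm them against the Remote Assistance ADMX template you deploy.
$RaPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RemoteAssistancePolicy {
    # Returns the policy values as a hashtable; values not set by policy are absent.
    $result = @{}
    $item = Get-ItemProperty -Path $RaPolicyKey -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($name in 'fAllowToGetHelp', 'fAllowFullControl', 'MaxTicketExpiry',
                          'MaxTicketExpiryUnits', 'fAllowUnsolicited',
                          'CreateEncryptedOnlyTickets') {
            if ($null -ne $item.$name) { $result[$name] = [int]$item.$name }
        }
    }
    $result
}

function Test-RemoteAssistancePolicy {
    param([hashtable]$Policy, [int]$MaxTicketMinutes = 60)
    $findings = @()
    # A missing value means Not Configured: local settings decide, so flag it.
    foreach ($name in 'fAllowToGetHelp', 'fAllowUnsolicited', 'CreateEncryptedOnlyTickets') {
        if (-not $Policy.ContainsKey($name)) { $findings += "$name is not set by policy" }
    }
    if ($Policy['fAllowToGetHelp'] -eq 0) { $findings += 'Solicited Remote Assistance is disabled' }
    if ($Policy['fAllowUnsolicited'] -eq 1) { $findings += 'Unsolicited offers are allowed' }
    if ($Policy['CreateEncryptedOnlyTickets'] -eq 0) { $findings += 'Strong invitation encryption is off' }
    if ($Policy.ContainsKey('MaxTicketExpiry') -and $Policy.ContainsKey('MaxTicketExpiryUnits')) {
        # Units: 0 = minutes, 1 = hours, 2 = days
        $factor = @(1, 60, 1440)[$Policy['MaxTicketExpiryUnits']]
        $minutes = $Policy['MaxTicketExpiry'] * $factor
        if ($minutes -gt $MaxTicketMinutes) { $findings += "Ticket lifetime is $minutes minutes" }
    }
    $findings
}

# Constructed sample: offers left enabled and an 8-hour ticket lifetime.
$sample = @{ fAllowToGetHelp = 1; fAllowFullControl = 0; MaxTicketExpiry = 8
             MaxTicketExpiryUnits = 1; fAllowUnsolicited = 1; CreateEncryptedOnlyTickets = 1 }
Test-RemoteAssistancePolicy -Policy $sample
# On a live Windows system: Test-RemoteAssistancePolicy -Policy (Get-RemoteAssistancePolicy)
```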
To prevent remote assistance and remote control, follow these steps:
- Access Group Policy for the computer you want to work with. Next, access the Administrative Templates policies for Computer Configuration under System\Remote Assistance.
- Double-tap or double-click Configure Solicited Remote Assistance. Select Disabled, and then tap or click Previous Setting or Next Setting, as appropriate.
- In the Configure Offer Remote Assistance dialog box, select Disabled, and then tap or click OK.