Administering Security with Group Policy
This chapter shows you how to administer security with Group Policy, which is essential to meet the challenge of protecting your organization from outside forces. Software restriction policies, new in Microsoft Windows XP and the Microsoft Windows 2003 Server family, are available to help govern which software can be installed on users’ computers, reducing the chance of hostile code being introduced to the environment. By establishing an audit policy and administering the security log, you can monitor events you specify to ensure the environment is secure. After you’ve determined your organization’s security goals, you can use the Security Templates and Security Configuration and Analysis tools to establish a baseline security configuration on all computers in your organization.
A small number of the client systems are running Windows NT 4 Workstation. How would you advise Wide World Importers regarding software installation for these systems?
Group Policy-based software installation will not apply to Windows 95, Microsoft Windows 98, Microsoft Windows Millennium Edition (Windows Me), or Windows NT systems. One option to remedy the issue is to purchase and utilize SMS. SMS is a powerful network management application that can be used to push software to pre-Windows 2000 operating systems. However, investing in SMS might not be the best option for the sole purpose of deploying software to a few Windows 95, Windows 98, and Windows NT systems. Instead, it might make more sense to upgrade these systems to Windows 2000, Windows Server 2003, or Windows XP (as appropriate). If for some reason these options don’t work for the company, installing the software manually or using some other network management tool are the remaining options.
The shipping application is a proprietary application that does not have an .msi file associated with it. How would you recommend using Group Policy to deploy this application to the Shipping department?
There are two options for deploying an application that does not natively have an .msi file available. The simplest, but least flexible, is to create a Zero Administration Package, or .zap file. This allows an administrator to publish this application to users, so they can select to install that application from Add/Remove Programs (or Add Or Remove Programs in Windows XP). However, a .zap file will not take advantage of Windows Installer features such as installing with elevated privileges, automatic rollback, and automatic repair of damaged or missing program files. A .zap file also cannot be assigned to users or computers, only published to users.
The other option is to use a third-party application to package the program into an .msi file. WinINSTALL, from Veritas, is one such application that can create .msi files from executable files. A limited version of WinINSTALL is included on the Windows 2000 CD-ROM. However, this application is not available on the Windows Server 2003 CD-ROM.
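A minimal .zap file for the first option above, as an added example that is not part of the original text. The server name, share path, application name, publisher and file extension are constructed placeholders.

```ini
; shipping.zap - constructed example of a Zero Administration Package file.
; Place it on the same distribution share as the setup program and add it
; to the GPO under User Configuration > Software Settings > Software
; installation. A .zap package can only be published to users.

[Application]
; FriendlyName and SetupCommand are the only required entries.
; FriendlyName is the name shown in Add/Remove Programs.
FriendlyName = "Shipping Tracker"

; SetupCommand runs the vendor's own setup program. It runs in the security
; context of the logged-on user, not with elevated privileges, so the user
; must already hold whatever rights the installer needs.
; Keep the share read-only for users so the setup binary cannot be replaced.
SetupCommand = \\fileserver.example.com\deploy\shipping\setup.exe

; Optional descriptive entries.
DisplayVersion = 1.0
Publisher = Example Vendor

[Ext]
; Optional: file extensions that offer this application for installation
; when a user opens a matching document. SHP is a hypothetical extension.
SHP=
```

Because Windows Installer is not involved, nothing in this file provides rollback or repair; a failed or partial setup has to be cleaned up by the vendor's installer or by hand.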