GPMC will be removed if you install Vista Service Pack 1 (follow up post)

As I discussed in a previous post, I thought that the removal of the Group Policy Management Console from Vista when installing service pack 1 was a pretty bad idea. David Overton asked if anyone cared about GPMC being pulled out of Vista with sp1, while others claim it really is a good step for a variety of reasons, and I wanted to follow up on this.

There were various articles announcing Vista sp1, including one on the official Vista team blog which managed to say lots about all the good stuff and conveniently forget some things like the removal of the very useful GPMC, which is only mentioned in the whitepaper (and later reported on by various bloggers and journalists of varying degrees of credibility).

I have to admit that reading whitepapers can sound pretty dull, particularly when they relate to something I can’t download yet. I tend to think “I’ll read it nearer the time, once I have actually downloaded <whatever> and can apply what I am reading”. On this basis it is easy for people to overlook this announcement amid the other marketing hype.

In my mind there are two key questions here:
Firstly, I know there is supposed to be a new enhanced version of GPMC available at some point, but will it be available in time for the Beta testers? Or even for the final release of sp1? This remains unanswered at the moment, and is crucial. If it is available, it lessens the impact considerably.

Secondly, why take a retrograde step to remove something which is already in there? This second question is the one which most other commentators have addressed.

Jeremy Moskowitz, MVP for Group Policy makes some valid points on a post entitled “Vista + SP1 = Gbye GPMC” in his blog (sorry but I can’t find a way to link to the specific post):

Today, the GPMC is part of Vista. That’s great. One less thing to load.
But what’s also (now) true is that if you install SP1 for Vista (not yet available) the GPMC will be uninstalled. Why?

Because this allows for something that I’ve personally advocated for. That is, when new goodies are ready to be launched in Group Policy land, let’s GET IT OUT THE DOOR. And it used to be this way. The GPMC was a simple download and simple install. When bugs were found in the GPMC, that meant it was a quick fix to jam the fixes in, and re-upload the file for the masses.

But now (today) the GPMC is part of the Longhorn and Vista operating systems. Is this good? Not really, in this one dude’s opinion. Because what if some new whiz bang feature is suddenly available? Then you’ll have to wait until MAYBE an operating system service pack, or at worst a full operating system revision until it’s updated.

Darren Mar-Elia (another GP MVP) wrote a very extensive post about the Vista sp1 release, specifically pointing out lots of errors in one of the many articles about sp1. In it he takes up the same idea as Jeremy:

Back when GPMC first shipped, out-of-band of the OS, I’m sure Microsoft heard complaints that it should be in the OS, since it became such a crucial part of managing GP for many shops. So, they went and did the most logical thing – they put it in the box in Vista.

But to do that resulted in GPMC having to become part of the behemoth that is the Operating System release cycle at MS. This has obvious limitations if you know how glacially things move within MS when it comes to OS revs. Once inside the OS, they could no longer rev the GPMC and make enhancements to it on their own schedule.

However, I can’t see that the GPMC is so tightly integrated to the operating system as to prevent an update independently of the service pack cycle. The GP processing engine, sure (although making that its own process in Vista outside of winlogon should help with any patches that are needed). But the GPMC is an application. It does nothing until invoked by the user. I realise that it can still use shared code, but does it, in fact?

Anyway, if the GPMC is so woven into the fabric of the OS that it can’t be independently tested and upgraded, how are they managing to take it out so easily? Surely that is contradictory?

Other OS components installed by default have upgrades made available periodically, the most obvious being Internet Explorer and Media Player. MS have claimed for a long time that both of these are fundamental components of the OS and that it would not be possible to ship Windows without them unless it was severely crippled. This has been the basis of its defence in previous anti-competitive practices (antitrust) lawsuits. Microsoft just spent three years appealing a decision by the EU courts that ruled they had to produce a version of Windows XP without Media Player (which they have subsequently done for both XP and Vista).

Darren goes on to say:

But, with GPMC installed on every desktop, any joe user with normal non-administrative rights in the domain can open GPMC and view the settings on any GPO they have read access to! Further, they can also backup all GPOs that they have read permissions on, to, say, their USB keys.

Technically true, and echoed by others. However, this overlooks the fact that to run GPMC on Vista in a default configuration the user requires local admin rights on their domain account (the local admin account won’t be able to access the domain policies, only the local ones). So yes, if you have domain users with local admin rights on their machines, they could run GPMC as described and take a copy of your policies. I’ll ignore for a moment the lack of security inherent in that model (because I accept there may be users who have a second account for doing admin things occasionally via runas or UAC).
My question is this: surely a user sophisticated and malicious enough to do what Darren suggests would also be able to take the trivial step of installing GPMC if it was not already on their machine?

If they don’t have local admin rights they could still take a copy of the files for the policies they have read access to by going directly into the sysvol share. This would then take more effort to interpret than a GPMC report but they could easily restore them into another domain (in a virtual machine, say) in the same way you would have done before GPMC.

As a counter to this, surely we should be advising people to take more care in the creation of their Group Policies? It is very easy to ignore the security filtering for most purposes if you have designed your AD to enable you to target your policy links exactly where you need them. However, it may be prudent to remove “authenticated users” from the security filter (or via the delegation tab) and add back in only those groups who actually need to receive each policy.

You could start by having a security group for all computer accounts and another for users if you are following the recommended practice of keeping the two types of settings separated and only enabling one ‘half’ of each policy. This would immediately secure your computer policies against the sort of access that we are concerned with here, including via sysvol. More granular groups would be ideal, but would increase the overhead of managing things.
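The filtering change described in the two paragraphs above, carried out as an added example script (not code from this post or from Microsoft). It uses the GroupPolicy PowerShell module, which shipped later than this post (Server 2008 R2 / RSAT onwards); the GPO name and the two group names are constructed placeholders, and the step that keeps Read for Domain Computers is a caveat from a later era, explained in the comment.

```powershell
# Added example, not from the post or from Microsoft: restrict a GPO's security
# filtering to explicit computer and user groups instead of 'Authenticated Users'.
# Requires the GroupPolicy module (Server 2008 R2 / RSAT, which postdates this post).
# GPO and group names below are constructed placeholders.
Import-Module GroupPolicy

$GpoName     = 'Workstation Baseline'     # placeholder GPO name
$ComputerGrp = 'GPO-Workstations-Apply'   # placeholder group containing the computer accounts
$UserGrp     = 'GPO-Staff-Apply'          # placeholder group containing the user accounts

function Show-GpoFilter {
    param([string]$Name)
    # List every trustee on the GPO with its permission level (GpoRead, GpoApply, GpoEdit, ...)
    Get-GPPermission -Name $Name -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
        Format-Table -AutoSize
}

Write-Host "Before:"
Show-GpoFilter -Name $GpoName

# 1. Drop the default 'Authenticated Users' entry (Read + Apply), so every account
#    in the domain can no longer read the GPO through GPMC or have it applied.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None

# 2. Add back only the groups that actually need to receive this policy.
#    GpoApply grants Read + Apply Group Policy, which is what the filter needs.
Set-GPPermission -Name $GpoName -TargetName $ComputerGrp -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Name $GpoName -TargetName $UserGrp     -TargetType Group -PermissionLevel GpoApply

# 3. Caveat from a later era: since the MS16-072 update (2016) the computer account,
#    not the user, reads the user-side settings of a GPO. Keep Read (not Apply) for
#    computers, or the user half of this policy silently stops applying.
Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead

Write-Host "After:"
Show-GpoFilter -Name $GpoName

# Sanity check: make sure the broad default did not survive (e.g. as an inherited entry).
$leftover = Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Trustee.Name -eq 'Authenticated Users' }
if ($leftover) { Write-Warning "Authenticated Users still has access to '$GpoName'" }
```

The before/after listings make the change reviewable: the only trustees left with GpoApply should be the two explicit groups, and the sysvol folder for the GPO inherits the same ACL, so the copy-from-sysvol route mentioned earlier is narrowed at the same time.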

So, I remain to be convinced that having GPMC pre-installed actually makes anything less secure than it already is. I am also unconvinced that it needs to be removed in order for independent updates to take place, as that would imply it was very tightly integrated in the OS, which would imply it could be quite hard to take out of the codebase, which seems to me a little contradictory.

I’ll just have to live without it, or install the enhanced version as long as it is available soon enough. It just still seems illogical.

7 Responses to GPMC will be removed if you install Vista Service Pack 1 (follow up post)

  1. Adam-
    You’re welcome to be unconvinced, but I can tell you from first-hand conversations with the GP product team that having GPMC as part of the OS cripples its updatability. This is simply a matter of fact and makes sense if you think about the development lifecycle an OS the size of Windows must go through. OS components typically have to be locked down far earlier than anything else that goes into the box. And, when you make changes to an OS component, the test matrix for ensuring it does not break anything else is immense. So, yes, having it in the OS simply slows down the innovation of GPMC.

    To your point about my comment on security, I’ll make a couple of points. First off, good security practice always calls for reducing the attack surface as much as is feasible. This often means removing any components that aren’t critical to the function of the system, as bugs that exist in those “extra” components can be exploited for no good reason (lots of examples of this in Windows in the past).
    Second, my point about GPMC being a source of exploit for regular users is this: it doesn’t take a malicious user to take advantage of the information that GPMC gives them. It only takes a curious user to take possession of information that they don’t have a need for, and then expose that to someone who is malicious, to make this a problem. The point is that you don’t make it easy for someone to get information about your security configuration in any case–and that is what GPMC does. Yes, you could use security filtering to minimize the number of GPOs any given user can read, but ultimately, if I can read a GPO, you can use GPMC to back it up, report on it, etc. And I’m not sure what you’re saying about local admin–are you saying that if I’m not a local admin, I can’t use GPMC? Because that’s not the case. A regular, non-admin domain user on Vista can launch and read GPOs that they have read access to using GPMC.

    Finally, the reality is that it’s only admins that use GPMC. It’s trivial, as you mentioned, to download and install it. Now, if as an admin you frequently move from machine to machine managing GP, then I can see where having GPMC on every machine would be convenient. However, if not, then I don’t see what all the fuss is about, since it will be trivial, once SP1 ships, to download GPMC once to your Vista admin workstation and be done with it.

  2. The tools used to manage Group Policy for Windows Vista will change with the installation of Windows Vista Service Pack 1. GPMC will be uninstalled with Service Pack 1 and GPEdit will default to Local Group Policy editing. Following these changes, SP1 users can download an updated version of GPMC that contains much requested functionality including the ability to add comments to GPOs or individual settings, to search for specific GP settings, and to use Starter GPOs which encapsulate best practices.

  3. Pingback: UK SMB Girl » Microsoft Windows Vista Service Pack 1

  4. Adam Vero says:

    Thanks for your comments – that’s why we need MVPs who are close to MS to get the inside track on stuff that us mere mortals can’t get.
    I guess my frustration is that, given the slow movement of these test cycles, GPMC was ever put into the OS and not released as a separate application, which denies us the ability to download and install the current version.

    Once it was in, they decided to take it out again. But still not release it as a separate application yet.
    There is a new version ’round the corner’ but no clarity as to whether this will be available as sp1 goes to Beta, nor even for the final release (I’m not saying it won’t be, I just want some clarity). Presumably the same part of the internal process that decided to take it out and how to do so (with such an immense cross-testing requirement) should be able to work out how long it will be before we can put it back in.

    A version for 2003 that handles ADMX natively and can edit Vista policies would be nice too.

    As to local admin requirement to run GPMC, that’s what I was seeing (via UAC), but after some digging I think I turned up a reason for that on my machine as my shortcuts were set to require admin (to save me using runas), but directly running the msc was OK. My bad.

    So the security issue is worse than I thought and yes, that does mean a slightly easier job for someone trying to get a copy of the policies. Sysvol is still wide open though, so people should not believe that removing this tool protects them entirely – as you say, they can still get at any policy they can read (so at least all the ones which apply to them).

  5. Adam-
    I agree that there has been a general lack of clarity about timing and availability about this (and a lot) of stuff related to Server 2008 and SP1. One thing I can tell you is that you won’t see a version of GPMC that runs on Server 2003 and can parse ADMX. That just won’t happen. Microsoft’s standard line on that is that if you want to manage Vista+ policies, use a Vista management station. I’m sure the same will hold true with Server 2008.

    I don’t know for sure, but I suspect the moment Server 2008 ships, or shortly thereafter, there will be a version of GPMC that will install on Vista as part of a Server 2008 AdminPak. But don’t quote me on that :).

  6. Thomas Gantner says:

    I don’t see much of a problem for me. Mainly it’s because I rarely launch GPMC because almost all of my configuration settings rely on Scriptlogic’s Desktop Authority. In fact I am using GPMC very rarely these days because most of the core policies I need to have were created ages ago and I don’t even want to think about changing them because I find group policies hardly applicable for working with a changing environment. However, there’s also one point I’d like to add here. When GPMC was first released to the public back in August of 2004 (if memory serves me rightly, because GPMC SP1 was released a year after that) it was provided mainly as an add-on for Windows Server 2003. It was said however that it would be able to work under Windows XP but you had to have Windows XP Service Pack 1 installed along with the .NET Framework on the workstation machine. That’s why I don’t see it will create problems now, when Service Pack 1 of Vista is issued to the public. In fact Microsoft may even decide to include it again. Who would make a bid? As we know, GPMC was included as one of the new features for Windows Server .NET back in 2002. Then, as it is known, it was decided to exclude the feature from the final version of the product that was given the name of Windows Server 2003. I guess Darren may know it far better as it was him who had been contributing to .NET magazine with the news about .NET in 2002. Furthermore, I see it may be reasonable to exclude the console from the Windows Vista package. No one would dispute that GPMC is not installed by default in Windows Server 2008 RC0, right? You can’t launch it until you add the feature to the list of active features in the Server Manager manually. That even blocks you from making preliminary security changes such as changing password complexity because you can’t change it with gpedit. Here it would be reasonable to quote Darren but as he said “But don’t quote me on that”. This all serves for extensibility.
    That’s by the way one of the key moments I like in Scriptlogic’s desktop management tool. I can extend this application according to my needs by adding and removing tasks and rules to configure execution of the tasks for the users or computers in my domain. It provides for greater responsiveness to changes I need to reflect in my domain. I don’t need to care about links, tune security filtering and so on. I just make changes to the configuration and that’s it. Sometimes though I need to access Desktop Authority when I don’t have direct access to the box where I have deployed its manager. Then I just launch it via the network.

  7. casimir says:

    try the last 2008 beta ( the GPMC with Preferences in Edit )
