[Full-Disclosure] W2k users, local admin rights and GPOs

From: James Exim (security_at_exim.dyndns.org)
Date: 10/29/03

    To: <full-disclosure@lists.netsys.com>
    Date: Wed, 29 Oct 2003 09:50:39 +0100
    
    

    It has been pointed out several times recently on the SF mailing lists that
    a W2k user with local administrator rights can prevent group policy
    application on his/her machine and there is apparently nothing the domain
    administrator(s) can do about it (see
    http://www.derkeiler.com/Mailing-Lists/securityfocus/focus-ms/2003-09/0106.html
    for an example).

    Does anyone know exactly (a) how, and (b) why this is possible? Is there
    really no workaround other than removing the users from the local
    Administrators group? I keep discovering W2k machines where end users have
    been granted local admin rights (yuk!) and I'm trying to convince the
    relevant domain admins that, while this is an easy way to make legacy
    software work, it isn't such a great idea from a security point of view...

    Thanks,

    James

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

