RE: Disabling sharing and group policies

From: Arik Fletcher (arikf_at_joskos.com)
Date: 09/10/03

  • Next message: Jon Strange: "RE: GPO for one machine" 
    Date: Wed, 10 Sep 2003 16:43:43 +0100
To: <robert@snrdesigns.com>, "Enrico Pastrello" <epastrello@altevie.com>, <focus-ms@securityfocus.com>

    Group policies are applied in what is know as LSDO (or LSDOU) which stands for Local, Site, Domain, Organisational Unit. This is the order in which poilicies apply to a computer/user.
     
    One cannot 'bypass' group policies by editing the local registry because if there is a conflict between the local settings and the nearest parent container (i.e. an OU, Domain, or Site) these will override the local settings.
     
     

            -----Original Message-----
            From: Robert Blackwell [mailto:robert@snrdesigns.com]
            Sent: Wed 9/10/2003 5:11 AM
            To: Enrico Pastrello; focus-ms@securityfocus.com
            Cc:
            Subject: RE: Disabling sharing and group policies
            
            

            yes they can. In-fact, anyone who has physical access to the box can render
            the majority of group policy objects useless, but that's another story. I'm
            not too clear on what you are wanting to do. If you just want to get rid of
            the everyone share on a local machine, disallow all anonymous access and
            disable the guest account. the everyone share will still be there but it
            will be effectively disabled by these settings. group policies are not
            really needed to do this. Somebody please correct me if this is not the
            case.
            
            -----Original Message-----
            From: Enrico Pastrello [mailto:epastrello@altevie.com]
            Sent: Tuesday, September 09, 2003 8:40 AM
            To: focus-ms@securityfocus.com
            Subject: RE: Disabling sharing and group policies
            
            
            Maybe I'm saying something quite stupid but since group policies are saved
            in the registry,
            machine administrators can easilly bypass them.
            
            Greetings,
            Enrico Pastrello
            
            -----Original Message-----
            From: Matthew Wagenknecht [mailto:Matthew.Wagenknecht@quantum.com]
            Sent: lunedì 8 settembre 2003 18.49
            To: focus-ms@securityfocus.com
            Subject: Disabling sharing and group policies
            
            
            Is there a way with Group Policies to disable sharing without pulling users
            from the Administrator group or killing adminstrative shares? I'm looking
            for a way to reduce "everyone" shares without flogging end users. Strangely,
            that actually sounds fun.. ;c)
            
            Please keep flames off the list.
            
            -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
            Matt Wagenknecht, CISSP
            Security Administrator
            -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
            
            Never be afraid to try something new.
            Remember, amateurs built the ark; professionals built the Titanic.
            
            
            This email may contain confidential and privileged information for the sole
            use of the intended recipient. Any review or distribution by others is
            strictly prohibited. If you are not the intended recipient, please contact
            the sender and delete all copies of this email message.
            
            
            ---------------------------------------------------------------------------
            KaVaDo provides the first and only integrated Web application scanner and
            firewall security suite that prevent Web applications attacks, the most
            common form of online exploitation. Download a FREE whitepaper on Security
            Policy Automation for Web Applications.
            http://www.securityfocus.com/sponsor/KaVaDo_focus-ms_030818
            ---------------------------------------------------------------------------
            
            
            ---------------------------------------------------------------------------
            KaVaDo provides the first and only integrated Web application scanner and
            firewall security suite that prevent Web applications attacks, the most
            common form of online exploitation. Download a FREE whitepaper on Security
            Policy Automation for Web Applications.
            http://www.securityfocus.com/sponsor/KaVaDo_focus-ms_030818
            ---------------------------------------------------------------------------
            
            
            ---------------------------------------------------------------------------
            KaVaDo provides the first and only integrated Web application scanner and
            firewall security suite that prevent Web applications attacks, the most
            common form of online exploitation. Download a FREE whitepaper on Security Policy Automation for Web Applications.
            http://www.securityfocus.com/sponsor/KaVaDo_focus-ms_030818
            ---------------------------------------------------------------------------
            
            

  • Next message: Jon Strange: "RE: GPO for one machine"