RE: Disabling sharing and group policies

From: Laura A. Robinson (larobins_at_bellatlantic.net)
Date: 09/15/03

  • Next message: Marc Fossi: "SecurityFocus Announcement: New Mailing Lists" 
    To: "'Arik Fletcher'" <arikf@joskos.com>, "'Dana Smith'" <dana_smith@comcast.net>, <robert@snrdesigns.com>, "'Enrico Pastrello'" <epastrello@altevie.com>, <focus-ms@securityfocus.com>
Date: Mon, 15 Sep 2003 09:36:34 -0400

    There is a registry modification that can be made that configures the local
    machine to not pull down group policies, effectively making it behave like a
    workgroup machine in terms of policy application, but like a domain member
    in terms of logon. Given the number of environments out there with people
    who have admin rights on their machines, I am loath to give the exact
    registry entry here.

    Laura

    > -----Original Message-----
    > From: Arik Fletcher [mailto:arikf@joskos.com]
    > Sent: Sunday, September 14, 2003 7:34 AM
    > To: Dana Smith; larobins@bellatlantic.net;
    > robert@snrdesigns.com; Enrico Pastrello; focus-ms@securityfocus.com
    > Subject: RE: Disabling sharing and group policies
    >
    >
    > lol, exacly what i was thinking... the whole point of GP is
    > to take control AWAY from the local machine and centralise
    > (or centralize for all you american-spellers) it.
    >
    > -----Original Message-----
    > From: Dana Smith [mailto:dana_smith@comcast.net]
    > Sent: Sat 13/09/2003 22:13
    > To: larobins@bellatlantic.net; Arik Fletcher;
    > robert@snrdesigns.com; 'Enrico Pastrello'; focus-ms@securityfocus.com
    > Cc:
    > Subject: RE: Disabling sharing and group policies
    >
    >
    >
    > Care to explain how?
    >
    > -----Original Message-----
    > From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
    > Sent: Thursday, September 11, 2003 11:50 AM
    > To: 'Arik Fletcher'; robert@snrdesigns.com; 'Enrico Pastrello';
    > focus-ms@securityfocus.com
    > Subject: RE: Disabling sharing and group policies
    >
    >
    > Actually, somebody with local administrator rights on
    > his/her machine can
    > prevent group policy application to his/her machine.
    >
    > Laura
    >
    > > -----Original Message-----
    > > From: Arik Fletcher [mailto:arikf@joskos.com]
    > > Sent: Wednesday, September 10, 2003 11:44 AM
    > > To: robert@snrdesigns.com; Enrico Pastrello;
    > > focus-ms@securityfocus.com
    > > Subject: RE: Disabling sharing and group policies
    > >
    > >
    > > Group policies are applied in what is know as LSDO (or LSDOU)
    > > which stands for Local, Site, Domain, Organisational Unit.
    > > This is the order in which poilicies apply to a computer/user.
    > >
    > > One cannot 'bypass' group policies by editing the local
    > > registry because if there is a conflict between the local
    > > settings and the nearest parent container (i.e. an OU,
    > > Domain, or Site) these will override the local settings.
    > >
    > >
    > >
    > > -----Original Message-----
    > > From: Robert Blackwell [mailto:robert@snrdesigns.com]
    > > Sent: Wed 9/10/2003 5:11 AM
    > > To: Enrico Pastrello; focus-ms@securityfocus.com
    > > Cc:
    > > Subject: RE: Disabling sharing and group policies
    > >
    > >
    > >
    > > yes they can. In-fact, anyone who has physical access
    > > to the box can render
    > > the majority of group policy objects useless, but
    > > that's another story. I'm
    > > not too clear on what you are wanting to do. If you
    > > just want to get rid of
    > > the everyone share on a local machine, disallow all
    > > anonymous access and
    > > disable the guest account. the everyone share will
    > > still be there but it
    > > will be effectively disabled by these settings. group
    > > policies are not
    > > really needed to do this. Somebody please correct me if
    > > this is not the
    > > case.
    > >
    > > -----Original Message-----
    > > From: Enrico Pastrello [mailto:epastrello@altevie.com]
    > > Sent: Tuesday, September 09, 2003 8:40 AM
    > > To: focus-ms@securityfocus.com
    > > Subject: RE: Disabling sharing and group policies
    > >
    > >
    > > Maybe I'm saying something quite stupid but since group
    > > policies are saved
    > > in the registry,
    > > machine administrators can easilly bypass them.
    > >
    > > Greetings,
    > > Enrico Pastrello
    > >
    > > -----Original Message-----
    > > From: Matthew Wagenknecht
    > > [mailto:Matthew.Wagenknecht@quantum.com]
    > > Sent: luned́ 8 settembre 2003 18.49
    > > To: focus-ms@securityfocus.com
    > > Subject: Disabling sharing and group policies
    > >
    > >
    > > Is there a way with Group Policies to disable sharing
    > > without pulling users
    > > from the Administrator group or killing adminstrative
    > > shares? I'm looking
    > > for a way to reduce "everyone" shares without flogging
    > > end users. Strangely,
    > > that actually sounds fun.. ;c)
    > >
    > > Please keep flames off the list.
    > >
    > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    > > Matt Wagenknecht, CISSP
    > > Security Administrator
    > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    > >
    > > Never be afraid to try something new.
    > > Remember, amateurs built the ark; professionals built
    > > the Titanic.
    > >
    > >
    > > This email may contain confidential and privileged
    > > information for the sole
    > > use of the intended recipient. Any review or
    > > distribution by others is
    > > strictly prohibited. If you are not the intended
    > > recipient, please contact
    > > the sender and delete all copies of this email message.
    > >
    > >
    > >
    > > --------------------------------------------------------------
    > > -------------
    > > KaVaDo provides the first and only integrated Web
    > > application scanner and
    > > firewall security suite that prevent Web applications
    > > attacks, the most
    > > common form of online exploitation. Download a FREE
    > > whitepaper on Security
    > > Policy Automation for Web Applications.
    > >
    > http://www.securityfocus.com/sponsor/KaVaDo_focus-ms_030818
    > >
    > > --------------------------------------------------------------
    > > -------------
    > >
    > >
    > >
    > > --------------------------------------------------------------
    > > -------------
    > > KaVaDo provides the first and only integrated Web
    > > application scanner and
    > > firewall security suite that prevent Web applications
    > > attacks, the most
    > > common form of online exploitation. Download a FREE
    > > whitepaper on Security
    > > Policy Automation for Web Applications.
    > >
    > http://www.securityfocus.com/sponsor/KaVaDo_fo> cus-ms_030818
    >
    > >
    > >
    > --------------------------------------------------------------
    > > -------------
    > >
    > >
    > >
    > > --------------------------------------------------------------
    > > -------------
    > > KaVaDo provides the first and only integrated Web
    > > application scanner and
    > > firewall security suite that prevent Web applications
    > > attacks, the most
    > > common form of online exploitation. Download a FREE
    > > whitepaper on Security Policy Automation for Web Applications.
    > >
    > http://www.securityfocus.com/sponsor/KaVaDo_fo> cus-ms_030818
    >
    > >
    > >
    > --------------------------------------------------------------
    > > -------------
    > >
    > >
    > >
    > >
    >
    >
    >
    > --------------------------------------------------------------
    > -------------
    > KaVaDo provides the first and only integrated Web
    > application scanner and
    > firewall security suite that prevent Web applications
    > attacks, the most
    > common form of online exploitation. Download a FREE
    > whitepaper on
    > Security Policy Automation for Web Applications.
    > http://www.securityfocus.com/sponsor/KaVaDo_focus-ms_030818
    >
    > --------------------------------------------------------------
    > -------------
    >
    >
    >
    >

    ---------------------------------------------------------------------------
    KaVaDo provides the first and only integrated Web application scanner and
    firewall security suite that prevent Web applications attacks, the most
    common form of online exploitation. Download a FREE whitepaper on Security Policy Automation for Web Applications.
    http://www.securityfocus.com/sponsor/KaVaDo_focus-ms_030818
    ---------------------------------------------------------------------------

  • Next message: Marc Fossi: "SecurityFocus Announcement: New Mailing Lists"

    Relevant Pages

    • RE: Disabling sharing and group policies
      ... firewall security suite that prevent Web applications attacks, ... Download a FREE whitepaper on Security Policy Automation for Web Applications. ...
      (Focus-Microsoft)
    • RE: Disabling sharing and group policies
      ... Maybe I'm saying something quite stupid but since group policies are saved in the registry, ... firewall security suite that prevent Web applications attacks, ... Download a FREE whitepaper on Security Policy Automation for Web Applications. ...
      (Focus-Microsoft)