RE: Disabling sharing and group policies
From: Laura A. Robinson (larobins_at_bellatlantic.net)
Date: 09/16/03
- Previous message: Laura A. Robinson: "RE: Why Programs get written to need admin priveleges."
- In reply to: Robert Blackwell: "RE: Disabling sharing and group policies"
- Next in thread: robert_at_snrdesigns.com: "Re: RE: Disabling sharing and group policies"
- Maybe reply: robert_at_snrdesigns.com: "Re: RE: Disabling sharing and group policies"
To: <robert@snrdesigns.com>, "'Focus-Ms'" <focus-ms@securityfocus.com>
Date: Tue, 16 Sep 2003 10:47:02 -0400
Actually, as I said, anybody with administrative rights on his/her machine
can exempt his/her machine from group policy application- *regardless* of
whether or not that machine is a domain member. The local admin does *not*
have to leave the domain to accomplish this.
Laura
> -----Original Message-----
> From: Robert Blackwell [mailto:robert@snrdesigns.com]
> Sent: Sunday, September 14, 2003 4:18 PM
> To: Focus-Ms
> Subject: RE: Disabling sharing and group policies
>
>
> This was off topic from what Matt was originally asking
> about but I will clarify somewhat here. As far as I know at
> this point in time, a standard user on an active directory
> domain cannot change group policy objects. Once the local
> machine is off of the domain the picture changes
> dramatically. Get local administrator access by using your
> favorite exploit ( Mount from Linux, hash the repair
> dir...etc ), log on to local machine as administrator and
> make whatever changes to the registry you want. This will not
> stay if you log back onto the domain but it allows you to
> install programs and things of that nature that will hang
> around after you log back on to the domain.
>
> If a domain user is anything higher than user (has
> registry write access), they will be able to edit the
> registry with a third party reg app and suppress group policy
> refresh and edit all other registry values for the local
> machine that GPA has put in place. These will stay in effect
> until the machine is rebooted or the network connection is lost.
>
> I'm not an authority on the group policy admin at the
> domain level but I believe there are settings that can be
> changed to make all of this at least more difficult to
> accomplish. I was simply trying to point out that group
> policies are not an ironclad security measure. I would tend
> to consider them more of an obfuscation tool but a good tool
> nonetheless as long as it is used correctly.