RE: Disabling sharing and group policies
From: Sergey V. Gordeychik (gordey_at_infosec.ru)
Date: 09/18/03
- Previous message: Laura A. Robinson: "RE: Why Programs get written to need admin priveleges."
- Maybe in reply to: Matthew Wagenknecht: "Disabling sharing and group policies"
- Next in thread: Laura A. Robinson: "RE: Disabling sharing and group policies"
- Maybe reply: robert_at_snrdesigns.com: "Re: RE: Disabling sharing and group policies"
- Reply: Laura A. Robinson: "RE: Disabling sharing and group policies"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 18 Sep 2003 09:59:10 +0400 To: <larobins@bellatlantic.net>, <robert@snrdesigns.com>, "Focus-Ms" <focus-ms@securityfocus.com>
If you disable Group Policy loopback mode in domain-level GPO, local
administrator will unable to change group policy on computer.
Yes, administrator can modify some settings, but these settings will
replaced when GPO applied again.
Simplest way to disable sharing for any user with administrative rights
- it's filter CIFS/SMB/Netbios servers (TCP/UDP 445, 139) packets with
IPSec packet filter policies (SPD).
Even user share something on computer - filters will drop connection
packets and prevent network sharing.
In policy you can also allow CIFS/Netbios connections from management
stations for logs collection, etc.
Information about IPSec filtering you can find, for example, in Windows
Server 2003 Security Guide:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/secur
ity/prodtech/Windows/Win2003/W2003HG/SGCH04.asp
Regards,
Sergey V. Gordeychik.
-----Original Message-----
From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
Sent: Tuesday, September 16, 2003 6:47 PM
To: robert@snrdesigns.com; 'Focus-Ms'
Subject: RE: Disabling sharing and group policies
Actually, as I said, anybody with administrative rights on his/her
machine
can exempt his/her machine from group policy application- *regardless*
of
whether or not that machine is a domain member. The local admin does
*not*
have to leave the domain to accomplish this.
Laura
---------------------------------------------------------------------------
KaVaDo provides the first and only integrated Web application scanner and
firewall security suite that prevent Web applications attacks, the most
common form of online exploitation. Download a FREE whitepaper on Security Policy Automation for Web Applications.
http://www.securityfocus.com/sponsor/KaVaDo_focus-ms_030818
---------------------------------------------------------------------------
- Previous message: Laura A. Robinson: "RE: Why Programs get written to need admin priveleges."
- Maybe in reply to: Matthew Wagenknecht: "Disabling sharing and group policies"
- Next in thread: Laura A. Robinson: "RE: Disabling sharing and group policies"
- Maybe reply: robert_at_snrdesigns.com: "Re: RE: Disabling sharing and group policies"
- Reply: Laura A. Robinson: "RE: Disabling sharing and group policies"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
