RE: Disabling sharing and group policies
From: Laura A. Robinson (larobins_at_bellatlantic.net)
Date: 09/18/03
- Previous message: Sergey V. Gordeychik: "RE: Disabling sharing and group policies"
- In reply to: Sergey V. Gordeychik: "RE: Disabling sharing and group policies"
- Next in thread: Robert Blackwell: "RE: Disabling sharing and group policies"
- Maybe reply: robert_at_snrdesigns.com: "Re: RE: Disabling sharing and group policies"
To: "'Sergey V. Gordeychik'" <gordey@infosec.ru>, <robert@snrdesigns.com>, "'Focus-Ms'" <focus-ms@securityfocus.com>
Date: Thu, 18 Sep 2003 12:38:06 -0400
Again, this is not the case. A user with local Administrator rights to
his/her machine *can* exempt his/her machine from group policy application.
No ifs, ands or buts.
Laura
> -----Original Message-----
> From: Sergey V. Gordeychik [mailto:gordey@infosec.ru]
> Sent: Thursday, September 18, 2003 1:59 AM
> To: larobins@bellatlantic.net; robert@snrdesigns.com; Focus-Ms
> Subject: RE: Disabling sharing and group policies
>
>
> If you disable Group Policy loopback mode in a domain-level
> GPO, a local administrator will be unable to change group policy
> on the computer. Yes, an administrator can modify some settings, but
> these settings will be replaced when the GPO is applied again.
>
> The simplest way to disable sharing for any user with
> administrative rights
> is to filter CIFS/SMB/NetBIOS server (TCP/UDP 445, 139)
> packets with IPSec packet filter policies (SPD).
> Even if a user shares something on the computer, the filters will drop
> connection packets and prevent network sharing.
> In the policy you can also allow CIFS/NetBIOS connections from
> management stations for log collection, etc.
> You can find information about IPSec filtering, for example,
> in the Windows Server 2003 Security Guide:
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/Windows/Win2003/W2003HG/SGCH04.asp
Regards,
Sergey V. Gordeychik.
-----Original Message-----
From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
Sent: Tuesday, September 16, 2003 6:47 PM
To: robert@snrdesigns.com; 'Focus-Ms'
Subject: RE: Disabling sharing and group policies
Actually, as I said, anybody with administrative rights on his/her machine
can exempt his/her machine from group policy application, *regardless* of
whether or not that machine is a domain member. The local admin does *not*
have to leave the domain to accomplish this.
Laura
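
The IPSec packet filtering described in the quoted message (drop inbound TCP/UDP 445 and 139, permit them from a management station), written out with `netsh ipsec static` as an added example that is not part of the original thread or of the Security Guide it cites. It assumes Windows Server 2003 or later, where the `netsh ipsec` context exists; the management address `192.0.2.10` and all policy, filter list and action names are constructed placeholders.

```bat
@echo off
rem Added example: local IPSec policy that drops inbound SMB/NetBIOS traffic
rem on the ports named in the thread (TCP/UDP 445 and 139), except from one
rem management station. MGMT and every name below are constructed placeholders.
setlocal
set MGMT=192.0.2.10
set POL=Block-SMB-Inbound

rem Create the policy unassigned so it can be reviewed before it takes effect.
netsh ipsec static add policy name="%POL%" description="Drop inbound SMB except management" assign=no

rem Two filter lists: traffic from any source, and traffic from the management station only.
netsh ipsec static add filterlist name="SMB-from-any"
netsh ipsec static add filterlist name="SMB-from-mgmt"
for %%P in (TCP UDP) do for %%D in (445 139) do (
  netsh ipsec static add filter filterlist="SMB-from-any" srcaddr=any dstaddr=me protocol=%%P srcport=0 dstport=%%D mirrored=yes
  netsh ipsec static add filter filterlist="SMB-from-mgmt" srcaddr=%MGMT% dstaddr=me protocol=%%P srcport=0 dstport=%%D mirrored=yes
)

rem Filter actions: drop silently, or pass without negotiating security.
netsh ipsec static add filteraction name="fa-block" action=block
netsh ipsec static add filteraction name="fa-permit" action=permit

rem The filter with the more specific source address takes precedence over
rem srcaddr=any, so the management station is permitted and everything else is dropped.
netsh ipsec static add rule name="permit-mgmt" policy="%POL%" filterlist="SMB-from-mgmt" filteraction="fa-permit"
netsh ipsec static add rule name="block-any" policy="%POL%" filterlist="SMB-from-any" filteraction="fa-block"

rem Assign the policy and print it back for verification.
netsh ipsec static set policy name="%POL%" assign=y
netsh ipsec static show policy name="%POL%" level=verbose
endlocal
```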