Re: services running in windows domain (winXP clients)
From: Ansgar -59cobalt- Wiechers (bugtraq_at_planetcobalt.net)
Date: 12/16/04
- Previous message: Scott Mulcahy: "Subdomain security"
- In reply to: Triantafyllidis Christos: "RE: services running in windows domain (winXP clients)"
- Next in thread: Triantafyllidis Christos: "RE: services running in windows domain (winXP clients)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 16 Dec 2004 22:32:48 +0100 To: focus-ms@securityfocus.com
On 2004-12-15 Triantafyllidis Christos wrote:
>> Another thing you can do is set registry permissions on
>> HKLM\SYSTEM\CurrentControlSet\Services to not allow anyone (even
>> administrators) to create new keys. Obviously, this will also make it
>> difficult for an administrator to install new legitimate services, so
>> that is something you must balance. Another option is to only allow
>> one specific administrator or a small group of admins to create new
>> keys.
>
> How safe is that?
Not.
> i mean if someone is administrator (local administator) can change the
> registry permissions. i need somehow to disable this ability even to
> local admins.
The only possibility to prevent local admins from doing whatever they
want to the computer is not to have local admins. Any local admin owns
the machine. Period.
Regards
Ansgar Wiechers
-- "Those who would give up liberty for a little temporary safety deserve neither liberty nor safety, and will lose both." --Benjamin Franklin --------------------------------------------------------------------------- ---------------------------------------------------------------------------
- Previous message: Scott Mulcahy: "Subdomain security"
- In reply to: Triantafyllidis Christos: "RE: services running in windows domain (winXP clients)"
- Next in thread: Triantafyllidis Christos: "RE: services running in windows domain (winXP clients)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
