RESPONSE: Users "bypassing" Group Policy restrictions
From: Gerson Ricardo (gricardo_at_gableseng.com)
Date: 01/27/05
- Previous message: Marc Fossi: "SecurityFocus Microsoft Newsletter #225"
- Next in thread: Laura A. Robinson: "RE: RESPONSE: Users "bypassing" Group Policy restrictions"
- Reply: Laura A. Robinson: "RE: RESPONSE: Users "bypassing" Group Policy restrictions"
- Maybe reply: Miroslaw Slawek Chorazy: "RE: RESPONSE: Users "bypassing" Group Policy restrictions"
Date: Thu, 27 Jan 2005 17:00:26 -0500
To: "Edward VanDewars" <gt4200b@yahoo.com>, <focus-ms@securityfocus.com>, "Zamora, Robert" <Zamora@gableseng.com>
Edward,
Talk about circumventing! You indeed have creative users in your midst, to
say the least. The answer lies with setting local policies to match your
domain level AD GPOs - and if any user has local admin privileges for
whatever reason, simply exclusively allow domain access to the
%systemroot%\system32\GroupPolicy directory, followed by an exclusive 'deny'
disallowing any local user account, including local administrators, access
to modify local computer policy.
Problem should be solved - all without the use of super glue :)
Cordially,
gerson j. ricardo
Gables Engineering, Inc
-----Original Message-----
From: Edward VanDewars [mailto:gt4200b@yahoo.com]
Sent: Thursday, January 27, 2005 8:29 AM
To: focus-ms@securityfocus.com
Subject: Users "bypassing" Group Policy restrictions
We utilize Group Policies and Software Restriction Policies as the primary
means of limiting unwanted user actions on our desktop machines.
Recently, however, several of our more "creative"
users have discovered that if they remove the ethernet cable from the
computer immediately after logging in (i.e. as soon as their credentials are
accepted) GPs are not downloaded/applied. These users then are able to use
"net use" commands to map their necessary network drives so they can work
with full access to resources usually mapped by GPs but without any of the
restrictions/limitations we impose and without Software Restriction Policies
preventing unwanted programs from running (i.e. my nightmare).
Short of gluing in the ethernet cables, how can I prevent this bypassing of
GPs? It appears that this is only an issue if a cached local profile does
not exist on the computer. However, these computers use drive "freezing"
software to make changes to local disks non-persistent. Thus, at each
reboot a local cache of their profile is gone. I tried shortening the
"Group Policy refresh interval for users" but obviously if they don't
download the policy in the first place the computer will not see the
shortened refresh interval.
Any advice is greatly appreciated; thanks in advance.
- application/x-pkcs7-signature attachment: smime.p7s
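An added example, not part of the original thread: a read-only PowerShell audit of the ACL on the `%systemroot%\system32\GroupPolicy` directory named in the reply, listing local principals that still hold write-type rights there. The function names and the definition of "local" (BUILTIN groups and accounts from the machine's own account database) are assumptions of this example.

```powershell
# Added example: read-only audit; it changes no permissions.
$path = Join-Path $env:SystemRoot 'System32\GroupPolicy'

# Rights that allow altering local policy files or the folder's ACL.
$specific = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Get-Acl can return unmapped generic bits: GENERIC_WRITE, GENERIC_ALL.
$writeMask = $specific -bor 0x40000000 -bor 0x10000000

function Test-LocalPrincipal {
    param([string]$Identity)
    # Assumption: "local" = BUILTIN\* groups or accounts from this machine's SAM.
    $prefix = ($Identity -split '\\', 2)[0]
    return ($prefix -eq 'BUILTIN' -or $prefix -eq $env:COMPUTERNAME)
}

function Get-LocalPolicyWriter {
    param([string]$Path)
    $rules = @((Get-Acl -LiteralPath $Path).Access)
    # Identities that already carry a Deny ACE covering write-type rights.
    # Only ACEs naming the same identity are matched; group membership is not resolved.
    $denied = @($rules |
        Where-Object { $_.AccessControlType -eq 'Deny' -and ([int]$_.FileSystemRights -band $writeMask) } |
        ForEach-Object { $_.IdentityReference.Value })

    $rules |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band $writeMask) -and
            (Test-LocalPrincipal $_.IdentityReference.Value)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Identity      = $_.IdentityReference.Value
                Rights        = $_.FileSystemRights
                Inherited     = $_.IsInherited
                CoveredByDeny = $denied -contains $_.IdentityReference.Value
            }
        }
}

if (Test-Path -LiteralPath $path) {
    Get-LocalPolicyWriter -Path $path | Format-Table -AutoSize
} else {
    Write-Warning "$path not found"
}
```

Rows with `CoveredByDeny` set to `False` are local principals whose write access to the directory has no matching deny entry.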