RE: Users "bypassing" Group Policy restrictions

From: Laura A. Robinson (larobins_at_bellatlantic.net)
Date: 01/28/05

  • Next message: Laura A. Robinson: "RE: Preventing multiple logins in 2003" 
    To: "'Edward VanDewars'" <gt4200b@yahoo.com>, <focus-ms@securityfocus.com>
Date: Thu, 27 Jan 2005 20:17:29 -0500

    Well, my first instinct would be to say that you have a managerial problem
    rather than a technical problem. Have you considered using wireless NICs so
    they can't disconnect 'em before the policy comes down? ;-)

    Laura

    > -----Original Message-----
    > From: Edward VanDewars [mailto:gt4200b@yahoo.com]
    > Sent: Thursday, January 27, 2005 8:29 AM
    > To: focus-ms@securityfocus.com
    > Subject: Users "bypassing" Group Policy restrictions
    >
    > We utilize Group Policies and Software Restriction Policies
    > as the primary means of limiting unwanted user actions on our
    > desktop machines.
    >
    > Recently, however, several of our more "creative"
    > users have discovered that if they remove the ethernet cable
    > from the computer immediately after logging in (i.e. as soon
    > as their credentials are accepted) GPs are not
    > downloaded/applied. These users then are able to use "net
    > use" commands to map their necessary network drives so they
    > can work with full access to resources usually mapped by GPs
    > but without any of the restrictions/limitations we impose and
    > without Software Restriction Policies preventing unwanted
    > programs from running (i.e. my nightmare).
    >
    > Short of gluing in the ethernet cables, how can I prevent
    > this bypassing of GPs? It appears that this is only an issue
    > if a cached local profile does not exist on the computer.
    > However, these computers use drive "freezing" software to
    > make changes to local disks non-persistent. Thus, at each
    > reboot a local cache of their profile is gone. I tried
    > shortening the "Group Policy refresh interval for users" but
    > obviously if they don't download the policy in the first
    > place the computer will not see the shortened refresh interval.
    >
    > Any advice is greatly appreciated; thanks in advance.
    >
    >
    >
    >
    > __________________________________
    > Do you Yahoo!?
    > All your favorites on one personal page  Try My Yahoo!
    > http://my.yahoo.com
    >
    > --------------------------------------------------------------
    > -------------
    > --------------------------------------------------------------
    > -------------
    >
    >

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------

  • Next message: Laura A. Robinson: "RE: Preventing multiple logins in 2003"