RE: RESPONSE: Users "bypassing" Group Policy restrictions
From: Miroslaw Slawek Chorazy (mchorazy_at_depaul.edu)
Date: 01/29/05
- Previous message: dave kleiman: "RE: Preventing multiple logins in 2003"
- Maybe in reply to: Gerson Ricardo: "RESPONSE: Users "bypassing" Group Policy restrictions"
- Next in thread: Ansgar -59cobalt- Wiechers: "Re: RESPONSE: Users "bypassing" Group Policy restrictions"
- Reply: Ansgar -59cobalt- Wiechers: "Re: RESPONSE: Users "bypassing" Group Policy restrictions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 28 Jan 2005 20:09:08 -0600
To: <larobins@bellatlantic.net>, <gricardo@gableseng.com>, <Zamora@gableseng.com>, <focus-ms@securityfocus.com>, <gt4200b@yahoo.com>
>'fraid not. Local administrators can take ownership of any file, and any
>registry key. The owner of a file/reg key can change its permissions.
>Always. No matter what.
But because the scenario Edward describes is an Active Directory domain,
he has additional tools at his disposal...
There exists a policy setting in
\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\
This security setting determines which users can take ownership of any
securable object in the system, including Active Directory objects, files
and folders, printers, registry keys, processes, and threads.
What if he removes the local 'Administrators' group from having this right
and adds the 'Domain Administrators' group (of which he is hopefully a
member), and then further applies permissions to the registry key which
applies to the above policy, removing the local administrator and
substituting "domain administrators"? Then, in theory, what Ricardo is
suggesting should work?
slawek
>>> "Laura A. Robinson" <larobins@bellatlantic.net> 1/27/2005 19:10 >>>
Inline...
> -----Original Message-----
> From: Gerson Ricardo [mailto:gricardo@gableseng.com]
> Sent: Thursday, January 27, 2005 5:00 PM
> To: Edward VanDewars; focus-ms@securityfocus.com; Zamora, Robert
> Subject: RESPONSE: Users "bypassing" Group Policy restrictions
>
>
> Edward,
>
> Talk about circumventing! You indeed have creative users in
> your midst, to say the least. The answer lies with setting
> local policies to match your domain level AD GPOs - and if
> any user has local admin privileges for whatever reason,
> simply exclusively allow domain access to the
> %systemroot%\system32\GroupPolicy directory, followed by an
> exclusive 'deny' disallowing any local user account, including local
> administrators, access to modify local computer policy.
>
> Problem should be solved - all without the use of super glue :)
'fraid not. Local administrators can take ownership of any file, and any
registry key. The owner of a file/reg key can change its permissions.
Always. No matter what.
This, of course, is one of a bazillion reasons not to let users have local
admin privileges on their machines. :-)
Laura
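An audit script for the configuration Slawek proposes, written for this edit and not part of any message in the thread. It reports which principals currently hold the "Take ownership of files or other objects" user right (SeTakeOwnershipPrivilege) on the local machine, and who owns and can modify the %systemroot%\system32\GroupPolicy folder that Ricardo's suggestion relies on. It assumes an elevated PowerShell session on the workstation being checked; secedit, Get-Acl and the SID translation are stock Windows facilities, while the temporary file name and the function names are this example's own. It only reports the state of the machine; it does not settle the question Laura raises of whether a member of the local Administrators group can get the right back by other means.

```powershell
# Added audit example (not from the thread): who can take ownership, and who
# controls the local Group Policy folder. Run elevated; secedit needs admin rights.

function Resolve-Principal([string]$Token) {
    # secedit writes SIDs with a leading '*'; plain names are left as-is.
    $t = $Token.Trim()
    if (-not $t.StartsWith('*')) { return $t }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($t.Substring(1))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $t   # unresolvable (e.g. an orphaned domain SID): keep the raw SID
    }
}

function Get-TakeOwnershipHolders {
    # Export only the USER_RIGHTS area of the effective local security policy
    # to a temp .inf file (name chosen for this example) and parse one line.
    $inf = Join-Path $env:TEMP 'userrights-audit.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content $inf | Where-Object { $_ -match '^SeTakeOwnershipPrivilege\s*=' }
        if (-not $line) { return @() }          # right assigned to nobody
        $value = ($line -split '=', 2)[1]
        return @($value -split ',' | ForEach-Object { Resolve-Principal $_ })
    } finally {
        Remove-Item $inf -ErrorAction SilentlyContinue
    }
}

function Get-GroupPolicyFolderAccess {
    # Owner plus every ACE that grants write-class rights on the GP folder.
    $gpPath = Join-Path $env:SystemRoot 'System32\GroupPolicy'
    if (-not (Test-Path $gpPath)) { return $null }   # no local policy has ever been set
    $acl = Get-Acl -Path $gpPath
    $writers = $acl.Access | Where-Object {
        $_.FileSystemRights -match 'FullControl|Modify|Write|TakeOwnership|ChangePermissions'
    } | Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
    return [pscustomobject]@{ Path = $gpPath; Owner = $acl.Owner; WriteAccess = $writers }
}

# --- Report -----------------------------------------------------------------
$holders = Get-TakeOwnershipHolders
Write-Host 'SeTakeOwnershipPrivilege is held by:'
$holders | ForEach-Object { Write-Host "  $_" }
if ($holders -contains 'BUILTIN\Administrators') {
    Write-Warning 'Local Administrators still hold the take-ownership right; a local admin can re-own and re-ACL the policy files.'
}

$gp = Get-GroupPolicyFolderAccess
if ($gp) {
    Write-Host "`nOwner of $($gp.Path): $($gp.Owner)"
    Write-Host 'Principals with write-class rights:'
    $gp.WriteAccess | Format-Table -AutoSize
} else {
    Write-Host "`nNo local GroupPolicy folder present."
}
```

Rerun it after applying the domain GPO so the result reflects the effective policy rather than the local one; the `secedit` export shows the merged result, and the folder owner shown by `Get-Acl` is the value a local administrator would need to change to regain control of the policy files.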
---------------------------------------------------------------------------