RE: RESPONSE: Users "bypassing" Group Policy restrictions

From: Miroslaw Slawek Chorazy (mchorazy_at_depaul.edu)
Date: 01/29/05

  • Next message: Ivan Carlos: "Re: Preventing multiple logins in 2003"
    Date: Fri, 28 Jan 2005 20:09:08 -0600
    To: <larobins@bellatlantic.net>, <gricardo@gableseng.com>, <Zamora@gableseng.com>, <focus-ms@securityfocus.com>, <gt4200b@yahoo.com>
    
    

    >'fraid not. Local administrators can take ownership of any file, and any
    >registry key. The owner of a file/reg key can change its permissions.
    >Always. No matter what.

    But because the scenario Edward describes is an Active Directory domain,
    he has additional tools at his disposal...

    There exists a policy setting in
    \Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\
    This security setting determines which users can take ownership of any
    securable object in the system, including Active Directory objects, files
    and folders, printers, registry keys, processes, and threads.

    What if he removes the local 'Administrators' group from having this right
    and adds the 'Domain Administrators' group (of which he is hopefully a
    member), and if he then further applies permissions to the registry key
    which applies to the above policy and removes the local administrator and
    substitutes it for "domain administrators", then in theory it should work
    as Ricardo is suggesting?
     
    slawek
     
     

    >>> "Laura A. Robinson" <larobins@bellatlantic.net> 1/27/2005 19:10 >>>
    Inline...

    > -----Original Message-----
    > From: Gerson Ricardo [mailto:gricardo@gableseng.com]
    > Sent: Thursday, January 27, 2005 5:00 PM
    > To: Edward VanDewars; focus-ms@securityfocus.com; Zamora, Robert
    > Subject: RESPONSE: Users "bypassing" Group Policy restrictions
    >
    >
    > Edward,
    >
    > Talk about circumventing! You indeed have creative users in
    > your midst, to say the least. The answer lies with setting
    > local policies to match your domain level AD GPOs - and if
    > any user has local admin privileges for whatever reason,
    > simply exclusively allow domain access to the
    > %systemroot%\system32\GroupPolicy directory, followed by an
    > exclusive 'deny' disallowing any local user account, including local
    > administrators, access to modify local computer policy.
    >
    > Problem should be solved - all without the use of super glue :)

    'fraid not. Local administrators can take ownership of any file, and any
    registry key. The owner of a file/reg key can change its permissions.
    Always. No matter what.

    This, of course, is one of a bazillion reasons not to let users have local
    admin privileges on their machines. :-)

    Laura
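
An added example, not part of the thread: a Python check that reads a `secedit /export /areas USER_RIGHTS` file and reports who holds SeTakeOwnershipPrivilege, the "Take ownership of files or other objects" right under the policy path given above. The sample export, the domain SID and the `helpdesk` account are constructed for illustration.

```python
import re

LOCAL_ADMINS = "S-1-5-32-544"  # well-known SID of the local Administrators group
DOMAIN_ADMINS = re.compile(r"^S-1-5-21-\d+-\d+-\d+-512$")  # <domain SID>-512

# Constructed sample of a secedit user-rights export (not taken from the thread).
# A real export file is UTF-16: open(path, encoding="utf-16").read()
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeTakeOwnershipPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-512,helpdesk
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(text):
    """Return {privilege: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written as *S-1-...; accounts without a SID mapping appear as names.
            rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def audit_take_ownership(text):
    """Classify every holder of SeTakeOwnershipPrivilege."""
    holders = parse_privilege_rights(text).get("SeTakeOwnershipPrivilege", [])
    return {
        "local_administrators": LOCAL_ADMINS in holders,
        "domain_admins": [h for h in holders if DOMAIN_ADMINS.match(h)],
        "other": [h for h in holders if h != LOCAL_ADMINS and not DOMAIN_ADMINS.match(h)],
    }

if __name__ == "__main__":
    print(audit_take_ownership(SAMPLE_EXPORT))
```

Run against exports collected from workstations, a `local_administrators` value of True or a non-empty `other` list marks a machine where the right is held outside the domain group.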
