Re: RESPONSE: Users "bypassing" Group Policy restrictions

From: Ansgar -59cobalt- Wiechers (bugtraq_at_planetcobalt.net)
Date: 01/29/05

    Date: Sat, 29 Jan 2005 23:49:21 +0100
    To: focus-ms@securityfocus.com
    
    

    On 2005-01-28 Miroslaw Slawek Chorazy wrote:
    >> 'fraid not. Local administrators can take ownership of any file, and
    >> any registry key. The owner of a file/reg key can change its
    >> permissions. Always. No matter what.
    >
    > But because the scenario Edward describes is an Active Directory
    > Domain then he has additional tools at his disposal...
    >
    > There exists a policy setting in \Computer Configuration\Windows
    > Settings\Security Settings\Local Policies\User Rights Assignment\ This
    > security setting determines which users can take ownership of any
    > securable object in the system, including Active Directory objects,
    > files and folders, printers, registry keys, processes, and threads.
    >
    > What if he removes local 'Administrators' group from having this right
    > and adds 'Domain Administrators' group (of which he is hopefully a
    > member) and then if he further applies permissions to the registry key
    > which applies to the above policy and removes the local administrator
    > and substitutes it for "domain administrators" then in theory it
    > should work Ricardo is suggesting?

    AFAICS they could easily re-assign the "Take Ownership" privilege to
    themselves, so this doesn't look like a solution to me. Plus, the
    purpose of local administrators is the administration of the local
    machine. That's why they *have* the privilege to take the ownership of
    each file/object. Instead of revoking the privilege you should actually
    ask yourself whether the members of the local administrators group
    really need to be members of that group.

    Regards
    Ansgar Wiechers

    -- 
    "Those who would give up liberty for a little temporary safety
    deserve neither liberty nor safety, and will lose both."
    --Benjamin Franklin
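
The review the message recommends (who actually holds the "Take Ownership" right, and who is in the local Administrators group) can be run read-only on a machine. This is an added example, not part of the original message; it assumes an elevated Windows PowerShell 5.1 or later session, and `Resolve-SidOrName` is a hypothetical helper name.

```powershell
# Added example: list holders of SeTakeOwnershipPrivilege and the members of
# the local Administrators group. Read-only; run from an elevated prompt.
$ErrorActionPreference = 'Stop'

function Resolve-SidOrName {   # hypothetical helper, not a built-in cmdlet
    param([string]$Entry)
    # secedit writes SIDs as "*S-1-5-..." and some accounts as plain names.
    $value = $Entry.Trim()
    if ($value.StartsWith('*')) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($value.Substring(1))
        try { return $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { return $sid.Value }   # orphaned SID: report it unchanged
    }
    return $value
}

$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
$holders = @()
try {
    # Export only the effective user rights assignment of this machine.
    secedit /export /cfg $cfg /areas USER_RIGHTS /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }
    $line = Get-Content -Path $cfg |
        Where-Object { $_ -match '^\s*SeTakeOwnershipPrivilege\s*=' }
    if ($line) {
        $holders = ($line -split '=', 2)[1] -split ',' |
            Where-Object { $_.Trim() } |
            ForEach-Object { Resolve-SidOrName $_ }
    }
}
finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}

# Use the well-known SID so a renamed or localized group is still found.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544'

"Accounts holding 'Take ownership of files or other objects':"
$holders | ForEach-Object { "  $_" }
"Members of the local Administrators group:"
$admins | ForEach-Object { "  {0} ({1}, {2})" -f $_.Name, $_.ObjectClass, $_.PrincipalSource }
```

Every account in the second list can restore itself to the first, so the second list is the one to shorten.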