Re: security policy 'not specified' option

From: Thor (Hammer of God) (thor_at_hammerofgod.com)
Date: 10/21/05

  • Next message: Slawek: "Re: security policy 'not specified' option"
    To: "matthew patton" <pattonme@yahoo.com>, <focus-ms@securityfocus.com>
    Date: Thu, 20 Oct 2005 18:58:10 -0700
    
    

    Through the "normal" tools (not knowing what tool you used) the options
    would be Enabled, Disabled, or "Not Defined" where applicable. If a setting
    is not defined, that just means that the corresponding registry key does
    not exist. If you go into your Local Security Policy and enable or disable
    the policy element, the associated key is created with the appropriate data
    value.

    I would not recommend that you *not* play "registry magic" to get around
    this behavior, as the results can be squirrelly. For instance, if you check
    out a default "not defined" element like "Interactive Logon: Do not require
    Ctrl+Alt+Del," you'll see that there is no "DisableCAD" registry value in
    Winlogon (HKLM\Software\Microsoft\Windows NT\...). But if you Disable it
    (which is the same as not being defined, really) the registry key is
    created. However, if you then go back and delete the key entirely, it does
    not change it back to "not defined" in the Local Security Policy. And if
    you decide to enable it, the key is not recreated. Not really cool if you
    ask me. (If anyone else knows what's going on under the hood in that
    scenario, how about let me know please.)

    You're not really in a hole though, (referring to the "dig myself out") as
    you just need to decide if you want the policy or not, and at what level. A
    "not defined" policy is the same as setting the action as the reverse of the
    policy setting logic. But you have to make sure you think about it-- I've
    never really liked the variation of logic Microsoft used with some of the
    security settings, particularly on the double-negatives like "disabling" the
    "Do not require..." particularly when the opposite logic is used in the
    registry. But hey, that's the way it goes.

    If you are worried about "not defined" domain policies leaving defined local
    policies set, then define everything in the domain as appropriate. Settings
    are applied in the following order: Local, Site, Domain, OU. And don't
    worry about "No Override" as Local objects can't have that set... (Of
    course, you'll have to worry about it for the others.)

    It may be a PITA to set up at first, but then you'll be in a much better
    position, as you'll never have to worry about "not defined" again.

    hth
    t

    ----- Original Message -----
    From: "matthew patton" <pattonme@yahoo.com>
    To: <focus-ms@securityfocus.com>
    Sent: Thursday, October 20, 2005 1:56 PM
    Subject: security policy 'not specified' option

    > Some time back I used a security policy editor that had 3 options:
    > enabled, disabled, and 'unset'. By not setting it either way, the
    > machine inherited the domain settings. Unfortunately the standard
    > system policy editors shipped with 2K/2K3/XP don't appear to have that
    > 3rd option which means now I've got all kinds of machine running with
    > who knows what setting and ignoring the domain policy. And once you've
    > selected en/disabled via the radio box, there isn't a way to unset it.
    > How do I dig myself out of this?
    >
    > I probably can play Registry Magic and accomplish what I need but I
    > could have sworn I had a tool that would let me do what I used to be
    > able to do.
    >
    > any ideas?
    >

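The tri-state behaviour described in the reply above (a "Not Defined" policy element is simply an absent registry value, and "Not Defined" at one level inherits from the next) can be checked and modelled from an administrator's shell. The script below is an added example and is not code from the thread or from Microsoft; it assumes the standard Winlogon key path for DisableCAD (the message truncates it) and uses constructed Site/Domain/OU layer states, since only the Local layer can be read from the machine the script runs on.

```powershell
# Added example, not code from the thread: report the tri-state of a
# Local Security Policy element from its backing registry value, and
# resolve the effective setting across the Local, Site, Domain, OU layers.

# Assumption: the DisableCAD value lives under the standard Winlogon key
# (the message above truncates the path).
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-PolicyState {
    param(
        [Parameter(Mandatory)] [string] $Key,
        [Parameter(Mandatory)] [string] $ValueName
    )
    # "Not Defined" is simply the absence of the value (or of the key itself).
    # Caveat from the message: deleting the value by hand does not return the
    # Local Security Policy UI to "Not Defined", so read-only inspection here.
    $item = Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not Defined' }
    switch ($item.$ValueName) {
        0       { return 'Disabled' }
        1       { return 'Enabled' }
        default { return "Unexpected ($($item.$ValueName))" }
    }
}

function Resolve-EffectiveState {
    # $Layers is an ordered list, lowest precedence first: Local, Site, Domain, OU.
    # A "Not Defined" layer inherits; a defined layer overrides everything before
    # it unless an earlier layer was linked with "No Override" (Enforced), in
    # which case that earlier layer wins and later layers are ignored.
    param([Parameter(Mandatory)] [object[]] $Layers)
    $effective = 'Not Defined'; $source = '(none)'; $locked = $false
    foreach ($layer in $Layers) {
        if ($locked -or $layer.State -eq 'Not Defined') { continue }
        $effective = $layer.State
        $source    = $layer.Name
        if ($layer.Enforced) { $locked = $true }
    }
    [pscustomobject]@{ Effective = $effective; DefinedAt = $source }
}

function ConvertTo-LogonRequirement {
    # Undo the double negative: "Do not require Ctrl+Alt+Del" Enabled means
    # the secure attention sequence is NOT required at logon.
    param([Parameter(Mandatory)] [string] $State)
    switch ($State) {
        'Enabled'  { 'Ctrl+Alt+Del NOT required at logon (DisableCAD=1)' }
        'Disabled' { 'Ctrl+Alt+Del required at logon (DisableCAD=0)' }
        default    { 'Not Defined: no override at this level; inherited or OS default applies' }
    }
}

# Constructed sample of the four layers for DisableCAD. Only the Local entry
# reads the real registry; the Site/Domain/OU states are made-up inputs.
$layers = @(
    [pscustomobject]@{ Name = 'Local';  State = (Get-PolicyState $WinlogonKey 'DisableCAD'); Enforced = $false }
    [pscustomobject]@{ Name = 'Site';   State = 'Not Defined'; Enforced = $false }
    [pscustomobject]@{ Name = 'Domain'; State = 'Disabled';    Enforced = $true  }
    [pscustomobject]@{ Name = 'OU';     State = 'Enabled';     Enforced = $false }
)
$result = Resolve-EffectiveState $layers
"Local registry state : $($layers[0].State)"
"Effective policy     : $($result.Effective) (defined at $($result.DefinedAt))"
ConvertTo-LogonRequirement $result.Effective
```

With the constructed inputs the enforced Domain layer (Disabled) wins over the later OU layer (Enabled), whatever the local registry holds, which is the "define everything in the domain" position the reply recommends; changing the Domain entry to 'Not Defined' lets the OU value, or failing that the local value, fall through.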