Re: Enterprise and User security...

From: Eugene V. Bobukh [MS] (eugenebo_at_online.microsoft.com)
Date: 05/11/04


Date: Mon, 10 May 2004 15:18:37 -0700

Klaus,

If you are an Administrator on the machine, you can configure all three levels. However, the original idea behind this is that normally machine users don't touch the Enterprise level, just for the reasons that you've described: their settings will be overwritten when the Enterprise Admin pushes his/her own settings.

As for "how that technically happens" -- there are several mechanisms of policy deployment across many machines, such as:

* Deployment through an SMS package. You configure the policy on one of the machines, create an MSI package [the .NET Framework Configuration tool supports that], then drop that MSI to the SMS Server that controls the machines in your organization. There are many technical details behind this, but eventually the package gets distributed and installed on all the client machines.

* Deployment via Group Policy, of which I have a weaker idea, but this is some kind of mechanism that lets you run the installation/configuration code on client machines.

Each deployment mechanism completely overwrites the policy of the level being configured, but does not touch other levels. That's why they are separated: Machine for machine Admin games, and Enterprise for corporation Admin.

-- 
Eugene V. Bobukh
This message is provided "AS IS" with no warranties, and confers no rights. Any opinions or policies stated within it are my own and do not necessarily constitute those of my employer.
----
"Klaus Salchner" <klaus.salchner@telus.net> wrote in message news:uOUINcVNEHA.1312@TK2MSFTNGP12.phx.gbl...
> When you configure the security policy from .NET you have three levels:
> 
> Enterprise
> Machine
> User
> 
> How does the user and enterprise security level get populated throughout the
> enterprise? So I can configure it for the enterprise and then also for
> certain individuals but how does it get populated to all other machines in
> the enterprise? Because I don't want to configure it per machine and I also
> don't want to copy the .CONFIG file because then I may over-write machine
> specific security settings.
> 
> Any insight is greatly appreciated!
> 
> Regards, Klaus
> -----------------------------------------------
> Klaus Salchner
> Sr. Enterprise Architect
> email: klaus.salchner@telus.net
> 
> Proud member of
> http://linkedin.com - become part of my professional network; it's a free
> 3rd party tool
> http://gotdotnet.com
> http://theserverside.net
> 
> 

