Re: Securing Enterprise Policy from local admins
From: Nicole Calinoiu (calinoiu)
Date: 02/09/05
- Next message: Joe Kaplan (MVP - ADSI): "Re: ASP.NET access to DFS share problem"
- Previous message: Joe Kaplan (MVP - ADSI): "Re: PKCS#t Signatures"
- In reply to: Rich: "Securing Enterprise Policy from local admins"
- Next in thread: Rich: "Re: Securing Enterprise Policy from local admins"
- Reply: Rich: "Re: Securing Enterprise Policy from local admins"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 9 Feb 2005 13:47:53 -0500
Not all Windows machines are on domains, so it makes little sense for any
permission on a local resource to be denied to a local admin by default.
I'm not sure if domain policy can be used to prevent a local admin from
taking ownership of a local file. If not, he will be able to make
modifications to the file regardless of the initial ACL on the file, so there
would be no way to prevent the change to the enterprise security policy.
Also, if your local admin users can't be trusted to make reasonable security
decisions, perhaps they shouldn't be trusted with admin permissions in the
first place?
BTW, I've never seen any statement from Microsoft suggesting that their
intent was that machine policy be controlled by local admins and enterprise
policy be controlled by domain admins. I have heard that the intent was to
allow more granular control when a single enterprise policy is not suitable
for all machines. Unless you've seen documentation to the contrary, perhaps
you're hoping for the product to do something that was never in its
requirement set?
"Rich" <Rich@discussions.microsoft.com> wrote in message
news:1DBCF2D6-19FC-4F41-944B-3BB15D9B7BE2@microsoft.com...
> I've created an Enterprise Security policy for the framework and am
> distributing the file via a GPO / MSI package. I have already done this
> successfully.
>
> The problem I have is that Microsoft's documentation states that only
> security admins or domain admins can modify the enterprise policy. This does
> not seem to be the case. Any local machine admin can modify the enterprise
> policy settings. Obviously, I can restrict access to the
> enterprisesec.config file by modifying the NTFS permissions but I would have
> to push the permission modifications out as well.
>
> If the Machine policy is intended for use by local administrators why then
> can they modify the enterprise policy? It kind of defeats the purpose. What
> is the point of deploying an enterprise policy if anybody with local admin
> rights can modify it? Once they modify it, the only way to correct it is to
> redeploy the enterprise policy package. What is the recommended way to
> prevent local admins from modifying the enterprise policy?
>
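Since the thread's conclusion is that NTFS permissions cannot stop a local admin who can take ownership, and the only remedy is redeployment, the practical control is to detect drift. The following PowerShell audit is an added example, not code from the thread or from Microsoft: it hashes each installed Framework version's enterprisesec.config against a baseline recorded at deployment and lists the principals the ACL allows to write to the file or take ownership of it. The Framework directory layout and the placeholder baseline hashes are assumptions.

```powershell
# Added example (not from the thread): audit enterprisesec.config for every installed
# Framework version. For each file it reports whether the current SHA-256 matches the
# baseline recorded at deployment time and which principals the ACL allows to write
# or take ownership. Assumes the Framework lives under $env:windir\Microsoft.NET\Framework*\v*;
# the baseline hashes below are constructed placeholders, not real values.

$Baseline = @{
    'v1.1.4322'  = 'PLACEHOLDER-SHA256-RECORDED-AT-DEPLOYMENT'
    'v2.0.50727' = 'PLACEHOLDER-SHA256-RECORDED-AT-DEPLOYMENT'
}

function Get-EnterprisePolicyStatus {
    param([hashtable]$Baseline)

    # Rights that let a principal change the file, or rewrite its ACL via ownership
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, TakeOwnership, FullControl'

    $configDirs = Get-ChildItem -Path "$env:windir\Microsoft.NET\Framework*" -Directory |
        Get-ChildItem -Directory -Filter 'v*' |
        ForEach-Object { Join-Path $_.FullName 'CONFIG' } |
        Where-Object { Test-Path (Join-Path $_ 'enterprisesec.config') }

    foreach ($dir in $configDirs) {
        $file    = Join-Path $dir 'enterprisesec.config'
        $version = Split-Path (Split-Path $dir -Parent) -Leaf
        $hash    = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        $acl     = Get-Acl -Path $file

        # Allow ACEs whose rights overlap the mask; reported only, nothing is changed
        $writers = $acl.Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and (([int]$_.FileSystemRights -band $writeMask) -ne 0) } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique

        $inBaseline = $null
        if ($Baseline.ContainsKey($version)) { $inBaseline = ($hash -eq $Baseline[$version]) }

        [pscustomobject]@{
            Version         = $version
            Path            = $file
            Owner           = $acl.Owner
            Sha256          = $hash
            MatchesBaseline = $inBaseline
            WriteGrantedTo  = ($writers -join '; ')
        }
    }
}

Get-EnterprisePolicyStatus -Baseline $Baseline | Format-Table -AutoSize
```

A row whose MatchesBaseline is False, or whose Owner is no longer the deploying account, is the signal that the policy package needs to be redeployed to that machine.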