Re: Securing Enterprise Policy from local admins
From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 02/09/05
- Previous message: Rich: "Re: Securing Enterprise Policy from local admins"
- In reply to: Rich: "Re: Securing Enterprise Policy from local admins"
- Next in thread: Nicole Calinoiu: "Re: Securing Enterprise Policy from local admins"
- Reply: Nicole Calinoiu: "Re: Securing Enterprise Policy from local admins"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 9 Feb 2005 15:54:43 -0600
Admin is admin. If you ACL the file so they can't edit it, they can just
take ownership of the file and undo your ACL. It is not possible to stop
this.
The intention is good, but it is just the fact that a local admin on the box
owns the box and everything on it.
Administrators can also just turn off CAS entirely with caspol.
Joe K.
"Rich" <Rich@discussions.microsoft.com> wrote in message
news:8B53627C-B1E5-4AEC-B499-25B7E714E4C1@microsoft.com...
> Nicole,
>
> Thanks for your reply.
>
> All the .NET Framework security policy docs on the website speak to the
> contrary. Here is an excerpt from the .NET Framework Developer's Guide on
> the MS website.
>
>>Enterprise Policy Administration
>>The enterprise policy level affects every computer and user on the network
>>and can only be administered by enterprise or domain administrators. See
>>the section on Deploying Security Policy for information on deployment
>>strategies.
>
> There are other statements in this guide regarding the use of the
> individual
> policy levels.
>
> As far as machines that are not on domains, that is why the default
> enterprise policy is set to "full trust" for all code and the effective
> policy is set at the machine policy level. This way the local machine
> admin
> has full control of the security settings through the machine policy. An
> enterprise policy is intended to be managed at the enterprise and is why
> it
> is evaluated first. The Machine policy can further restrict settings but
> cannot grant more permissions beyond what is set at the enterprise level.
>
> This is why I am saying that it doesn't make sense for MS to provide an
> Enterprise security policy that cannot be secured at the Enterprise level.
> It just defeats the purpose of the whole thing.
>
> Also, just because you grant someone local admin rights to their
> workstation
> doesn't mean you want them to be able to modify settings that are supposed
> to
> be domain or enterprise wide.
>
> Maybe you're right and I'm asking too much but it would have made more sense
> for MS to provide the ability to control the enterprise settings directly
> with a GPO rather than just pushing out the Enterprise settings as an MSI
> package in the GPO. This way if a local admin modified the enterprise
> settings, they would be automatically reset back to the appropriate values
> at
> the next GPO update interval and it wouldn't require redeploying a package
> or
> rebooting any machines.
>
> "Nicole Calinoiu" wrote:
>
>> Not all Windows machines are on domains, so it makes little sense for any
>> permission on a local resource to be denied to a local admin by default.
>> I'm not sure if domain policy can be used to prevent a local admin from
>> taking ownership of a local file. If not, he will be able to make
>> modifications to the file regardless of initial ACL on the file, so there
>> would be no way to prevent the change to the enterprise security policy.
>> Also, if your local admin users can't be trusted to make reasonable
>> security
>> decisions, perhaps they shouldn't be trusted with admin permissions in
>> the
>> first place?
>>
>> BTW, I've never seen any statement from Microsoft suggesting that their
>> intent was that machine policy be controlled by local admins and
>> enterprise
>> policy be controlled by domain admins. I have heard that the intent was
>> to
>> allow more granular control when a single enterprise policy is not
>> suitable
>> for all machines. Unless you've seen documentation to the contrary,
>> perhaps
>> you're hoping for the product to do something that was never in its
>> requirement set?
>>
>>
>> "Rich" <Rich@discussions.microsoft.com> wrote in message
>> news:1DBCF2D6-19FC-4F41-944B-3BB15D9B7BE2@microsoft.com...
>> > I've created an Enterprise Security policy for the framework and am
>> > distributing the file via a GPO / MSI package. I have already done
>> > this
>> > successfully.
>> >
>> > The problem I have is that Microsoft's documentation states that only
>> > security admins or domain admins can modify the enterprise policy.
>> > This
>> > does
>> > not seem to be the case. Any local machine admin can modify the
>> > enterprise
>> > policy settings. Obviously, I can restrict access to the
>> > enterprisesec.config file by modifying the NTFS permissions but I would
>> > have
>> > to push the permission modifications out as well.
>> >
>> > If the Machine policy is intended for use by local administrators why
>> > then
>> > can they modify the enterprise policy? It kind of defeats the purpose.
>> > What
>> > is the point of deploying an enterprise policy if anybody with local
>> > admin
>> > rights can modify it? Once they modify it, the only way to correct it
>> > is
>> > to
>> > redeploy the enterprise policy package. What is the recommended way to
>> > prevent local admins from modifying the enterprise policy?
>> >
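Joe's point that a local admin cannot be locked out of the file leaves detection as the practical control. The following is an added example written for this page, not code from the thread or from Microsoft: it hashes a deployed enterprisesec.config against the baseline recorded when the package was built and inspects the root code group's permission set. The sample policy XML, the tampered copy and the file path are constructed assumptions.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a CAS policy file: the root code group
# grants "Nothing" and only code from an intranet share gets FullTrust.
SAMPLE_POLICY = b"""<?xml version="1.0" encoding="utf-8"?>
<configuration><mscorlib><security><policy>
<PolicyLevel version="1">
<CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="Nothing" Name="All_Code">
<IMembershipCondition class="AllMembershipCondition" version="1"/>
<CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust" Name="Intranet_Apps">
<IMembershipCondition class="UrlMembershipCondition" version="1" Url="file://appserver/apps/*"/>
</CodeGroup></CodeGroup></PolicyLevel></policy></security></mscorlib></configuration>"""

# Assumed location of the enterprise level file on a target machine (Framework 1.1).
POLICY_PATH = r"C:\Windows\Microsoft.NET\Framework\v1.1.4322\config\enterprisesec.config"

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Baseline recorded when the MSI package was built; the deployed file must match it.
BASELINE_SHA256 = sha256_of(SAMPLE_POLICY)

def root_permission_set(policy_xml: bytes) -> str:
    """PermissionSetName of the top-level code group, the one matching all code."""
    group = ET.fromstring(policy_xml).find(".//PolicyLevel/CodeGroup")
    return group.get("PermissionSetName", "<unset>") if group is not None else "<missing>"

def check_policy(current: bytes, baseline_sha256: str) -> dict:
    """Flag content drift from the baseline and a root group that grants FullTrust,
    which is what an edited or reverted enterprise policy looks like."""
    findings = []
    if sha256_of(current) != baseline_sha256:
        findings.append("content differs from the deployed baseline")
    try:
        if root_permission_set(current) == "FullTrust":
            findings.append("root code group grants FullTrust: enterprise restriction is gone")
    except ET.ParseError:
        findings.append("policy file is not well-formed XML")
    return {"ok": not findings, "findings": findings}

def check_file(path: str = POLICY_PATH, baseline_sha256: str = BASELINE_SHA256) -> dict:
    """Run the check against the file actually deployed on this machine."""
    with open(path, "rb") as fh:
        return check_policy(fh.read(), baseline_sha256)

# Constructed tampered copy: the root group flipped to FullTrust by a local admin.
TAMPERED_POLICY = SAMPLE_POLICY.replace(b'PermissionSetName="Nothing"',
                                        b'PermissionSetName="FullTrust"')
```

Scheduled from a central job (or as a GPO startup script), `check_file()` turns a silent local edit into a reportable event, which is the most a domain can do once the box's admin owns the file.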