Re: Securing Enterprise Policy from local admins

From: Nicole Calinoiu (calinoiu)
Date: 02/10/05


Date: Thu, 10 Feb 2005 12:54:20 -0500


"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
in message news:OvGi3HvDFHA.3596@TK2MSFTNGP12.phx.gbl...
> Admin is admin. If you ACL the file so they can't edit it, they can just
> take ownership of the file and undo your ACL. It is not possible to stop
> this.

Thanks for confirming that. It was nagging at me, and I would probably have
wasted altogether too much time testing it if you hadn't jumped in.

>
> The intention is good, but it is just the fact that a local admin on the
> box owns the box and everything on it.
>
> Administrators can also just turn off CAS entirely with caspol.
>
> Joe K.
>
> "Rich" <Rich@discussions.microsoft.com> wrote in message
> news:8B53627C-B1E5-4AEC-B499-25B7E714E4C1@microsoft.com...
>> Nicole,
>>
>> Thanks for your reply.
>>
>> All the .NET Framework security policy docs on the website speak to the
>> contrary. Here is an excerpt from the .NET Framework Developer's Guide on
>> the MS website.
>>
>>> Enterprise Policy Administration
>>> The enterprise policy level affects every computer and user on the
>>> network and can only be administered by enterprise or domain
>>> administrators. See the section on Deploying Security Policy for
>>> information on deployment strategies.
>>
>> There are other statements in this guide regarding the use of the
>> individual policy levels.
>>
>> As far as machines that are not on domains, that is why the default
>> enterprise policy is set to "full trust" for all code and the effective
>> policy is set at the machine policy level. This way the local machine
>> admin has full control of the security settings through the machine
>> policy. An enterprise policy is intended to be managed at the enterprise
>> and is why it is evaluated first. The Machine policy can further restrict
>> settings but cannot grant more permissions beyond what is set at the
>> enterprise level.
>>
>> This is why I am saying that it doesn't make sense for MS to provide an
>> Enterprise security policy that cannot be secured at the Enterprise
>> level. It just defeats the purpose of the whole thing.
>>
>> Also, just because you grant someone local admin rights to their
>> workstation doesn't mean you want them to be able to modify settings that
>> are supposed to be domain or enterprise wide.
>>
>> Maybe you're right and I'm asking too much, but it would have made more
>> sense for MS to provide the ability to control the enterprise settings
>> directly with a GPO rather than just pushing out the Enterprise settings
>> as an MSI package in the GPO. This way if a local admin modified the
>> enterprise settings, they would be automatically reset back to the
>> appropriate values at the next GPO update interval and it wouldn't
>> require redeploying a package or rebooting any machines.
>>
>> "Nicole Calinoiu" wrote:
>>
>>> Not all Windows machines are on domains, so it makes little sense for
>>> any permission on a local resource to be denied to a local admin by
>>> default. I'm not sure if domain policy can be used to prevent a local
>>> admin from taking ownership of a local file. If not, he will be able to
>>> make modifications to the file regardless of the initial ACL on the file,
>>> so there would be no way to prevent the change to the enterprise security
>>> policy. Also, if your local admin users can't be trusted to make
>>> reasonable security decisions, perhaps they shouldn't be trusted with
>>> admin permissions in the first place?
>>>
>>> BTW, I've never seen any statement from Microsoft suggesting that their
>>> intent was that machine policy be controlled by local admins and
>>> enterprise policy be controlled by domain admins. I have heard that the
>>> intent was to allow more granular control when a single enterprise policy
>>> is not suitable for all machines. Unless you've seen documentation to the
>>> contrary, perhaps you're hoping for the product to do something that was
>>> never in its requirement set?
>>>
>>>
>>> "Rich" <Rich@discussions.microsoft.com> wrote in message
>>> news:1DBCF2D6-19FC-4F41-944B-3BB15D9B7BE2@microsoft.com...
>>> > I've created an Enterprise Security policy for the framework and am
>>> > distributing the file via a GPO / MSI package. I have already done
>>> > this successfully.
>>> >
>>> > The problem I have is that Microsoft's documentation states that only
>>> > security admins or domain admins can modify the enterprise policy.
>>> > This does not seem to be the case. Any local machine admin can modify
>>> > the enterprise policy settings. Obviously, I can restrict access to the
>>> > enterprisesec.config file by modifying the NTFS permissions but I
>>> > would have to push the permission modifications out as well.
>>> >
>>> > If the Machine policy is intended for use by local administrators why
>>> > then can they modify the enterprise policy? It kind of defeats the
>>> > purpose. What is the point of deploying an enterprise policy if
>>> > anybody with local admin rights can modify it? Once they modify it,
>>> > the only way to correct it is to redeploy the enterprise policy
>>> > package. What is the recommended way to prevent local admins from
>>> > modifying the enterprise policy?
>>> >
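The thread's conclusion is that a local admin cannot be stopped from editing, re-ACLing or taking ownership of enterprisesec.config, and that the only fix is to redeploy the policy. What a defender can still do is notice when that has happened. The script below is an added example, not code from the thread or from Microsoft: it records the hash, owner and explicit ACEs of each installed framework version's enterprisesec.config and compares the hash against a baseline recorded at deployment. It assumes the file lives under %windir%\Microsoft.NET\Framework\v*\CONFIG\ (the location of the CAS policy files on the framework versions discussed here), that $Baseline is filled in with your deployed file's SHA-256 (the value shown is a constructed placeholder), and that the resulting report is shipped off the box, because state kept on a machine the admin owns can be rewritten by that admin.

```powershell
# Added example, not code from the thread. Detects drift in the CAS enterprise
# policy file that a local admin can edit, re-ACL, or take ownership of. It does
# not try to block the change (the thread's point is that it cannot); it
# records the state so a central job can compare it against the deployed copy.
#
# Assumptions (not from the thread):
#   - the file lives under %windir%\Microsoft.NET\Framework\v*\CONFIG\
#   - $Baseline holds one SHA-256 per framework version, taken at deployment
#   - $ReportPath points somewhere the local admin cannot quietly rewrite
#     (a write-only central share or a log collector)

$Baseline = @{
    # constructed placeholder; replace with the hash of the file you deployed
    'v2.0.50727' = 'PLACEHOLDER-SHA256-OF-DEPLOYED-ENTERPRISESEC-CONFIG'
}

function Get-EnterprisePolicyState {
    param(
        [string]$FrameworkRoot = (Join-Path $env:windir 'Microsoft.NET\Framework'),
        [hashtable]$Expected = $Baseline
    )

    Get-ChildItem -Path $FrameworkRoot -Directory -Filter 'v*' | ForEach-Object {
        $path = Join-Path $_.FullName 'CONFIG\enterprisesec.config'
        if (-not (Test-Path -Path $path)) { return }

        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        $acl  = Get-Acl -Path $path

        # Explicit (non-inherited) ACEs mean someone re-ACLed the file by hand,
        # which the thread notes an admin can do after taking ownership.
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })

        [pscustomobject]@{
            Version      = $_.Name
            Path         = $path
            Sha256       = $hash
            Owner        = $acl.Owner
            ExplicitAces = ($explicit | ForEach-Object {
                                '{0}:{1}:{2}' -f $_.IdentityReference, $_.FileSystemRights, $_.AccessControlType
                            }) -join '; '
            LastWriteUtc = (Get-Item -Path $path).LastWriteTimeUtc
            # Only versions with a recorded baseline can be judged as drifted
            HashDrifted  = ($Expected.ContainsKey($_.Name) -and $Expected[$_.Name] -ne $hash)
        }
    }
}

function Test-EnterprisePolicyIntegrity {
    param([string]$ReportPath)   # per-host file on a central, write-only share

    $state = @(Get-EnterprisePolicyState)
    $state | Export-Csv -Path $ReportPath -NoTypeInformation

    # Flag a changed hash or any hand-added ACE; non-zero exit lets a scheduled
    # task or monitoring agent mark the host for policy redeployment.
    $bad = @($state | Where-Object { $_.HashDrifted -or $_.ExplicitAces })
    if ($bad.Count -gt 0) {
        $bad | Format-Table Version, Owner, LastWriteUtc, HashDrifted, ExplicitAces -AutoSize
        return 1
    }
    return 0
}

# Usage: run from a GPO startup script so it executes before users log on.
# exit (Test-EnterprisePolicyIntegrity -ReportPath "\\server\reports\$env:COMPUTERNAME.csv")
```

Run it at startup and treat a non-zero result as a trigger to redeploy the enterprise policy package, which is the remediation the thread arrives at. The check is evidence, not enforcement: an admin who owns the box can also edit the baseline, the script or the scheduled task, so the hash table and the reports should live where that admin has no write access.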


