Re: Network Cable Disconnection and Elevated Access

From: "Colin Nash [MVP]" <cnashx@xxxxxxxxx>
Date: Tue, 5 Sep 2006 23:36:40 -0400

"Lokiarmos" <2198234981234810834@Localhost> wrote in message
news:4F0D4037-3FBA-4D22-899F-6FFB7BD52E9A@xxxxxxxxxxxxxxxx

We have discovered in my workplace (A School) that they students are
unplugging
the network cables as the students log on, this prevents the GP from been
applied.

This then allows them the browse the network, although they can only see
visable shares which are not many but what did surprise me was that they
could get access to the sysvol and where able not only to write to it but
change permissions.

This in turned stuffed up sysvol and forced me to do a authorative restore
on it.

Now the questions i have are
1. Whom or to what level are they been authenticated as
2. How can i prevent them from logging on if the GPOs are not
applied.
3. And how do i do it in the way that won't affect the other users
(teachers) who use the machine.

Preventing them from browsing the network isn't really an effective security
method, it hides some interface elements from them but it doesn't prevent
them from manually mapping drives or connecting to a UNC path (etc etc etc.)
It's better to properly secure the resources you want to keep them out of
rather than to try to hide parts of the desktop interface on the client
machines. (Locking down the desktop can be a good secondary way of securing
things but it's never the main way of protecting *server/domain* resources.)

You need to look at the permissions on the sysvol folder and share, because
Authenticated Users should only have Read access there. Write (and Full
Control) should only be held by administrators. Has somebody been playing
with the permissions there, or did you somehow manage to install a domain
controller using FAT32 volumes?

--
Colin Nash
Microsoft MVP
Windows Shell/User

.

Prev by Date: Re: Digital Certificate "There are problems with the signature"
Next by Date: Re: I was just wondering
Previous by thread: Re: Pirated software - to legal
Next by thread: Re: Network Cable Disconnection and Elevated Access
Index(es):
- Date
- Thread

Relevant Pages

RE: Access denied creating GPO
... issue may cause by the permissions for the SYSVOL share were incorrect. ... Administrators: Full Control ... PLEASE NOTE the newsgroup SECURE CODE and PASSWORD were ...
(microsoft.public.windows.server.sbs)
Re: Need Help RE: NTFS
... I'm trying to create a share on our W2k3 network. ... so lets say I have this NTFS Folder structure: ... control what files get published and controls who can have access). ... who can place files in specific folders via NTFS permissions. ...
(microsoft.public.windows.server.general)
Re: FileIOPermissions issue - howto fix?
... In the .NET CAS security manager, doesn't really matter what user permissions you ... have on that network share, the code-origin is queried first and it is LocalInternet ... > control and edit/save capabilities) disappears from the main form. ...
(microsoft.public.dotnet.security)
RE: NTFS permissons on SystemRoot and below...
... permissions on my sysvol share to the default permissions for this folder it ... Adminstrators = Full Control ... Any thoughts on how to permanently address this issue on the sysvol share ... someone mistakenly created a GPO that sets NTFS ...
(microsoft.public.windows.file_system)
Re: GPO errors and not applying to workstations....
... controller does it show that the sysvol share exists? ... and folders [NTFS permissions] and is included in the user right for access ... for access this computer from the network would be in Domain Controller ...
(microsoft.public.windows.group_policy)