RE: Disabling sharing and group policies
From: Laura A. Robinson (larobins bellatlantic.net)
Date: Thu Sep 18 2003 - 11:38:06 CDT
Again, this is not the case. A user with local Administrator rights to
his/her machine *can* exempt his/her machine from group policy application.
No ifs, ands or buts.
Laura
> -----Original Message-----
> From: Sergey V. Gordeychik [mailto:gordey infosec.ru]
> Sent: Thursday, September 18, 2003 1:59 AM
> To: larobins bellatlantic.net; robert snrdesigns.com; Focus-Ms
> Subject: RE: Disabling sharing and group policies
>
>
> If you disable Group Policy loopback mode in a domain-level
> GPO, a local administrator will be unable to change group policy
> on the computer. Yes, the administrator can modify some settings, but
> these settings will be replaced when the GPO is applied again.
>
> The simplest way to disable sharing for any user with
> administrative rights is to filter CIFS/SMB/NetBIOS server
> (TCP/UDP 445, 139) packets with IPSec packet filter policies (SPD).
> Even if a user shares something on the computer, the filters will drop
> connection packets and prevent network sharing.
> In the policy you can also allow CIFS/NetBIOS connections from
> management stations for log collection, etc.
> You can find information about IPSec filtering, for example,
> in the Windows Server 2003 Security Guide:
>
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/Windows/Win2003/W2003HG/SGCH04.asp
Regards,
Sergey V. Gordeychik.
-----Original Message-----
From: Laura A. Robinson [mailto:larobins bellatlantic.net]
Sent: Tuesday, September 16, 2003 6:47 PM
To: robert snrdesigns.com; 'Focus-Ms'
Subject: RE: Disabling sharing and group policies
Actually, as I said, anybody with administrative rights on his/her machine
can exempt his/her machine from group policy application- *regardless* of
whether or not that machine is a domain member. The local admin does *not*
have to leave the domain to accomplish this.
Laura
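
The IPSec filtering approach described in the quoted message above, as an added example that is not part of the original thread: a block rule for inbound TCP/UDP 445 and 139 plus a permit rule for one management station. It assumes the `netsh ipsec static` context of Windows Server 2003; the policy, filter list and filter action names and the address 192.0.2.10 are placeholders chosen for illustration.

```bat
@echo off
rem Added example. All names and the management address are assumptions.
set POLICY=Block inbound SMB
set MGMT=192.0.2.10

rem Create the policy unassigned so it can be reviewed before it takes effect.
netsh ipsec static add policy name="%POLICY%" description="Drop inbound CIFS/SMB/NetBIOS" assign=no

rem Filter list 1: any host to this machine, TCP and UDP, ports 445 and 139.
netsh ipsec static add filterlist name="SMB inbound (any)"
for %%P in (TCP UDP) do for %%D in (445 139) do (
  netsh ipsec static add filter filterlist="SMB inbound (any)" srcaddr=any dstaddr=me protocol=%%P srcport=0 dstport=%%D mirrored=yes
)

rem Filter list 2: the same ports, but only from the management station.
rem The more specific source address takes precedence over the "any" filter.
netsh ipsec static add filterlist name="SMB inbound (mgmt)"
for %%P in (TCP UDP) do for %%D in (445 139) do (
  netsh ipsec static add filter filterlist="SMB inbound (mgmt)" srcaddr=%MGMT% srcmask=255.255.255.255 dstaddr=me protocol=%%P srcport=0 dstport=%%D mirrored=yes
)

rem Filter actions: drop or pass, with no IPSec negotiation.
netsh ipsec static add filteraction name="SMB block" action=block
netsh ipsec static add filteraction name="SMB permit" action=permit

rem Bind each filter list to its action inside the policy.
netsh ipsec static add rule name="Drop SMB from any" policy="%POLICY%" filterlist="SMB inbound (any)" filteraction="SMB block"
netsh ipsec static add rule name="Allow SMB from mgmt" policy="%POLICY%" filterlist="SMB inbound (mgmt)" filteraction="SMB permit"

rem Review the result, then assign the policy.
netsh ipsec static show policy name="%POLICY%" level=verbose
netsh ipsec static set policy name="%POLICY%" assign=yes
```

This creates the policy in the machine's local store; the same filter lists and rules can be defined in an IP Security policy carried by a domain GPO.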