Subject: Re: *potential* Windows 2000 holes
From: Phil Cox (Phil.CoxSYSTEMEXPERTS.COM)
Date: Fri Oct 13 2000 - 15:20:52 CDT


**Note: I did a bit of re-thinking, and my real focus was on the User
portion of the GPO not being applied to network logons. This in reality is
not that big of an issue, since there is little that that portion of the GPO
does to limit network logon "stuff" anyways. So I started a thread that at
this time in history for GPOs is almost irrelevant, sorry. **My point in
starting the thread was that I believe that security policies should apply to
everyone by default, and I am not sure why the decision was made otherwise.

[If the following is not in the context of the list, because now we are
getting into admin type stuff, please feel free to kill it]

Although I may have not been thinking correctly to begin with, I would like
to explore a statement Paul made.

> And I'm saying that using GPOs to try to "restrict and limit"
> users _at their own client machines_ is a losing proposition.

I disagree strongly. So what is the whole User portion of the Group Policy
for if not to "restrict and limit" users at their own client machines?

> At the very least, I think you'd have to agree that not relying on
> attackers to have had GPO applied is a more conservative approach
> than trying to depend on it.

Absolutely. The problem I have, is that how many admins will assume that
Group Policy *will* be applied?

Phil
