Subject: Re: *potential* Windows 2000 holes
From: Paul Leach (paulle@EXCHANGE.MICROSOFT.COM)
Date: Fri Oct 13 2000 - 15:31:05 CDT


> -----Original Message-----
> From: Jesper M. Johansson [mailto:jjohanss@BU.EDU]
> Sent: Friday, October 13, 2000 11:29 AM
> To: win2ksecadvice@LISTSERV.NTSECURITY.NET
> Subject: Re: *potential* Windows 2000 holes
>
> > And I'm saying that using GPOs to try to "restrict and limit" users _at
> > their own client machines_ is a losing proposition. If you are using GPOs
> > to protect servers by making sure that they have appropriate policies
> > set, that will work just fine, but then they have no incentive to try and
> > bypass having the GP downloaded and applied.
>
> Paul, while I, in principle, agree with what you are saying, I must point
> out that this is a contradictory statement to much of the documentation
> that Microsoft has issued on Group Policy. For example, from the Microsoft
> Windows 2000 Server Resource Kit:
> ---
> Group Policy settings:
> * Are secure. Only an administrator can change the settings
> * Can be used for finely tuned desktop control and to enhance the user's
>   computing environment
> ---
> Also from the Win2K Server Resource Kit, in the "Introduction to desktop
> management" section: "Group Policy is the MMC snap-in that you use to
> specify the behavior of users' desktops."

I guess I don't see that this is contradictory. Indeed, only the admin
of a machine (or someone with physical access) can override group
policy.

But I take your point -- I was a little too bald with the claim -- but
it was for educational emphasis; I have run into too many people who
believe that one can depend, for security of their servers, on group
policy having been applied to all clients.

To try and be more precise: using GPOs to try and achieve a _guarantee_
that the user's machines can't be used in certain ways, so that you
don't have to have as good security on the server, is a losing
proposition.
 
> GP is fine for enforcing security on the desktop, as long as we understand
> what security on the desktop means. It is also an exceptionally useful tool
> for configuration management. As long as we understand that and also
> understand the limitations, we can use it and derive great functionality
> from it.

I agree completely. I was hoping to contribute to that understanding.

Paul
