|
Posted by Daniel Petri on May 13, 2008, 8:11 am
If you were Registered and logged in, you could reply and use other advanced thread options
Like the others said the moment you give someone enough rights they can do
whatever they want.
But I wonder why one would go through all the trouble to disable the GPO as
you've described it. Isn't it much simpler to download the KillPol tool from
my site, and simply enter the right administrative username and password?
Running the tool again will bring back the GPO. Quite useful for
troubleshooting and management scenarios.
www.petri.co.il/killpol.htm
Daniel Petri
www.petri.co.il
> Gurus,
>
> This is a re-post of a message sent solely to the group_policy NG. I'm
> copying a wider audience here to engage some discussions amongst you IT
> Security Managers/security consultants out there.
>
> Running Windows Server 2003 SP2 in a single Active Directory domain (Lab
> environment). I am experimenting with the Group Policy Security database,
> secedit.sdb If you run the Setup Security INF in the Security
> Configuration and Analysis Snapin against this database, you will bring
> your system back Windows security default settings and it will remain that
> way until the next Group Policy Refresh interval. You must be an admin on
> the machine to do this. My question is, isn't this a security risk in
> it's own right, bypassing domain and OU GPO settings? A respondent in
> the Group Policy newsgroup (Marcin) stated that if my sole goal is to
> prevent use of Security Configuration and Analysis, I have ability to
> restrict access to arbitrarily selected snap-ins via GPO. In addition I
> could restrict ability to execute Secedit (which one can do by following
> http://support.microsoft.com/kb/323525). While I agree this is a major
> technical challenge, has anyone else in these other NGs I've copied on
> this message ever worried about this? Or should I just let it pass?
>
> --
> Spin
| 
XML site map