Posted by Anthony [MVP] on May 12, 2008, 4:24 am
Group Policy is a way of setting configurations that the OS exposes. The
client side extensions are run in the System context or the User context.
All these are available to the administrator of the machine. There is no
"third party" controlling the machine.
Secedit.sdb is just a template of settings.
I don't see a security risk in assuming the administrator has full control
of the local machine.
Anthony,
http://www.airdesk.co.uk
> Gurus,
>
> This is a re-post of a message sent solely to the group_policy NG. I'm
> copying a wider audience here to engage some discussions amongst you IT
> Security Managers/security consultants out there.
>
> Running Windows Server 2003 SP2 in a single Active Directory domain (Lab
> environment). I am experimenting with the Group Policy Security database,
> secedit.sdb. If you run the Setup Security INF in the Security
> Configuration and Analysis snap-in against this database, you will bring
> your system back to Windows security default settings and it will remain that
> way until the next Group Policy Refresh interval. You must be an admin on
> the machine to do this. My question is, isn't this a security risk in
> its own right, bypassing domain and OU GPO settings? A respondent in
> the Group Policy newsgroup (Marcin) stated that if my sole goal is to
> prevent use of Security Configuration and Analysis, I have the ability to
> restrict access to arbitrarily selected snap-ins via GPO. In addition I
> could restrict the ability to execute Secedit (which one can do by following
> http://support.microsoft.com/kb/323525). While I agree this is a major
> technical challenge, has anyone else in these other NGs I've copied on
> this message ever worried about this? Or should I just let it pass?
>
> --
> Spin