
Bypassing domain and OU GPO settings using the Security Configuration and Analysis MMC


Spin
May 10, 2008, 2:21:54 PM
Gurus,

Running Windows Server 2003 SP2 in a single Active Directory domain (Lab
environment). I am experimenting with the Group Policy Security database,
secedit.sdb. If you run the Setup Security INF in the Security Configuration
and Analysis Snapin against this database, you will bring your system back to
Windows security default settings and it will remain that way until the next
Group Policy Refresh interval. You must be an admin on the machine to do
this. My question is, isn't this a security risk in its own right,
bypassing domain and OU GPO settings?

--
Spin

Marcin
May 11, 2008, 11:37:22 AM
It's rather unrealistic not to expect security implications if you assume
that a potential compromise comes from someone with local Admin privileges
and physical access to the computer...

Marcin

Spin
May 11, 2008, 4:45:43 PM
"Marcin" <mar...@community.nospam> wrote in message
news:39BE2F9C-DC66-4185...@microsoft.com...

I'm discussing the technical aspects of this, not the political ones. Now,
does anyone have a technical way to block this?


Marcin
May 11, 2008, 4:58:25 PM
If your sole goal is to prevent use of Security Configuration and Analysis,
you have the ability to restrict access to arbitrarily selected snap-ins via
GPO. In addition you would want to restrict the ability to execute Secedit
(which you can do by following http://support.microsoft.com/kb/323525).
However, the question which still remains is what exactly you are trying to
accomplish (I assume this goes beyond the ability to modify the default
configuration by a member of local Administrators)...
I wouldn't agree that this is a political issue - you are dealing with a major
technical challenge here...

Marcin

Spin
May 11, 2008, 9:40:59 PM
Gurus,

This is a re-post of a message sent solely to the group_policy NG. I'm
copying a wider audience here to engage some discussions amongst you IT
Security Managers/security consultants out there.

bypassing domain and OU GPO settings? A respondent in the Group Policy
newsgroup (Marcin) stated that if my sole goal is to prevent use of Security
Configuration and Analysis, I have the ability to restrict access to arbitrarily
selected snap-ins via GPO. In addition I could restrict the ability to execute
Secedit (which one can do by following
http://support.microsoft.com/kb/323525). While I agree this is a major
technical challenge, has anyone else in these other NGs I've copied on this
message ever worried about this? Or should I just let it pass?

--
Spin

Kerry Brown
May 11, 2008, 11:21:38 PM
If you want to keep the wolf out of the henhouse then don't give him the
key. There are several ways a local administrator can get around group
policy.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/

"Spin" <Sp...@invalid.com> wrote in message
news:68pld0F...@mid.individual.net...

Herb Martin
May 12, 2008, 1:25:03 AM

"Spin" <Sp...@invalid.com> wrote in message
news:68pld0F...@mid.individual.net...

Moral is really "Don't make admins" who are not trustworthy admins.

If you don't trust people to do the right thing, don't give them the
privilege.

Anthony [MVP]
May 12, 2008, 4:24:05 AM
Group Policy is a way of setting configurations that the OS exposes. The
client side extensions are run in the System context or the User context.
All these are available to the administrator of the machine. There is no
"third party" controlling the machine.
Secedit.sdb is just a template of settings.
I don't see a security risk in assuming the administrator has full control
of the local machine.
Anthony,
http://www.airdesk.co.uk


"Spin" <Sp...@invalid.com> wrote in message
news:68pld0F...@mid.individual.net...

Mark Heitbrink [MVP]
May 12, 2008, 8:03:03 AM
Hi,

Spin wrote:
> [...] You must be an admin on the machine to do this. My question
> is, isn't this a security risk in its own right, bypassing domain
> and OU GPO settings?

Sure, but what did you expect? An Admin is an Admin is an Admin.

That's the reason why he is an Administrator.
He MUST be able to revert all settings that unsuspecting users
possibly have made. An Administrator is a job or a role, and being
an Administrator means that I know what I do by definition.

But here is your solution:
Because of the problem that local Admins can override security settings
from the domain, the Client Side Extension of Security is running every
16 hours with a /FORCE option.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
"MaxNoGPOListChangesInterval"=0x3C0 (960 minutes = 16 hours)

Just wait a day and everything will be fine again, if the local
Administrator does not find a much easier and more effective way
to block your settings.

Mark
--
Mark Heitbrink - MVP Windows Server - Group Policy

Homepage: www.gruppenrichtlinien.de - deutsch
Blog: gpupdate.spaces.live.com - english

Spin
May 12, 2008, 9:04:36 PM
I thought Group Policy Refresh Interval was every 90 minutes +/- 30 by
default. What is this 16 hours thing all about? That Group Policy is a
template of settings being pushed to a machine, are the Client Side
Extensions just basically Local Group Policy, in other words?

"Mark Heitbrink [MVP]" <spam...@gruppenrichtlinien.de> wrote in message
news:OueAkmCt...@TK2MSFTNGP04.phx.gbl...

Florian Frommherz [MVP]
May 13, 2008, 1:28:48 AM
Howdie!

Spin wrote:

> I thought Group Policy Refresh Interval was every 90 minutes +/- 30 by
> default.

Yes. Every 16 hours, the security settings for the machine are
re-downloaded and re-applied on the machine, no matter if they have changed.

> What is this 16 hours thing all about? That Group Policy is a
> template of settings being pushed to a machine, is the Client Side
> Extensions just basically Local Group Policy, in other words?

The Client Side Extensions (CSE) are basically the pieces of code on
every single machine that are responsible for applying the policies.
They do the work of downloading and enforcing the settings a policy
dictates. They process both domain-based and local policies.

Just to make it clear: Group Policy is not a push-mechanism. The client
itself actually asks a DC for new policies and changes in its
configuration. It then downloads the policies from there. DCs don't push
anything...

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Use a newsreader! http://www.frickelsoft.net/news.html

Roger Abell [MVP]
May 13, 2008, 3:01:36 AM

"Spin" <Sp...@invalid.com> wrote in message
news:68pld0F...@mid.individual.net...
> Gurus,
>
> This is a re-post of a message sent solely to the group_policy NG. I'm
> copying a wider audience here to engage some discussions amongst you IT
> Security Managers/security consultants out there.
>
> Running Windows Server 2003 SP2 in a single Active Directory domain (Lab
> environment). I am experimenting with the Group Policy Security database,
> secedit.sdb If you run the Setup Security INF in the Security
> Configuration and Analysis Snapin against this database, you will bring
> your system back Windows security default settings and it will remain that
> way until the next

That setup security.inf will do that is a common belief, one that is
almost right, but not fully correct.

> Group Policy Refresh interval. You must be an admin on the machine to do
> this. My question is, isn't this a security risk in it's own right,
> bypassing domain and OU GPO settings?

What you are actually asking is:
Isn't it a security risk that people believe that group policy
will control settings such that they cannot be altered and/or
circumvented? To that I would say yes, anytime someone
running a system does not fully understand the operational
characteristics of the system, that poses a risk.
As others have said, a) it takes an admin to do what you
outline, b) it can be made more difficult to do, c) there are
many ways to change what group policy has set and those
changes will stay until group policy resets, which in some
cases can be a very long time.

Roger

Mark Heitbrink [MVP]
May 13, 2008, 4:05:42 AM
Spin wrote:

> I thought Group Policy Refresh Interval was every 90 minutes +/- 30 by
> default.

Right. But on a usual background refresh, or even in foreground, the
gpupdate process only checks for newer GPOs. If a GPO never changes,
it will never be applied again. You need to run "gpupdate /force"
to apply "...even if GPO doesn't have changed".

> What is this 16 hours thing all about?

Security Settings will be applied by /force every 16 hours.
All other Client Side Extensions do not behave like this (by default).

Daniel Petri
May 13, 2008, 8:11:28 AM
Like the others said, the moment you give someone enough rights they can do
whatever they want.

But I wonder why one would go through all the trouble to disable the GPO as
you've described it. Isn't it much simpler to download the KillPol tool from
my site, and simply enter the right administrative username and password?
Running the tool again will bring back the GPO. Quite useful for
troubleshooting and management scenarios.

www.petri.co.il/killpol.htm

Daniel Petri
www.petri.co.il

"Spin" <Sp...@invalid.com> wrote in message
news:68pld0F...@mid.individual.net...

Spin
May 14, 2008, 3:30:12 PM
"Daniel Petri" <dan...@petri.co.il.removeme> wrote in message
news:%23vAz6JP...@TK2MSFTNGP03.phx.gbl...

> Like the others said the moment you give someone enough rights they can do
> whatever they want.
>
> But I wonder why one would go through all the trouble to disable the GPO
> as you've described it. Isn't it much simpler to download the KillPol tool
> from my site, and simply enter the right administrative username and
> password? Running the tool again will bring back the GPO. Quite useful for
> troubleshooting and management scenarios.
>
> www.petri.co.il/killpol.htm

Daniel, I just tried Kilpol.exe from your web site and while it looked
promising, after I executed it, I immediately ran another RSOP.msc and all
of the customized domain policies were showing still in place. What am I
doing wrong?


Daniel Petri <MVP>
May 14, 2008, 3:56:36 PM
Because RSOP sees the last applied policy, not what is applied at that
given moment.

Try disabling something visible, you'll see KillPol works...


--
Daniel Petri
www.petri.co.il

"Spin" <Sp...@invalid.com> wrote in message
news:690tajF...@mid.individual.net...
