While certanly you would not be able to affect anything on the Domain but if you set the "HKCU\Software\Policies\Microsoft\Windows\System\GroupPolicyRefreshTime"
value to be very high (10 years should be good), would that not allow you to change the local machine properties at will???? As long as you do not re-boot or drop the network connection they will stay in affect on the local machine.
>
> From: "Arik Fletcher" <arikf (at) joskos (dot) com [email concealed]>
> Date: 2003/09/10 Wed AM 11:43:43 EDT
> To: <robert (at) snrdesigns (dot) com [email concealed]>, "Enrico Pastrello" <epastrello (at) altevie (dot) com [email concealed]>,
> <focus-ms (at) securityfocus (dot) com [email concealed]>
> Subject: RE: Disabling sharing and group policies
>
> Group policies are applied in what is know as LSDO (or LSDOU) which stands for Local, Site, Domain, Organisational Unit. This is the order in which poilicies apply to a computer/user.
>
> One cannot 'bypass' group policies by editing the local registry because if there is a conflict between the local settings and the nearest parent container (i.e. an OU, Domain, or Site) these will override the local settings.
>
>
>
> -----Original Message-----
> From: Robert Blackwell [mailto:robert (at) snrdesigns (dot) com [email concealed]]
> Sent: Wed 9/10/2003 5:11 AM
> To: Enrico Pastrello; focus-ms (at) securityfocus (dot) com [email concealed]
> Cc:
> Subject: RE: Disabling sharing and group policies
>
>
>
> yes they can. In-fact, anyone who has physical access to the box can render
> the majority of group policy objects useless, but that's another story. I'm
> not too clear on what you are wanting to do. If you just want to get rid of
> the everyone share on a local machine, disallow all anonymous access and
> disable the guest account. the everyone share will still be there but it
> will be effectively disabled by these settings. group policies are not
> really needed to do this. Somebody please correct me if this is not the
> case.
>
> -----Original Message-----
> From: Enrico Pastrello [mailto:epastrello (at) altevie (dot) com [email concealed]]
> Sent: Tuesday, September 09, 2003 8:40 AM
> To: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: RE: Disabling sharing and group policies
>
>
> Maybe I'm saying something quite stupid but since group policies are saved
> in the registry,
> machine administrators can easilly bypass them.
>
> Greetings,
> Enrico Pastrello
>
> -----Original Message-----
> From: Matthew Wagenknecht [mailto:Matthew.Wagenknecht (at) quantum (dot) com [email concealed]]
> Sent: lunedì 8 settembre 2003 18.49
> To: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: Disabling sharing and group policies
>
>
> Is there a way with Group Policies to disable sharing without pulling users
> from the Administrator group or killing adminstrative shares? I'm looking
> for a way to reduce "everyone" shares without flogging end users. Strangely,
> that actually sounds fun.. ;c)
>
> Please keep flames off the list.
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Matt Wagenknecht, CISSP
> Security Administrator
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
> Never be afraid to try something new.
> Remember, amateurs built the ark; professionals built the Titanic.
>
>
> This email may contain confidential and privileged information for the sole
> use of the intended recipient. Any review or distribution by others is
> strictly prohibited. If you are not the intended recipient, please contact
> the sender and delete all copies of this email message.
>
>
> ------------------------------------------------------------------------
---
> KaVaDo provides the first and only integrated Web application scanner and
> firewall security suite that prevent Web applications attacks, the most
> common form of online exploitation. Download a FREE whitepaper on Security
> Policy Automation for Web Applications.
> http://www.securityfocus.com/sponsor/KaVaDo_focus-ms_030818
> ------------------------------------------------------------------------
---
>
>
> ------------------------------------------------------------------------
---
> KaVaDo provides the first and only integrated Web application scanner and
> firewall security suite that prevent Web applications attacks, the most
> common form of online exploitation. Download a FREE whitepaper on Security
> Policy Automation for Web Applications.
> http://www.securityfocus.com/sponsor/KaVaDo_focus-ms_030818
> ------------------------------------------------------------------------
---
>
>
> ------------------------------------------------------------------------
---
> KaVaDo provides the first and only integrated Web application scanner and
> firewall security suite that prevent Web applications attacks, the most
> common form of online exploitation. Download a FREE whitepaper on Security Policy Automation for Web Applications.
> http://www.securityfocus.com/sponsor/KaVaDo_focus-ms_030818
> ------------------------------------------------------------------------
---
>
>
>
>
value to be very high (10 years should be good), would that not allow you to change the local machine properties at will???? As long as you do not re-boot or drop the network connection they will stay in affect on the local machine.
>
> From: "Arik Fletcher" <arikf (at) joskos (dot) com [email concealed]>
> Date: 2003/09/10 Wed AM 11:43:43 EDT
> To: <robert (at) snrdesigns (dot) com [email concealed]>, "Enrico Pastrello" <epastrello (at) altevie (dot) com [email concealed]>,
> <focus-ms (at) securityfocus (dot) com [email concealed]>
> Subject: RE: Disabling sharing and group policies
>
> Group policies are applied in what is know as LSDO (or LSDOU) which stands for Local, Site, Domain, Organisational Unit. This is the order in which poilicies apply to a computer/user.
>
> One cannot 'bypass' group policies by editing the local registry because if there is a conflict between the local settings and the nearest parent container (i.e. an OU, Domain, or Site) these will override the local settings.
>
>
>
> -----Original Message-----
> From: Robert Blackwell [mailto:robert (at) snrdesigns (dot) com [email concealed]]
> Sent: Wed 9/10/2003 5:11 AM
> To: Enrico Pastrello; focus-ms (at) securityfocus (dot) com [email concealed]
> Cc:
> Subject: RE: Disabling sharing and group policies
>
>
>
> yes they can. In-fact, anyone who has physical access to the box can render
> the majority of group policy objects useless, but that's another story. I'm
> not too clear on what you are wanting to do. If you just want to get rid of
> the everyone share on a local machine, disallow all anonymous access and
> disable the guest account. the everyone share will still be there but it
> will be effectively disabled by these settings. group policies are not
> really needed to do this. Somebody please correct me if this is not the
> case.
>
> -----Original Message-----
> From: Enrico Pastrello [mailto:epastrello (at) altevie (dot) com [email concealed]]
> Sent: Tuesday, September 09, 2003 8:40 AM
> To: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: RE: Disabling sharing and group policies
>
>
> Maybe I'm saying something quite stupid but since group policies are saved
> in the registry,
> machine administrators can easilly bypass them.
>
> Greetings,
> Enrico Pastrello
>
> -----Original Message-----
> From: Matthew Wagenknecht [mailto:Matthew.Wagenknecht (at) quantum (dot) com [email concealed]]
> Sent: lunedì 8 settembre 2003 18.49
> To: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: Disabling sharing and group policies
>
>
> Is there a way with Group Policies to disable sharing without pulling users
> from the Administrator group or killing adminstrative shares? I'm looking
> for a way to reduce "everyone" shares without flogging end users. Strangely,
> that actually sounds fun.. ;c)
>
> Please keep flames off the list.
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Matt Wagenknecht, CISSP
> Security Administrator
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
> Never be afraid to try something new.
> Remember, amateurs built the ark; professionals built the Titanic.
>
>
> This email may contain confidential and privileged information for the sole
> use of the intended recipient. Any review or distribution by others is
> strictly prohibited. If you are not the intended recipient, please contact
> the sender and delete all copies of this email message.
>
>
> ------------------------------------------------------------------------
---
> KaVaDo provides the first and only integrated Web application scanner and
> firewall security suite that prevent Web applications attacks, the most
> common form of online exploitation. Download a FREE whitepaper on Security
> Policy Automation for Web Applications.
> http://www.securityfocus.com/sponsor/KaVaDo_focus-ms_030818
> ------------------------------------------------------------------------
---
>
>
> ------------------------------------------------------------------------
---
> KaVaDo provides the first and only integrated Web application scanner and
> firewall security suite that prevent Web applications attacks, the most
> common form of online exploitation. Download a FREE whitepaper on Security
> Policy Automation for Web Applications.
> http://www.securityfocus.com/sponsor/KaVaDo_focus-ms_030818
> ------------------------------------------------------------------------
---
>
>
> ------------------------------------------------------------------------
---
> KaVaDo provides the first and only integrated Web application scanner and
> firewall security suite that prevent Web applications attacks, the most
> common form of online exploitation. Download a FREE whitepaper on Security Policy Automation for Web Applications.
> http://www.securityfocus.com/sponsor/KaVaDo_focus-ms_030818
> ------------------------------------------------------------------------
---
>
>
>
>
[ reply ]