Focus on Microsoft
RE: Disabling sharing and group policies Sep 19 2003 05:35AM
Robert Blackwell (robert snrdesigns com)
here is the link
http://www.microsoft.com/windows2000/docs/rbppaper.doc

and here is the summary...end of story.

Overview of Registry-Based Policy
Registry-based policy is the simplest and most common type of policy
setting. This type of policy is implemented using:
- The Administrative Templates extension snap-in in the Group Policy snap-in
  to configure which policies are applied from the server side.
- A built in registry client side extension on every Windows 2000 or higher
  client to process the data and create the client registry keys.
Registry-based policy settings are stored in any of the four Group Policy
keys listed below. These are considered the approved registry locations for
policy settings.
For computer policy settings:
- HKLM\Software\Policies (The preferred location)
- HKLM\Software\Microsoft\Windows\CurrentVersion\Policies
For user policy settings:
- HKCU\Software\Policies (The preferred location)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies
These locations have security permissions so that a standard user cannot
change these keys to disable or change the behavior of applied policies. The
keys are created when the GPO is applied. If the GPO that applied the keys
is ever removed, the registry keys associated with it will also be removed
at that time.
Note: A local administrator can overwrite these registry keys and thus
change or disable the behavior of the policy. (Refer to the Windows 2000
Group Policy white paper

-----Original Message-----
From: Dana Smith [mailto:dana_smith (at) comcast (dot) net]
Sent: Thursday, September 18, 2003 2:17 PM
To: larobins (at) bellatlantic (dot) net; 'Sergey V. Gordeychik';
robert (at) snrdesigns (dot) com; 'Focus-Ms'
Subject: RE: Disabling sharing and group policies

I think it's time we saw some official M$ documentation on this issue. Does
anybody have a link on the topic?

Dana Smith

-----Original Message-----
From: Laura A. Robinson [mailto:larobins (at) bellatlantic (dot) net]
Sent: Thursday, September 18, 2003 12:38 PM
To: 'Sergey V. Gordeychik'; robert (at) snrdesigns (dot) com; 'Focus-Ms'
Subject: RE: Disabling sharing and group policies

Again, this is not the case. A user with local Administrator rights to
his/her machine *can* exempt his/her machine from group policy
application. No ifs, ands or buts.

Laura

> -----Original Message-----
> From: Sergey V. Gordeychik [mailto:gordey (at) infosec (dot) ru]
> Sent: Thursday, September 18, 2003 1:59 AM
> To: larobins (at) bellatlantic (dot) net; robert (at) snrdesigns (dot) com; Focus-Ms
> Subject: RE: Disabling sharing and group policies
>
>
> If you disable Group Policy loopback mode in a domain-level
> GPO, a local administrator will be unable to change group policy
> on the computer. Yes, an administrator can modify some settings, but
> these settings will be replaced when the GPO is applied again.
>
> The simplest way to disable sharing for any user with
> administrative rights is to filter CIFS/SMB/NetBIOS server
> (TCP/UDP 445, 139) packets with IPSec packet filter policies (SPD).
> Even if a user shares something on the computer, the filters will drop
> connection packets and prevent network sharing.
> In the policy you can also allow CIFS/NetBIOS connections from
> management stations for log collection, etc.
> You can find information about IPSec filtering, for example,
> in the Windows Server 2003 Security Guide:
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/Windows/Win2003/W2003HG/SGCH04.asp
>
> Regards,
> Sergey V. Gordeychik.

-----Original Message-----
From: Laura A. Robinson [mailto:larobins (at) bellatlantic (dot) net]
Sent: Tuesday, September 16, 2003 6:47 PM
To: robert (at) snrdesigns (dot) com; 'Focus-Ms'
Subject: RE: Disabling sharing and group policies

Actually, as I said, anybody with administrative rights on his/her machine
can exempt his/her machine from group policy application - *regardless* of
whether or not that machine is a domain member. The local admin does *not*
have to leave the domain to accomplish this.

Laura
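
An added example, not from the thread or from the Microsoft paper: a read-only PowerShell audit of the four policy keys listed in the quoted summary, reporting every principal whose Allow entry grants write-type access. The list of expected writers (SYSTEM, Administrators, CREATOR OWNER) is an assumption about a default installation; any other identity is flagged for review.

```powershell
# Added example: read-only audit of who can modify the four policy keys.
$policyKeys = @(
    'HKLM:\Software\Policies',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies',
    'HKCU:\Software\Policies',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
)

# Rights that allow changing or removing policy values, plus the raw
# GENERIC_WRITE / GENERIC_ALL bits that can appear on inherit-only ACEs.
$writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$writeMask   = [int]$writeRights -bor 0x40000000 -bor 0x10000000

# Assumption: principals expected to hold write access on a default install.
$expectedSids = @{
    'S-1-5-18'     = 'SYSTEM'
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-3-0'      = 'CREATOR OWNER'
}

$findings = foreach ($key in $policyKeys) {
    # A key may be absent if no policy has been applied under it yet.
    if (-not (Test-Path -Path $key)) { continue }

    foreach ($ace in (Get-Acl -Path $key).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.RegistryRights -band $writeMask) -eq 0) { continue }

        # Compare by SID so the check does not depend on localized names.
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }

        [pscustomobject]@{
            Key       = $key
            Identity  = $ace.IdentityReference.Value
            Sid       = $sid
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
            Review    = -not $expectedSids.ContainsKey($sid)
        }
    }
}

$findings | Sort-Object Key, Identity | Format-Table -AutoSize -Wrap
```

Rows with `Review` set to `True` are write-capable principals outside the assumed default set. The Administrators row corresponds to the note in the quoted paper that a local administrator can overwrite these keys.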
