Focus on Microsoft
RE: RESPONSE: Users "bypassing" Group Policy restrictions Jan 29 2005 02:09AM
Miroslaw Slawek Chorazy (mchorazy depaul edu) (1 replies)
Re: RESPONSE: Users "bypassing" Group Policy restrictions Jan 29 2005 10:49PM
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net)
On 2005-01-28 Miroslaw Slawek Chorazy wrote:
>> 'fraid not. Local administrators can take ownership of any file, and
>> any registry key. The owner of a file/reg key can change its
>> permissions. Always. No matter what.
>
> But because the scenario Edward describes is an Active Directory
> Domain then he has additional tools at his disposal...
>
> There exists a policy setting in \Computer Configuration\Windows
> Settings\Security Settings\Local Policies\User Rights Assignment\ This
> security setting determines which users can take ownership of any
> securable object in the system, including Active Directory objects,
> files and folders, printers, registry keys, processes, and threads.
>
> What if he removes local 'Administrators' group from having this right
> and adds 'Domain Administrators' group (of which he is hopefully a
> member) and then if he further applies permissions to the registry key
> which applies to the above policy and removes the local administrator
> and substitutes it for "domain administrators" then in theory it
> should work Ricardo is suggesting?

AFAICS they could easily re-assign the "Take Ownership" privilege to
themselves, so this doesn't look like a solution to me. Plus, the
purpose of local administrators is the administration of the local
machine. That's why they *have* the privilege to take the ownership of
each file/object. Instead of revoking the privilege you should actually
ask yourself whether the members of the local administrators group
really need to be members of that group.

Regards
Ansgar Wiechers
--
"Those who would give up liberty for a little temporary safety
deserve neither liberty nor safety, and will lose both."
--Benjamin Franklin
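
An audit in the spirit of the reply above, as an added example that is not part of the original thread: it lists which accounts hold the "Take ownership" right (SeTakeOwnershipPrivilege) on a machine and who is in the local Administrators group, so that membership can be reviewed. It assumes an elevated prompt, Windows PowerShell 5.1 or later for Get-LocalGroupMember, and the built-in secedit tool; the function names are made up for this example.

```powershell
# Added example, not from the thread. Run elevated on the machine under review.

function Resolve-Sid {
    param([string]$Entry)
    # secedit writes SIDs as "*S-1-5-32-544"; plain account names appear bare.
    $value = $Entry.Trim().TrimStart('*')
    if ($value -notmatch '^S-1-') { return $value }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($value)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $value   # orphaned SID: report it unresolved
    }
}

function Get-TakeOwnershipHolder {
    # Export only the user-rights section of the effective local security policy.
    $cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content $cfg |
            Where-Object { $_ -match '^SeTakeOwnershipPrivilege\s*=' }
        if (-not $line) { return }   # right is assigned to nobody
        ($line -split '=', 2)[1] -split ',' |
            Where-Object { $_.Trim() } |
            ForEach-Object { Resolve-Sid $_ }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

# S-1-5-32-544 is the well-known SID of the local Administrators group;
# using it avoids depending on the localized group name.
$holders = @(Get-TakeOwnershipHolder)
$admins  = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
             Select-Object -ExpandProperty Name)

"Accounts holding SeTakeOwnershipPrivilege:"
$holders | ForEach-Object { "  $_" }

"Members of the local Administrators group:"
$admins | ForEach-Object { "  $_" }
```

The second list is the one to act on: as the reply notes, a local administrator can re-assign the right, so trimming group membership is the durable control.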
