Security Basics mailing list archives

RE: Locking down a stand-alone 2000 Server with Group Policy


From: "Dale Smith" <d.l.smith () cqu edu au>
Date: Tue, 30 Sep 2003 17:12:25 +1000

I've been doing the same, but not using mandatory profiles (although I
may end up using them due to the fiddly nature of MS's implementation of
local GPOs).  It's true that Local GPOs apply to all users and that
there's no immediate way to deny the policy being applied to select
users/groups - but you can use NTFS permissions to simulate something
similar to domain policies (although it's still not as functional).

In a nutshell, you can deny the administrator a/c access to the
%systemroot%\System32\GroupPolicy\gpt.ini file and this will prevent the
policy from applying to them. You should also be aware that should you
deny access, you won't be able to change the permissions - so make sure
you set the Take Ownership and Read/Write Permissions special rights.
Doing so will enable you to give yourself access again should you need to
alter the GPO.

A handy thing to keep around, I've found, is a folder on the admin's
desktop which has a shortcut to gpedit.msc and a shortcut to
%systemroot%\System32\GroupPolicy\ - that way, if you're using a policy
that includes denying access to the security tab, C drive or context
menus - you can leave the folder open and also leave the security tab
open whilst editing (as the policy will apply around you if you're not
quick enough while editing and you could be locked out of changing the
permissions back again).

The above isn't really necessary - just a handy thing to keep.  The main
thing is to ensure that you have the Ownership and change permissions
rights assigned when you go to deny access to the file for admin again.
I've also created a backup admin account that still gets the policy
applied to them, but has a shortcut to cmd in their start menu (I made
sure I changed permissions on cmd.exe to only allow admins to run it)
and I can change the permissions back using xcacls.exe.

Hope that made sense - let me know if you want more info (I've got some
doco here that I've written about it and also a few other paper
references).

Dale
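The file-permission trick Dale describes, written out as an added example that is not part of the original thread: it uses PowerShell's Get-Acl/Set-Acl instead of the xcacls.exe he mentions, and assumes a placeholder local account named LabAdmin as the account to exempt. The script adds an explicit Allow for Change Permissions, Take Ownership and Read Permissions first, then an explicit Deny on read data only, so the exempted account can no longer read gpt.ini (and the local policy therefore does not apply to it) but can still put the permissions back. Run it from an elevated session as an account that can modify the file's ACL.

```powershell
# Added example, not code from the thread.
# Assumption: a local account named 'LabAdmin' (placeholder) is the one to exempt
# from the Local Group Policy on this stand-alone machine.
$Account = "$env:COMPUTERNAME\LabAdmin"
$GptIni  = Join-Path $env:SystemRoot 'System32\GroupPolicy\gpt.ini'

function Set-LocalGpoExemption {
    param([string]$Path, [string]$Identity)

    $acl = Get-Acl -Path $Path

    # Keep the escape hatch Dale warns about: without these rights the account
    # could not undo the deny later. Explicit Allow entries are added first.
    $keepRights = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership, ReadPermissions'
    $allow = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $keepRights, 'Allow')
    $acl.AddAccessRule($allow)

    # Deny only ReadData: the user-side policy engine running as this account can no
    # longer read gpt.ini, so the local GPO is skipped for it. Deny entries win over
    # Allow entries, including ones inherited through group membership.
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::ReadData,
        'Deny')
    $acl.AddAccessRule($deny)

    Set-Acl -Path $Path -AclObject $acl
}

function Remove-LocalGpoExemption {
    param([string]$Path, [string]$Identity)

    # Reverse the change: drop every explicit entry for the account and let the
    # normal permissions on the GroupPolicy folder apply again.
    $acl = Get-Acl -Path $Path
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity -and -not $_.IsInherited } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    Set-Acl -Path $Path -AclObject $acl
}

function Show-GptIniAccess {
    param([string]$Path, [string]$Identity)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize
}

# Apply, then check that both the Allow (escape hatch) and the Deny (ReadData) are present.
Set-LocalGpoExemption -Path $GptIni -Identity $Account
Show-GptIniAccess -Path $GptIni -Identity $Account

# To put things back: Remove-LocalGpoExemption -Path $GptIni -Identity $Account
```

Two points a practitioner should check after running this: log on as the exempted account and confirm gpedit.msc restrictions no longer bite, and verify that the locked-down training account still cannot read or change permissions on the GroupPolicy folder itself. Note that this approach is specific to the single Local GPO of Windows 2000/XP; from Windows Vista onward, Multiple Local Group Policy Objects let you target administrators, non-administrators or individual users directly without touching NTFS permissions.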

-----Original Message-----
From: Donald Voss [mailto:voss () albany edu] 
Sent: Tuesday, September 30, 2003 3:01 AM
To: Al Cook; security-basics () securityfocus com
Subject: RE: Locking down a stand-alone 2000 Server with Group Policy


Do some reading on mandatory profiles [google is your friend]

Ignore the use of a network share to store the profile; store it locally in a
read-only area.

/don


"When you get too old to set bad examples, you start giving good
advice."

-----Original Message-----
From: Al Cook [mailto:cookas () msn com]
Sent: Monday, September 29, 2003 10:59 AM
To: security-basics () securityfocus com
Subject: Locking down a stand-alone 2000 Server with Group Policy


Apologies if this is slightly off topic, but I have a stand-alone laptop
running Windows 2000 and it will be used for training external
customers. I've set up a user account which they will use to log in to
the machine and run our company application. I need to ensure that this
user account can't do anything on the laptop other than run the
application. Things like the run command, task manager, explorer,
control panel etc. all must be disabled.

I was wondering what would be the best way to achieve this without
purchasing external software. I've played around with the group policy
editor snap-in, but all the settings then apply to the administrator
account also.  Has anyone got any suggestions? I found Windows help
pretty confusing and geared towards group policy for domains rather than
stand-alone machines.

Many thanks, Al
