Security Basics mailing list archives
RE: Locking down a stand-alone 2000 Server with Group Policy
From: "Dale Smith" <d.l.smith () cqu edu au>
Date: Tue, 30 Sep 2003 17:12:25 +1000
I've been doing the same, but not using mandatory profiles (although I may end up using them due to the fiddly nature of MS's implementation of local GPOs). It's true that Local GPOs apply to all users and that there's no immediate way to deny the policy being applied to select users/groups - but you can use NTFS permissions to simulate something similar to domain policies (although it's still not as functional).

In a nutshell, you can deny the administrator a/c access to the %systemroot%\System32\GroupPolicy\gpt.ini file and this will prevent the policy from applying to them. You should also be aware that should you deny access, you won't be able to change the permissions - so make sure you set the Take Ownership and Read/Write Permissions special rights. Doing so will enable you to give yourself access again should you need to alter the GPO.

A handy thing to keep around, I've found, is a folder on the admin's desktop which has a shortcut to gpedit.msc and a shortcut to %systemroot%\System32\GroupPolicy\ - that way, if you're using a policy that includes denying access to the security tab, C drive or context menus, you can leave the folder open and also leave the security tab open whilst editing (as the policy will apply around you if you're not quick enough while editing and you could be locked out of changing the permissions back again). The above isn't really necessary - just a handy thing to keep. The main thing is to ensure that you have the Ownership and Change Permissions rights assigned when you go to deny access to the file for admin again.

I've also created a backup admin account that still gets the policy applied to them, but has a shortcut to cmd in their start menu (I made sure I changed permissions on cmd.exe to only allow admins to run it) and I can change the permissions back using xcacls.exe.

Hope that made sense - let me know if you want more info (I've got some doco here that I've written about it and also a few other paper references).
Dale

-----Original Message-----
From: Donald Voss [mailto:voss () albany edu]
Sent: Tuesday, September 30, 2003 3:01 AM
To: Al Cook; security-basics () securityfocus com
Subject: RE: Locking down a stand-alone 2000 Server with Group Policy

Do some reading on mandatory profiles [google is your friend]. Ignore the use of a network share to store profiles .. store locally in a read-only area.

/don

"When you get too old to set bad examples, you start giving good advice."

-----Original Message-----
From: Al Cook [mailto:cookas () msn com]
Sent: Monday, September 29, 2003 10:59 AM
To: security-basics () securityfocus com
Subject: Locking down a stand-alone 2000 Server with Group Policy

Apologies if this is slightly off topic, but I have a stand-alone laptop running Windows 2000 and it will be used for training external customers. I've set up a user account which they will use to log in to the machine and run our company application. I need to ensure that this user account can't do anything on the laptop other than run the application. Things like the run command, task manager, explorer, control panel etc. all must be disabled. I was wondering what would be the best way to achieve this without purchasing external software. I've played around with the group policy editor snap-in, but all the settings then apply to the administrator account also. Has anyone got any suggestions? I found Windows help pretty confusing and geared towards group policy for domains rather than stand-alone machines.
Many thanks,
Al
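A worked version of the NTFS trick Dale describes above (deny the admin account's read on gpt.ini while keeping the rights needed to undo it). This is an added example, not code from anyone in the thread, and it uses PowerShell and the .NET ACL classes rather than the xcacls.exe Dale mentions; the account name LocalAdmin and the elevated session are assumptions.

```powershell
# Added example: stop the local GPO's user settings applying to one admin
# account by denying that account ReadData on gpt.ini, while explicitly
# allowing ReadPermissions, ChangePermissions and TakeOwnership so the ACL
# can always be edited back. Assumes an elevated session and a local
# account named LocalAdmin (placeholder name).
param(
    [string]$Account = "$env:COMPUTERNAME\LocalAdmin",
    [string]$GptIni  = "$env:SystemRoot\System32\GroupPolicy\gpt.ini"
)

$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$Deny  = [System.Security.AccessControl.AccessControlType]::Deny

# Escape hatch first: these three rights are what let the account rewrite
# the ACL or take the file back, which is the trap the thread warns about
# when access is denied outright.
$keep = [System.Security.AccessControl.FileSystemRights]"ReadPermissions, ChangePermissions, TakeOwnership"
$allowRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, $keep, $Allow)

# Deny only ReadData: Group Policy needs to read gpt.ini to apply the policy.
# Denying the composite "Read" right would also deny ReadPermissions and lock
# the account out of viewing or editing the ACL.
$readData = [System.Security.AccessControl.FileSystemRights]::ReadData
$denyRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, $readData, $Deny)

$acl = Get-Acl -Path $GptIni
$acl.AddAccessRule($allowRule)
$acl.AddAccessRule($denyRule)   # the ACL object keeps Deny ACEs in canonical order
Set-Acl -Path $GptIni -AclObject $acl

# Verify the two explicit ACEs for the account are present.
(Get-Acl -Path $GptIni).Access |
    Where-Object { $_.IdentityReference -eq $Account } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize

# Roll back later (works from this account because ChangePermissions stays allowed):
# $acl = Get-Acl $GptIni; [void]$acl.RemoveAccessRule($denyRule); Set-Acl $GptIni $acl
```

Only the named account is touched; SYSTEM and other users keep their existing access, so machine-side policy and the locked-down training account still get the GPO.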