Full Disclosure mailing list archives

Re: W2k users, local admin rights and GPOs


From: yossarian <yossarian () planet nl>
Date: Wed, 29 Oct 2003 19:21:14 +0100

It makes me wonder, what legacy software needs local admin to function. In
my experience it is more common that the admins don't know or don't care how
to make 'strange' software work under W2k, and generally it is software
considered not-supported and non-standardized. The last part usually gives a
useful vector to get rid of these security liabilities.
----- Original Message -----
From: "Exibar" <exibar () thelair com>
To: "James Exim" <security () exim dyndns org>;
<full-disclosure () lists netsys com>
Sent: Wednesday, October 29, 2003 4:54 PM
Subject: Re: [Full-disclosure] W2k users, local admin rights and GPOs


It's actually very easy to prevent any policies from coming down to your
system if you have local admin rights.  What you do is first, delete the
policies from the registry, then deny everyone (except for a locally created
user) access to the policy key.  You'll see the failures in the event log
when a new policy attempts to get written.  Voilà!  no more policies....

  Easy as pie....

  Exibar


----- Original Message -----
From: "James Exim" <security () exim dyndns org>
To: <full-disclosure () lists netsys com>
Sent: Wednesday, October 29, 2003 3:50 AM
Subject: [Full-disclosure] W2k users, local admin rights and GPOs


It has been pointed out several times recently on the SF mailing lists that
a W2k user with local administrator rights can prevent group policy
application on his/her machine and there is apparently nothing the domain
administrator(s) can do about it (see
http://www.derkeiler.com/Mailing-Lists/securityfocus/focus-ms/2003-09/0106.html
for an example).

Does anyone know exactly (a) how, and (b) why this is possible?  Is there
really no workaround other than removing the users from the local
Administrators group?  I keep discovering W2k machines where end users have
been granted local admin rights (yuk!) and I'm trying to convince the
relevant domain admins that, while this is an easy way to make legacy
software work, it isn't such a great idea from a security point of view...

Thanks,

James
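
The tampering Exibar describes above (deleting the policy keys and putting Deny ACEs on them) leaves a footprint on the machine that a domain admin can audit. The following PowerShell script is an added example, not part of the thread; it assumes the standard Group Policy registry locations named in it and Windows PowerShell running with administrative rights on the machine being checked.

```powershell
# Added example (not from the thread): audit the registry keys that Group
# Policy writes to for the tampering described above: missing keys, Deny
# ACEs, or inheritance switched off. Assumed standard policy locations.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy',
    'HKCU:\SOFTWARE\Policies'
)

function Get-PolicyKeyTamperFinding {
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) {
            # On a domain-joined machine the policy keys normally exist;
            # a missing key matches the "delete the policies" step.
            [pscustomobject]@{ Key = $key; Finding = 'Key missing' }
            continue
        }
        $acl = Get-Acl -Path $key

        # A Deny ACE here blocks the policy engine (running as SYSTEM)
        # from writing new policy, which is exactly the described trick.
        $acl.Access |
            Where-Object { $_.AccessControlType -eq 'Deny' } |
            ForEach-Object {
                [pscustomobject]@{
                    Key     = $key
                    Finding = "Deny ACE for $($_.IdentityReference): $($_.RegistryRights)"
                }
            }

        # Inheritance must be broken to make custom ACEs stick; flag it.
        if ($acl.AreAccessRulesProtected) {
            [pscustomobject]@{ Key = $key; Finding = 'Inheritance disabled' }
        }
    }
}

$findings = @(Get-PolicyKeyTamperFinding -Keys $policyKeys)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    'No missing policy keys, Deny ACEs, or inheritance changes found.'
}
```

Run it through a startup script or remote session from the domain side, since a locally tampered machine will not report the condition on its own.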

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
