It makes me wonder, what legacy software needs local admin to function. In
my experience it is more common that the admins don't know or don't care how
to make 'strange' software work under W2k, and generally it is software
considered not-supported and non-standardized. The last part usually gives a
useful vector to get rid of these security liabilities.
----- Original Message -----
From: "Exibar" <[EMAIL PROTECTED]>
To: "James Exim" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Wednesday, October 29, 2003 4:54 PM
Subject: Re: [Full-Disclosure] W2k users, local admin rights and GPOs


> It's actually very easy to prevent any policies from coming down to your
> system if you have local admin rights.  What you do is first, delete the
> policies from the registry, then deny everyone (except for a locally created
> user) access to the policy key.  You'll see the failures in the event log
> when a new policy attempts to get written.  Voilà!  No more policies....
>
>   Easy as pie....
>
>   Exibar
>
>
> ----- Original Message -----
> From: "James Exim" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, October 29, 2003 3:50 AM
> Subject: [Full-Disclosure] W2k users, local admin rights and GPOs
>
>
> > It has been pointed out several times recently on the SF mailing lists that
> > a W2k user with local administrator rights can prevent group policy
> > application on his/her machine and there is apparently nothing the domain
> > administrator(s) can do about it (see
> > http://www.derkeiler.com/Mailing-Lists/securityfocus/focus-ms/2003-09/0106.html
> > for an example)
> >
> > Does anyone know exactly (a) how, and (b) why this is possible?  Is there
> > really no workaround other than removing the users from the local
> > Administrators group?  I keep discovering W2k machines where end users have
> > been granted local admin rights (yuk!) and I'm trying to convince the
> > relevant domain admins that, while this is an easy way to make legacy
> > software work, it isn't such a great idea from a security point of view...
> >
> > Thanks,
> >
> > James
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html

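The technique Exibar describes in the quoted reply leaves a trace a domain admin can audit for: Deny ACEs on the policy registry keys, or a DACL under which SYSTEM can no longer write. The PowerShell below is an added example, not part of the original thread; the two key paths are the standard Windows policy locations and are an assumption, since the thread does not name the key.

```powershell
# Added example, not from the thread. Assumption: the "policy key" is one of the
# standard Windows policy registry locations listed here.
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Policies',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
)
$SystemSid = 'S-1-5-18'   # LocalSystem, the account that writes machine policy
$WriteBits = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey'

function Test-PolicyKeyAcl {
    param([Parameter(Mandatory)][string]$Path)

    $findings = @()
    if (-not (Test-Path -LiteralPath $Path)) {
        return "$Path : key is missing"
    }
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        return "$Path : DACL unreadable ($($_.Exception.Message))"
    }
    # Resolve every ACE to a SID so the check does not depend on localized names.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])

    # 1. A Deny ACE on a policy key is unexpected and worth investigating.
    foreach ($r in $rules | Where-Object AccessControlType -eq 'Deny') {
        $findings += "$Path : Deny ACE for $($r.IdentityReference) ($($r.RegistryRights))"
    }
    # 2. SYSTEM must keep write access or new policy cannot be written.
    $systemCanWrite = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $SystemSid -and
        ($_.RegistryRights -band $WriteBits) -eq $WriteBits
    }
    if (-not $systemCanWrite) {
        $findings += "$Path : SYSTEM has no Allow ACE granting write access"
    }
    return $findings
}

$report = $PolicyKeys | ForEach-Object { Test-PolicyKeyAcl -Path $_ }
if ($report) { $report } else { 'Policy key DACLs look intact.' }
```

A local administrator can restore the DACL before an audit runs, so pair this with the event-log failures mentioned in the quoted reply rather than relying on it alone.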