But they can't stop a HIPS :-) Control the Execution...


Z


Edward Ziots

Network Engineer

Lifespan Organization

MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +

ezi...@lifespan.org

Phone:401-639-3505

________________________________

From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Friday, April 24, 2009 4:43 AM
To: NT System Admin Issues
Subject: RE: Restricted groups, where have you been....


Yes, it will go on and on :-) That's the point - you can't really stop
administrators from doing whatever they want on their own machines. You
need something that's not under their control to do anything that can't
be subverted.


As Bob Fronk alluded to earlier, Mark Russinovich did a blog post on how
admins can stop GPOs applying to their machines.


Cheers

Ken


From: James Rankin [mailto:kz2...@googlemail.com] 
Sent: Friday, 24 April 2009 6:41 PM
To: NT System Admin Issues
Subject: Re: Restricted groups, where have you been....


I suppose this could go on and on :-)

The fact, which we all already know, is that admins can generally get
around most restrictions at this level, given enough time and guile. The
question which I am asking, when I get a spare minute, is why the
scanning software in use needs admin privs anyway. A bit of Process
Monitor should hopefully provide the answer; however, as I have a host of
annoying users and senior management to keep happy, finding the time to
do it is the key. The GPO only exists to put them off in the
meantime...I am relying on the technical ignorance of my users to ensure
it works. I have managed to get rid of all but two of the applications
in my environment that require admin privs to run, so I think I am
getting somewhere.

Cheers for the input though...it helps to be reminded of how many bases
I have to cover in these situations.

2009/4/24 Ken Schaefer <k...@adopenstatic.com>

What about SeBackupPrivilege (because that ignores File ACLs - I can
just use NTBackup to make a backup of cacls.exe and restore it
somewhere)?


Cheers

Ken


From: James Rankin [mailto:kz2...@googlemail.com] 
Sent: Friday, 24 April 2009 5:22 PM


To: NT System Admin Issues
Subject: Re: Restricted groups, where have you been....


Good point. SeTakeOwnershipPrivilege is now about to be removed.

You probably are right, it would have been easier to configure at the
perimeter...but that is managed by my boss and I don't trust him to do
it properly and/or not reverse it accidentally or deliberately.

2009/4/24 Ken Schaefer <k...@adopenstatic.com>

Now that it is out there, then it's relatively easy to look them up.


But in James' case, I can just bring my own copy of cacls.exe (or have a
scheduled job to make a copy of the existing one) and unless
SeTakeOwnershipPrivilege is removed from the Administrators group I can
then get permissions back to everything that he's just removed.


If the purpose was to block internet access, then I think it would have
been easier to just configure this on the outbound proxy or router or
firewall or whatever device is in place there.


Cheers

Ken
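
The two rights Ken keeps coming back to (SeTakeOwnershipPrivilege and SeBackupPrivilege, which let an admin walk around file ACLs) and the group-membership drift James used to chase with batch scripts can both be audited from the endpoint. The PowerShell below is an added illustration, not code from anyone in this thread; it exports the local security policy with secedit, reports which accounts hold the ACL-bypassing rights, and compares local Administrators membership against a baseline list that is an assumption you would replace with your own.

```powershell
# Added example: audit who holds ACL-bypassing user rights and whether the
# local Administrators group has drifted from a baseline. Run elevated.
$rightsOfInterest = 'SeTakeOwnershipPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege'
# Assumed baseline; adjust to your environment
$expectedAdmins   = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Domain Admins')

# secedit writes an INF-style file whose [Privilege Rights] section lists
# each right as "SeXxxPrivilege = *S-1-5-32-544,*S-1-5-32-551" (SIDs with '*')
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rightLines = Get-Content $cfg | Where-Object { $_ -match '^Se\w+Privilege\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue

foreach ($line in $rightLines) {
    $name, $value = $line -split '\s*=\s*', 2
    if ($rightsOfInterest -notcontains $name) { continue }
    $holders = $value -split ',' | ForEach-Object {
        $id = $_.Trim().TrimStart('*')
        try {
            # Translate a SID to an account name; keep the raw value if that fails
            $sid = New-Object System.Security.Principal.SecurityIdentifier($id)
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $id }
    }
    '{0}: {1}' -f $name, ($holders -join ', ')
}

# Compare the current local Administrators membership with the baseline
$current = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$extra   = @($current        | Where-Object { $expectedAdmins -notcontains $_ })
$missing = @($expectedAdmins | Where-Object { $current        -notcontains $_ })
if ($extra)   { "Unexpected Administrators members: $($extra -join ', ')" }
if ($missing) { "Baseline members missing: $($missing -join ', ')" }
if (-not $extra -and -not $missing) { 'Administrators membership matches baseline.' }
```

Because the export reflects the policy already applied on the machine, running this on a schedule from an account the local admins do not control is what turns it into the check Ken is asking for.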


________________________________

From: Free, Bob [r...@pge.com]
Sent: Friday, 24 April 2009 2:18 AM


To: NT System Admin Issues

Subject: RE: Restricted groups, where have you been....

Before Russinovich blogged it you at least had to have a bit of a clue
about GPOs to defeat them; now it is trivial...relatively.


From: Ken Schaefer [mailto:k...@adopenstatic.com] 

Sent: Thursday, April 23, 2009 12:26 AM

To: NT System Admin Issues

Subject: RE: Restricted groups, where have you been....


If they are administrators, they can defeat GPOs given sufficient
knowledge...


Cheers

Ken


________________________________

From: James Rankin [kz2...@googlemail.com]
Sent: Thursday, 23 April 2009 5:12 PM
To: NT System Admin Issues
Subject: Re: Restricted groups, where have you been....

For those who can remember the NT4 days, GPOs as a whole are an awesome
admin tool. When I managed an NT4 network with 10,000 users I actually
had batch scripts running overnight that reset the user rights on all
DCs and member servers, checked the local group memberships and altered
them back to a default if they'd changed. Group Policy finally made my
life easy.

I just recently implemented a group policy that blocks internet access
on our few scanning workstations even though the users are admins...a
combination of a false proxy and restrictive file permissions on
inetcpl.cpl, regedit, reg.exe, rshx32.dll and cacls.exe has done the
trick. Power is great!!!!

2009/4/22 David Lum <david....@nwea.org>

...all my life! We are just getting to use this feature and it's DA
BOMB! Being able to add users to local groups w/out affecting the
existing memberships is awesome!


We are narrowing down how many Domain Admins we have and this feature is
*hugely* helpful in delegating to non domain admins.

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764
