Re: Security

From: Andrew Mitchell (amitchell_at_removecasey.vic.gov.au)
Date: 02/05/05


Date: Fri, 04 Feb 2005 21:38:28 -0800


"George Hester" <hesterloli@hotmail.com> said

> I don't know if I can provide any more information than that which I have
> provided. The user did have admin rights that was signed on at the
> time. That's true and was a mistake. That won't happen again. But the
> GPO was still violated and it was not changed.

The GPO was not 'violated'. The GPO is intended to prevent users using the
IE GUI (Tools/Options etc....) to change the homepage. From what you have
stated, the user in question downloaded a program or script which changed
the Homepage. They did not use the IE GUI to achieve this. The GPO worked
as designed.

> In other words the GPO
> was still active.
>
> I cannot suggest all the excuses of why the GPO may have been violated.
> I just know it was set and was violated. I also know that it was not
> possible for anyone to reset the homepage from Windows GUI for that
> purpose. Admin or no admin. The Internet nasty used IE vulnerabilities
> to reset the homepage in the registry. Where? Obviously:
>
> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
>
> or
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
>
> not sure which I had to go into to fix the issue.
>
> But in any case if we set GPO so that policies are obtained is it too
> much to ask that they do hold?

George,
The GPO only locks down the client application; in this case, IE.
If the user downloads another program to bypass IE or uses another method
to directly access the registry, your GPO will not help. This is not a flaw.
The only way to achieve what you appear to want is by setting appropriate
permissions on the relevant registry key.

> How am I going to set a GPO for the
> client when the user signed in has Admin rights?

Use ACLs on the registry key. Prevent the user from changing it.

> Would their not being
> Domain admin or Enterprise Admin rights be sufficient to stop these IE
> vulnerabilities from changing this GPO?

Generally speaking, users should never be members of the local
administrators group.

> If so I'll take them out of it.
> The trouble is I don't want to run into Installation issues.

If you use msi packages for your software installation you can use GPOs to
deploy the apps. This will allow for non-admin users to install the
applications you allow.

-- 
Andy.
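The registry-key permission approach Andy describes, as an added example that is not part of the thread: it places a Deny ACE on the IE "Main" key for a chosen group, confirms the ACE is present, and reads back the current home page. The group name CONTOSO\StdUsers is a placeholder, the key path defaults to the HKLM key George quoted (pass the HKCU path to protect a user hive), and the script assumes an elevated PowerShell session.

```powershell
# Added example (not from the thread): deny write access on the IE "Main" key
# so a process running as the restricted group cannot rewrite "Start Page",
# then verify the ACE landed and read back the current home page.
# Assumptions (placeholders): group CONTOSO\StdUsers, elevated session.
param(
    [string]$Principal = 'CONTOSO\StdUsers',
    [string]$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main'
)

function Protect-RegistryKey {
    param([string]$Path, [string]$Identity)
    # Rights that let a caller change the key's values, subkeys, or its ACL.
    $writeRights = [System.Security.AccessControl.RegistryRights] `
        'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    $inherit   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $deny      = [System.Security.AccessControl.AccessControlType]::Deny
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
        -ArgumentList $Identity, $writeRights, $inherit, $propagate, $deny
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)      # Deny ACEs are evaluated before Allow ACEs
    Set-Acl -Path $Path -AclObject $acl
}

function Test-RegistryKeyProtected {
    param([string]$Path, [string]$Identity)
    # True when a Deny ACE for the identity covering SetValue is present.
    $setValue = [System.Security.AccessControl.RegistryRights]::SetValue
    $acl = Get-Acl -Path $Path
    [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq $Identity -and
        ($_.RegistryRights -band $setValue)
    })
}

function Get-IEStartPage {
    param([string]$Path)
    # "Start Page" may be absent under HKLM; return $null rather than erroring.
    (Get-ItemProperty -Path $Path -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
}

Protect-RegistryKey -Path $KeyPath -Identity $Principal
if (-not (Test-RegistryKeyProtected -Path $KeyPath -Identity $Principal)) {
    throw "Deny ACE for $Principal was not applied to $KeyPath"
}
"Start Page on $KeyPath is now: $(Get-IEStartPage -Path $KeyPath)"
```

A Deny ACE only binds accounts that cannot rewrite the ACL; a member of the local Administrators group can take ownership regardless, so this complements removing users from that group rather than replacing it.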

