Re: Blocking group policy extensions pocessing

Hi,

M. Eteum schrieb:
> No offense, but how do we prevent such action by users such as this
> original poster? I'm sure that he has his reasons to do it, but imagine
> if all the user has that capability to do as such?

There is no ... If I have physical access to the system, it´s mine.

If he doesn´t has local admin rights or the possibility to get
admin rights, because he knows the password, it is a lot harder,
to do such task during his usual work. He can´t delete files, or
unregsiter DLLs, he can´t delete registry settings or change
things like the computer membership etc.

But if he can access the system via a different boot medium (WinPE, Knoppix
whatever) he can manipulate the system offline.

You have to find a way where restriction can let him work properly and
not causing in a very lot of money you have to spend. In most cases a
regulation in his employment contract can create a psycholocical barriere.

If you can give the users a sense of why they are working in a restricted
environment and don´t only publish high restricted GPOs to them, without
any help or guess of "why", the user will always try to fend it.
So User training is another part of making it more secure.

If all this doesn´t help, lock down the system with 3rd Party like
SecureWave Device Control, restrict physical access to the system.
Lock down computer case, remove CD, Floppy, USB ... it´s endless :-(

At the end, to feel really secure, you are back at paper, pencel and
a abacus :-)

Mark
--
Mark Heitbrink - MVP Windows Server
Homepage: www.gruppenrichtlinien.de
W2K FAQ : http://w2k-faq.ebend.de
PM: Vorname@Homepage, Versende-Adresse wird nicht abgerufen.
.

Relevant Pages

  • Re: Secure local data
    ... To secure a system, you must lock it in a physical room and restrict ... power-cycling the machine at that time; indeed, ... True security can only be achieved by restricting physical access to any ...
    (linux.redhat)
  • Re: [OT]? Recovering a password from a client application
    ... Administrator and physical access to a machine, ... A secure system would require the user to enter their password each ... as emails, passwords to other services etc. Modern ciphers such as ... with all your sensitive data and passwords in plain sight. ...
    (comp.mail.misc)
  • Re: How do I protect folders from teenage eyes?
    ... Is there a way that I can secure folders so that the contents, ... ZIP file encryption is actually fairly strong as encryption schemes go, ... Of course, once you get to stage 5, physical access to the machine is now ... hard drives or USB flash discs are, well, easily removable. ...
    (microsoft.public.win2000.general)
  • Re: 4 wire telco vs CAT5
    ... Of course with ethernet you need physical access. ... Ethernet was not designed to be secure. ... With a wired connection I'm not broadcasting my traffic to everyone ...
    (alt.home.repair)
Loading