Yes, but if they get around the restrictions that I have implemented, then they can have a job :-) They can't change the false proxy because they are locked out of the inetcpl.cpl, the regedit tool and the reg.exe tool via NTFS permissions. And they can't change the NTFS permissions on the files because they are locked out of rshx32.dll and cacls.exe via NTFS permissions. There is probably a way around it, but even if they do get around it, WebSense will alert me straight away to the traffic flowing from these hosts, in which case I can go and offer them a post in first-line support.
2009/4/23 Ken Schaefer <[email protected]> > If they are administrators, they can defeat GPOs given sufficient > knowledge... > > Cheers > Ken > > ------------------------------ > *From:* James Rankin [[email protected]] > *Sent:* Thursday, 23 April 2009 5:12 PM > *To:* NT System Admin Issues > *Subject:* Re: Restricted groups, where have you been.... > > For those who can remember the NT4 days, GPOs as a whole are an awesome > admin tool. When I managed an NT4 network with 10,000 users I actually had > batch scripts running overnight that reset the user rights on all DCs and > members servers, checked the local group memberships and altered them back > to a default if they'd changed. Group Policy finally made my life easy. > > I just recently implemented a group policy that blocks internet access on > our few scanning workstations even though the users are admins...a > combination of a false proxy and restrictive file permissions on > inetcpl.cpl, regedit, reg.exe, rshx32.dll and cacls.exe has done the trick. > Power is great!!!! > > 2009/4/22 David Lum <[email protected]> > >> …all my life! We are just getting to use this feature and it’s DA BOMB! >> Being able to add users to local groups w/out affecting the existing >> memberships is awesome! >> >> >> >> We are narrowing down how many Domain Admins we have and this feature is * >> *hugely** helpful in delegating to non domain admins. >> >> *David Lum** **// *SYSTEMS ENGINEER >> NORTHWEST EVALUATION ASSOCIATION >> (Desk) 971.222.1025 *// *(Cell) 503.267.9764 >> >> >> >> >> >> >> >> > > > > > > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
