You guys realize in James' case you STILL need to have a clue what you need to do. Russinovich is not exactly a household name to non computer dorks, and someone would still need some savvy to get past those settings. I mean really, they could always use a BartPE disk and get past most anything right? If they know about BartPE then they almost certainly have enough ability to (at least figure out how to) bypass pretty much anything else.
My $0.02. Dave From: Ken Schaefer [mailto:[email protected]] Sent: Thursday, April 23, 2009 8:18 PM To: NT System Admin Issues Subject: RE: Restricted groups, where have you been.... Now that it is out there, then it's relatively easy to look them up. But in James' case, I can just bring my own copy of cacls.exe (or have a scheduled job to make a copy of the existing one) and unless SeTakeOwnership Privilege is removed from the Administrators group I can then get permissions back to everything that he's just removed. If the purpose was to block internet access, then I think it would have been easier to just configure this on the outbound proxy or router or firewall or whatever device that's inplace there. Cheers Ken ________________________________ From: Free, Bob [[email protected]] Sent: Friday, 24 April 2009 2:18 AM To: NT System Admin Issues Subject: RE: Restricted groups, where have you been.... Before Russinovich blogged it you at least had to have a bit of a clue about GPO's to defeat them, now it is trivial...relatively From: Ken Schaefer [mailto:[email protected]] Sent: Thursday, April 23, 2009 12:26 AM To: NT System Admin Issues Subject: RE: Restricted groups, where have you been.... If they are administrators, they can defeat GPOs given sufficient knowledge... Cheers Ken ________________________________ From: James Rankin [[email protected]] Sent: Thursday, 23 April 2009 5:12 PM To: NT System Admin Issues Subject: Re: Restricted groups, where have you been.... For those who can remember the NT4 days, GPOs as a whole are an awesome admin tool. When I managed an NT4 network with 10,000 users I actually had batch scripts running overnight that reset the user rights on all DCs and members servers, checked the local group memberships and altered them back to a default if they'd changed. Group Policy finally made my life easy. I just recently implemented a group policy that blocks internet access on our few scanning workstations even though the users are admins...a combination of a false proxy and restrictive file permissions on inetcpl.cpl, regedit, reg.exe, rshx32.dll and cacls.exe has done the trick. Power is great!!!! 2009/4/22 David Lum <[email protected]<mailto:[email protected]>> ...all my life! We are just getting to use this feature and it's DA BOMB! Being able to add users to local groups w/out affecting the existing memberships is awesome! We are narrowing down how many Domain Admins we have and this feature is *hugely* helpful in delegating to non domain admins. David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
