Completely agree with you. I don't think anyone is debating that common
controls, well configured, will corral the majority of users, but it's the
last .1% that require the most work. 

 

I believe the point Ken and I are making is that it is not a panacea and is
easier to bypass than ever before. At least that is the point I am
trying to make. Mark's blog didn't even require admin rights to defeat
GPOs. Other examples of defeating administrative controls abound today.

 

A few years ago it took a fairly knowledgeable person with
administrative rights to circumvent some of these settings we are
discussing, and details were not blogged or posted on dozens of websites.
The bar just keeps getting lower. Any reasonably intelligent person can
perform a simple search of the web that leads to many possible ways
to defeat controls administrators have put in place. I think a lot of
companies would be very well served to have someone go to the lengths
that James already has. The point is (to me) not to get a false sense of
security about what a determined user can do with a minimal amount of
pre-existing knowledge or skill.

 

 

From: David Lum [mailto:[email protected]] 
Sent: Friday, April 24, 2009 7:02 AM
To: NT System Admin Issues
Subject: RE: Restricted groups, where have you been....

 

You guys realize in James' case you STILL need to have a clue what you
need to do. Russinovich is not exactly a household name to non-computer
dorks, and someone would still need some savvy to get past those
settings. I mean really, they could always use a BartPE disk and get
past most anything, right? If they know about BartPE then they almost
certainly have enough ability to (at least figure out how to) bypass
pretty much anything else.

 

My $0.02.

Dave

 

From: Ken Schaefer [mailto:[email protected]] 
Sent: Thursday, April 23, 2009 8:18 PM
To: NT System Admin Issues
Subject: RE: Restricted groups, where have you been....

 

Now that it is out there, then it's relatively easy to look them up.

 

But in James' case, I can just bring my own copy of cacls.exe (or have a
scheduled job to make a copy of the existing one) and unless
SeTakeOwnershipPrivilege is removed from the Administrators group I can
then get permissions back to everything that he's just removed. 

 

If the purpose was to block internet access, then I think it would have
been easier to just configure this on the outbound proxy or router or
firewall or whatever device that's in place there.

 

Cheers

Ken

 

________________________________

From: Free, Bob [[email protected]]
Sent: Friday, 24 April 2009 2:18 AM
To: NT System Admin Issues
Subject: RE: Restricted groups, where have you been....

Before Russinovich blogged it you at least had to have a bit of a clue
about GPO's to defeat them, now it is trivial...relatively

 

From: Ken Schaefer [mailto:[email protected]] 
Sent: Thursday, April 23, 2009 12:26 AM
To: NT System Admin Issues
Subject: RE: Restricted groups, where have you been....

 

If they are administrators, they can defeat GPOs given sufficient
knowledge...

 

Cheers

Ken

 

________________________________

From: James Rankin [[email protected]]
Sent: Thursday, 23 April 2009 5:12 PM
To: NT System Admin Issues
Subject: Re: Restricted groups, where have you been....

For those who can remember the NT4 days, GPOs as a whole are an awesome
admin tool. When I managed an NT4 network with 10,000 users I actually
had batch scripts running overnight that reset the user rights on all
DCs and member servers, checked the local group memberships and altered
them back to a default if they'd changed. Group Policy finally made my
life easy.

I just recently implemented a group policy that blocks internet access
on our few scanning workstations even though the users are admins...a
combination of a false proxy and restrictive file permissions on
inetcpl.cpl, regedit, reg.exe, rshx32.dll and cacls.exe has done the
trick. Power is great!!!!

2009/4/22 David Lum <[email protected]>

...all my life! We are just getting to use this feature and it's DA
BOMB! Being able to add users to local groups w/out affecting the
existing memberships is awesome!

 

We are narrowing down how many Domain Admins we have and this feature is
*hugely* helpful in delegating to non domain admins.

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764
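An added example, not code posted by anyone in the thread, showing both sides of the James/Ken exchange above on a scratch copy rather than the real System32 binaries: the lockdown James describes (inheritance stripped, explicit Deny for Everyone on the file), the precondition Ken names (the token still holds SeTakeOwnershipPrivilege), and Ken's recovery route (take ownership, then rewrite the DACL with in-box tools; a brought-along cacls.exe would do the same job). It also audits the five files James lists so an admin can see the owner and any Deny entries actually in effect. Run from an elevated PowerShell prompt on a test box; the scratch directory, the file list and the use of takeown.exe/icacls.exe are assumptions of the example. Note the caveat in the comments: the scratch copy is owned by the caller, so takeown is effectively a no-op there, whereas on the real System32 files (owned by TrustedInstaller) it is the step that makes the rest possible.

```powershell
# Added example, not from the thread. Demonstrates on a scratch copy:
#  1. a James-style lockdown of cacls.exe (inheritance off, Deny Everyone),
#  2. the check Ken implies (does this token hold SeTakeOwnershipPrivilege?),
#  3. Ken's recovery (takeown + icacls rewrite the DACL).
# Paths and the file list are assumptions; adjust for your environment.

# The files James said he restricted; used by Get-LockdownState (assumed names).
$Watched = @('inetcpl.cpl', 'regedit.exe', 'reg.exe', 'rshx32.dll', 'cacls.exe')

function Test-TakeOwnershipPrivilege {
    # Ken's precondition. Administrators hold this right unless
    # "Take ownership of files or other objects" (User Rights Assignment)
    # has been taken away from the group by policy.
    $line = whoami /priv | Select-String 'SeTakeOwnershipPrivilege'
    return [bool]$line
}

function Get-LockdownState {
    # Audit the control: owner plus any Deny ACEs on each watched file.
    foreach ($name in $Watched) {
        $path = Join-Path $env:SystemRoot "System32\$name"
        if (-not (Test-Path $path)) { continue }
        $acl = Get-Acl $path
        [pscustomobject]@{
            File   = $name
            Owner  = $acl.Owner
            Denies = ($acl.Access |
                      Where-Object AccessControlType -eq 'Deny' |
                      ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join ';'
        }
    }
}

function New-LockedCopy {
    # Copy cacls.exe to a scratch path and lock it the way James describes:
    # stop inheriting, drop every existing ACE, add Deny FullControl for Everyone.
    param([string]$Path)
    Copy-Item "$env:SystemRoot\System32\cacls.exe" $Path -Force
    $acl = Get-Acl $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { $null = $acl.RemoveAccessRule($rule) }
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'Everyone', 'FullControl', 'Deny')
    $acl.AddAccessRule($deny)
    Set-Acl -Path $Path -AclObject $acl
}

function Restore-Access {
    # Ken's route: become owner (needs SeTakeOwnershipPrivilege when the
    # current owner is someone else, e.g. TrustedInstaller on real System32
    # files), then as owner rewrite the DACL. Owner always has implicit
    # WRITE_DAC, which is why the Deny ACE cannot stop this step.
    param([string]$Path)
    takeown.exe /F $Path | Out-Null
    icacls.exe $Path /remove:d Everyone /grant 'Administrators:F' | Out-Null
}

# Demo run
$scratch = Join-Path $env:TEMP 'acl-demo'   # assumed scratch location
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
$target = Join-Path $scratch 'cacls-copy.exe'

New-LockedCopy -Path $target
Write-Host "Locked:   $((Get-Acl $target).AccessToString)"

if (Test-TakeOwnershipPrivilege) {
    Restore-Access -Path $target
    Write-Host "Restored: $((Get-Acl $target).AccessToString)"
} else {
    Write-Host "SeTakeOwnershipPrivilege not held; Ken's route is closed on this token."
}

Get-LockdownState | Format-Table -AutoSize
```

If the audit shows the real files still owned by TrustedInstaller and Test-TakeOwnershipPrivilege returns false for the users in question, James' ACL control holds up against the route Ken describes; if either condition fails, the restriction is only as strong as the user's willingness to run two commands, which is the point Ken and the first reply are making.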
