lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
From: yossarian at planet.nl (yossarian) Subject: W2k users, local admin rights and GPOs It makes me wonder, what legacy software needs local admin to function. In my experience it is more common that the admins don't know or don't care how to make ' strange ' software work under W2k, and generally it is software considered not-supported and non-standardized. The last part usually gives a useful vector to get rid of these security liabilities. ----- Original Message ----- From: "Exibar" <exibar@...lair.com> To: "James Exim" <security@...m.dyndns.org>; <full-disclosure@...ts.netsys.com> Sent: Wednesday, October 29, 2003 4:54 PM Subject: Re: [Full-Disclosure] W2k users, local admin rights and GPOs > It's actually very easy to prevent any policies from coming down to your > system if you have local admin rights. What you do is first, delete the > policies from the registry, then deny everyone (except for a locally created > user) access to the policy key. You'll see the failures in the event log > when a new policy attempts to get written. Viola! no more policies.... > > Easy as pie.... > > Exibar > > > ----- Original Message ----- > From: "James Exim" <security@...m.dyndns.org> > To: <full-disclosure@...ts.netsys.com> > Sent: Wednesday, October 29, 2003 3:50 AM > Subject: [Full-Disclosure] W2k users, local admin rights and GPOs > > > > It has been pointed out several times recently on the SF mailing lists > that > > a W2k user with local administrator rights can prevent group policy > > application on his/her machine and there is apparently nothing the domain > > administrator(s) can do about it (see > > > http://www.derkeiler.com/Mailing-Lists/securityfocus/focus-ms/2003-09/0106.h tml > > for an example) > > > > Does anyone know exactly (a) how, and (b) why this is possible? Is there > > really no workaround other than removing the users from the local > > Administrators group? I keep discovering W2k machines where end users > have > > been granted local admin rights (yuk!) and I'm trying to convince the > > relevant domain admins that, while this is an easy way to make legacy > > software work, it isn't such a great idea from a security point of view... > > > > Thanks, > > > > James > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: http://lists.netsys.com/full-disclosure-charter.html > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists