Security Basics mailing list archives
Re: Spying in a corporate environment
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Thu, 22 Nov 2007 20:54:19 +0100
On 2007-11-22 Mario DeBono wrote:
> On 22 November 2007 16:48 Ansgar -59cobalt- Wiechers wrote:
>> On 2007-11-22 Mario DeBono wrote:
>>> If you have a 2003 domain, enforce group policies and restrict access to certain Windows components. I presume even if a user has admin rights on a PC, he should not be able to overwrite the group policies, if he is not so keen to remove the policies from the PC himself.
>>
>> You're mistaken. A local admin can override policies (at the very least for a short while until they are reapplied), and even if that wasn't possible (s)he can always log on locally, in which case domain policies don't apply at all. The only way to control users with local admin privileges is to revoke their local admin privileges. Everything else is a futile effort.
>
> Yep, could be possible, but if you apply the policies on a PC level, not user level, then that is something different.

No, that doesn't make any difference at all. As long as a local admin is a local admin he can acquire any right/privilege whatsoever on that machine and can thus override any setting that may have been applied through other means. That is what makes a local admin.

> Another way is to apply frequent policy updates depending on the LAN/WAN you administer. This can be done through login as well.

Like I said before: they log into the local machine instead of logging into the domain. Voilà, no domain policies applied.

> Or, but what I highly don't suggest doing, is to amend files at the local security level, removing access for local administrators and granting access only to domain admins, but you have to be sure of what you are doing, or else you might end up making a mess.

That too doesn't make any difference at all. To repeat myself: a local administrator can acquire each and every privilege on the local machine. In your example all he has to do is take ownership and grant himself access permissions. If you revoke that privilege from a local admin, you actually demoted him from being a local admin. Which - like I said before - is the only way to restrict local admins: demote them from being local admins.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq
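
The message above names one effective control: removing users from the local Administrators group. The following PowerShell is an added example, not part of the original post, that audits that group on one machine; the allowlist of RID suffixes and the `-Remove` switch are assumptions for illustration, and it relies on the Microsoft.PowerShell.LocalAccounts cmdlets shipped with Windows PowerShell 5.1.

```powershell
# Added example: audit (and optionally clean up) the local Administrators group.
# The allowlist below is an assumption; adjust it to your environment.
[CmdletBinding(SupportsShouldProcess)]
param(
    # SID suffixes allowed to stay: built-in Administrator (-500), Domain Admins (-512)
    [string[]]$AllowedRidSuffix = @('-500', '-512'),
    # Without -Remove the script only reports
    [switch]$Remove
)

# Well-known SID of BUILTIN\Administrators; avoids depending on the localized group name
$adminGroupSid = 'S-1-5-32-544'

$report = foreach ($m in Get-LocalGroupMember -SID $adminGroupSid) {
    $sid = $m.SID.Value
    $allowed = $false
    foreach ($suffix in $AllowedRidSuffix) {
        # The leading hyphen keeps '-500' from matching a RID such as 1500
        if ($sid.EndsWith($suffix)) { $allowed = $true; break }
    }
    [pscustomobject]@{
        Name            = $m.Name
        SID             = $sid
        ObjectClass     = $m.ObjectClass      # User or Group
        PrincipalSource = $m.PrincipalSource  # Local, ActiveDirectory, ...
        Allowed         = $allowed
    }
}

# Unexpected members sort first
$report | Sort-Object Allowed, Name | Format-Table -AutoSize

if ($Remove) {
    foreach ($entry in $report | Where-Object { -not $_.Allowed }) {
        # Honors -WhatIf and -Confirm, so the change can be previewed first
        if ($PSCmdlet.ShouldProcess($entry.Name, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -SID $adminGroupSid -Member $entry.SID
        }
    }
}
```

Removal requires an elevated session; running with `-Remove -WhatIf` shows which members would be removed without changing the group.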