Security Basics mailing list archives

RE: Windoze GPO Question


From: "Jason Hurst" <Jason.Hurst () PandaRG com>
Date: Wed, 12 Nov 2008 08:56:25 -0800

Hi Jorge,

The problem with that is that if the DC is not available the users won't be able to log in... and some sort of VPN connection needs to be set up.

Individual computers can be set up to cache domain logins in the event that domain controllers are not available.

This link will take you to Microsoft's baseline security settings for
Windows XP machines:

(For the most part, they match the CIS/SANS checklists)

http://technet.microsoft.com/en-us/library/cc163074.aspx

Another great tool is NIST's checklists, located here:

http://iase.disa.mil/stigs/checklist/index.html

The security setting you would be looking for is this one:

Interactive Logon: Number of previous logons to cache (in case domain controller is not available)
 
Jason Hurst
Network Security Administrator
Panda Restaurant Group
jason.hurst () pandarg com
Work: (626) 799-9898 ext. 8662
Direct: (626) 372-8038
Fax: (626) 372-8397
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Jorge L. Vazquez
Sent: Monday, November 10, 2008 3:30 PM
To: Steve Armstrong
Cc: Jon.Kibler () aset com; security-basics () securityfocus com
Subject: Re: Windoze GPO Question

Steve Armstrong wrote:
GPOs are always applied - otherwise the client could undo security and other features when away from the DC. Remember they are not connected to the domain, but they are still part of it.

Try making an OU for laptop users that has permissions to apply other DHCP settings.

Plus they should not be logging into 'this computer'. It will mess up their settings. If you have remote connectivity you still want users logging into the domain, and this will also allow them to use domain resources remotely without having to sign on again.

Having users operating with local accounts on laptops is bad as these are not subject to domain password policy etc., as this is defined on the local system. This usually means users can have blank passwords or the same ones for years - neither of which are good.

Remember GPOs are for both the machine and the user. Until the machine is removed from the domain, domain GPOs will be applied. This is regardless of the user's status (domain or local).

But that's all Windows (note spelling) domain/Active Directory basics - not really doze!

Steve Armstrong

Technical Security Director
Logically Secure

Tel. 01522 689799
Mob. 07970 929583

(sent from a mobile device, so please excuse any typos)

On 10 Nov 2008, at 21:33, "Jon Kibler" <Jon.Kibler () aset com> wrote:

Hi,

This may be slightly off topic, but I have a question about GPO scope.

I have a client that has a bunch of sales people who have laptops. When they come into their office, they log in to the domain. When they are on the road, they log in to 'this computer.'

The problem that the client is seeing has left me scratching my head about how GP works. What is happening is the client has recently set some new group policies that do things like specify which name servers and other network resources a given OU is to use. Now, when these laptops are taken on the road and the user tries to get Internet access, it fails. Why? Because the GPO settings are overriding the DHCP settings on 'this computer'.

What I don't understand is why DOMAIN OU GPOs are being applied outside the scope of the domain. If you are not logging into the domain, why are the domain GPOs in effect? This doesn't make sense. Has my client somehow misconfigured AD?

THANKS!

Jon Kibler




The problem with that is that if the DC is not available the users won't be able to log in... and some sort of VPN connection needs to be set up.


Jorge
blog: http://pctechtips.org



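An added example, not code from any poster in this thread: a read-only PowerShell check that shows, on a domain-joined laptop, the two things the thread turns on. It reads the cached-logon setting Jason names (the policy writes CachedLogonsCount under the Winlogon key; Windows defaults to 10 when the value is absent) and the "DNS Servers" DNS Client policy that produces the symptom Jon describes, since a value in that policy key applies to every adapter and supersedes the DNS servers DHCP handed out. It then lists what DHCP actually gave each adapter for comparison. The registry paths are the documented policy locations; the output wording is my own. It uses WMI rather than newer networking cmdlets so it runs on the Windows XP machines the thread is about.

```powershell
# Added example: inspect a domain-joined laptop for the settings discussed in
# this thread. Read-only; run in an elevated PowerShell session on the laptop.

# 1. "Interactive logon: Number of previous logons to cache (in case domain
#    controller is not available)" is stored as the REG_SZ CachedLogonsCount.
#    When the value is absent Windows uses its default of 10.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).CachedLogonsCount
if ($cached -eq $null) { $cached = 10 }   # default when no policy or local value is set
Write-Host "CachedLogonsCount: $cached"
if ([int]$cached -eq 0) {
    Write-Host "  -> domain accounts cannot log on while no DC is reachable"
}

# 2. The "DNS Servers" setting (Computer Configuration > Administrative
#    Templates > Network > DNS Client) writes a space-separated server list to
#    NameServer under the DNSClient policy key. While that value is present it
#    applies to all connections and overrides the DNS servers DHCP assigned,
#    which is why the laptops lose name resolution on the road.
$dnsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$policyDns = (Get-ItemProperty -Path $dnsPolicy -ErrorAction SilentlyContinue).NameServer
if ($policyDns) {
    Write-Host "Policy-enforced DNS servers: $policyDns"
    Write-Host "  -> these win over DHCP-assigned DNS on every adapter"
} else {
    Write-Host "No DNS Servers policy applied; adapters use their own DNS settings"
}

# 3. What DHCP handed to each IP-enabled adapter, for comparison with step 2.
#    Win32_NetworkAdapterConfiguration exists on Windows XP, so this works on
#    the machines in the thread (Get-NetIPConfiguration would not).
Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        if ($_.DHCPEnabled) {
            $source = "DHCP from $($_.DHCPServer)"
        } else {
            $source = 'static'
        }
        if ($_.DNSServerSearchOrder) {
            $dns = $_.DNSServerSearchOrder -join ', '
        } else {
            $dns = '(none)'
        }
        Write-Host ("{0}: {1}; adapter DNS = {2}" -f $_.Description, $source, $dns)
    }
```

If step 2 reports policy-enforced servers, `gpresult /scope computer /v` on the laptop shows which GPO delivered them; the fix is to keep that GPO from reaching the laptops at all, for instance by moving them into their own OU as suggested earlier in the thread, rather than hoping it stops applying off the network.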


