Sunday, February 1, 2009

[THIN] Re: GPO Debate

Greg,

If the computer is unplugged from the network, then the system can't get attacked via the network, can it?

So then the only weak spot is to log on locally, having physical access to the system. Which brings us to securing physical access to the system/server room/datacenter.


Remember the GPOs are basically registry hacks that travel the network from your site DC to your member server or PC.

Actually the GPOs are stored on the PDC (yes, one of the single master roles in a 'multimaster' directory service), on the one hand on the filesystem, actually in \sysvol\sysvol\GUID of GPO, and on the other hand in the directory service itself.


You may of course set local policies on the nodes themselves; these will of course get overridden by GPOs applied to the OU or domain (according to the LSDOU principle).

However, you could still set a local password policy on all your servers. I would recommend applying the exact same settings as you apply in the Default Domain Policy.


Actually I work for Big Blue and that's what we do: securing all systems with local security policies (in addition).

The most notable security settings are locking down the filesystem, registry, system services, user rights assignments and account/password policies.

Once you've created your local policies via a template, you can easily import them using secedit...

If you need the exact syntax for importing an *.inf template with secedit, just give me a ring, but I leave it up to your creative spirit.

With the help of psexec (ex-Sysinternals) and using a FOR/DO file list of all your members, you could even execute it from a central location on all your systems from the prompt.

Regards,

Stefan

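The secedit + psexec + FOR/DO push Stefan sketches, written out as an added example (not Stefan's own script). It assumes psexec.exe is in PATH, a constructed servers.txt with one hostname per line, and a baseline.inf template exported from a reference machine with "secedit /export /cfg baseline.inf" and edited so its [System Access] values match the Default Domain Policy; "analyze" reports drift without changing anything, "configure" applies the template.

```batch
@echo off
REM Added example, not from the original post. Assumed inputs:
REM   servers.txt  - one hostname per line, "#" lines are comments (constructed)
REM   baseline.inf - template from "secedit /export /cfg baseline.inf" (assumed)
REM   psexec.exe   - in PATH
REM Usage:  push-baseline.cmd analyze    (report drift only, change nothing)
REM         push-baseline.cmd configure  (apply the template)
setlocal
set MODE=%~1
if /i not "%MODE%"=="analyze" if /i not "%MODE%"=="configure" goto :usage
if not exist servers.txt  echo servers.txt not found  & exit /b 1
if not exist baseline.inf echo baseline.inf not found & exit /b 1
if not exist logs mkdir logs

for /f "usebackq eol=# tokens=*" %%S in ("servers.txt") do call :one %%S
goto :eof

:one
echo === %1 (%MODE%) ===
REM admin$ maps to %SystemRoot% on the target; stage the template there.
if not exist \\%1\admin$\Temp\ (echo   unreachable, skipping & goto :eof)
copy /y baseline.inf \\%1\admin$\Temp\baseline.inf >nul || (echo   copy failed & goto :eof)
REM %%SystemRoot%% is doubled so it expands on the remote side, not here.
REM A private /db keeps the default local.sdb untouched; -s runs as SYSTEM.
if /i "%MODE%"=="analyze" (
  psexec \\%1 -s cmd /c secedit /analyze /db %%SystemRoot%%\Temp\baseline.sdb /cfg %%SystemRoot%%\Temp\baseline.inf /log %%SystemRoot%%\Temp\baseline.log /quiet
) else (
  psexec \\%1 -s cmd /c secedit /configure /db %%SystemRoot%%\Temp\baseline.sdb /cfg %%SystemRoot%%\Temp\baseline.inf /overwrite /log %%SystemRoot%%\Temp\baseline.log /quiet
)
REM Pull each host's log back so all results end up in one place centrally.
copy /y \\%1\admin$\Temp\baseline.log logs\%1.log >nul
findstr /i /c:"mismatch" /c:"error" logs\%1.log
goto :eof

:usage
echo usage: %~nx0 analyze ^| configure
exit /b 1
```

Run "analyze" first against a couple of members and read logs\<host>.log before pushing "configure" to the whole list.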

From: thin-bounce@freelists.org [mailto:thin-bounce@freelists.org] On Behalf Of Greg Reese
Sent: Sunday 1 February 2009 21:02
To: Thin
Subject: [THIN] GPO Debate


I admit that as I have been in this career for over 15 years, there may be some things that I still don't understand, or worse, some things that I don't understand as well as I think I do. But keeping an open mind and being willing to learn something from everyone I meet has served me pretty well.

Currently, I am having a debate over GPO use with a colleague (for those of you in government work, think "IA asshole").

Anyway, the debate is that setting a GPO at the domain or OU level does not properly protect a server because as soon as the server is unplugged from the network, the settings disappear, leaving the server in an unprotected state. So this person wants us to make all adjustments by hand with local policies. As much as my gut tells me this is wrong, I really don't have anything to back it up with.

I say the settings will stay applied in the absence of the rest of the domain structure or servers being present. But the more I think about it, I really don't know how it really works. I am going to set up a test next week but figured it was worth throwing out to all of you.

Thanks!

Greg
