Sunday, February 1, 2009

[THIN] Re: GPO Debate

Well, it should be pretty simple to test… However, an unplugged server is the most secure (network-wise; physical access is a different story) of them all. I joke with my customers: when they go overboard on security, I suggest unplugging it.

And just what GPO settings are we talking about? It could be simple enough to write a script that makes the appropriate registry changes.

Joe

From: thin-bounce@freelists.org [mailto:thin-bounce@freelists.org] On Behalf Of Greg Reese
Sent: Sunday, February 01, 2009 1:02 PM
To: Thin
Subject: [THIN] GPO Debate

I admit that as I have been in this career for over 15 years, there may be some things that I still don't understand, or worse, some things that I don't understand as well as I think I do. But keeping an open mind and being willing to learn something from everyone I meet has served me pretty well.

Currently, I am having a debate over GPO use with a colleague (for those of you in government work, think "IA asshole").

Anyway, the debate is that setting a GPO at the domain or OU level does not properly protect a server because as soon as the server is unplugged from the network, the settings disappear, leaving the server in an unprotected state. So this person wants us to make all adjustments by hand with local policies. As much as my gut tells me this is wrong, I really don't have anything to back it up with.

I say the settings will stay applied in the absence of the rest of the domain structure or servers being present. But the more I think about it, I really don't know how it really works. I am going to set up a test next week but figured it was worth throwing out to all of you.

Thanks!

Greg
