Can this be stopped

Discussion in 'Windows Server Systems' started by celticfan11, Oct 4, 2007.

  1. celticfan11

    celticfan11 Moderator

    Messages:
    744
    Location:
    Vernon, CT
    So i figured this out.

    If i login as a test student (who is locked down VIA Group Policy):

    As soon as it accepts the username and password, i unplugg the network cord. It logs in. I then plug the network cord back in. I am now at MUCH higher elevated privledges then i should be. This defeats ALL GPOs except computer GPOS. How can this be prevented, if possible?

    Server 2003 SP2
     
  2. Electronic Punk

    Electronic Punk Administrator Staff Member Political User Folding Team

    Messages:
    18,590
    Location:
    Copenhagen, Denmark
    Well this would only happen the first time for a very short period.


    Basically as the user logs in for the first time they will be using the domain default profile stored in \\{domain}\netlogon (if it isn't there it doesn't exist)

    This default profile can have any settings you like and can even use local user policy.

    Another solutio would be to use roaming profiles.

    GP will also refresh as often as you tell it to as well or can be forced by using gpupdate (there are also tools that will do it remotely as well.
     
  3. celticfan11

    celticfan11 Moderator

    Messages:
    744
    Location:
    Vernon, CT

    Using this is the only possible solution here. However there is no profile there. So how do i create one and then make it so that is where defualt profiles are pulled from instead of from the local PC?
     
  4. Electronic Punk

    Electronic Punk Administrator Staff Member Political User Folding Team

    Messages:
    18,590
    Location:
    Copenhagen, Denmark
    Easiest way, or what I have been doing is logging on as a local user, changing all the settings I want to change .. wallpaper, registry tweaks, vbs tweaks, file/folder layouts - anything I could think of.

    Logging off, logging on as local admin, going to my computer > properties then copying the folder to C:\Documents and Settings\Default User

    This will make it the default user on the PC obviously

    If you then copy that entire folder into the NETLOGON folder then thats it!

    Also note that any registry changes you make to \HKU\.DEFAULT are not infact being applied to the default user, this is actually the account used by system services etc. or if no one is logged on (ie you can use it specify the wallpaper for the logon screen)
     
  5. ZeroHour

    ZeroHour ho3 ho3 ho3

    Messages:
    1,118
    Location:
    Scotland
    You dont actually get evevated priviledges. You will only get the default which should be "User" level but yes your right you can do ALOT more then you should.
    I am working on a solution for our network right now but I currently dont have to time to implement my ideas.
     
  6. celticfan11

    celticfan11 Moderator

    Messages:
    744
    Location:
    Vernon, CT
    It isnt priority for me either, but this client of ours is a school system, so once a student figures this out, this spells trouble. They can do alot of damage in a few mins of this elevated privledge level.
     
  7. ZeroHour

    ZeroHour ho3 ho3 ho3

    Messages:
    1,118
    Location:
    Scotland
    LOL I manage a school network too.
    Damn evil kiddies ;)
    I will post as solution when I find the time. As long as they cant install a lot of the risk is minimal.
     
  8. celticfan11

    celticfan11 Moderator

    Messages:
    744
    Location:
    Vernon, CT
    Sounds like a plan. And no they cant install, i have them fairly locked down :).