Windows Vista GPO Changes

Discussion in 'Windows Desktop Systems' started by kcnychief, May 3, 2006.

  1. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    Messages:
    16,948
    Location:
    Massachusetts
    I have been loving this site lately :)

    http://thelazyadmin.com/index.php?/archives/412-Whats-New-in-Vista-Group-Policy-Changes.html
     
  2. canadian_divx

    canadian_divx Canadian_divx

    Nice. This will give me something to read for the night, thanks for the post.
     
  3. kcnychief

    It's not very long, will be a short night, but you are welcome :p
     
  4. Kush

    Kush High On Life!

    Messages:
    4,590
    Location:
    Montreal, Quebec
    Again, I'm pretty sure some people will try to take advantage of these.
     
  5. kcnychief

    What do you mean by that? They aren't security holes/risks, they are ways to control environments. It's not secret information, and never has been.
     
  6. Kush

    No, I know. What I mean is in viruses, trojans, spyware, etc., they will target those, trying to cripple the user.
     
  7. kcnychief

    You can't "target" a Group Policy. All they really do is change Windows Settings such as turning on/off the firewall, allowing read access to USB devices, etc.
     
  8. j79zlr

    j79zlr Glaanies script monkey Political User

    Messages:
    2,725
    Location:
    Chicago
    Right, like disabling regedit, no virus has ever done that.................
     
  9. kcnychief

    You're missing the point.

    GPOs aren't targeted as susceptible to virii, they are just a way of controlling Windows features. They won't be exploited, only the feature itself will be within Windows.
     
  10. j79zlr

    No, actually you're missing the point. Allowing such things to be disabled via group policy, which means that it is done in the registry, can be exploited. That is how malware removes tabs from the Internet Options menu, http://www.j79zlr.com/gphome.php#InternetControlPanel or like my previous example:

    Prevent access to the registry editing tools

    * KEY: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    * DWORD: DisableRegistryTools = 1

    This is Microsoft's problem, they do not think security when designing anything.

    BTW there is no such word, virii.

    EDIT:

    Yea, disabling the firewall isn't a security concern, nah, not at all.
     
  11. kcnychief

    First off, kudos on that list. That must have taken you a while to type, unless you copied and pasted it :rolleyes:

    Secondly, only SOME keys are created by GPO. Other times it is modifying a key that is already in place.

    Sorry that there isn't such a word as virii, didn't know you were an English professor too.
     
  12. Steevo

    Steevo Spammer representing. Political User Folding Team

    Messages:
    2,566
    They do think security, security from the local user. They kill lots of local rights while being oblivious to the security risks in simple shares and network access.

    I am not so worried about a person inside my network that I know so much as the person able to get inside through a firewall. You think there is a difference between windows protection and a Sonicwall firewall?

    Like I said, too much local, not enough protection from out there ----->
     
  13. j79zlr

    Didn't take nearly as long to type as it did to create it. Like I say on my site, I literally enabled each setting and found the registry change it made. It's been a while, but if I remember correctly it took about a full week.

    The virii thing is a pet peeve of mine.

    As far as Microsoft's security, they will err on the side of usability instead of security 100% of the time, that is where their design flaw lies.
     
  14. kcnychief

    Should have used windiff, would have been easier.
     
  15. j79zlr

    Windiff wouldn't have helped, I just left regedit open and enabled the policy, then saw what was added to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ key, most of the GPO settings are in that key or a subkey of it.
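
Added example, not part of any post in this thread: the before/after comparison of the Policies key described above, done over two text exports of that key, plus a check for the DisableRegistryTools value quoted earlier. Both snapshots are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed snapshots in the text format that regedit / "reg export" writes
# (real exports are UTF-16; decode before passing the text in).
BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
'''
AFTER = BEFORE + r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
'''

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

def parse_reg(text):
    """Return {(key_path, value_name): raw_data} for every value in the export."""
    text = re.sub(r'\\\r?\n[ \t]*', '', text)   # join wrapped hex: lines
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            name = '@' if m.group(1) is None else m.group(1)
            values[(key, name)] = m.group(2)
    return values

def diff_policies(before, after):
    """List (kind, key, name, new_data) for values that differ between snapshots."""
    old, new = parse_reg(before), parse_reg(after)
    out = []
    for k in sorted(set(old) | set(new)):
        if old.get(k) != new.get(k):
            kind = 'added' if k not in old else 'removed' if k not in new else 'changed'
            out.append((kind, k[0], k[1], new.get(k)))
    return out

def regedit_disabled(text):
    """True if the snapshot carries the DisableRegistryTools policy from the thread."""
    for (key, name), data in parse_reg(text).items():
        if (key.lower().endswith(r'\policies\system')
                and name.lower() == 'disableregistrytools'
                and data.lower().startswith('dword:')):
            return int(data[6:], 16) != 0   # thread shows 1; nonzero treated as set
    return False

if __name__ == '__main__':
    for change in diff_policies(BEFORE, AFTER):
        print(*change)
    print('regedit disabled:', regedit_disabled(AFTER))
```

Run on a schedule against a known-good baseline export, the same diff shows when a policy value appears that no administrator deployed.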