
Windows Vista GPO Changes

kcnychief

█▄█ ▀█▄ █
Political User
#1
I have been loving this site lately :)

The first thing you'll notice is that Vista has over 3,000 group policy settings. Compare that to the 1500 settings in XP SP2 and approximately 1200 in Windows 2000 and the power of group policy over Vista becomes quite apparent. Up to 80 percent of these additional settings are security related, further emphasising the security push Microsoft is making.

Some of the other new settings will allow you to

-configure Windows Defender
-block storage device driver install (i.e. USB Key, Portable Hard Drives)
-block PCI device driver install
-make users local Standard Users
-control Windows Firewall
-manage Network Access Protection (requires Longhorn Server)
http://thelazyadmin.com/index.php?/archives/412-Whats-New-in-Vista-Group-Policy-Changes.html
 

kcnychief

█▄█ ▀█▄ █
Political User
#5
Kush said:
again I'm pretty sure some people will try to take advantage of these
What do you mean by that? They aren't security holes/risks, they are ways to control environments. It's not secret information, and never has been.
 

Kush

High On Life!
#6
No, I know; what I mean is in viruses, trojans, spyware etc., they will target those, trying to cripple the user.
 

kcnychief

█▄█ ▀█▄ █
Political User
#7
You can't "target" a Group Policy. All they really do is change Windows Settings such as turning on/off the firewall, allowing read access to USB devices, etc.
 

kcnychief

█▄█ ▀█▄ █
Political User
#9
You're missing the point.

GPOs aren't targeted as susceptible to virii, they are just a way of controlling Windows features. They won't be exploited, only the feature itself will be within Windows.
 

j79zlr

Glaanies script monkey
Political User
#10
No, actually you're missing the point. Allowing such things to be disabled via group policy, which means that it is done in the registry, can be exploited. That is how malware removes tabs from the Internet Options menu, http://www.j79zlr.com/gphome.php#InternetControlPanel or like my previous example:

Prevent access to the registry editing tools

* KEY: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
* DWORD: DisableRegistryTools = 1

This is Microsoft's problem, they do not think security when designing anything.

BTW there is no such word, virii.

EDIT:

You can't "target" a Group Policy. All they really do is change Windows Settings such as turning on/off the firewall
Yea, disabling the firewall isn't a security concern, nah, not at all.
 

kcnychief

█▄█ ▀█▄ █
Political User
#11
First off, kudos on that list. That must have taken you awhile to type, unless you copy and pasted it :rolleyes:

Secondly, only SOME keys are created by GPO. Other times it is modifying a key that is already in place.

Sorry that there isn't such a word as virii, didn't know you were an English professor too.
 

Steevo

Spammer representing.
Political User
#12
j79zlr said:
No, actually you're missing the point. Allowing such things to be disabled via group policy, which means that it is done in the registry, can be exploited. That is how malware removes tabs from the Internet Options menu, http://www.j79zlr.com/gphome.php#InternetControlPanel or like my previous example:

Prevent access to the registry editing tools

* KEY: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
* DWORD: DisableRegistryTools = 1

This is Microsoft's problem, they do not think security when designing anything.

BTW there is no such word, virii.

EDIT:



Yea, disabling the firewall isn't a security concern, nah, not at all.
They do think security, security from the local user. They kill lots of local rights while being oblivious to the security risks in simple shares and network access.

I am not so worried about a person inside my network that I know so much as the person able to get inside through a firewall. You think there is a difference between Windows protection and a Sonicwall firewall?

Like I said, too much local, not enough protection from out there ----->
 

j79zlr

Glaanies script monkey
Political User
#13
kcnychief said:
First off, kudos on that list. That must have taken you awhile to type, unless you copy and pasted it :rolleyes:

Secondly, only SOME keys are created by GPO. Other times it is modifying a key that is already in place.

Sorry that there isn't such a word as virii, didn't know you were an English professor too.
Didn't take nearly as long to type as it did to create it. Like I say on my site, I literally enabled each setting and found the registry change it made. It's been a while, but if I remember correctly it took about a full week.

The virii thing is a pet peeve of mine.

As far as Microsoft's security, they will err on the side of usability instead of security 100% of the time, that is where their design flaw lies.
 

j79zlr

Glaanies script monkey
Political User
#15
Windiff wouldn't have helped, I just left regedit open and enabled the policy, then saw what was added to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ key, most of the GPO settings are in that key or a subkey of it.
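
An added example, not part of any post in this thread: the before/after comparison described in post #15, automated as a diff of two `.reg` exports restricted to the Policies key, which also serves as a check for the unexpected policy value discussed in post #10. The two snapshots are constructed sample data, and the function names and watchlist are assumptions made for this illustration.

```python
import re

POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
WATCHLIST = {"disableregistrytools"}  # the value named in the thread

# Constructed samples in .reg export syntax (not captured from a real machine).
BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
'''
AFTER = BEFORE + r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
'''

def parse_reg(text):
    """Return {(key, value_name): data} for values under the Policies key."""
    values, key = {}, None
    prefix = POLICIES.lower() + "\\"
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # section header: the full registry key path
        elif key and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)):
            if (key.lower() + "\\").startswith(prefix):
                values[(key, m.group(1))] = m.group(2)
    return values

def decode(data):
    """Turn 'dword:00000001' into an int; leave other types as text."""
    return int(data[6:], 16) if data.startswith("dword:") else data

def diff_policies(before, after):
    """List (change, key, name, value, watched) for added or modified values."""
    old, new = parse_reg(before), parse_reg(after)
    findings = []
    for (key, name), data in sorted(new.items()):
        if old.get((key, name)) != data:
            change = "added" if (key, name) not in old else "modified"
            # Flag only watchlisted values that are actually switched on.
            watched = name.lower() in WATCHLIST and decode(data) != 0
            findings.append((change, key, name, decode(data), watched))
    return findings

if __name__ == "__main__":
    for change, key, name, value, watched in diff_policies(BEFORE, AFTER):
        flag = "  <-- watchlisted" if watched else ""
        print(f"{change}: {key}\\{name} = {value}{flag}")
```

On a machine where no administrator has applied that policy, a watchlisted finding means something else wrote the value, which is the situation post #10 describes.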
 
