Windows Vista GPO Changes

kcnychief

I have been loving this site lately :)

The first thing you'll notice is that Vista has over 3,000 group policy settings. Compare that to the 1500 settings in XP SP2 and approximately 1200 in Windows 2000 and the power of group policy over Vista becomes quite apparent. Up to 80 percent of these additional settings are security related, further emphasising the security push Microsoft is making.

Some of the other new settings will allow you to

-configure Windows Defender
-block storage device driver install (i.e. USB Key, Portable Hard Drives)
-block PCI device driver install
-make users local Standard Users
-control Windows Firewall
-manage Network Access Protection (requires Longhorn Server)

http://thelazyadmin.com/index.php?/archives/412-Whats-New-in-Vista-Group-Policy-Changes.html
 
It's not very long, will be a short night, but you are welcome :p
 
Again, I'm pretty sure some people will try to take advantage of these.
 
Kush said:
Again, I'm pretty sure some people will try to take advantage of these.
What do you mean by that? They aren't security holes/risks, they are ways to control environments. It's not secret information, and never has been.
 
No, I know. What I mean is, in viruses, trojans, spyware, etc., they will target those, trying to cripple the user.
 
You can't "target" a Group Policy. All they really do is change Windows Settings such as turning on/off the firewall, allowing read access to USB devices, etc.
 
Right, like disabling regedit, no virus has ever done that.................
 
You're missing the point.

GPOs aren't targeted as susceptible to virii, they are just a way of controlling Windows features. They won't be exploited, only the feature itself will be within Windows.
 
No, actually you're missing the point. Allowing such things to be disabled via group policy, which means that it is done in the registry, can be exploited. That is how malware removes tabs from the Internet Options menu, http://www.j79zlr.com/gphome.php#InternetControlPanel or like my previous example:

Prevent access to the registry editing tools

* KEY: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
* DWORD: DisableRegistryTools = 1

This is Microsoft's problem, they do not think security when designing anything.

BTW there is no such word, virii.

EDIT:

You can't "target" a Group Policy. All they really do is change Windows Settings such as turning on/off the firewall

Yea, disabling the firewall isn't a security concern, nah, not at all.
 
First off, kudos on that list. That must have taken you a while to type, unless you copied and pasted it :rolleyes:

Secondly, only SOME keys are created by GPO. Other times it is modifying a key that is already in place.

Sorry that there isn't such a word as virii, didn't know you were an English professor too.
 
j79zlr said:
No, actually you're missing the point. Allowing such things to be disabled via group policy, which means that it is done in the registry, can be exploited. That is how malware removes tabs from the Internet Options menu, http://www.j79zlr.com/gphome.php#InternetControlPanel or like my previous example:

Prevent access to the registry editing tools

* KEY: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
* DWORD: DisableRegistryTools = 1

This is Microsoft's problem, they do not think security when designing anything.

BTW there is no such word, virii.

EDIT:



Yea, disabling the firewall isn't a security concern, nah, not at all.

They do think security, security from the local user. They kill lots of local rights while being oblivious to the security risks in simple shares and network access.

I am not so worried about a person inside my network that I know so much as the person able to get inside through a firewall. You think there is a difference between Windows protection and a Sonicwall firewall?

Like I said, too much local, not enough protection from out there ----->
 
kcnychief said:
First off, kudos on that list. That must have taken you a while to type, unless you copied and pasted it :rolleyes:

Secondly, only SOME keys are created by GPO. Other times it is modifying a key that is already in place.

Sorry that there isn't such a word as virii, didn't know you were an English professor too.

Didn't take nearly as long to type as it did to create it. Like I say on my site, I literally enabled each setting and found the registry change it made. It's been a while, but if I remember correctly it took about a full week.

The virii thing is a pet peeve of mine.

As far as Microsoft's security, they will err on the side of usability instead of security 100% of the time, that is where their design flaw lies.
 
Should have used windiff, would have been easier.
 
Windiff wouldn't have helped. I just left regedit open and enabled the policy, then saw what was added to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ key. Most of the GPO settings are in that key or a subkey of it.
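
The before/after comparison described in the thread can also be run as a tamper check on the Policies key. The following is an added example, not part of any post: it diffs two registry snapshots and reports values added or changed under that key. It assumes the snapshots are already-decoded text from `reg export`; the sample data, the `ExampleApp` key and the function names are constructed for illustration.

```python
import re

# Key named in the thread as holding most GPO-written values.
POLICY_ROOT = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"

# Constructed sample snapshots (decoded text of two `reg export` files).
BASELINE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""
CURRENT = BASELINE + r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\ExampleApp]
"Theme"="dark"
"""

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Map lower-cased (key, name) to (key, name, data); dwords become ints,
    every other value type is kept as its raw text."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            name, raw = m.groups()
            data = int(raw[6:], 16) if raw.startswith("dword:") else raw.strip('"')
            values[(key.lower(), name.lower())] = (key, name, data)
    return values

def policy_changes(baseline, current, root=POLICY_ROOT):
    """Return (key, name, old, new) for values added or changed under root."""
    old, new = parse_reg(baseline), parse_reg(current)
    prefix = root.lower()  # registry key names are case-insensitive
    changes = []
    for ident, (key, name, data) in new.items():
        in_scope = ident[0] == prefix or ident[0].startswith(prefix + "\\")
        before = old[ident][2] if ident in old else None
        if in_scope and before != data:
            changes.append((key, name, before, data))
    return sorted(changes, key=lambda c: (c[0].lower(), c[1].lower()))

if __name__ == "__main__":
    for key, name, before, after in policy_changes(BASELINE, CURRENT):
        print(f"{key}\\{name}: {before!r} -> {after!r}")
```

A value that shows up here without a matching Group Policy change is worth investigating; deleted values are not reported by this sketch.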
 
