Security

Archived from groups: microsoft.public.win2000.group_policy

What good is Group Policy set on the domain controller when a client with domain user (default) access can have the
policy violated by the security vulnerabilities of Microsoft Internet Explorer? I don't understand this. These issues have
existed from day 1 of Modern NT and I am sure they're continuing.

--
George Hester
_________________________________
  1. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    What vulnerabilities in particular are you referring to? I am not aware of
    any IE security holes that will allow Group Policy to be overridden, could
    you flesh this out with some more detail?

  2. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    "Simon Geary" <simon_geary@hotmail.com> said

    > What vulnerabilities in particular are you referring to? I am not aware of
    > any IE security holes that will allow Group Policy to be overridden, could
    > you flesh this out with some more detail?
    >

    He's just a whinger complaining that a web page can overwrite the homepage
    setting defined in a GPO. He's complained about this before.
    news://uX5IdVlBFHA.2316@TK2MSFTNGP15.phx.gbl

    Doesn't want a solution. Just wants to vent a little I guess.


    --

    Andy.
  3. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Not exactly. It's easy enough to call me a whiner when security fails. What would you like for me to show that although
    I may be whining the issue still occurs or is for you "whining" the be all and end all of the issue?

    I had set Group Policy on the domain controller so that the client could not change their homepage. Obviously that
    worked for changing the homepage on the client was unavailable. Now you tell me what more I could have done?
    Changing the homepage on the client was UNAVAILABLE. GREYED OUT. NOT POSSIBLE TO CHANGE THE
    HOME PAGE ON THE CLIENT. Please tell me what more I could have done?

    The client while connected to the domain controller visited a page on the net that used IE vulnerabilities to change the
    home page. The new homepage was UNAVAILABLE on the client to change. GREYED OUT. NOT POSSIBLE
    TO CHANGE THE HOME PAGE ON THE CLIENT.

    I had to remove the Group Policy so that I could restore the client's homepage AND clean out the registry entries that
    were changed. The client had no access to the registry but the IE security issues sure did. Whining OK. These
    security issues will never be fixed if that is all you consider is important here. I think it is IE security issues and you think
    it is "whining." No wonder these issues persist.

    --
    George Hester
    _________________________________
  4. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    "George Hester" <hesterloli@hotmail.com> said

    > Not exactly. It's easy enough to call me a whiner when security fails.
    > What would you like for me to show that although I may be whining the
    > issue still occurs or is for you "whining" the be all and end all of
    > the issue?
    >
    > I had set Group Policy on the domain controller so that the client could
    > not change their homepage. Obviously that worked for changing the
    > homepage on the client was unavailable. Now you tell me what more I
    > could have done? Changing the homepage on the client was UNAVAILABLE.
    > GREYED OUT. NOT POSSIBLE TO CHANGE THE HOME PAGE ON THE CLIENT.
    > Please tell me what more I could have done?

    I don't know. You haven't provided anywhere near enough information.

    >
    > The client while connected to the domain controller visited a page on
    > the net that used IE vulnerabilities to change the home page. The new
    > homepage was UNAVAILABLE on the client to change. GREYED OUT. NOT
    > POSSIBLE TO CHANGE THE HOME PAGE ON THE CLIENT.
    >
    > I had to remove the Group Policy

    You don't need to remove the GPO. Just temporarily move the user to an OU
    that's not affected by it.

    > so that I could restore the client's
    > homepage AND clean out the registry entries that were changed.

    Which registry keys were changed?

    > The
    > client had no access to the registry but the IE security issues sure
    > did.

    IE runs in the context of the user. It cannot alter keys that the user has
    no permissions to alter. Preventing regedit from running does not protect
    the registry. It just stops regedit from running. There are a number of
    other ways of altering the registry.

    > Whining OK. These security issues will never be fixed if that is
    > all you consider is important here. I think it is IE security issues
    > and you think it is "whining." No wonder these issues persist.
    >

    So instead of just stating that it happened, why don't you tell us exactly
    what happened (which reg keys were altered etc.) so that someone can come
    up with a solution?

    So far all you have done is made very vague posts stating that the user's
    homepage setting was altered despite settings you have set in a GPO. You
    made no request for assistance and didn't ask for any opinions on how to
    prevent this via other settings or patches.

    --

    Andy.
  5. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    As a further follow up, George, you need to remember that we're not
    Microsoft in the newsgroup (ok, a few people are, but the majority of us
    aren't). We're almost all common folk with a few troubles here and there,
    and others who may have a little more experience and be able to offer their
    personal expertise on the subject.

    Sure, I'm not happy when a user's homepage deviates from my gpo, but is the
    change in a homepage really showing a lack of security? It tends to happen
    on computers here where my users have local admin rights and have little
    pieces (ok, sometimes BIG pieces) of spyware on their computer. There may
    be a larger problem you have to worry about. But if you don't like your
    users going to that webpage, utilize a proxy server or firewall to disallow
    connections to that specific website. The users will call and complain the
    internet is down, as it tells them "Page not found"

    Have a good weekend

    Ken

  6. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    I don't know if I can provide any more information than that which I have provided. The user did have admin rights that was signed on at the time. That's true and was a mistake. That won't happen again. But the GPO was still violated and it was not changed. In other words the GPO was still active.

    I cannot suggest all the excuses of why the GPO may have been violated. I just know it was set and was violated. I also know that it was not possible for anyone to reset the homepage from Windows GUI for that purpose. Admin or no admin. The Internet nasty used IE vulnerabilities to reset the homepage in the registry. Where? Obviously:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

    or

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

    not sure which I had to go into to fix the issue.

    But in any case if we set GPO so that policies are obtained is it too much to ask that they do hold? How am I going to set a GPO for the client when the user signed in has Admin rights? Would their not being Domain admin or Enterprise Admin rights be sufficient to stop these IE vulnerabilities from changing this GPO? If so I'll take them out of it. The trouble is I don't want to run into Installation issues.

    Thanks.

    --
    George Hester
    _________________________________
  7. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    "George Hester" <hesterloli@hotmail.com> said

    > I don't know if I can provide any more information than that which I have
    > provided. The user did have admin rights that was signed on at the
    > time. That's true and was a mistake. That won't happen again. But the
    > GPO was still violated and it was not changed.

    The GPO was not 'violated'. The GPO is intended to prevent users using the
    IE GUI (Tools/Options etc....) to change the homepage. From what you have
    stated, the user in question downloaded a program or script which changed
    the Homepage. They did not use the IE GUI to achieve this. The GPO worked
    as designed.

    > In other words the GPO
    > was still active.
    >
    > I cannot suggest all the excuses of why the GPO may have been violated.
    > I just know it was set and was violated. I also know that it was not
    > possible for anyone to reset the homepage from Windows GUI for that
    > purpose. Admin or no admin. The Internet nasty used IE vulnerabilities
    > to reset the homepage in the registry. Where? Obviously:
    >
    > HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    >
    > or
    >
    > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
    >
    > not sure which I had to go into to fix the issue.
    >
    > But in any case if we set GPO so that policies are obtained is it too
    > much to ask that they do hold?

    George,
    The GPO only locks down the client application - In this case IE.
    If the user downloads another program to bypass IE or uses another method
    to directly access the registry your GPO will not help. This is not a flaw.
    The only way to achieve what you appear to want is by setting appropriate
    permissions on the relevant registry key.

    > How am I going to set a GPO for the
    > client when the user signed in has Admin rights?

    Use ACLs on the registry key. Prevent the user from changing it.

    > Would their not being
    > Domain admin or Enterprise Admin rights be sufficient to stop these IE
    > vulnerabilities from changing this GPO?

    Generally speaking, users should never be members of the local
    administrators group.

    > If so I'll take them out of it.
    > The trouble is I don't want to run into Installation issues.

    If you use msi packages for your software installation you can use GPOs to
    deploy the apps. This will allow for non-admin users to install the
    applications you allow.


    --

    Andy.
  8. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    If you set a DACL on the registry keys, you can prevent any user from
    changing them. It won't matter how (IE GUI or any other method) they just
    won't have any permission.

    The policy that you set did what it claimed to do - the GUI is not available.
    But any program that runs in a user context that has permission to write to
    those keys, can change the value.

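The last two replies turn on one point: the policy only disables the IE GUI, and any process running as the user can still write the key unless its DACL says otherwise. The PowerShell below is an added example, not code from anyone in the thread, that audits whether the current logon token can write to the two keys George names; the function name `Test-RegistryKeyWritable` is hypothetical. It walks the DACL in order as a simplified access check and does not model integrity levels or restricted tokens.

```powershell
# Added example (not from the thread). Function name is hypothetical;
# the key paths are the two George lists in his post.
function Test-RegistryKeyWritable {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Writable = $false
                                  OwnedByCaller = $false; GrantedBy = @() }
    }

    # Rights that let a process change a value under the key, or rewrite the DACL protecting it.
    $writeMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    $genericWriteOrAll = 0x50000000   # GENERIC_WRITE (0x40000000) | GENERIC_ALL (0x10000000)

    # SIDs carried by the calling token: the user plus every enabled group.
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl     = Get-Acl -LiteralPath $Path
    $rules   = $acl.GetAccessRules($true, $true, $sidType)   # explicit + inherited, in DACL order

    # The first ACE that mentions a right decides it, so an earlier Deny
    # beats a later Allow for the same right, and vice versa.
    $undecided = $writeMask
    $granted   = 0
    $grantedBy = @()
    foreach ($rule in $rules) {
        if ($sids -notcontains $rule.IdentityReference.Value) { continue }
        $inheritOnly = $rule.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly
        if ($inheritOnly) { continue }   # ACE applies to subkeys only, not to this key

        $bits = [int]$rule.RegistryRights
        if ($bits -band $genericWriteOrAll) { $bits = $bits -bor $writeMask }
        $bits = $bits -band $undecided
        if ($bits -eq 0) { continue }

        if ($rule.AccessControlType -eq 'Allow') {
            $granted    = $granted -bor $bits
            $grantedBy += $rule.IdentityReference.Value
        }
        $undecided = $undecided -band (-bnot $bits)
    }

    [pscustomobject]@{
        Path          = $Path
        Exists        = $true
        Writable      = ($granted -ne 0)
        # The owner can always rewrite the DACL, whatever the ACEs say.
        OwnedByCaller = ($sids -contains $acl.GetOwner($sidType).Value)
        GrantedBy     = $grantedBy | Select-Object -Unique
    }
}

'HKCU:\Software\Microsoft\Internet Explorer\Main',
'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main' |
    ForEach-Object { Test-RegistryKeyWritable -Path $_ } |
    Format-Table Path, Exists, Writable, OwnedByCaller, GrantedBy -AutoSize
```

Run it in the user's own, non-elevated session, since the result depends on the token of the process doing the write. A registry DACL covers the whole key rather than one value, and a member of the local Administrators group can take ownership of the key and rewrite the DACL.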