How do I get Restricted Groups to be real time?

[Todd]

Archived from groups: microsoft.public.win2000.security (More info?)

I have a question regarding Restricted Groups...

I am trying to make the changes that I've set for Restricted Groups to be as
close to real time as possible. We had another user created today and the
user was added to the built in administrators group by a ghost admin...refer
to an alternate post for the whole story if you're interested...titled
"Security Breach in AD" from 02/07/05

Anyway...In about 5 minutes the user was removed from the built in admin
group as I have configured with Restricted Groups. Trying to make it real
time security, I have changed the default domain policy, the default domain
controller policy, and the local machine policy all to reflect the following
changes trying to make this a real time restriction:
I have enabled the... refresh interval for computers to 0, refresh interval
for domain controllers to 0 for the computer group policies
as well as the refresh interval for users to 0 for the user group policies.
I obviously do not know what I am doing since I don't know what Group policy
to apply and on what interface to get my desired results.

Please help!

thanks

Todd

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

"Todd" <Todd@discussions.microsoft.com> wrote in message
news:4AEED882-8244-4C22-9D1A-EC4879A0EFF0@microsoft.com...
> I have a question regarding Restricted Groups...
>
> I am trying to make the changes that I've set for Restricted Groups to be
as
> close to real time as possible. We had another user created today and the
> user was added to the built in administrators group by a ghost
admin...refer
> to an alternate post for the whole story if you're interested...titled
> "Security Breach in AD" from 02/07/05


> Anyway...In about 5 minutes the user was removed from the built in admin
> group as I have configured with Restricted Groups. Trying to make it real
> time security,

You cannot to my knowledge. It is based on GPO security
updates -- and you seem to already have it set as low as it
goes.

> I have changed the default domain policy, the default domain
> controller policy, and the local machine policy all to reflect the
following
> changes trying to make this a real time restriction:

> I have enabled the... refresh interval for computers to 0, refresh
interval
> for domain controllers to 0 for the computer group policies
> as well as the refresh interval for users to 0 for the user group
policies.
> I obviously do not know what I am doing since I don't know what Group
policy
> to apply and on what interface to get my desired results.

It gets updated on machines periodically (90 minutes for regular
machines).

You really don't want it set TOO OFTEN so you may be fighting
the wrong battle.

While Restricted Groups solve most of this problem, taking
away the privileges of an admin who abuses them may make
MORE SENSE.

--
Herb Martin


"Todd" <Todd@discussions.microsoft.com> wrote in message
news:4AEED882-8244-4C22-9D1A-EC4879A0EFF0@microsoft.com...
> I have a question regarding Restricted Groups...
>
> I am trying to make the changes that I've set for Restricted Groups to be
as
> close to real time as possible. We had another user created today and the
> user was added to the built in administrators group by a ghost
admin...refer
> to an alternate post for the whole story if you're interested...titled
> "Security Breach in AD" from 02/07/05
>
> Anyway...In about 5 minutes the user was removed from the built in admin
> group as I have configured with Restricted Groups. Trying to make it real
> time security, I have changed the default domain policy, the default
domain
> controller policy, and the local machine policy all to reflect the
following
> changes trying to make this a real time restriction:
> I have enabled the... refresh interval for computers to 0, refresh
interval
> for domain controllers to 0 for the computer group policies
> as well as the refresh interval for users to 0 for the user group
policies.
> I obviously do not know what I am doing since I don't know what Group
policy
> to apply and on what interface to get my desired results.
>
> Please help!
>
> thanks
>
> Todd
>

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

It is the Computer policy refresh that applies the Restricted group defs.
If all of your DCs are, as I assume from what was said of environment
in other thread, are local at one location, setting the domain refresh
interval down to some amount lower than the predefined 5 minutes
would probably not hurt while you are fighting this way (but I assume
that you have not many GPOs that apply to Domain and/or Domain
Controllers). I have never heard of setting refresh to 0 so am not sure
how that gets interpreted. At best try a lower positive number and
keep an eye on the work caused (probably barely noticable for all
LAN local DCs situation).

Are you monitoring all inbound and outbound traffic (that is, all that
passes to from the outside world) ? and not just to the DCs by the
way as any domain member would make an effective point from
which to manipulate AD definitions like user objects, group members.

Is this forest a single domain ?

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Todd" <Todd@discussions.microsoft.com> wrote in message
news:4AEED882-8244-4C22-9D1A-EC4879A0EFF0@microsoft.com...
> I have a question regarding Restricted Groups...
>
> I am trying to make the changes that I've set for Restricted Groups to be
as
> close to real time as possible. We had another user created today and the
> user was added to the built in administrators group by a ghost
admin...refer
> to an alternate post for the whole story if you're interested...titled
> "Security Breach in AD" from 02/07/05
>
> Anyway...In about 5 minutes the user was removed from the built in admin
> group as I have configured with Restricted Groups. Trying to make it real
> time security, I have changed the default domain policy, the default
domain
> controller policy, and the local machine policy all to reflect the
following
> changes trying to make this a real time restriction:
> I have enabled the... refresh interval for computers to 0, refresh
interval
> for domain controllers to 0 for the computer group policies
> as well as the refresh interval for users to 0 for the user group
policies.
> I obviously do not know what I am doing since I don't know what Group
policy
> to apply and on what interface to get my desired results.
>
> Please help!
>
> thanks
>
> Todd
>

 

[Todd]

Archived from groups: microsoft.public.win2000.security (More info?)

I found the solution...kinda.

I went to computer configuration, administrative templates, system, group
policy...
Then I changed the Group Policy refresh interval for computers and the Group
Policy refresh interval for domain controllers both to 0.
Then I enabled Scripts policy processing and marked the box next to "process
even if the group policy objects have not changed"
This was done in both the local security policy as well as the default
domain controllers policy.

This has set my GPO's to refresh about every 7 seconds at most. This was
the temporary solution I was trying to obtain.

This forest has 2 domains...the other one isn't having any trouble.

Thanks for your help!

Todd

 

[Todd]

Archived from groups: microsoft.public.win2000.security (More info?)

I found the solution...kinda.

I went to computer configuration, administrative templates, system, group
policy...
Then I changed the Group Policy refresh interval for computers and the Group
Policy refresh interval for domain controllers both to 0.
Then I enabled Scripts policy processing and marked the box next to "process
even if the group policy objects have not changed"
This was done in both the local security policy as well as the default
domain controllers policy.

This has set my GPO's to refresh about every 7 seconds at most. This was
the temporary solution I was trying to obtain.

If someone makes a reference to another post, then please read it before
making a comment like this:

> While Restricted Groups solve most of this problem, taking
> away the privileges of an admin who abuses them may make
> MORE SENSE.

I am working with a breached system and was trying to take away privledges
of a hacker-with admin rights.

Thanks anyway,

Todd

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

"Todd" <Todd@discussions.microsoft.com> wrote in message
news:B232F46E-03B6-4532-931A-D87B5A45CC8E@microsoft.com...
> I found the solution...kinda.
>
> I went to computer configuration, administrative templates, system, group
> policy...
> Then I changed the Group Policy refresh interval for computers and the
Group
> Policy refresh interval for domain controllers both to 0.
> Then I enabled Scripts policy processing and marked the box next to
"process
> even if the group policy objects have not changed"
> This was done in both the local security policy as well as the default
> domain controllers policy.
>
> This has set my GPO's to refresh about every 7 seconds at most. This was
> the temporary solution I was trying to obtain.
>
> If someone makes a reference to another post, then please read it before
> making a comment like this:
>
> > While Restricted Groups solve most of this problem, taking
> > away the privileges of an admin who abuses them may make
> > MORE SENSE.
>
> I am working with a breached system and was trying to take away privledges
> of a hacker-with admin rights.
>
>

Note that if they has code implanted running as System you control
over Administrators, Domain Admins, Enterprise Admins is not
going to cut them off, assuming they can get the packets they want
to delivered to their implanted code. System is a hidden, always
present member of Administrators.

--
Roger Abell
Microsoft MVP (Windows Security)