Sign in with
Sign up | Sign in
Your question

Not Defined vs. Disabled Security Settings

Last response: in Windows 2000/NT
Share
Anonymous
a b 8 Security
February 21, 2005 12:35:02 PM

Archived from groups: microsoft.public.win2000.security (More info?)

If security options settings are left as "not defined", how does that differ
from "disabled"? For example, if the setting "Devices: Restrict CD_ROM
access....." is left not defined what state is it in?

If you do not want a setting to be active is it ok to leave it not defined
or should you specifically set it to "disabled"?
Anonymous
a b 8 Security
February 21, 2005 8:56:48 PM

Archived from groups: microsoft.public.win2000.security (More info?)

"SecAdmin" <SecAdmin@discussions.microsoft.com> wrote in message
news:099DCF17-2866-4E0D-BB85-94760312589B@microsoft.com...
> If security options settings are left as "not defined", how does that
differ
> from "disabled"? For example, if the setting "Devices: Restrict CD_ROM
> access....." is left not defined what state is it in?

The default state (in this case unrestricted) OR
the state of any previous GPO which would set it.


> If you do not want a setting to be active is it ok to leave it not defined
> or should you specifically set it to "disabled"?

In other words the difference between "not defined"
and "disable" is QUITE striking since disabled means
this setting will NOT be the case (i.e., the negative
will be the case), but "not defined" says NOTHING
about the state (i.e., it is left unchanged from what it
was before the policy was processed.)

There also are difference in a "No override" policy
since with "not defined" there is nothing to override
and subsequent policies may change this setting (either
way.)

--
Herb Martin
Anonymous
a b 8 Security
February 22, 2005 2:04:32 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Not defined can be dangerous for security options. There is a default
setting for undefined but if a policy had been previously applied and then
set back to undefined you can have unpredictable results and undefined may
not longer mean the default setting. If you want a security option to be
either enabled or disabled then configure it exactly the way you want it. It
is also a good idea to use the Security Configuration and Analysis mmc
snapin tool to check for security settings against a template such as setup
security.inf to see what it reports with an analysis compared to what you
expect. The various free Microsoft security guides can be very helpful when
looking for information on security options such as the Windows 2000
Security Hardening Guide available at the link below. --- Steve

http://www.microsoft.com/technet/security/prodtech/wind...

"SecAdmin" <SecAdmin@discussions.microsoft.com> wrote in message
news:099DCF17-2866-4E0D-BB85-94760312589B@microsoft.com...
> If security options settings are left as "not defined", how does that
> differ
> from "disabled"? For example, if the setting "Devices: Restrict CD_ROM
> access....." is left not defined what state is it in?
>
> If you do not want a setting to be active is it ok to leave it not defined
> or should you specifically set it to "disabled"?
Related resources
Can't find your answer ? Ask !
Anonymous
a b 8 Security
February 22, 2005 2:26:41 AM

Archived from groups: microsoft.public.win2000.security (More info?)

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:ubPf#vJGFHA.560@TK2MSFTNGP15.phx.gbl...
> Not defined can be dangerous for security options. There is a default
> setting for undefined but if a policy had been previously applied and then
> set back to undefined you can have unpredictable results and undefined may
> not longer mean the default setting.

While what Steven says it true, 'undefined' may be very
useful too (the vast majority of GPO setting may remained
undefined).

Undefined just means THIS GPO will not make a change
(or enforce a setting) either way.

> If you want a security option to be
> either enabled or disabled then configure it exactly the way you want it.

Exactly, but if you are setting it from another GPO
there is no reason to ALWAYS set the same options
since it is common to divide up GPOs by the general
"purpose" of that GPO and there may be many items
you just don't care about -- or at least not at the "level"
(Site, Domain, OU) or in that GPO.

> It
> is also a good idea to use the Security Configuration and Analysis mmc
> snapin tool to check for security settings against a template such as
setup
> security.inf to see what it reports with an analysis compared to what you
> expect.

Good advice too.

> The various free Microsoft security guides can be very helpful when
> looking for information on security options such as the Windows 2000
> Security Hardening Guide available at the link below. --- Steve

http://www.microsoft.com/technet/security/prodtech/wind...


--
Herb Martin


>
> >
> "SecAdmin" <SecAdmin@discussions.microsoft.com> wrote in message
> news:099DCF17-2866-4E0D-BB85-94760312589B@microsoft.com...
> > If security options settings are left as "not defined", how does that
> > differ
> > from "disabled"? For example, if the setting "Devices: Restrict CD_ROM
> > access....." is left not defined what state is it in?
> >
> > If you do not want a setting to be active is it ok to leave it not
defined
> > or should you specifically set it to "disabled"?
>
>
Anonymous
a b 8 Security
February 22, 2005 4:03:40 AM

Archived from groups: microsoft.public.win2000.security (More info?)

I certainly don't propose that a user needs to define all settings in a
Group Policy. That would be a huge headache to say the least. I was
specifically referring to security options which are mostly defined already
in Local Security Policy and can cause a lot of problems if incompatible
settings are unintentiallly configured. The administrative templates
settings in Group Policy are usually very good about reverting back to what
they are supposed to be as explained in the setting description when set
back to undefined . --- Steve


"Herb Martin" <news@LearnQuick.com> wrote in message
news:o VcAwCKGFHA.2736@TK2MSFTNGP09.phx.gbl...
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:ubPf#vJGFHA.560@TK2MSFTNGP15.phx.gbl...
>> Not defined can be dangerous for security options. There is a default
>> setting for undefined but if a policy had been previously applied and
>> then
>> set back to undefined you can have unpredictable results and undefined
>> may
>> not longer mean the default setting.
>
> While what Steven says it true, 'undefined' may be very
> useful too (the vast majority of GPO setting may remained
> undefined).
>
> Undefined just means THIS GPO will not make a change
> (or enforce a setting) either way.
>
>> If you want a security option to be
>> either enabled or disabled then configure it exactly the way you want it.
>
> Exactly, but if you are setting it from another GPO
> there is no reason to ALWAYS set the same options
> since it is common to divide up GPOs by the general
> "purpose" of that GPO and there may be many items
> you just don't care about -- or at least not at the "level"
> (Site, Domain, OU) or in that GPO.
>
>> It
>> is also a good idea to use the Security Configuration and Analysis mmc
>> snapin tool to check for security settings against a template such as
> setup
>> security.inf to see what it reports with an analysis compared to what you
>> expect.
>
> Good advice too.
>
>> The various free Microsoft security guides can be very helpful when
>> looking for information on security options such as the Windows 2000
>> Security Hardening Guide available at the link below. --- Steve
>
> http://www.microsoft.com/technet/security/prodtech/wind...
>
>
> --
> Herb Martin
>
>
>>
>> >
>> "SecAdmin" <SecAdmin@discussions.microsoft.com> wrote in message
>> news:099DCF17-2866-4E0D-BB85-94760312589B@microsoft.com...
>> > If security options settings are left as "not defined", how does that
>> > differ
>> > from "disabled"? For example, if the setting "Devices: Restrict CD_ROM
>> > access....." is left not defined what state is it in?
>> >
>> > If you do not want a setting to be active is it ok to leave it not
> defined
>> > or should you specifically set it to "disabled"?
>>
>>
>
>
Anonymous
a b 8 Security
February 22, 2005 1:38:04 PM

Archived from groups: microsoft.public.win2000.security (More info?)

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:#v1BjyKGFHA.1260@TK2MSFTNGP12.phx.gbl...
> I certainly don't propose that a user needs to define all settings in a
> Group Policy. That would be a huge headache to say the least. I was
> specifically referring to security options which are mostly defined
already
> in Local Security Policy and can cause a lot of problems if incompatible
> settings are unintentiallly configured.

Thus the reason for leaving them undefined
in all but those policies where you are explicitly
changing OR overiding them.
!