Not Defined vs. Disabled Security Settings

Archived from groups: microsoft.public.win2000.security (More info?)

If security options settings are left as "not defined", how does that differ
from "disabled"? For example, if the setting "Devices: Restrict CD_ROM
access....." is left not defined what state is it in?

If you do not want a setting to be active is it ok to leave it not defined
or should you specifically set it to "disabled"?
5 answers Last reply
More about defined disabled security settings
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    "SecAdmin" <SecAdmin@discussions.microsoft.com> wrote in message
    news:099DCF17-2866-4E0D-BB85-94760312589B@microsoft.com...
    > If security options settings are left as "not defined", how does that
    differ
    > from "disabled"? For example, if the setting "Devices: Restrict CD_ROM
    > access....." is left not defined what state is it in?

    The default state (in this case unrestricted) OR
    the state of any previous GPO which would set it.


    > If you do not want a setting to be active is it ok to leave it not defined
    > or should you specifically set it to "disabled"?

    In other words the difference between "not defined"
    and "disable" is QUITE striking since disabled means
    this setting will NOT be the case (i.e., the negative
    will be the case), but "not defined" says NOTHING
    about the state (i.e., it is left unchanged from what it
    was before the policy was processed.)

    There also are difference in a "No override" policy
    since with "not defined" there is nothing to override
    and subsequent policies may change this setting (either
    way.)

    --
    Herb Martin
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    Not defined can be dangerous for security options. There is a default
    setting for undefined but if a policy had been previously applied and then
    set back to undefined you can have unpredictable results and undefined may
    not longer mean the default setting. If you want a security option to be
    either enabled or disabled then configure it exactly the way you want it. It
    is also a good idea to use the Security Configuration and Analysis mmc
    snapin tool to check for security settings against a template such as setup
    security.inf to see what it reports with an analysis compared to what you
    expect. The various free Microsoft security guides can be very helpful when
    looking for information on security options such as the Windows 2000
    Security Hardening Guide available at the link below. --- Steve

    http://www.microsoft.com/technet/security/prodtech/windows2000/win2khg/05sconfg.mspx

    "SecAdmin" <SecAdmin@discussions.microsoft.com> wrote in message
    news:099DCF17-2866-4E0D-BB85-94760312589B@microsoft.com...
    > If security options settings are left as "not defined", how does that
    > differ
    > from "disabled"? For example, if the setting "Devices: Restrict CD_ROM
    > access....." is left not defined what state is it in?
    >
    > If you do not want a setting to be active is it ok to leave it not defined
    > or should you specifically set it to "disabled"?
  3. Archived from groups: microsoft.public.win2000.security (More info?)

    "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    news:ubPf#vJGFHA.560@TK2MSFTNGP15.phx.gbl...
    > Not defined can be dangerous for security options. There is a default
    > setting for undefined but if a policy had been previously applied and then
    > set back to undefined you can have unpredictable results and undefined may
    > not longer mean the default setting.

    While what Steven says it true, 'undefined' may be very
    useful too (the vast majority of GPO setting may remained
    undefined).

    Undefined just means THIS GPO will not make a change
    (or enforce a setting) either way.

    > If you want a security option to be
    > either enabled or disabled then configure it exactly the way you want it.

    Exactly, but if you are setting it from another GPO
    there is no reason to ALWAYS set the same options
    since it is common to divide up GPOs by the general
    "purpose" of that GPO and there may be many items
    you just don't care about -- or at least not at the "level"
    (Site, Domain, OU) or in that GPO.

    > It
    > is also a good idea to use the Security Configuration and Analysis mmc
    > snapin tool to check for security settings against a template such as
    setup
    > security.inf to see what it reports with an analysis compared to what you
    > expect.

    Good advice too.

    > The various free Microsoft security guides can be very helpful when
    > looking for information on security options such as the Windows 2000
    > Security Hardening Guide available at the link below. --- Steve

    http://www.microsoft.com/technet/security/prodtech/windows2000/win2khg/05sconfg.mspx


    --
    Herb Martin


    >
    > >
    > "SecAdmin" <SecAdmin@discussions.microsoft.com> wrote in message
    > news:099DCF17-2866-4E0D-BB85-94760312589B@microsoft.com...
    > > If security options settings are left as "not defined", how does that
    > > differ
    > > from "disabled"? For example, if the setting "Devices: Restrict CD_ROM
    > > access....." is left not defined what state is it in?
    > >
    > > If you do not want a setting to be active is it ok to leave it not
    defined
    > > or should you specifically set it to "disabled"?
    >
    >
  4. Archived from groups: microsoft.public.win2000.security (More info?)

    I certainly don't propose that a user needs to define all settings in a
    Group Policy. That would be a huge headache to say the least. I was
    specifically referring to security options which are mostly defined already
    in Local Security Policy and can cause a lot of problems if incompatible
    settings are unintentiallly configured. The administrative templates
    settings in Group Policy are usually very good about reverting back to what
    they are supposed to be as explained in the setting description when set
    back to undefined . --- Steve


    "Herb Martin" <news@LearnQuick.com> wrote in message
    news:OVcAwCKGFHA.2736@TK2MSFTNGP09.phx.gbl...
    > "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    > news:ubPf#vJGFHA.560@TK2MSFTNGP15.phx.gbl...
    >> Not defined can be dangerous for security options. There is a default
    >> setting for undefined but if a policy had been previously applied and
    >> then
    >> set back to undefined you can have unpredictable results and undefined
    >> may
    >> not longer mean the default setting.
    >
    > While what Steven says it true, 'undefined' may be very
    > useful too (the vast majority of GPO setting may remained
    > undefined).
    >
    > Undefined just means THIS GPO will not make a change
    > (or enforce a setting) either way.
    >
    >> If you want a security option to be
    >> either enabled or disabled then configure it exactly the way you want it.
    >
    > Exactly, but if you are setting it from another GPO
    > there is no reason to ALWAYS set the same options
    > since it is common to divide up GPOs by the general
    > "purpose" of that GPO and there may be many items
    > you just don't care about -- or at least not at the "level"
    > (Site, Domain, OU) or in that GPO.
    >
    >> It
    >> is also a good idea to use the Security Configuration and Analysis mmc
    >> snapin tool to check for security settings against a template such as
    > setup
    >> security.inf to see what it reports with an analysis compared to what you
    >> expect.
    >
    > Good advice too.
    >
    >> The various free Microsoft security guides can be very helpful when
    >> looking for information on security options such as the Windows 2000
    >> Security Hardening Guide available at the link below. --- Steve
    >
    > http://www.microsoft.com/technet/security/prodtech/windows2000/win2khg/05sconfg.mspx
    >
    >
    > --
    > Herb Martin
    >
    >
    >>
    >> >
    >> "SecAdmin" <SecAdmin@discussions.microsoft.com> wrote in message
    >> news:099DCF17-2866-4E0D-BB85-94760312589B@microsoft.com...
    >> > If security options settings are left as "not defined", how does that
    >> > differ
    >> > from "disabled"? For example, if the setting "Devices: Restrict CD_ROM
    >> > access....." is left not defined what state is it in?
    >> >
    >> > If you do not want a setting to be active is it ok to leave it not
    > defined
    >> > or should you specifically set it to "disabled"?
    >>
    >>
    >
    >
  5. Archived from groups: microsoft.public.win2000.security (More info?)

    "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    news:#v1BjyKGFHA.1260@TK2MSFTNGP12.phx.gbl...
    > I certainly don't propose that a user needs to define all settings in a
    > Group Policy. That would be a huge headache to say the least. I was
    > specifically referring to security options which are mostly defined
    already
    > in Local Security Policy and can cause a lot of problems if incompatible
    > settings are unintentiallly configured.

    Thus the reason for leaving them undefined
    in all but those policies where you are explicitly
    changing OR overiding them.
Ask a new question

Read More

Security Microsoft Windows