[gptalk] Re: All Vista users can see your OU structure by default - and download GPO's to their local hard drive

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 15 Sep 2006 09:15:10 -0700

The ability for regular users to read and backup GPOs using GPMC has been
there all along. I actually wrote about this is in the whitepaper I
mentioned (which is now out at
http://www.desktopstandard.com/pdf/wp-How_Secure_Is_Group_Policy.pdf). It is
really hard to get around as well. If a user needs to process a GPO, you
can't really permission SYSVOL to prevent them from reading certain files.
However, it does bring up the point that for certain organizations, it may
be prudent to always remove the Authenticated Users Read ACE from any GPOs
that should not be read by any user, and that can be targeted to a specific
user group. 
I can't speak to the ntbackup issue or the app you mentioned, but I suspect
a lot of apps may either break or require privilege escalation when Vista
ships. I don't think that's necessarily a bad thing. There's so many lousy
apps out there that require you to run as admin that its about time they
were forced to move in the right direction. Having users as local admin is
just a recipe for disaster these days.


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Mills, Mark
Sent: Friday, September 15, 2006 8:59 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] All Vista users can see your OU structure by default - and
download GPO's to their local hard drive


All users able to see your OU structure -


(as mentioned before GPMC.MSC is installed on all Vista clients by default) 


Not only does a user who is only in the "domain user" group have access to
see the structure, I was able to do a backup of GPO's (the option was not
grayed out) to my local hard drive.  The backup included copies of all
scripts used by the GPO.  This means a user can easily find the Executive
Users group OU that you may have configured for Company Board Members,
download their Policies to review (and backup), and look at any scripts to
see what resources they might have access to.  

I hesitate to think about young admin who might put a plain text password in
a script.  I don't work at a large enterprise, and I realize that because of
that my knowledge of proper security procedure might be limited - do you
guys in the larger enterprises go into the sysvol directory and apply
security permissions to directories that contain GPO's for employees and
restrict access to that directory so that only the employees who need access
to that GPO have access? 


Example: By default everyone has read access to the Sysvol directory and its
subfolders.  So if you want to block access from a user who does not need
access to the GPO  at \\domaincontroller\SYSVOL\<my
domain.com>\Policies\{DH3EA850-8HFA-4117-8HEA-3BH59C49A82B}  do you modify
the security tab to allow only those users that need access?  Do you do this
for every GPO - and then you would have to also modify the contents of the
\\domaincontroller\SYSVOL\<my domain.com>\scripts directory to make sure
users are only allowed read access to the scripts they use instead of the
default permissions of being able to read everyone's scripts.  What am I
missing here?


On separate notes-

ntbackup no longer exists on Vista. The new utility "sdclt" does not appear
to support command line parameters, and did not let me save a backup job to
a local volume or local drive, it only gave me options to save on a
writeable DVD or a network share.  This is a bummer for me if Longhorn acts
the same way.  I used to do backups of 1) a web forum database and 2) online
webstore database on a web server once an hour to a local directory on that
webserver.  The purpose was that if something should happen to corrupt the
online sales database or forum, I could return it to the state it was the
previous hour, instead of all the way back to the tape backup the night
before.  I'm sure it may be the same thing for all those people who backup
Exchange with NTBackup  (I use BackupExec personally) 


Also GenControl http://www.gensortium.com/products/gencontrol.html didn't
work on Vista - it remotely installs VNC on a PC and gives you instant
Desktop Control (when your user has proper permissions).   



Mark Mills 


Other related posts: