[THIN] Re: GPO Debate

  • From: "Joe Shonk" <joe.shonk@xxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Sun, 1 Feb 2009 15:27:42 -0700

Well, it should be pretty simple to test.  However, and unplugged server is
the most secure (network wise,  physical access is a different story) of the
all.  I joke with my customers when they go overboard on security I suggest
unplugging it.

 

And just GPO setting are we talking about?  It could be simple enough to
write a script that makes the appropriate registry changes.

 

Joe

 

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Greg Reese
Sent: Sunday, February 01, 2009 1:02 PM
To: Thin
Subject: [THIN] GPO Debate

 

I admit that as I have been in this career for over 15 years, there may be
some things that I still don't understand, or worse, some things that I
don't understand as well as I think i do.  But keeping an open mind and
being willing to learn something from everyone I meet has served me pretty
well.

currently, I am having a debate over  GPO use with a colleague  (for those
of you in government work, think "IA asshole").

anyway, the debate is that setting a GPO at the domain or OU level does not
properly protect a server because as soon as the the server is unplugged
from the network, the settings disappear leaving the server in an
unprotected state.  So this person nwants us to make all adjustments by hand
with local policies.  As much as my gut tells me this is wrong, I really
don't have anything to back it up with.

I say the settings will stay applied in the absence of the rest of the
domain structure or servers being present.  But the more I thnk about it, I
really don't know how it really works.  I am going to setup a test next week
but figured it was worth throwing out to all of you.

Thanks!

Greg

Other related posts: