[THIN] Re: Security Templates issue with Local GPO on Win2k Standalone.

  • From: "Chris Lynch" <lynch00@xxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Mon, 17 Feb 2003 09:26:28 -0800


Well, if you set the local computer security settings for "Do not allow
enumeration of SAM accounts and shares" to "No access", you cannot dump
any SAM information via a NULL session, unless you have a specific user
account and password with at least User rights.  Since this is going to
be a DMZ machine, set this to "No Access", and you should be fine.
Also, make sure that you have specific port filtering on your DMZ
machine, and also on your firewall.

Chris

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Ziots, Edward
Sent: Friday, February 14, 2003 8:37 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Security Templates issue with Local GPO on Win2k Standalone.



Folks,

Thanks to Chris Lynch I found my answer to this. It seems since I don't
have AD, I will not be able to take advantage of the restricted groups
setting, because the restricted groups setting is not included in the
local GPO of Win2k Workstation/Server. Which is pretty sad, but true.

The only way you can do this is to set up a template with the restricted
groups settings, and export a database of the current settings, and then
import the template settings, via script against that database and apply
to the local GPO. (Don't secedit /refreshpolicy does nothing to help)
(Making a scheduled task of this would be the best bet.) But what really
sucks is there is not a great way of making a standalone Windows 2K
Bastion Host, IIS/DNS/ISA server not vulnerable from attacks such as
pipeupadmin or getadmin, or LSA Dump, which is something you really
gotta do, before you put a system in your DMZ, unless you want it
compromised really quick.

Ed

-----Original Message-----
From: Ziots, Edward [mailto:EZiots@xxxxxxxxxxxx]
Sent: Thursday, February 13, 2003 4:41 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Security Templates issue with Local GPO on Win2k Standalone.



To the list,

I know this might be a little OT, but here is what I am trying to do,
via Local GPO on a new External DNS Server I need to put out for my
organization.

1) I have configured a security template which locks down the unneeded
services, and ACLs them so that only Administrators can disable them if
so desired.
2) The security template also makes use of the Restricted Groups
functionality, in which I have added all the local accounts in which
will only be a member of the administrators group and no others.

I validated the Security template and then ran the following command:

secedit /configure /db db.sdb /CFG template.inf /overwrite /areas GROUP_MGMT /log log.log /verbose

I looked at the log; everything worked fine.

I ran secedit /Refreshpolicy machine_policy /enforce and secedit
/refreshpolicy user_policy /enforce.

I then go ahead and add the TSINTERNETUSER via terminal services to the
administrators group, which via local GPO being applied it should be
removed. When I reboot, the account still exists in the local
administrators group.

Do any of the GPO gurus have some suggestions? This is an External
Win2k Standalone system with SP3, and all the needed hotfixes.

Thanks in advance,
Ed
*********************************************************
This Week's Sponsor - RTO Software / TScale
TScale increases terminal server capacity.
Get 30-40% more users per server to save $$$ and time.
Add users now! - not more servers. If you're using Citrix,
you must learn about TScale!  Free 30-day eval:
http://www.rtosoft.com/Enter.asp?ID=79
**********************************************************

For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm
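
Added example (not part of the original thread or written by its participants): a Python check for the situation Ed tested, where an account sits in the local Administrators group without being listed in the template's Restricted Groups entry. The template text, the `dnsadmin` account and the `net localgroup` output are constructed samples, and the template is assumed to list members by account name rather than by SID.

```python
# Constructed sample: Restricted Groups section of a security template (.inf).
TEMPLATE_INF = """\
[Group Membership]
Administrators__Memberof =
Administrators__Members = Administrator,dnsadmin
"""
# Constructed sample: output of `net localgroup Administrators`.
NET_LOCALGROUP = """\
Alias name     Administrators

Members

-------------------------------------------------------------------------------
Administrator
dnsadmin
TSINTERNETUSER
The command completed successfully.
"""

def template_members(inf_text, group):
    """Lower-cased accounts the template allows in `group`, or None."""
    section, wanted = None, (group + "__members").lower()
    for line in map(str.strip, inf_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "group membership" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == wanted:
                return {m.strip().lower() for m in value.split(",") if m.strip()}
    return None  # the template does not restrict this group

def actual_members(net_output):
    """Account names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in net_output.splitlines():
        if line.startswith("-----"):
            in_list = True
        elif in_list:
            if not line.strip() or line.startswith("The command completed"):
                break
            members.append(line.strip())
    return members

def unexpected_members(inf_text, net_output, group="Administrators"):
    """Accounts in the live group that the template does not list."""
    allowed = template_members(inf_text, group)
    if allowed is None:
        raise ValueError(group + " is not a restricted group in this template")
    return [m for m in actual_members(net_output) if m.lower() not in allowed]
```

A non-empty result from `unexpected_members` means the live group has drifted from the template and the `secedit /configure` run needs to be repeated.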