Well, if you set the local computer security settings for "Do not allow enumeration of SAM accounts and shares" to "No access", you cannot dump any SAM information via a NULL session, unless you have a specific user account and password with at least User rights. Since this is going to be a DMZ machine, set this to "No Access", and you should be fine. Also, make sure that you have specific port filtering on your DMZ machine, and also on your firewall.

Chris

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Ziots, Edward
Sent: Friday, February 14, 2003 8:37 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Security Templates issue with Local GPO on Win2k Standalone.

Folks,

Thanks to Chris Lynch I found my answer to this. It seems since I don't have AD, I will not be able to take advantage of the restricted groups setting, because the restricted groups setting is not included in the local GPO of Win2k Workstation/Server. Which is pretty sad, but true.

The only way you can do this is to set up a template with the restricted groups settings, and export a database of the current settings, and then import the template settings, via script against that database and apply to the local GPO. (Don't; secedit /refreshpolicy does nothing to help.) (Making a scheduled task of this would be the best bet.)

But what really sucks is there is not a great way of making a standalone Windows 2K Bastion Host, IIS/DNS/ISA server not vulnerable from attacks such as pipeupadmin or getadmin, or LSA Dump, which is something you really gotta do, before you put a system in your DMZ, unless you want it compromised really quick.

Ed

-----Original Message-----
From: Ziots, Edward [mailto:EZiots@xxxxxxxxxxxx]
Sent: Thursday, February 13, 2003 4:41 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Security Templates issue with Local GPO on Win2k Standalone.

To the list,

I know this might be a little OT, but here is what I am trying to do, via Local GPO on a new External DNS Server I need to put out for my organization.

1) I have configured a security template which locks down the unneeded services, and ACLs them so that only Administrators can disable them if so desired.

2) The security template also makes use of the Restricted Groups functionality, in which I have added all the local accounts which will only be a member of the administrators group and no others.

I validated the security template and then ran the following command:

secedit /configure /db db.sdb /CFG template.inf /overwrite /areas GROUP_MGMT /log log.log /verbose

I looked at the log; everything worked fine.

I ran secedit /refreshpolicy machine_policy /enforce and secedit /refreshpolicy user_policy /enforce.

I then go ahead and add the TSINTERNETUSER via terminal services to the administrators group, which via local GPO being applied it should be removed. When I reboot, the account still exists in the local administrators group.

Do any of the GPO gurus have some suggestions? This is an External Win2k Standalone system with SP3, and all the needed hotfixes.

Thanks in advance,

Ed

*********************************************************
This Week's Sponsor - RTO Software / TScale
TScale increases terminal server capacity.
Get 30-40% more users per server to save $$$ and time.
Add users now! - not more servers. If you're using Citrix,
you must learn about TScale! Free 30-day eval:
http://www.rtosoft.com/Enter.asp?ID=79
**********************************************************
For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm
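A security template of the kind the thread describes, added here as an example and not taken from any of the list posts: a [Group Membership] section that restricts the local Administrators group (well-known SID S-1-5-32-544) to the built-in Administrator account, plus a [Registry Values] entry for RestrictAnonymous, the registry value behind the anonymous-connection policy Chris refers to. The file name and the choice of Administrator as the sole member are assumptions.

```ini
; restrict_admins.inf -- constructed example template, not from the thread.
; Apply on the standalone host with:
;   secedit /configure /db db.sdb /cfg restrict_admins.inf /areas SECURITYPOLICY GROUP_MGMT /log log.log /verbose
; (GROUP_MGMT covers [Group Membership]; [Registry Values] is in the SECURITYPOLICY area.)
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

; Restricted Groups. S-1-5-32-544 is the local Administrators group.
; __Members lists the ONLY accounts allowed in the group: when the template is
; applied, anything else (e.g. an account added through Terminal Services) is removed.
; __Memberof is left empty so Administrators is not added to any other group.
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator

; Registry Values. "4" is the value type (REG_DWORD), followed by the data.
; RestrictAnonymous on Windows 2000:
;   0 = rely on default permissions
;   1 = do not allow enumeration of SAM accounts and shares
;   2 = no access without explicit anonymous permissions (the "No access" choice)
; 2 is the DMZ-host setting suggested in the reply; it can break down-level
; clients and browse-list behaviour, so verify required services still work.
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
```

Because there is no domain GPO to re-enforce the setting, membership only returns to this list each time secedit /configure is run against the template, which is why a scheduled re-application (as Ed concludes) is needed; secedit /analyze against the same database shows any drift before it is corrected.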