[THIN] Re: Security Templates issue with Local GPO on Win2k Standalone.

  • From: "Ziots, Edward" <EZiots@xxxxxxxxxxxx>
  • To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
  • Date: Fri, 14 Feb 2003 11:37:05 -0500

Folks, 

Thanks to Chris Lynch I found my answer to this. It seems since I don't have
AD, I will not be able to take advantage of the restricted groups setting,
because the restricted groups setting is not included in the local GPO of
Win2k Workstation/Server. Which is pretty sad, but true. 

The only way you can do this is to set up a template with the restricted
groups settings, and export a database of the current settings, and then
import the template settings, via script against that database and apply to
the local GPO. (Don't secedit /refreshpolicy does nothing to help) (Making
a scheduled task of this would be the best bet.) But what really sucks is
there is not a great way of making a standalone Windows 2K Bastion Host,
IIS/DNS/ISA server not vulnerable from attacks such as pipeupadmin or
getadmin, or LSA Dump, which is something you really gotta do, before you
put a system in your DMZ, unless you want it compromised really quick. 

Ed

-----Original Message-----
From: Ziots, Edward [mailto:EZiots@xxxxxxxxxxxx]
Sent: Thursday, February 13, 2003 4:41 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Security Templates issue with Local GPO on Win2k
Standalone. 



To the list, 

I know this might be a little OT, but here is what I am trying to do, via
Local GPO on a new External DNS Server I need to put out for my
organization. 

1) I have configured a security template which locks down the unneeded
services, and ACLs them so that only Administrators can disable them if so
desired. 
2) The security template also makes use of the Restricted Groups
functionality, in which I have added all the local accounts which will
only be a member of the administrators group and no others. 

I validated the Security template and then ran the following command secedit
/configure /db db.sdb /CFG template.inf /overwrite /areas GROUP_MGMT /log
log.log /verbose. 

I looked at the log everything worked fine. 

I ran secedit /Refreshpolicy machine_policy /enforce and secedit
/refreshpolicy user_policy /enforce. 

I then go ahead and add the TSINTERNETUSER via terminal services to the
administrators group, which via local GPO being applied it should be
removed. When I reboot, the account still exists in the local administrators
group. 

Do any of the GPO gurus have some suggestions? This is an External Win2k
Standalone system with SP3, and all the needed hotfixes. 

Thanks in advance, 
Ed
*********************************************************
This Week's Sponsor - RTO Software / TScale
TScale increases terminal server capacity. 
Get 30-40% more users per server to save $$$ and time. 
Add users now! - not more servers. If you're using Citrix, 
you must learn about TScale!  Free 30-day eval:
http://www.rtosoft.com/Enter.asp?ID=79
**********************************************************

For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm
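
A scheduled re-apply of the template, as described in the reply above, can be paired with a check that reports drift between the template's [Group Membership] section and the live group. The Python below is an added example, not code from the thread; the sample template and the account name dnsadmin are constructed, and the live member list is assumed to be collected separately on the host.

```python
import configparser

# Constructed sample template; only [Group Membership] matters here.
# *S-1-5-32-544 is the well-known SID of the built-in Administrators group.
# "dnsadmin" is a hypothetical local account used for illustration.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator,dnsadmin
"""


def restricted_groups(inf_text):
    """Return {group: set of allowed members, lowercased} from a template."""
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep keys exactly as written in the template
    cp.read_string(inf_text)
    groups = {}
    if not cp.has_section("Group Membership"):
        return groups
    for key, value in cp.items("Group Membership"):
        # Keys look like "<group>__Members" or "<group>__Memberof".
        group, sep, kind = key.rpartition("__")
        if sep and kind.lower() == "members":
            groups[group] = {
                m.strip().lower() for m in value.split(",") if m.strip()}
    return groups


def membership_drift(allowed, current):
    """Compare a group's live members with the template's allowed set."""
    live = {m.strip().lower() for m in current}
    return {"unexpected": sorted(live - allowed),
            "missing": sorted(allowed - live)}


if __name__ == "__main__":
    allowed = restricted_groups(SAMPLE_TEMPLATE)["*S-1-5-32-544"]
    # Constructed live membership: TsInternetUser was added by hand.
    print(membership_drift(allowed, ["Administrator", "TsInternetUser"]))
```

Accounts listed under "unexpected" are the ones a Restricted Groups enforcement pass would remove from the group.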