Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Domain logon without network connection + group policies

from [Ghetti, Tim] Network Security [Permanent Link]
Subject: RE: Domain logon without network connection + group policies
Date: Mon, 31 Jan 2005 18:06:28 -0500 
 comments inline...


-----Original Message-----
From: Laura A. Robinson [mailto:larobins@bellatlantic.net] 
Sent: Saturday, January 29, 2005 2:24 PM
To: Ghetti, Tim; 'Manuel Sousa'; focus-ms@securityfocus.com
Subject: RE: Domain logon without network connection + group policies



Through group policy, you can forbid logon without DC 

authentication.

Actually, the setting to which I believe you refer is for 
*unlocking* machines, not logging into them in the first place.


Actually, this is the setting I'm talking about.
(Computer Configuration\Windows Settings\Security Settings\Local
Policies\Security Options\Number of previous logons to cache)


(Computer Configuration\Windows Settings\Security 
Settings\Local Policies\Security Options\Interactive logon: 
Require Domain Controller authentication to unlock workstation)

Additionally, one can be authenticated by a DC without 
pulling down policies. Tricky timing, but authentication and 
group policy processing are separate processes


This is true, but if you set the following, in addition, windows waits
for all GP's before even giving the user the option to log in.
(Computer Configuration\Administrative Templates\System\logon\Always
wait for the network at computer startup and logon)
Not to mention, I belienve 200 pro, processes all gp's before logon


Under Security in GP "Number of previous logons to cache" 
Change this to 0.


See above.


*****word of warning though,
if you have any laptop users, you will run into a rather 

big problem.

They will not be able to use their system off the network.
Another option if forcing a group policy refresh. The 

normal operation 

is that every 90-120 minutes GP refreshes, but only if the version 
number has changed (you've made a policy change). You can 

force GP to 

refresh every X minutes regardless. Under GP go to --- Computer 
Configuration --> Administrative Templates --> System --> Group 
Policy, and configure it there.


As the OP mentioned, this won't work if they've never gotten 
the policy in the first place.


Laura


--------------------------------------------------------------
-------------
--------------------------------------------------------------
-------------





---------------------------------------------------------------------------
---------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Next by Date:  RE: Domain logon without network connection + group policies, Laura A. Robinson
Next by Thread:  RE: Domain logon without network connection + group policies, Laura A. Robinson
Indexes:  [Date] [Thread] [Top] [All Lists]