Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: security policy 'not specified' option

from [Alexander Suhovey] Network Security [Permanent Link]
Subject: RE: security policy 'not specified' option
Date: Fri, 21 Oct 2005 12:51:02 +0400 
-----Original Message-----
From: matthew patton [mailto:pattonme@yahoo.com]
Sent: Friday, October 21, 2005 12:57 AM
To: focus-ms@securityfocus.com
Subject: security policy 'not specified' option

Some time back I used a security policy editor that had 3 options:
enabled, disabled, and 'unset'. By not setting it either way, the
machine inherited the domain settings. 


Actually, group policy precedence works opposite way. The principle called
LSDOU which stands for "Local > Site > Domain-wide > OU" [1]. Domain
policies have higher priority since they are applied later. So if particular
policy is defined on any of domain levels it will take precedence over local
policy. On that note, you don't _have_ to configure local policies on domain
computers since you could always use domain policies which are much easier
to manage.


Unfortunately the standard
system policy editors shipped with 2K/2K3/XP don't appear to have that
3rd option which means now I've got all kinds of machine running with
who knows what setting and ignoring the domain policy. And once you've
selected en/disabled via the radio box, there isn't a way to unset it.
How do I dig myself out of this?


For this you can use Security Templates MMC snap-in to create a policy
template (inf file). You can also export current policy using secedit.exe
command line tool. Then distribute it to your client computers. You can:
- import template using secpol.msc MMC snap-in
- apply template using Security Configuration and Analysis snap-in
- apply template using secedit.exe

For more information on this please refer to built-in Windows help [2].


References (watch for line wraps):

[1] "Windows 2000 Security Policies Overview"
http://www.microsoft.com/technet/security/prodtech/windows2000/w2kccadm/win2
kpol/w2kadm02.mspx

[2]"Automating security configuration tasks"
Start > Run > hh.exe
ms-its:%windr%\Help\secedit.chm::/sag_SECedittopnode.htm


--
Al



---------------------------------------------------------------------------
---------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: security policy 'not specified' option, Slawek
Next by Date:  Change Password, Cristian Brolin
Previous by Thread:  Re: security policy 'not specified' option, Thor (Hammer of God)
Next by Thread:  Re: security policy 'not specified' option, Thor (Hammer of God)
Indexes:  [Date] [Thread] [Top] [All Lists]