Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security NTBugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

XP SP2 and Group Policy

from [Cenk KULACOGLU] Network Security [Permanent Link]
Subject: XP SP2 and Group Policy
Date: Fri, 13 Aug 2004 14:22:05 +0300 
Hi Russ,

I thought I should share this...

Cheers
Cenk

  _____


If you expect to have any user with administrator rights ever view or edit
group polices from an XP SP2 based system they need this fix.



The first groups generally to use a new service pack or operating system is
the IT staff so in my opinion this fix should be deployed proactively as
soon as the customer is able to.



You should be aware that this is already documented in the Windows XP SP2
release notes but you should be proactive in case your customer may have XP
SP2 users testing the platform.





The issue



With the RTM of XP SP2 (and the tremendous number of new policy settings it
makes available) Mark and I wanted to alert you to an important issue around
the use of the .adm files that we ship with this service pack. To cut to the
chase, the .adm files in XP SP2 will not load correctly on older versions of
GPEdit and require fixes to be applied.



By default, when viewing or editing a GPO in GPEdit, the timestamps of the
.adm files in the GPO (stored in Sysvol) are compared with those on the
administrative workstation (see KB 816662 for details). This means that the
mere act of viewing an existing GPO from an XP SP2 machine will result in
the new .adm files being uploaded to Sysvol - eventually used by any other
administrative workstation (whether XP SP2 or not). Without fixes we are in
the process of releasing, this will produce error messages in older versions
of GPEdit. This scenario is described in full in the following KB article
which has just gone online:



The KB http://support.microsoft.com/default.aspx?kbid=842933
<http://support.microsoft.com/default.aspx?kbid=842933>  will continue to be
updated with the latest information.



NOTE: This issue does not impact the application of group policies rather it
only impacts the ability to modify and view them.



The fix



Hotfixes are available today for Windows 2003 and Windows XP SP1.  In
addition for Windows 2000 SP3 and SP4 systems a fix is downloadable from
Microsoft.com.  The intention is to have all versions of the fix available
from Microsoft.com.



To obtain the XP and 2003 fix send your customer the fix for KB 842933.



For Windows 2000 download it from
http://www.microsoft.com/downloads/details.aspx?FamilyId=BA478B46-3AF7-4EAF-
9CE6-E34EA2C74FAF
<http://www.microsoft.com/downloads/details.aspx?FamilyId=BA478B46-3AF7-4EAF
-9CE6-E34EA2C74FAF&displaylang=en> &displaylang=en



This fix goes on any system where you may need to use group policy editor.
This includes all Windows 2000 servers, Windows 2003 servers, and XP SP1
systems used for domain administrative tasks.  To be on the safe side I
would simply roll it our company wide as you would a security fix as this
could even be seen editing local polices.



The only platform not affected by this issue is Windows XP SP2 as it already
includes the fix.




-----
NTBugtraq Editor's Note:

Want to reply to the person who sent this message? This list is configured such 
that just hitting reply is going to result in the message coming to the list, 
not to the individual who sent the message. This was done to help reduce the 
number of Out of Office messages posters received. So if you want to send a 
reply just to the poster, you'll have to copy their email address out of the 
message and place it in your TO: field.
-----
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Further Info: Removal of Windows Messenger / Windows Media Player, Byrne Ghavalas
Next by Date:  Re: XPSP2 Load Experience, Young, Keith
Previous by Thread:  Further Info: Removal of Windows Messenger / Windows Media Player, Byrne Ghavalas
Next by Thread:  Re: XP SP2 and Group Policy, Russ
Indexes:  [Date] [Thread] [Top] [All Lists]