[Dshield] OT: Discussion forums for spyware, adware and malware in general?

John Holmblad jholmblad at aol.com
Fri Dec 5 00:41:16 GMT 2003


To Bert's comments regarding GPO I would add that even in a Microsoft 
network (a so-called workgroup) implemented without Active Directory it 
is possible to exert fine-grained control on security policy on a 
Windows 2000/XP/2003 machine through the use of a number of built-in 
tools including the "Local Security Policy" GUI based tool. These tools 
require admin privileges to use. Of course without AD this 
must be done on a system-by-system basis and therefore does not scale 
well at all.

Microsoft and others (e.g. the NSA, see http://nsa2.www.conxion.com/) 
have developed pre-configured security templates (.inf files) for 
various versions of Windows and various target configurations (e.g. 
workstation, server, domain controller, etc.) that can be downloaded and 
applied to individual systems or to multiple systems via Active 
Directory + GPO. Before using such templates always make sure you 
understand what they are configured to do so you don't 
inadvertently disable needed services/features on your systems. For 
better or for worse there is no single-click "undo" button to easily 
reverse all the changes (e.g. to the Windows registry, including Access 
Controls (ACLs), file permissions, etc.) that these templates can make 
depending upon their specific configuration. Although both Windows XP 
and Server 2003 support the Windows System Restore feature, which can be 
used to roll back the OS state to a previously established restore 
point, including, in particular, rollback of the Windows registry, I 
don't think this feature will, for example, "undo" file permissions 
that may be implemented by a particular template. In such cases it 
may be necessary, after running System Restore, to manually re-edit 
certain changes to complete the restoration of the system to the 
previous (pre-template invocation) state.

With respect to Group Policy Objects, it is possible to define such 
objects for computers as well as for users, sites (groups of computers 
connected typically by high speed links), Organizational Units, and Domains.

If you want to learn more about using Group Policy in a non-AD Windows 
environment, there is a text called "Configuring Windows 2000 Without 
Active Directory" that devotes almost a full chapter to implementing 
Local Group Policy on Windows 2000. In addition Microsoft has published 
its own similar text for Windows XP called "Windows XP Inside and Out", 
most of whose content is applicable to non-AD as well as AD environments.

Best Regards,

John Holmblad

Televerage International

(H) 703 620 0672
(M) 703 407 2278
(F) 703 620 5388

www page: www.vtext.com/users/jholmblad
primary email address: jholmblad at aol.com
backup email address: jholmblad at verizon.net
text email address: jholmblad at vtext.com
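The snapshot-before-you-apply step the post argues for, as an added example that is not part of the original message: a Windows PowerShell script (assumes PowerShell 3.0 or later, a local administrator session and secedit.exe on PATH; the template path, baseline directory and the list of protected paths are placeholder assumptions) that exports the current local policy with secedit /export, records file ACLs as SDDL because the policy export does not capture live file permissions, and runs secedit /analyze to list what the template would change before anything is applied.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 3.0+,
# a local administrator session and secedit.exe on PATH. Template, baseline
# directory and the protected paths are placeholders; change them to suit.
param(
    [string]$Template    = 'C:\templates\template.inf',
    [string]$BaselineDir = 'C:\baseline',
    [string[]]$Paths     = @('C:\Windows\System32\config', 'C:\Program Files')
)

function Backup-LocalPolicy {
    # Export the current local security policy to an .inf that secedit /configure can re-apply.
    New-Item -ItemType Directory -Force -Path $BaselineDir | Out-Null
    $inf = Join-Path $BaselineDir 'local-policy-baseline.inf'
    secedit /export /cfg $inf /log (Join-Path $BaselineDir 'export.log')
    return $inf
}

function Save-PathAcls {
    # The policy export reflects the policy database, not live file ACLs: record SDDL separately.
    $csv = Join-Path $BaselineDir 'file-acls.csv'
    $Paths | ForEach-Object {
        [pscustomobject]@{ Path = $_; Sddl = (Get-Acl -Path $_).Sddl }
    } | Export-Csv -Path $csv -NoTypeInformation
    return $csv
}

function Show-TemplateMismatches {
    # Analyze (do not apply) the template against this system; the analysis log flags each
    # differing setting with "Mismatch". The .sdb also opens in the Security Configuration and Analysis snap-in.
    $db  = Join-Path $BaselineDir 'analyze.sdb'
    $log = Join-Path $BaselineDir 'analyze.log'
    secedit /analyze /db $db /cfg $Template /log $log
    Select-String -Path $log -Pattern 'Mismatch' | ForEach-Object { $_.Line.Trim() }
}

function Restore-Baseline {
    # Roll back: re-apply the exported policy, then restore the recorded file ACLs,
    # which System Restore alone may leave as the template set them.
    $db = Join-Path $BaselineDir 'rollback.sdb'
    secedit /configure /db $db /cfg (Join-Path $BaselineDir 'local-policy-baseline.inf') /overwrite /log (Join-Path $BaselineDir 'restore.log')
    Import-Csv -Path (Join-Path $BaselineDir 'file-acls.csv') | ForEach-Object {
        $acl = Get-Acl -Path $_.Path
        $acl.SetSecurityDescriptorSddlForm($_.Sddl)
        Set-Acl -Path $_.Path -AclObject $acl
    }
}

Backup-LocalPolicy; Save-PathAcls; Show-TemplateMismatches   # snapshot, then preview the template
# Call Restore-Baseline after a template application you need to reverse.
```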
