[Dshield] OT: Discussion forums for spyware, adware and malware in general?
jholmblad at aol.com
Fri Dec 5 00:41:16 GMT 2003
To Bert's comments regarding GPO I would add that even in a Microsoft
network (a so-called workgroup) implemented without Active Directory it
is possible to exert fine-grained control on security policy on a
Windows 2000/XP/2003 machine through the use of a number of built-in
tools including the "Local Security Policy" GUI-based tool. These tools
require admin privilege level in order to be used. Of course without AD this
must be done on a system-by-system basis and therefore does not scale
well at all.
Microsoft and others (e.g. the NSA, see http://nsa2.www.conxion.com/)
have developed pre-configured security templates (.inf files) for
various versions of Windows and various target configurations (e.g.
workstation, server, domain controller, etc.) that can be downloaded and
applied to individual systems or to multiple systems via Active
Directory + GPO. Before using such templates always make sure you
understand what they are configured to do beforehand so you don't
inadvertently disable needed services/features on your systems. For
better or for worse there is no single-click "undo" button to easily
reverse all the changes (e.g. to the Windows registry including Access
Controls (ACLs), file permissions, etc.) that these templates can make
depending upon their specific configuration. Although both Windows XP
and Server 2003 support the Windows System Restore feature, which can be
used to roll back the OS state to a previously established restore
point, including, in particular, rollback of the Windows registry, I
don't think this feature will, for example, "undo" file permissions
that may be implemented by a particular template. In such cases it
may be necessary, after running System Restore, to manually re-edit
certain changes to complete the restoration of the system to the
previous (pre-template invocation) state.
With respect to Group Policy Objects, it is possible to define such
objects for computers as well as for users, sites (groups of computers
connected typically by high-speed links), Organizational Units, and Domains.
If you want to learn more about using Group Policy in a non-AD Windows
environment, there is a text called "Configuring Windows 2000 Without
Active Directory" that devotes almost a full chapter to implementing
Local Group Policy on Windows 2000. In addition Microsoft has published
its own similar text for Windows XP called "Windows XP Inside and Out",
most of whose content is applicable to non-AD as well as AD environments.
(H) 703 620 0672
(M) 703 407 2278
(F) 703 620 5388
www page: www.vtext.com/users/jholmblad
primary email address: jholmblad at aol.com
backup email address: jholmblad at verizon.net
text email address: jholmblad at vtext.com
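The post's advice to understand what a security template will change before applying it, since System Restore will not undo file or registry permissions, can be checked mechanically. The following is an added example (not code from the post or from Microsoft/NSA) that parses a constructed secedit-style .inf template and reports the service start types and file/registry ACL changes it would make; it assumes the documented entry layout, `"name",start_type,"SDDL"` for services and `"path",mode,"SDDL"` for ACL entries, where mode 2 means the existing ACL is left alone.

```python
import csv, re

# Constructed sample template (.inf) in secedit's format; not a Microsoft or NSA file.
SAMPLE_INF = r"""[Service General Setting]
"Messenger",4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
[File Security]
"%SystemRoot%\system32\cmd.exe",2,"D:PAR(A;OICI;FA;;;BA)"
"%SystemDrive%\Temp",1,"D:PAR(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)"
[Registry Keys]
"MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg",0,"D:PAR(A;CI;KA;;;BA)"
"""

STARTUP = {"2": "Automatic", "3": "Manual", "4": "Disabled"}  # Win32 service start types
ACL_MODE = {"0": "configure, propagate inheritable ACEs to children",
            "1": "replace existing ACLs on the whole subtree",
            "2": "do not replace (existing ACL kept)"}
TRUSTEE = {"BA": "Administrators", "BU": "Users", "SY": "SYSTEM", "WD": "Everyone"}

def parse_template(text):
    # {section: [csv fields per quoted entry]}; key=value lines are kept as (key, value)
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif line.startswith('"'):
            sections[current].append(tuple(next(csv.reader([line]))))
        else:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections

def sddl_trustees(sddl):
    # Trustee (6th field) of every ACE "(type;flags;rights;obj;inh_obj;sid)" in the DACL
    return [TRUSTEE.get(a.split(";")[5], a.split(";")[5])
            for a in re.findall(r"\(([^)]*)\)", sddl)]

def review_template(text):
    # Changes System Restore does not roll back: service start types and file/registry ACLs
    secs = parse_template(text)
    report = {"services": {}, "file_acls": {}, "registry_acls": {}}
    for name, start, _ in secs.get("Service General Setting", []):
        report["services"][name] = STARTUP.get(start, start)
    for section, key in (("File Security", "file_acls"), ("Registry Keys", "registry_acls")):
        for path, mode, sddl in secs.get(section, []):
            if mode != "2":  # mode 2 entries explicitly leave the current ACL in place
                report[key][path] = (ACL_MODE[mode], sddl_trustees(sddl))
    return report
```

Run `review_template` over the real template before applying it and compare the listed paths against a `secedit /export` of the current policy, so the pre-template state is on record.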