mailing list archives
RE: Spying in a corporate environment
From: "Mario DeBono" <mario.debono () global net mt>
Date: Thu, 22 Nov 2007 20:13:20 +0100
Yep, could be possible, but if you apply the policies on a pc level not user
level, than that is some thing different.
Another way is to apply frequent policy updates depending on the lan/wan you
administer. This can be done through login as well.
OR but I highly don't suggest to do is to
Amend files at local security level removing access to local administrators
and grant only access to domain admins but you have to be sure of what u are
doing else you might end making a mess.
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Ansgar -59cobalt- Wiechers
Sent: 22 November 2007 16:48
To: security-basics () securityfocus com
Subject: Re: Spying in a corporate environment
On 2007-11-22 Mario DeBono wrote:
If you have a 2003 domain enforce group policies and restrict access
to certain windows components. I presume even if a user has admin
rights on a pc, he should not be able to over right the group
policies, if he is not so keen to remove the policies from the pc
You're mistaken. A local admin can override policies (at the very least
for a short while until they are reapplied), and even if that wasn't
possible (s)he can always log on locally, in which case domain policies
don't apply at all. The only way to control users with local admin
privileges is to revoke their local admin privileges. Everything else
are futile efforts.
"All vulnerabilities deserve a public fear period prior to patches
--Jason Coombs on Bugtraq
Re: Spying in a corporate environment Emilio Casbas (Nov 21)
Re: Spying in a corporate environment p1g (Nov 26)
Re: Spying in a corporate environment Chris Barber (Nov 27)