Click here to get back home

Applying SAFER policies via GPO, is this the right newsgroup to post in
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
Applying SAFER policies via GPO, is this the right newsgroup to post in Edward Ray 03-27-2006
Posted by Edward Ray on March 27, 2006, 2:35 am
Please log in for more thread options
 I have been utilizing some of the ideas presented by Michael Howard at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure11152004.asp
and have some questions regarding the application of SAFER policies via GPO.
I have made modifications to the registry settings on my Domain Controllers
(all Windows 2003 SP1 boxes running in Native Windows 2003 forest/domain
mode) to recognize all five user categories: Disallowed, Untrusted,
Restricted, Basic User and Unrestricted.

I then added additional rules to restrict programs like IE, Outlook, WMP,
Real Audio, Outlook Express, Firefox to run as "Basic User."

These rules were added to the computer configuration of all my Windows XP
machines via a GPO so that (presumably) irregardless of whether or not the
user was running as local administrator (which is atypical in my
organization) that the above referenced programs are running in a reduced
privilege mode. I verified this on my XP machines by logging on as an local
administrator and running IE and navigating to the Windows Update site. The
page returned an error stating that I did not have the necessary privileges
to run Windows Update.

My question is this: When I run Group Policy modeling from the GPMC, the
resulting settings do not show the software restrictions even though they
are listed in the GPO itself and appear to be applied on the XP boxes. How
do I get the software restrictions to show up in Group Policy modeling to
verify what I am already seeing on the XP clients?

Thanks in advance.

Edward Ray
CISSP, MCSE+Security, P.E. SANS GCIA Gold, SANS GCIH Gold



Posted by NickvW on March 27, 2006, 5:29 am
Please log in for more thread options
> My question is this: When I run Group Policy modeling from the GPMC, the
> resulting settings do not show the software restrictions even though they
> are listed in the GPO itself and appear to be applied on the XP boxes.
> How do I get the software restrictions to show up in Group Policy modeling
> to verify what I am already seeing on the XP clients?
>
> Thanks in advance.
>
> Edward Ray
> CISSP, MCSE+Security, P.E. SANS GCIA Gold, SANS GCIH Gold
>
Did you try Group Policy Results?



Posted by Edward Ray on March 28, 2006, 2:51 am
Please log in for more thread options
RsoP shows the rules, thanks!!


>
>> My question is this: When I run Group Policy modeling from the GPMC, the
>> resulting settings do not show the software restrictions even though they
>> are listed in the GPO itself and appear to be applied on the XP boxes.
>> How do I get the software restrictions to show up in Group Policy
>> modeling to verify what I am already seeing on the XP clients?
>>
>> Thanks in advance.
>>
>> Edward Ray
>> CISSP, MCSE+Security, P.E. SANS GCIA Gold, SANS GCIH Gold
>>
> Did you try Group Policy Results?
>



Posted by NickvW on March 28, 2006, 9:05 am
Please log in for more thread options
>>> My question is this: When I run Group Policy modeling from the GPMC,
>>> the resulting settings do not show the software restrictions even though
>>> they are listed in the GPO itself and appear to be applied on the XP
>>> boxes. How do I get the software restrictions to show up in Group Policy
>>> modeling to verify what I am already seeing on the XP clients?
>>>
>>> Thanks in advance.
>>>
>>> Edward Ray
>>> CISSP, MCSE+Security, P.E. SANS GCIA Gold, SANS GCIH Gold
>>>
>> Did you try Group Policy Results?
>>
> RsoP shows the rules, thanks!!
>
GP Modelling is a simulation and creates RSoP.

GP Results actually drives the client side policy extensions and creates...
RsoP?

Are you saying that GPR shows these extensions to SAFER but that GPM
doesn't?

Just curious!

Nick



Posted by Edward Ray on March 28, 2006, 2:06 pm
Please log in for more thread options
> Are you saying that GPR shows these extensions to SAFER but that GPM
> doesn't?

Yes!



Similar ThreadsPosted
Applying Windows 2003 policies to Windows XP June 24, 2008, 2:34 pm
where is the Passport newsgroup? January 25, 2006, 5:41 pm
Norton Corporate 10.* tweaking , Might be a more appropiate newsroup to post to. September 30, 2005, 11:05 pm
Free PKI Smart Cards & CSP for Microsoft Newsgroup Participants May 14, 2007, 7:21 am
Re: Previous post should say Grant user right to remotely start stop Service - can anybody help? March 10, 2006, 1:04 pm
Event ID 1202 when applying new GPO June 13, 2006, 3:31 pm
Applying Permissions and Inheriting October 13, 2006, 11:46 am
Applying IPSec Policy April 6, 2007, 12:34 pm
NTFS permissions not applying consistently June 21, 2006, 12:16 pm
Help! Group policy not applying to computer in OU September 30, 2008, 2:15 pm

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap