
GPO for trusted root CA certs

Posted by Michael Ströder on November 7, 2006, 8:12 am
Hi!

I'd like to know how GPOs are protected against being forged. In my case
I'd have the task to design a GPO for trusted root CA certs which
obviously should be secured somehow.

I also read about certificate trust lists signed by the enterprise
admin. But there's of course some hen-and-egg problem since at the end
the signature has to be validated against the root CA cert.

Thanks in advance.

Ciao, Michael.

Posted by Brian Delaney [MSFT] on November 7, 2006, 1:03 pm
Hi Michael,

The SYSVOL where GPOs are stored is protected by Access Control Lists
preventing regular users from placing a new GPO in this directory. By
default only members of the Administrators group have full control over
this directory. The Group Policy Creator Owners group has the ability to
create new policies, but not to modify existing GPOs, and not the ability to
link a policy.

So, I guess you could say that it is secured in two ways. First of all you
have to have permissions to write to the SYSVOL\Policies folder to
create/modify a GPO, and secondly you have to have permissions to the gplink
and gpoptions attributes at the level you wish to link the policy.

Hope this helps,

Brian Delaney
Microsoft Canada
--

This posting is provided "AS IS" with no warranties, and confers no rights.
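The two controls Brian lists can be audited directly. The following is an added example, not code from the thread: it assumes the ActiveDirectory RSAT module and a domain-joined session, and `$target` is the container whose GPO links you want to audit (the domain root by default).

```powershell
# Added example, not from the thread: audit the two controls Brian describes,
# the ACL on SYSVOL\Policies and the ACL on the container where GPOs are linked.
# Assumes the ActiveDirectory RSAT module and a domain-joined session; $target
# is the container to audit (defaults to the domain root).
Import-Module ActiveDirectory

$domain       = Get-ADDomain
$policiesPath = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"
$target       = $domain.DistinguishedName

# 1. Who can change files under SYSVOL\Policies? Any of these bits (also set by
#    Modify and FullControl) is enough to alter a GPO's files on disk.
$fsr       = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($fsr::Write -bor $fsr::Delete -bor $fsr::ChangePermissions -bor $fsr::TakeOwnership)

"Principals with write-class rights on $policiesPath"
(Get-Acl -Path $policiesPath).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   (([int]$_.FileSystemRights) -band $writeMask) -ne 0 } |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# 2. Who can write gPLink / gPOptions on $target? Resolve the attributes'
#    schemaIDGUIDs from the schema so nothing is hard-coded.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrName = @{}
foreach ($attr in 'gPLink', 'gPOptions') {
    $obj = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq '$attr'" -Properties schemaIDGUID
    $attrName[[guid]$obj.schemaIDGUID] = $attr
}

$adr   = [System.DirectoryServices.ActiveDirectoryRights]
$broad = $adr::GenericWrite -bor $adr::GenericAll -bor $adr::WriteDacl -bor $adr::WriteOwner

"Principals able to modify GPO links on $target"
(Get-Acl -Path "AD:\$target").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            (($_.ActiveDirectoryRights -band $broad) -ne 0) -or
            ((($_.ActiveDirectoryRights -band $adr::WriteProperty) -ne 0) -and
             ($_.ObjectType -eq [guid]::Empty -or $attrName.ContainsKey($_.ObjectType)))
        )
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited,
        @{ n = 'Attribute'; e = { if ($attrName.ContainsKey($_.ObjectType)) { $attrName[$_.ObjectType] } else { '(all)' } } } |
    Format-Table -AutoSize
# Caveat: WriteProperty ACEs granted on a property set rather than on the
# individual attribute are not expanded here; review those separately.
```

Anything listed under either heading that is not Administrators, Domain Admins, Enterprise Admins, SYSTEM or (for the first list) Group Policy Creator Owners deserves a closer look.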

Posted by Michael Ströder on November 7, 2006, 6:49 pm
Brian,

thanks for your quick answer.

Brian Delaney [MSFT] wrote:
>
> So, I guess you could say that it secured in two ways. First of all you
> have to have permissions to write to the SYSVOL\Policies folder to
> create/modify a GPO and secondly you have to have permissions to the gplink
> and gpoptions attribute at the level you wish to link the policy.

And how about protection of the network transport of GPO?

Ciao, Michael.

Posted by Brian Delaney [MSFT] on November 8, 2006, 10:03 am
Hi Michael,

>And how about protection of the network transport of GPO?

Are you referring to the application of a GPO over the network or
modifying it? As far as I know, by default all that is done to secure both is
that SMB signing is required on Windows Server 2003 SP1 (possibly RTM as well)
and can be set to required on Windows 2000. SMB signing helps to prevent
an SMB session from being hijacked once established.

Hope this helps,

Brian Delaney
Microsoft Canada
--

This posting is provided "AS IS" with no warranties, and confers no rights.

Posted by Michael Ströder on November 9, 2006, 6:05 pm
Brian Delaney [MSFT] wrote:
>Michael Ströder wrote:
>>
>>And how about protection of the network transport of GPO?
>
> Are you referring to the application of a GPO over the network or
> modifying?

Application of a GPO over the network.

> As far as I know by default all that is done to secure both is
> SMB signing is required on Windows Server 2003 SP1 (possibly RTM as well)
> and can be set to required on Windows 2000. SMB signing helps to prevent
> an SMB session from being highjacked once established.

With which key is SMB signed?
With the server's RSA key from its server certificate?

Ciao, Michael.
