XP/2000 group policy access controls

Posted on 2004-11-21
Medium Priority
Last Modified: 2013-12-04
A previous colleague who handled Windows XP/2000 security at our location has now left. He used three batch files as admin which control the permissions on registry.pol in the user and machine subdirectories of group policy, and also the gpt.ini file. These batch files altered the permissions on these files (enabling/disabling the group permissions settings I believe), the third allowed editing of the group policy, but only while it was open. All made use of cacls to control the permissions. Has anyone heard of a scheme like this, and could either write or direct me to an explanation of how it works and how to implement it? Also, does this method provide any real security advantages over the standard Windows setup?

Many thanks.
Question by:fennyrules

Accepted Solution

TJworld earned 600 total points
ID: 12638835
See these documents:

"Recovering a Customer from an Active Directory 'Denial of Service'" http://www.microsoft.com/technet/archive/community/columns/security/askus/auasadds.mspx

"Microsoft Baseline Security Analyzer (MBSA) version 1.2.1 is available" http://support.microsoft.com/default.aspx?scid=kb;en-us;320454

"Support WebCast: Microsoft Baseline Security Analyzer Version 1.1" http://support.microsoft.com/default.aspx?scid=kb;en-us;812920

As you can see from the first article, regular permissions on the group policy templates could allow a compromised account to cause a lot of damage.

The batch files your colleague used would simply automate the relaxing and restoring of strong NTFS DACL permissions on the vital files.

In normal operation the files would be read-only to everyone including Administrators.

When a change is to be made the relevant batch file would be run to temporarily provide Full Control to the policy template, automatically launch the Group Policy Editor, and once it had been closed restore the Read-Only state of the templates.
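The relax, edit, restore cycle described in the answer above, sketched as an added example; it is not the colleague's batch files and not code from the answer. It assumes the local Group Policy object under %SystemRoot%\System32\GroupPolicy and that Administrators is the only group that edits policy.

```batch
@echo off
rem Added example, not the original batch files discussed in this thread.
rem Assumptions: local Group Policy object in %SystemRoot%\System32\GroupPolicy,
rem and "Administrators" as the only group that edits policy.
setlocal
set "GPDIR=%SystemRoot%\System32\GroupPolicy"
set "EDITORS=Administrators"

rem Step 1: temporarily give the editing group Full Control on the templates.
call :SetPerm F

rem Step 2: open the Group Policy Editor and block until it is closed.
start "" /wait mmc.exe "%SystemRoot%\System32\gpedit.msc"

rem Step 3: put the editing group back to Read once the editor has exited.
call :SetPerm R
endlocal
goto :eof

:SetPerm
rem %1 is the cacls right to apply: R (read) or F (full control).
rem /E edits the existing ACL instead of replacing it, so other entries
rem (for example SYSTEM) are left alone and no Y/N prompt appears.
rem /P replaces the named group's current rights with the one given.
for %%F in ("%GPDIR%\gpt.ini" "%GPDIR%\Machine\Registry.pol" "%GPDIR%\User\Registry.pol") do (
    if exist "%%~F" cacls "%%~F" /E /P %EDITORS%:%1
)
goto :eof
```

Running `cacls` on each of the three files with no switches before and after shows whether the read-only entries were restored. A Registry.pol that did not exist before the edit is created with inherited permissions and is only tightened by step 3.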

Expert Comment

ID: 12644143
If you can provide the content of the batch file, we can find out whether it is secure or not.

NOTE: While posting it here, make sure to change the "user-id" and other sensitive info into generic...

Expert Comment

ID: 12644591
I think that's a bit of work for you; part of the job!

Take a look at "Undocumented CACLS: Group Permissions Capabilities"


"How to Use CACLS.EXE in a Batch File"


Author Comment

ID: 12673444
Thanks guys! Now I know it's worthwhile I can just go through them myself.
