| Author | Messages | |
prankmonkey
Posts:13
 | | 07/28/2009 10:46 AM |
| I am looking at Windows 7 policies and noticed the explanation on some of the policy options, specifically security options.
For example:
Shutdown: Allow system to be shut down without having to log on
This security setting determines whether a computer can be shut down without having to log on to Windows.
When this policy is enabled, the Shut Down command is available on the Windows logon screen.
When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown.
Default: Enabled on workstations. Disabled on servers.
Now let's assume I don't configure this policy. Does Default mean that this setting is by default enabled even when not setting this policy?
| | | |
| jlangerak
Posts:4
 | | 07/28/2009 10:53 AM |
| Yes indeed, that is what it means. By default this option is enabled on workstations unless you configure it otherwise. It will at the least contribute to power savings, if someone can shut down the PC of a co-worker who forgot 
Jake Langerak Itium ICT BV
Keizersgracht 442 1016 GD AMSTERDAM The Netherlands
xxxxxxxxxxxxxxxx www.itiumict.com
T: +31 (0)20 - 620 81 99 F: +31 (0)20 - 623 06 79
M: +31 (0)6 - 41 178 057
For support requests, please send an e-mail to mailto:xxxxxxxxxxxxxxxx.
This e-mail message, including any attachment(s), is intended solely for the addressee or addressees and is strictly confidential or otherwise legally protected. If you are not the intended recipient, you are requested by Itium ICT BV to delete the message (with attachments) without opening it and you are notified by Itium ICT BV that any disclosure, copying or distribution of the information contained in the message (with attachments) is strictly prohibited and unlawful. Itium ICT BV cannot assume any responsibility for the accuracy or reliability of the information contained in these message (including attachments), nor shall the information be construed as constituting any obligation on the part of Itium ICT BV.
-----Original Message-----
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of John Everyman Sent: Tuesday, 28 July 2009 11:42 To: xxxxxxxxxxxxxxxx Subject: [gptalk] "Default" value in security options
| | | |
| prankmonkey
Posts:13
 | | 07/28/2009 12:05 PM |
| Hi Jake and thanks for the reply. I probably should have prefaced that the shutdown policy was an example, as most of the security option policies have similar options.
If the setting says enabled by default on, say, workstations, is there really a need to set the policy if you want it enabled? I can only see two reasons to set it:
A - you want it disabled
B - you want it enforced
Cheers
| | | |
| jeromelcruz
Posts:120
 | | 09/27/2009 12:10 PM |
| John,
There's another aspect you might want to take into account. So this would be option
C - You want the setting visible and auditable using a single methodology
This is 'especially' applicable for server and infrastructure systems. If an auditor were to name any of the 'Security' settings and ask you what the current value/state is, how would you answer? You'd have to go to the system in question and look up the value (it could be set locally, could be set by GPO, or might not be defined at all, in which case you have to look up the expected behavior when not defined--see the 'Notes' section below).
Once you look up the answer the very next question from the auditor is typically, "Okay, is that the correct value/state it is 'supposed' to be in and what system is keeping them set in-place without alteration?" Ummm... Hmmm... Okay, go to the system and try to find out 'what' is configuring the value/state and then find something that documents the behavior that's expected for the system in question.
These are time consuming questions and the values can vary per machine. [If you have to deal with many servers (we have thousands), well, you see the point.] For this reason, we have chosen to go ahead and explicitly define most of the settings the auditors care about using GPOs targeted at the systems. We choose to explicitly configure the settings even when the 'desired state' is the one the system 'already has' in place. Then all we need to do to answer an auditor's question is run an RSoP report to show the auditors the current values/states and then compare them to a baseline report (run earlier) to establish that the settings have not been altered. The areas we avoid doing this are those that require the re-application of permissions (which can take a long time to re-apply and can affect performance of critical server systems--usually high-transaction systems). For these systems, we have our SAs re-apply permission settings during their server's regularly scheduled maintenance windows.
Notes - How many ways can Security Settings get configured?
=============================================================
1) Hardcoded behavior (if not defined anywhere else, what's the behavior?)
2) The application of built-in security templates at the time the OS is built
3) The application of custom security templates (applied at any later time)
4) The application of custom registry entries (manual or scripted)
5) Manual alterations of the Local Security Policy by an Admin
6) The application of Group Policy settings (these always "win")
Jerry Cruz | Group Policies Product Manager | Boeing IT
-----Original Message----- From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: Wednesday, July 29, 2009 8:37 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] "Default" value in security options
John, that's pretty much correct. In many cases, these settings are not easily exposed to the user, so policy ends up being the only way to make a configuration change (outside of trolling around in the registry directly).
Darren
| | | |
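The "run a report, compare it to a baseline" approach Jerry describes, as an added example that is not part of the thread and not anyone's production tooling: a PowerShell script that parses two `secedit`-style INF exports and reports, per setting, whether the current machine matches the baseline (OK), differs from it (Drift), or carries no value at all (Missing, which is the "not defined, fall back to hardcoded behavior" case from the Notes). The INF layout assumed is the one `secedit /export /cfg <file>` writes; both INF documents embedded below are constructed sample data. The `ShutdownWithoutLogon` registry value is the one behind the thread's "Shutdown: Allow system to be shut down without having to log on" setting; that mapping comes from Windows itself, not from the posts.

```powershell
# Added example (not part of the thread): parse two secedit-style INF exports and
# report drift, so "what is the value, and is it what it should be?" is answered
# from a baseline comparison rather than by logging on to each box.
# Assumption: the INF layout is what 'secedit /export /cfg <file>' writes
# ([Section] headers, Name=Value lines). Both documents below are CONSTRUCTED
# sample data, not exports from a real machine.

function ConvertFrom-SeceditInf {
    # Flattens an INF into a hashtable keyed "Section|Name" -> raw value string.
    param([Parameter(Mandatory)][string[]]$Lines)

    $settings = @{}
    $section = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }          # blank or comment
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue } # [Section]
        if ($null -eq $section) { continue }                                # text before any section
        $eq = $line.IndexOf('=')
        if ($eq -lt 0) { continue }
        $name  = $line.Substring(0, $eq).Trim()
        $value = $line.Substring($eq + 1).Trim()
        $settings["$section|$name"] = $value
    }
    return $settings
}

function Compare-SecurityBaseline {
    # Emits one object per baseline setting: OK, Drift (value differs) or
    # Missing (the export carries no value, i.e. the setting is not defined there).
    param(
        [Parameter(Mandatory)][hashtable]$Baseline,
        [Parameter(Mandatory)][hashtable]$Current
    )
    foreach ($key in ($Baseline.Keys | Sort-Object)) {
        $section, $name = $key -split '\|', 2
        $expected = $Baseline[$key]
        if (-not $Current.ContainsKey($key)) {
            $actual = '<not defined>'; $status = 'Missing'
        } elseif ($Current[$key] -ne $expected) {
            $actual = $Current[$key]; $status = 'Drift'
        } else {
            $actual = $expected; $status = 'OK'
        }
        [pscustomobject]@{
            Section  = $section
            Setting  = $name
            Expected = $expected
            Actual   = $actual
            Status   = $status
        }
    }
}

# --- Constructed sample data -------------------------------------------------
# Baseline: the values explicitly enforced by GPO. ShutdownWithoutLogon is the
# registry value behind "Shutdown: Allow system to be shut down without having
# to log on"; "4,0" means REG_DWORD 0 (disabled), the server-class default.
$baselineInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 14
LockoutBadCount = 10
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544
'@ -split "`r?`n"

# "Current" export from a machine that drifted: password length lowered, the
# shutdown-without-logon value flipped on, and DontDisplayLastUserName absent.
$currentInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 10
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,1
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544
'@ -split "`r?`n"

$report = Compare-SecurityBaseline -Baseline (ConvertFrom-SeceditInf $baselineInf) `
                                   -Current  (ConvertFrom-SeceditInf $currentInf)
$report | Format-Table -AutoSize

# Against a real machine, replace $currentInf with an actual export (run elevated):
#   secedit /export /cfg "$env:TEMP\current.inf" | Out-Null
#   $currentInf = Get-Content "$env:TEMP\current.inf"
```

With the sample data the report flags MinimumPasswordLength and ShutdownWithoutLogon as Drift and DontDisplayLastUserName as Missing; everything else is OK. Because `secedit /export` reads the local security database, the values it writes already reflect whatever GPO last applied, so one export per server plus a stored baseline answers both of the auditor's questions. A Missing row is the case the thread is about: nothing has defined the setting, so the machine is on the hardcoded default, which is exactly why explicitly configuring the desired value in a GPO makes the state visible in the same report.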