GPO security


ExAdmin

Hi,
I'd like to find out as much as I can regarding the security around GPOs.
Namely, Active Directory can modify the registry; what is preventing other
remote users from hacking it as well? Any whitepapers or technical articles
would be fantastic. Or, if you know this off-hand too...

Thanks,
Daniel
 
Two things could prevent remote hacking - lack of access and lack of credentials,
hardly a unique situation. Someone with access and administrator credentials could do
a lot more damage than change a registry setting affecting user settings on a
computer. Anyhow, a firewall to prevent access from untrusted networks and an
account/password policy that requires complex passwords, an account lockout policy,
and enabling of account logon and logon auditing will go a long way to protect GPOs
just like any other network resource. --- Steve
 
Basically, the entire design of the OS security subsystem
exists to prevent this when not desired but allow it when
it is desired. The basic thing to note is, you have asked
what is preventing other remote users from hacking it as well,
but as Steve has indicated, remote people are not remote users
unless they can authenticate or control an authenticated process.
They are not users until the system sees them as users, and then
they are only allowed to do what is defined as permitted for that user.

That is a quick, hand-waving sort of response, but a complete
one would be a book covering most of the operating system,
since anything that has a name has security exercised over it.
 
