Category Archives: Myths

Myths #3: Give without giving

no giftOne more mystery for me: how give everything without giving everything. This is exactly the question I see very often in various forums and other places. This is the question I hear personally from time to time. It can be in asked in several forms, the most frequent forms are:

1) How can I give a user local admin rights and be sure that they cannot do <put your own stuff here>?

2) How can I restrict my domain admin from accessing the <your very valuable information>?

Naturally, at this point I start boiling and all that stuff, but let’s look at it again.

Well, granting the user administrative rights in a system is going to give them administrative rights: that’s the point. And any administrative access means that the user can do everything. What it cannot do right now, they can grant themselves rights to do. Period.

In first case you can only audit the user’s actions, that’s all, you can do. Moreover, the audit collection and processing must be done on a remote system, which is not accessible (let alone administered) by the user in question. Any other variant, like granting local admin rights, but denying access to some aspects of the system… It just won’t work.

The second case is a bit more complicated, because system we are discussing are usually more distributed. However, even in such occurrence, you can do not much more then in previous one. Again: strict audit with no chances for the admin to tamper with it. The only exclusion for that rule is if you build the system, which, say, encrypts the data and which is not governed by the domain admin. But this is tricky, especially, considering the fact, that the admin can get the data from the computer of the user which decipher the data to work with it (pass-the-hash, or any other attack is possible if he has administrative access to any part of the “secure system”).

Therefore, really, only audit for critical data, including audit of access to backup and restore system.

Any other ideas?

Myths #2: PKI edition.


Take notice: My new feed address is now Please re-subscribe.


BTW, did you know what do certificate template options like “Allow private key to be exported” or “Prompt the user during enrollment and require user input when the private key is used” really do? Do they make you more secure or not?

Certainly, some people who read my blog do know the answer, others have already guessed the answer: no. They don’t enforce any behavior on a client: it just communicate the requested by CA features.

A good example of it was windows 2003: while you weren’t able export the certificate through GUI you could do this with… some certificates. Furthermore, in Windows 2008 R2 (or Windows 7, as it goes) even some GUI instruments can export such a key. So you cannot restrict your user from exporting and moving the certificate.

Be careful and take care to think if you can trust what you see Winking smile

Myths #1: Number of previous logons to cache

imageYou know, as an IT Pro I often meet some persistent myths about OS, protocols or whatever else. Sometimes these encounters become sooo frequent, that explaining these wrongs just bore  me to death. What’s even more amazing: these wrongs are explained usually on so many blogs, pages and other places that… Well, anyway, probably some people who know people who read my blog don’t read those blogs and pages, therefore I’ll try to show some more of these mistakes.

Let’s begin from the very basic, but one of the most frequent mistakes about Group Policy. Yeah, the one which is in the subject of the post. I saw once a man who was nearly fired because of it. Really. Like always: “the boss comes in and tells an IT guy to restrict number of times his sales managers can logon into their laptops without connecting to the company’s LAN by 15 times”. “No problem” answers the guy, changes the setting to 15 and reports the task is done. Some time later it occurs that it wasn’t and all hell’s broke loose. What’s happened and how to fix it?

First of all, it was a mistake not to check if everything works smoothly after changes (I’ve done some nasty things over it too… Bad memories Winking smile).

Next, the settings is not what many think of it. If we read its description (this is a good thing to do before a change) then we’ll see the following line: “Determines the number of users who can have cached credentials on the computer”. Number of users, not number of logons per user. That’s it. If you have notebook with 15 users using it (wow…), then the setting will help you. But no restriction for the only one.

Third. Bad news here: I don’t know actually the way to do what this boss wants. And I am not sure that it exists while using only built-in means. Still it is not a cause for telling the boss that you’ve done it Smile