Securing the Local Administrators Group 

Jan 31, 2012 05:00 PM

Many organizations I speak with put a lot of faith in Active Directory and their GPO policies for security settings. GPO policies can be an excellent way to push security settings, but how do you know that all computers are receiving their updates, or are even still on the domain? Arellia supports organizations in their efforts to remove end users from the Administrators group, but there are many organizations that cannot do this for political reasons. As we all know, when end users have administrator rights anything goes, including leaving the domain and avoiding GPO policies.

The average user may not know how to avoid GPO policies, but it is not difficult. Many GPO policies are targeted at users, so the first step in avoiding GPO policies is simply not to log in with a domain account. This can be done with a few key steps when the user's domain account is a member of the local Administrators group:

  1. User creates a local administrator account
  2. User uses their local administrator account to log on to the computer
  3. User changes any local computer settings and avoids GPO changes
  4. User uses their domain credentials for access to network resources such as Exchange, network folders, etc.

Now one may ask why an end user would care to take these steps when they have to repeatedly authenticate to resources with their domain account. The answer is simple: fewer restrictions on what they can do in their desktop environment. No software restriction policies, no control panel settings enforcement, and no limitations on the desktop environment.

Even when a user avoids logging in with their domain account, there is still the issue of computer-targeted GPO policies. Again, avoiding these policies is easy:

  1. User removes their computer from the domain
  2. User changes any local computer settings and avoids all GPO changes

Avoiding computer policies reaps even fewer restrictions: no need to change passwords, no complex passwords, and no limitations on security rights. All of these settings are elements of good security, but they are often hassles to the average user.

The average user may not have the knowledge to carry out these steps, but the people who do have the knowledge are often the ones who most need to be secured. Developers and engineers hate to be controlled and will often avoid being on the domain, yet they hold source code, corporate data, and other proprietary information that needs to be protected. Knowledge workers (marketing, sales, accounting, finance, etc.) also have sensitive corporate data, and while they may not have the technical sophistication of developers, they have the savvy to figure out the steps.

So if your GPOs are key to your security configuration, ask yourself a few key questions:

  • Are your clients on the domain?
  • Are your users creating local administrator accounts to circumvent GPO controls?
  • Is your security being compromised by end users changing their local system settings?
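One way to get a per-machine answer to those three questions is a short local audit. The script below is an added example, not part of the original post and not Arellia product code; it assumes Windows PowerShell 5.1 or later (for the LocalAccounts cmdlets `Get-LocalGroupMember` and `Get-LocalUser`), an elevated session, and that the Group Policy operational event IDs used for the "last applied" check (1500 and 1502 for computer policy) match your Windows version. The expected-member list is a placeholder for your own standard.

```powershell
# Added example (not from the original post): audit one endpoint for the three
# questions above: domain membership, who holds local admin rights, and whether
# computer Group Policy has actually been applied recently.
# Assumptions: PowerShell 5.1+, elevated session, and the event IDs noted below.

function Get-EndpointAdminAudit {
    [CmdletBinding()]
    param(
        # Principals you expect in the local Administrators group (assumed
        # names; replace with your organisation's standard). Anything else is
        # reported as unexpected.
        [string[]]$ExpectedMembers = @('Administrator', 'Domain Admins')
    )

    $cs       = Get-CimInstance -ClassName Win32_ComputerSystem
    $computer = $cs.Name

    # Question 1: is this client still joined to the domain?
    $onDomain = [bool]$cs.PartOfDomain

    # Question 2: who is in the local Administrators group? Local (non-domain)
    # members other than the built-in Administrator are exactly the accounts a
    # user could log on with to sidestep user-targeted GPOs.
    $members = @(Get-LocalGroupMember -Group 'Administrators')

    $localAdmins = @($members | Where-Object {
        $_.PrincipalSource -eq 'Local' -and
        $_.Name -ne "$computer\Administrator"
    })

    $unexpected = @($members | Where-Object {
        ($_.Name -split '\\')[-1] -notin $ExpectedMembers
    })

    # Enabled local accounts beyond the well-known built-ins, regardless of
    # group membership. A locally created account is the usual first step.
    $builtIn = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount')
    $extraLocalUsers = @(Get-LocalUser | Where-Object {
        $_.Enabled -and $_.Name -notin $builtIn
    })

    # Question 3: has computer policy been applied at all recently? We read the
    # newest success event from the Group Policy operational log. Event IDs
    # 1500/1502 are assumed to mean "computer policy processed successfully";
    # verify them against your Windows version before relying on this.
    $lastPolicy = $null
    try {
        $evt = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-GroupPolicy/Operational'
            Id      = 1500, 1502
        } -MaxEvents 1 -ErrorAction Stop
        $lastPolicy = $evt.TimeCreated
    } catch {
        # No matching event (log cleared, policy never applied, or not joined)
        $lastPolicy = $null
    }
    $policyStale = ($null -eq $lastPolicy) -or
                   ($lastPolicy -lt (Get-Date).AddDays(-1))

    [pscustomobject]@{
        ComputerName        = $computer
        OnDomain            = $onDomain
        Domain              = $cs.Domain
        AdminGroupMembers   = $members.Name
        LocalAdminAccounts  = $localAdmins.Name
        UnexpectedAdmins    = $unexpected.Name
        ExtraLocalUsers     = $extraLocalUsers.Name
        LastComputerPolicy  = $lastPolicy
        PolicyStale         = $policyStale
        # One flag for the collector: any of the three questions answered badly.
        NeedsAttention      = (-not $onDomain) -or
                              ($localAdmins.Count -gt 0) -or
                              ($unexpected.Count -gt 0) -or
                              $policyStale
    }
}

# Run locally (elevated) and print the findings; in practice you would push
# this out through your management tool and collect the objects centrally.
Get-EndpointAdminAudit | Format-List
```

The script reports rather than remediates: it tells you which machines have left the domain, which carry local accounts with administrator rights, and which have not processed computer policy in the last day. Each of those is a case where the GPO you are counting on is not actually in effect, and the `NeedsAttention` flag lets a central collector sort the fleet without re-reading every field.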

Don’t assume that controls which are easy to circumvent are always in place. Arellia Endpoint Security Remediation Suite can be used to identify local administrator accounts, enforce Administrators group membership, and measure and remediate local security configuration, keeping those valuable security controls in place. Do you still think your GPOs are keeping you safe? Think again.
