Group Policy vs File Protections

Discussion in 'NZ Computing' started by Lawrence D'Oliveiro, Jul 1, 2009.

  1. One reason why some larger companies stick with Internet Explorer,
    regardless of the better security, standards compliance and other features
    of alternative browsers, is because they can exert fine control over it
    using Windows Group Policy settings
    <http://blogs.zdnet.com/igeneration/?p=1969>.

    Help me understand this. What exactly can you do via Group Policy that you
    cannot do with appropriate setting of Unix protections and ownerships on
    user preference files? For instance, all Firefox user state is in the user's
    ~/.mozilla/firefox directory. In particular, there is a prefs.js file
    containing configuration settings: preload this and make it user-read-only
    (and possibly even owned by root), and that stops the user changing any
    settings. There is even a "chrome" subdirectory which contains CSS
    definitions that let you tweak the user interface. You can hide user
    interface elements, and again, prevent the user from overriding your
    settings.

    So what's the big deal about Group Policy?
     
    Lawrence D'Oliveiro, Jul 1, 2009
    #1
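
Added example, not part of the original post or the thread: the file-permission approach described in post #1 only holds if the account controls neither prefs.js nor any directory above it, because whoever controls a directory can rename what sits inside it. The script below audits that chain from ownership and mode bits; the profile name `example.default`, the sample preference and the function names are assumptions, and group membership, ACLs and the sticky bit are ignored.

```shell
#!/bin/sh
# Added example. Decides from ownership and mode bits alone whether the
# account with numeric uid $2 could change or replace a preference file.
# Assumptions: group membership, ACLs and the sticky bit are ignored, so a
# group- or other-writable bit counts as writable by that account.

# Print "<owner-uid> <mode-string>" for a path, taken from `ls -ldn`.
owner_and_mode() {
    ls -ldn -- "$1" | awk '{ print $3, $1 }'
}

# Return 0 if uid $2 controls path $1: it owns the path (and can chmod it)
# or the path is group- or other-writable.
user_controls() {
    info=$(owner_and_mode "$1")
    owner=${info%% *}
    mode=${info#* }
    [ "$owner" = "$2" ] && return 0
    case "$mode" in
        ?????w*|????????w*) return 0 ;;   # chars 6 and 9 of e.g. drwxrwxrwx
    esac
    return 1
}

# Walk from file $1 up to directory $3 (normally the user's home). Control of
# a directory allows renaming whatever sits in it, so every level matters.
# Prints one line per path uid $2 controls; returns 1 on any finding, else 0.
audit_pref_lock() {
    case $1 in /*) ;; *) return 2 ;; esac   # absolute paths only
    path=$1; findings=0
    while :; do
        if user_controls "$path" "$2"; then
            echo "uid $2 controls $path"
            findings=1
        fi
        if [ "$path" = "$3" ] || [ "$path" = / ]; then break; fi
        path=${path%/*}
        [ -n "$path" ] || path=/
    done
    return "$findings"
}

# Demo on a constructed profile tree (hypothetical profile name and pref).
demo() {
    home=$(mktemp -d)
    pref="$home/.mozilla/firefox/example.default/prefs.js"
    mkdir -p "${pref%/*}"
    echo 'user_pref("browser.startup.homepage", "http://intranet.example/");' > "$pref"
    chmod 444 "$pref"   # read-only, but still owned by the user
    audit_pref_lock "$pref" "$(id -u)" "$home"; status=$?
    rm -rf "$home"
    return "$status"
}
demo || echo "read-only prefs.js is not a lock against its owning account"
```

A clean result needs every level up to the stop directory to be owned by another account and not group- or other-writable, which a normal user-owned home directory never satisfies.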

  2. On Wed, 01 Jul 2009 17:03:08 +1200, Lawrence D'Oliveiro
    <_zealand> wrote:

    >One reason why some larger companies stick with Internet Explorer,
    >regardless of the better security, standards compliance and other features
    >of alternative browsers, is because they can exert fine control over it
    >using Windows Group Policy settings
    ><http://blogs.zdnet.com/igeneration/?p=1969>.
    >
    >Help me understand this. What exactly can you do via Group Policy that you
    >cannot do with appropriate setting of Unix protections and ownerships on
    >user preference files? For instance, all Firefox user state is in the user's
    >~/.mozilla/firefox directory. In particular, there is a prefs.js file
    >containing configuration settings: preload this and make it user-read-only
    >(and possibly even owned by root), and that stops the user changing any
    >settings. There is even a "chrome" subdirectory which contains CSS
    >definitions that let you tweak the user interface. You can hide user
    >interface elements, and again, prevent the user from overriding your
    >settings.
    >
    >So what's the big deal about Group Policy?


    Group policy can be applied to all machines in a domain in one go,
    rather than having to set up PCs individually. Personally, I found it
    to be a pernicious nuisance with one company I worked for, as I would
    occasionally run across a web site I needed to get to that would not
    work due to a group policy. So I avoided using IE and used SeaMonkey
    instead.
     
    Stephen Worthington, Jul 1, 2009
    #2

  3. Lawrence D'Oliveiro

    Nik Coughlin Guest

    "Lawrence D'Oliveiro" <_zealand> wrote in message
    news:h2eqmd$gpt$...
    > One reason why some larger companies stick with Internet Explorer,
    > regardless of the better security, standards compliance and other features
    > of alternative browsers, is because they can exert fine control over it
    > using Windows Group Policy settings
    > <http://blogs.zdnet.com/igeneration/?p=1969>.
    >
    > Help me understand this. What exactly can you do via Group Policy that you
    > cannot do with appropriate setting of Unix protections and ownerships on
    > user preference files?


    Use it with Windows
     
    Nik Coughlin, Jul 1, 2009
    #3
  4. Lawrence D'Oliveiro

    Alan Guest

    "Lawrence D'Oliveiro" <_zealand> wrote in
    message news:h2eqmd$gpt$...
    > One reason why some larger companies stick with Internet Explorer,
    > regardless of the better security, standards compliance and other features
    > of alternative browsers, is because they can exert fine control over it
    > using Windows Group Policy settings
    > <http://blogs.zdnet.com/igeneration/?p=1969>.
    >
    > Help me understand this. What exactly can you do via Group Policy that you
    > cannot do with appropriate setting of Unix protections and ownerships on
    > user preference files? For instance, all Firefox user state is in the user's
    > ~/.mozilla/firefox directory. In particular, there is a prefs.js file
    > containing configuration settings: preload this and make it user-read-only
    > (and possibly even owned by root), and that stops the user changing any
    > settings. There is even a "chrome" subdirectory which contains CSS
    > definitions that let you tweak the user interface. You can hide user
    > interface elements, and again, prevent the user from overriding your
    > settings.
    >
    > So what's the big deal about Group Policy?


    I've had to do it both ways and GP is much easier (and hence cheaper)
    to manage within a Windows domain as the GP settings can be
    implemented in one place by the admin, and the machines / users (as
    appropriate) pick up their settings as per configuration.

    You can have policies set also that apply or not depending on what
    groups a machine and user are in, so that, for example, you might have
    a policy across all machines, but a subset of users might have an
    override so that if one person uses the machine, they can't do
    something, but if a different person uses it, they can do the same
    thing.

    Also, very easy to maintain due to having the directory groups set up,
    and applying GPs to groups as required. Changes can be made anytime
    without having to directly access the machines too. I believe that
    default settings are for machines to update their settings every two
    hours with a plus or minus thirty minutes randomness (to avoid all
    machines trying at the same time). Both can be changed I think.

    You're probably correct that anything could be done other ways, but
    for most businesses who already have a Windows Server setup, GP is far
    less costly to use than file permissions and other settings.

    Vive la difference!

    Alan.

    --

    The views expressed are my own, not those of my employer or others.
    My unmunged email is: (valid for 30 days
    min probably much longer).
     
    Alan, Jul 1, 2009
    #4
  5. In message <>, Stephen Worthington
    wrote:

    > Group policy can be applied to all machines in a domain in one go,
    > rather than having to set up PCs individually.


    It's easy enough to manage file protections, user privileges, software
    configurations/updates etc in bulk across lots of Unix/Linux machines. Even
    the initial Linux install can be saved for mass use, e.g. KickStart,
    AutoYaST.
     
    Lawrence D'Oliveiro, Jul 1, 2009
    #5
  6. On Wed, 01 Jul 2009 23:20:03 +1200, Collector€NZ
    <> wrote:

    >Stephen Worthington wrote:
    >> On Wed, 01 Jul 2009 17:03:08 +1200, Lawrence D'Oliveiro
    >> <_zealand> wrote:
    >>
    >>> One reason why some larger companies stick with Internet Explorer,
    >>> regardless of the better security, standards compliance and other features
    >>> of alternative browsers, is because they can exert fine control over it
    >>> using Windows Group Policy settings
    >>> <http://blogs.zdnet.com/igeneration/?p=1969>.
    >>>
    >>> Help me understand this. What exactly can you do via Group Policy that you
    >>> cannot do with appropriate setting of Unix protections and ownerships on
    >>> user preference files? For instance, all Firefox user state is in the user's
    >>> ~/.mozilla/firefox directory. In particular, there is a prefs.js file
    >>> containing configuration settings: preload this and make it user-read-only
    >>> (and possibly even owned by root), and that stops the user changing any
    >>> settings. There is even a "chrome" subdirectory which contains CSS
    >>> definitions that let you tweak the user interface. You can hide user
    >>> interface elements, and again, prevent the user from overriding your
    >>> settings.
    >>>
    >>> So what's the big deal about Group Policy?

    >>
    >> Group policy can be applied to all machines in a domain in one go,
    >> rather than having to set up PCs individually. Personally, I found it
    >> to be a pernicious nuisance with one company I worked for, as I would
    >> occasionally run across a web site I needed to get to that would not
    >> work due to a group policy. So I avoided using IE and used SeaMonkey
    >> instead.

    >I am not sure where you are coming from.
    >In my wan/domain you cannot install seamonkey or any other browser, we
    >limit users to MS browser because we protect them at edge level and by
    >enterprise protection systems
    >Domain group policy is god in a domain.


    The company I was with did not lock down developers' machines that way
    - developers always need to install tools to do their jobs. So I have
    no idea why they locked down IE as they did - maybe it was unintended.
     
    Stephen Worthington, Jul 1, 2009
    #6
  7. Lawrence D'Oliveiro

    Alan Guest

    "Stephen Worthington" <34.nz56.remove_numbers> wrote
    in message news:...
    > On Wed, 01 Jul 2009 23:20:03 +1200, Collector?NZ
    > <> wrote:
    >
    >>Stephen Worthington wrote:
    >>> On Wed, 01 Jul 2009 17:03:08 +1200, Lawrence D'Oliveiro
    >>> <_zealand> wrote:
    >>>
    >>>> One reason why some larger companies stick with Internet Explorer,
    >>>> regardless of the better security, standards compliance and other features
    >>>> of alternative browsers, is because they can exert fine control over it
    >>>> using Windows Group Policy settings
    >>>> <http://blogs.zdnet.com/igeneration/?p=1969>.
    >>>>
    >>>> Help me understand this. What exactly can you do via Group Policy that you
    >>>> cannot do with appropriate setting of Unix protections and ownerships on
    >>>> user preference files? For instance, all Firefox user state is in the user's
    >>>> ~/.mozilla/firefox directory. In particular, there is a prefs.js file
    >>>> containing configuration settings: preload this and make it user-read-only
    >>>> (and possibly even owned by root), and that stops the user changing any
    >>>> settings. There is even a "chrome" subdirectory which contains CSS
    >>>> definitions that let you tweak the user interface. You can hide user
    >>>> interface elements, and again, prevent the user from overriding your
    >>>> settings.
    >>>>
    >>>> So what's the big deal about Group Policy?
    >>>
    >>> Group policy can be applied to all machines in a domain in one go,
    >>> rather than having to set up PCs individually. Personally, I found it
    >>> to be a pernicious nuisance with one company I worked for, as I would
    >>> occasionally run across a web site I needed to get to that would not
    >>> work due to a group policy. So I avoided using IE and used SeaMonkey
    >>> instead.
    >>
    >>I am not sure where you are coming from.
    >>In my wan/domain you cannot install seamonkey or any other browser, we
    >>limit users to MS browser because we protect them at edge level and by
    >>enterprise protection systems
    >>Domain group policy is god in a domain.
    >
    > The company I was with did not lock down developers' machines that way
    > - developers always need to install tools to do their jobs. So I have
    > no idea why they locked down IE as they did - maybe it was unintended.


    Sounds like poor administration / usage of the tools.

    If they wanted developers to have more freedom, they should have put
    them into a separate group, and granted you permissions to do whatever
    you needed to do (whether in IE or any other app).

    Normal, default setup should be for all users to be created using a
    LUA template, with no rights to change system settings (beyond the
    purely cosmetic) and definitely no rights to install or update
    software.

    Similarly, they should be set up with limited rights in IE and other
    apps so that they cannot get infected no matter where they go or what
    they do.

    All of that is very easy to do via GP etc, and if there are any apps
    that require some specific higher level of access (say, to a folder
    on the local machine), then grant that access specifically - it really
    isn't difficult.

    Alan.

    --

    The views expressed are my own, not those of my employer or others.
    My unmunged email is: (valid for 30 days
    min probably much longer).
     
    Alan, Jul 1, 2009
    #7
  8. Lawrence D'Oliveiro

    Alan Guest

    "Collector€NZ" <> wrote in message
    news:4a4b4b92$...
    > Nik Coughlin wrote:
    >> "Lawrence D'Oliveiro" <_zealand> wrote in
    >> message news:h2eqmd$gpt$...
    >>> One reason why some larger companies stick with Internet Explorer,
    >>> regardless of the better security, standards compliance and other features
    >>> of alternative browsers, is because they can exert fine control over it
    >>> using Windows Group Policy settings
    >>> <http://blogs.zdnet.com/igeneration/?p=1969>.
    >>>
    >>> Help me understand this. What exactly can you do via Group Policy that you
    >>> cannot do with appropriate setting of Unix protections and ownerships on
    >>> user preference files?
    >>
    >> Use it with Windows
    >
    > Despite it being a lost cause MS rules in Business because it works,
    > I would have Linus Server tomorrow if we were not an MS house, but
    > I would at this stage not have linux desktops, we cannot manage it
    > with the level of control we get with MS enterprise. ergo big PEBKAC


    LOL!

    Change user logon settings to only be able to logon between 0245 and
    0246.

    Bingo! No more PEBKAC!

    Alan.

    --

    The views expressed are my own, not those of my employer or others.
    My unmunged email is: (valid for 30 days
    min probably much longer).
     
    Alan, Jul 1, 2009
    #8
  9. Lawrence D'Oliveiro

    thingy Guest

    On Jul 1, 8:26 pm, Lawrence D'Oliveiro <l...@geek-central.gen.new_zealand> wrote:
    > In message <>, Stephen Worthington
    > wrote:
    >
    > > Group policy can be applied to all machines in a domain in one go,
    > > rather than having to set up PCs individually.
    >
    > It's easy enough to manage file protections, user privileges, software
    > configurations/updates etc in bulk across lots of Unix/Linux machines. Even
    > the initial Linux install can be saved for mass use, e.g. KickStart,
    > AutoYaST.


    So GP is windows way to achieve this....and AD and GPs is certainly a
    good and easy way to manage users.

    regards

    Thing
     
    thingy, Jul 1, 2009
    #9
  10. Lawrence D'Oliveiro

    thingy Guest

    On Jul 1, 11:25 pm, Collector€NZ <> wrote:
    > Nik Coughlin wrote:
    > > "Lawrence D'Oliveiro" <_zealand> wrote in
    > > message news:h2eqmd$gpt$...
    > >> One reason why some larger companies stick with Internet Explorer,
    > >> regardless of the better security, standards compliance and other features
    > >> of alternative browsers, is because they can exert fine control over it
    > >> using Windows Group Policy settings
    > >> <http://blogs.zdnet.com/igeneration/?p=1969>.
    > >>
    > >> Help me understand this. What exactly can you do via Group Policy that you
    > >> cannot do with appropriate setting of Unix protections and ownerships on
    > >> user preference files?
    > >
    > > Use it with Windows
    >
    > Despite it being a lost cause MS rules in Business because it works, I
    > would have Linus Server tomorrow if we were not an MS house, but I would
    > at this stage not have linux desktops, we cannot manage it with the
    > level of control we get with MS enterprise. ergo big PEBKAC


    There are equivs of AD, but the cost is way out of proportion to
    AD's...which is basically free, and has the granularity and ease of
    use that is impressive....yes it is a bit questionable on performance and
    connectability from non-MS, which is a huge pity...anyway try looking
    at say Sun's, Novell's, or Oracle's IdM/LDAP and not have your eyes
    water at the cost and effort needed.

    regards

    Thing
     
    thingy, Jul 1, 2009
    #10
  11. In message <4a4b4b92$>, Collector€NZ wrote:

    > ... Iwould at this stage not have linux desktops, we cannot manage it with
    > the level of control we get with MS enterprise.


    Your Linux desktops can give you finer granularity of control than any
    Windows setup can possibly manage. For instance, filesystem namespaces can
    be controlled on a per-process basis--different processes running on the
    same machine can be differently constrained in what objects they see
    <http://www.ibm.com/developerworks/linux/library/l-mount-namespaces.html>.
     
    Lawrence D'Oliveiro, Jul 1, 2009
    #11