Mark Russinovich from Sysinternals (the guy who broke the Sony rootkit story) has a great entry on how a restricted local user (as opposed to a local administrator) can break out of group policy restrictions. He noted that the restrictions are enforced by the application itself, in user mode, and since the user controls that process, the enforcement code can be tampered with.
To demonstrate this, he developed an app, gpdisable, which intercepts calls to the NtQueryValueKey API, used for registry lookups (the local Group Policy object is stored in the registry), and returns 'corrected' values.
Users don't have permission to modify keys under HKLM, including the SRP settings, but Gpdisable fools the SRP code by returning an error value, STATUS_OBJECT_NAME_NOT_FOUND, whenever it sees a value named "TransparentEnabled" passed to NtQueryValueKey:
I am currently investigating how to secure user profiles in a group policy situation; however, the environment is far less restrictive and this isn't a risk. I am learning that it is important to situate risks to your environment. Just because something is broken doesn't mean that it can't be useful.
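As an added example (not code from Russinovich's post or from gpdisable), here is the check a defender can run from the other side: read the first bytes of ntdll!NtQueryValueKey as they exist in the current process and report whether they still form an unmodified syscall stub or have been overwritten with a jump. The inline-hook prologue patterns and the assumption that an interceptor patches the stub in place are mine; the post does not say how gpdisable installs its hook.

```powershell
# Added example: probe ntdll!NtQueryValueKey in this process for an inline hook.
# Assumption: a user-mode interceptor overwrites the stub prologue with a jump.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class NtStubProbe {
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
    public static extern IntPtr GetModuleHandle(string lpModuleName);
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
}
"@

function Test-NtStubIntegrity {
    param([string]$FunctionName = "NtQueryValueKey")

    $ntdll = [NtStubProbe]::GetModuleHandle("ntdll.dll")
    $addr  = [NtStubProbe]::GetProcAddress($ntdll, $FunctionName)
    if ($addr -eq [IntPtr]::Zero) { throw "Could not resolve ntdll!$FunctionName" }

    # Copy the first 8 bytes of the function out of this process's own memory.
    $bytes = New-Object byte[] 8
    [System.Runtime.InteropServices.Marshal]::Copy($addr, $bytes, 0, $bytes.Length)
    $hex = ($bytes | ForEach-Object { $_.ToString("X2") }) -join " "

    # Unmodified stubs: x64 starts "mov r10,rcx; mov eax,<syscall#>" (4C 8B D1 B8),
    # x86 starts "mov eax,<syscall#>" (B8). An inline hook replaces that prologue
    # with a jump: E9 rel32, EB rel8, FF 25 [rip+x], or a push imm32 / ret pair.
    $looksPristine = ($bytes[0] -eq 0x4C -and $bytes[1] -eq 0x8B -and $bytes[2] -eq 0xD1 -and $bytes[3] -eq 0xB8) -or
                     ($bytes[0] -eq 0xB8 -and [IntPtr]::Size -eq 4)
    $looksHooked   = ($bytes[0] -eq 0xE9) -or ($bytes[0] -eq 0xEB) -or
                     ($bytes[0] -eq 0xFF -and $bytes[1] -eq 0x25) -or
                     ($bytes[0] -eq 0x68 -and $bytes[5] -eq 0xC3)

    [pscustomobject]@{
        Function = "ntdll!$FunctionName"
        Address  = ("0x{0:X}" -f $addr.ToInt64())
        Prologue = $hex
        Status   = if ($looksHooked) { "HOOKED" }
                   elseif ($looksPristine) { "Unmodified stub" }
                   else { "Unknown prologue (inspect manually)" }
    }
}

Test-NtStubIntegrity -FunctionName "NtQueryValueKey" | Format-List
```

The probe only sees the process it runs in, so it answers "is this process's view of the registry trustworthy?" rather than "is SRP intact machine-wide"; that is exactly the boundary the post is pointing at, since any check done in user mode is subject to the same tampering.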
I think this Software Restriction Policy manual would be great to mop up my cat's pee for example.