Monday, December 12, 2005

Yet Another Way to Subvert Windows Security

Once again Mark Russinovich of has dove deeply into Windows internals and found something disturbing. Certain Group Policy settings can be circumvented by Limited Users. Go read Mark's article, I'll wait. Back? I was designing AD forests on Windows 2000 back in my sys admin days, always thought Group Policies were one of those killer features for admins. Deploy settings to whole batches of machines, lock down users to what apps they could run, and how they could run them. Frankly, I am surprised that it has taken nearly 6 years since Active Directory and Group Policies were publicly released for the Software Restriction Policies (SRP) to get cracked. This always seemed like a juicy target. There probably isn't a lot of immediate exposure to corporate networks. As with most digital protection mechanisms, the bar doesn't have to be to high to stop the normal user. But there will be those intermediate to advanced users that have been restricted using application blacklists instead of whitelist that will want to subvert the SRP blacklist through a proxy application. If any media that normal users might read, PC Magazine comes to mind, start to pick up on this, it may be a big deal. Of course, this all depends on how many corporations are using SRP. When I was deploying AD back in the day, I only betaed SRP, never implemented, nobody wanted to do ongoing management of it, no one wanted to become the application police.