Wednesday, December 05, 2007

Disabling (bypassing) Group Policy

Group Policy settings - including Software Restriction Policies - can easily be disabled, even by a standard user. Terrible! Read the full story in Security UPDATE from WindowsITPro magazine this week. The article sums up the story so far and contains links to other relevant articles.

Some of those articles require an account to read, so if you want to get to the hard facts right away, see the GPCul8r tool. I extracted this from the readme.txt -

============
How it works
============

In order to do its thing, GPCul8r.dll needs to be loaded into the process space of whatever program needs to bypass group policy.  Once loaded, GPCul8r works by detouring calls to the ZwQueryValueKey function to see if the program is querying one of the keys related to a group policy setting we want to bypass.  If so, GPCul8r returns STATUS_OBJECT_NOT_FOUND, thereby tricking the caller into thinking the key doesn't exist.

GPCul8r being a quick & dirty little tool is not configurable.  The targeted key names are hard-coded in the source.  They are:

- TransparentEnabled (controls software restriction policy settings)
- ProxySettingsPerUser (controls access to the IE proxy settings dialog)
- DisableRegistryTools (duh)
- DisableTaskMgr (duh)

For more on the technique that GPCul8r uses, see Mark Russinovich's original article on the subject:
http://blogs.technet.com/markrussinovich/archive/2005/12/12/circumventing-group-policy-as-a-limited-user.aspx
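To make the readme concrete, here is a C model of the hook's decision logic. It is an added example, not GPCul8r's source: the real DLL is installed into the target process with Microsoft Detours (the usual DetourTransactionBegin / DetourUpdateThread / DetourAttach / DetourTransactionCommit sequence on ntdll's ZwQueryValueKey), while here the "original" function is a small in-memory table standing in for the registry, so the block builds and runs on any C toolchain. The key handles, the registry paths in the comments and the values stored in the table are assumptions made for the demo; the four value names are the ones from the readme, and the status returned is STATUS_OBJECT_NAME_NOT_FOUND (0xC0000034), which is the ntstatus.h name for what the readme calls STATUS_OBJECT_NOT_FOUND.

```c
/*
 * Model of the GPCul8r technique: a detoured ZwQueryValueKey that lies about
 * selected policy values.  Added example, not the tool's source.  The NT call
 * is replaced by an in-memory table so this builds anywhere; the decision
 * logic of the hook is the point.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

typedef int32_t NTSTATUS;
typedef void   *HANDLE;
#define STATUS_SUCCESS               ((NTSTATUS)0x00000000L)
#define STATUS_BUFFER_TOO_SMALL      ((NTSTATUS)0xC0000023L)
#define STATUS_OBJECT_NAME_NOT_FOUND ((NTSTATUS)0xC0000034L)  /* "no such value" */

/* Counted string like the real UNICODE_STRING: Length is in bytes and the
 * buffer need not be NUL-terminated, so a hook must never wcscmp() it. */
typedef struct {
    uint16_t       Length;
    uint16_t       MaximumLength;
    const wchar_t *Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

static UNICODE_STRING us(const wchar_t *s)
{
    UNICODE_STRING u;
    u.Length = u.MaximumLength = (uint16_t)(wcslen(s) * sizeof(wchar_t));
    u.Buffer = s;
    return u;
}

/* Registry value names are case-insensitive; compare counted vs. NUL-terminated. */
static int name_equals(const UNICODE_STRING *u, const wchar_t *target)
{
    size_t n = u->Length / sizeof(wchar_t);
    if (n != wcslen(target)) return 0;
    for (size_t i = 0; i < n; i++)
        if (towlower(u->Buffer[i]) != towlower(target[i])) return 0;
    return 1;
}

/* Stand-in for the registry (constructed data): key handle, value name, REG_DWORD. */
typedef struct { HANDLE key; const wchar_t *name; uint32_t data; } RegValue;
#define HKLM_CODEIDENTIFIERS ((HANDLE)1)  /* assumed: HKLM\...\Policies\...\Safer\CodeIdentifiers */
#define HKCU_POLICIES_SYSTEM ((HANDLE)2)  /* assumed: HKCU\...\CurrentVersion\Policies\System */
static const RegValue g_registry[] = {
    { HKLM_CODEIDENTIFIERS, L"TransparentEnabled", 1 },  /* SRP switched on  */
    { HKLM_CODEIDENTIFIERS, L"DefaultLevel",       0 },  /* default rule: Disallowed */
    { HKCU_POLICIES_SYSTEM, L"DisableTaskMgr",     1 },
};

typedef NTSTATUS (*ZwQueryValueKey_t)(HANDLE, PUNICODE_STRING, int, void *, uint32_t, uint32_t *);

/* Plays the part of ntdll!ZwQueryValueKey: serves REG_DWORD data from the table. */
static NTSTATUS Sim_ZwQueryValueKey(HANDLE KeyHandle, PUNICODE_STRING ValueName, int InfoClass,
                                    void *Info, uint32_t Length, uint32_t *ResultLength)
{
    (void)InfoClass;  /* the model ignores the KEY_VALUE_INFORMATION layout */
    for (size_t i = 0; i < sizeof g_registry / sizeof g_registry[0]; i++) {
        if (g_registry[i].key != KeyHandle || !name_equals(ValueName, g_registry[i].name)) continue;
        if (ResultLength) *ResultLength = sizeof(uint32_t);
        if (Length < sizeof(uint32_t)) return STATUS_BUFFER_TOO_SMALL;
        *(uint32_t *)Info = g_registry[i].data;
        return STATUS_SUCCESS;
    }
    return STATUS_OBJECT_NAME_NOT_FOUND;
}

/* In the real DLL this holds ntdll!ZwQueryValueKey and DetourAttach() swaps
 * it for the trampoline; every call the hook passes through goes via it. */
static ZwQueryValueKey_t Real_ZwQueryValueKey = Sim_ZwQueryValueKey;

/* The hard-coded targets from the readme. */
static const wchar_t *const g_targets[] = {
    L"TransparentEnabled", L"ProxySettingsPerUser", L"DisableRegistryTools", L"DisableTaskMgr",
};

/* The detour: answer "not found" for a target name, otherwise call the original. */
static NTSTATUS Hook_ZwQueryValueKey(HANDLE KeyHandle, PUNICODE_STRING ValueName, int InfoClass,
                                     void *Info, uint32_t Length, uint32_t *ResultLength)
{
    for (size_t i = 0; i < sizeof g_targets / sizeof g_targets[0]; i++)
        if (name_equals(ValueName, g_targets[i]))
            return STATUS_OBJECT_NAME_NOT_FOUND;
    return Real_ZwQueryValueKey(KeyHandle, ValueName, InfoClass, Info, Length, ResultLength);
}

/* Read one REG_DWORD through the hooked (1) or the unhooked (0) path. */
static NTSTATUS query_dword(int hooked, HANDLE key, const wchar_t *name, uint32_t *out)
{
    UNICODE_STRING n = us(name);
    uint32_t len = 0;
    ZwQueryValueKey_t f = hooked ? Hook_ZwQueryValueKey : Real_ZwQueryValueKey;
    return f(key, &n, 0, out, sizeof *out, &len);
}

/* What a user-mode policy consumer does: a missing value means "not configured". */
static int srp_enforced(int hooked)
{
    uint32_t v = 0;
    return query_dword(hooked, HKLM_CODEIDENTIFIERS, L"TransparentEnabled", &v) == STATUS_SUCCESS && v != 0;
}

int main(void)
{
    printf("SRP enforced, clean process : %d\n", srp_enforced(0));
    printf("SRP enforced, GPCul8r loaded: %d\n", srp_enforced(1));
    return 0;
}
```

Two details matter in practice. The value name arrives as a counted UNICODE_STRING, so a hook that wcscmp()s the buffer reads past the end of the name; and because the filter looks only at the value name, never at the key it is queried under, it also hides any unrelated value that happens to share one of those four names. The model also shows the other half of the story: the consumer in srp_enforced() treats "value not found" as "policy not configured", which is exactly why a lie told inside the process's own address space is enough.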

The consequence: everything below User Configuration\Administrative Templates - i.e. every policy that user-level code (as opposed to kernel-level or system-level code) reads out of the registry itself - can be bypassed, because the process that reads the policy is the same process the user controls. If you want to counter this, read Mark's comment -

The bottom line is that full control of an end-user environment is possible only with strict lock-down of the programs users run, something that you can accomplish by using SRP in white-list mode, for example. It's also important to note that the ability of limited users to override these settings is not due to a bug in Windows, but rather enabled by design decisions made by the Microsoft Group Policy team.

I do not know whether Vista improves this, but I certainly hope so!

1 comment:

Anonymous said...

I tested it and I can say that the tool can successfully run restricted applications. Instead I had no luck in disabling GPOs: even if the dll appears to be correctly loaded into the process space the tool can't disable proxy restrictions.