[9666] in bugtraq
Re: Inherent weaknesses in NT system policies
daemon@ATHENA.MIT.EDU (Kurt Seifried)
Fri Feb 19 16:53:37 1999
Date: Fri, 19 Feb 1999 11:25:14 -0700
Reply-To: Kurt Seifried <listuser@SEIFRIED.ORG>
From: Kurt Seifried <listuser@SEIFRIED.ORG>
X-To: mnemonix <mnemonix@GLOBALNET.CO.UK>
To: BUGTRAQ@NETSPACE.ORG
>There are certain key vulnerabilities in NT's System Policies that allow
>most restrictions to be by-passed. For instance, although Registry Editing
>tools can be disabled this restriction can be avoided with ease, but more on
>that later.
>
>Consider a restrictive user System Policy where the user's shell is
>Explorer.exe and it only allows the Microsoft Word application (winword.exe)
>to be run. It is launched from an icon on the desktop. This is the only icon
>present. So the user can perform their work, write documents and save them,
>they are given write NTFS permissions only to their profile directory. The
>Registry editing tools have been disabled.
>
>This policy can be broken in a matter of minutes:

As any good little MCSE learns:
Give the full pathname to the programs you want to allow them to run. This
makes it a lot safer. There are ways around even this of course. NT is not
secure against a determined user, just boot from a floppy and replace the
registry if you really want to. I haven't looked in depth yet but MSIE 5.0
comes with its own policy restrictions/etc (quite a few actually), I'm not
100% sure how they interact with NT's user policies/etc, but once I get a
chance to play with it some more I'll post that up.
-seifried, MCSE
https://www.seifried.org/