[9699] in bugtraq
Re: [NTSEC] Inherent weaknesses in NT System Policies
daemon@ATHENA.MIT.EDU (Collin Chaffin)
Sun Feb 21 19:12:14 1999
Date: Fri, 19 Feb 1999 20:48:55 -0600
Reply-To: Collin Chaffin <cmchaff@EXECPC.COM>
From: Collin Chaffin <cmchaff@EXECPC.COM>
X-To: mnemonix <mnemonix@globalnet.co.uk>,
ntbugtraq@listserv.ntbugtraq.com
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <001001be4fc6$eca99c10$216610ac@mercury>
David Litchfield Wrote:
>This policy can be broken in a matter of minutes:
>On running MS Word a user clicks on File on the Menu Bar, and goes down
>to Open. They are shown a list of directories and files. The user could
>try to right click on a folder and go down to Explore but the right-
>click menu has been disabled; So instead they drag a folder to the Start
>Button on the Taskbar and release. .....
---------
This can be avoided by selecting a custom Start Menu location on the
network where users do not have write access. This also aids in overall
remote desktop management.
---------
>This will place a shortcut to that folder on the Start Menu. This
>shortcut will be stored in their profile directory. On clicking on it,
>Explorer is opened up, which they would not normally have direct (ie
>non-shell) access to. The default WINNT directory has been hidden from
>view by the system policy - however, by clicking on Tools on the Explorer Menu Bar
---------
The "Tools" and "View" menus can be restricted via policies as well. End of
that particular scenario.
---------
>Even if .reg has been dis-associated from Regedit.exe, by default a normal
>user has the relevant permissions to re-associate it. This is done from
>the Folder Options option found under View on the Explorer Menu Bar.
---------
The "View" menu can be restricted via policies as well.
---------
>To stop this from happening the Administrator should only give Admins
>access to regedit.exe and regedt32.exe using NTFS file permissions and
>deny access to everyone else.
---------
I agree.
---------
>As can be seen, even a restrictive but at least useable System Policy
>can thus be broken. It is not simply enough to create a policy. A lot
>more work needs to go into this if Admins wish to limit and restrict what
>their users can and cannot do.
---------
I disagree; a well-designed policy can very effectively restrict typical
end-users. It will be very difficult to successfully manage Windows 2000
without intimate knowledge of system policies.
---------
Collin Chaffin
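The following script is an added example and is not code from either poster. It audits, and with -Fix closes, the escape routes described in the thread the way the reply suggests: the Explorer/System policy values that remove the right-click menu, Start Menu drag-and-drop and Folder Options, a custom Start Menu on a share the user cannot write to, and NTFS permissions on regedit.exe and regedt32.exe that leave only Administrators and SYSTEM with access. The UNC path is an assumption; point it at a read-only location of your own. The policy value names are the standard Explorer/System policy names; matching each one to a step of the bypass is this example's own reading of the thread, and the DisableRegistryTools value is an extra belt-and-braces control the posts do not mention. Run it in an elevated session.

```powershell
# Added example (not from the original thread): audit and optionally close the
# Explorer policy escape routes discussed above for the current user.
param(
    [switch]$Fix,
    [string]$ReadOnlyStartMenu = '\\fileserver\startmenu$'   # assumed UNC path; users must have read-only access
)

$ExplorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$SystemPolicy   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$ShellFolders   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$RegistryTools  = @("$env:SystemRoot\regedit.exe", "$env:SystemRoot\System32\regedt32.exe")
$NonAdminGroups = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Each REG_DWORD = 1 closes one step of the bypass. Value names are the standard policy
# names; the mapping to each step is this example's own reading of the thread.
$RequiredPolicies = @(
    @{ Key = $ExplorerPolicy; Name = 'NoViewContextMenu';    Closes = 'right-click > Explore on a folder' }
    @{ Key = $ExplorerPolicy; Name = 'NoChangeStartMenu';    Closes = 'dragging a folder onto the Start button' }
    @{ Key = $ExplorerPolicy; Name = 'NoFolderOptions';      Closes = 'View > Folder Options (re-associating .reg)' }
    @{ Key = $SystemPolicy;   Name = 'DisableRegistryTools'; Closes = 'running regedit/regedt32 (backs up the NTFS restriction)' }
)

function Get-PolicyGaps {
    # Returns the policy entries that are missing or not set to 1.
    foreach ($p in $RequiredPolicies) {
        $current = (Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        if ($current -ne 1) { $p }
    }
}

function Test-StartMenuWritable {
    # True if the user can drop a shortcut into their Start Menu folder, i.e. the drag-to-Start trick still works.
    $raw = (Get-ItemProperty -Path $ShellFolders -Name 'Start Menu' -ErrorAction SilentlyContinue).'Start Menu'
    if (-not $raw) { $raw = [Environment]::GetFolderPath('StartMenu') }
    $path  = [Environment]::ExpandEnvironmentVariables($raw)
    $probe = Join-Path $path ([IO.Path]::GetRandomFileName())
    try { New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null; Remove-Item $probe -Force; $true }
    catch { $false }
}

function Get-RegistryToolExposure {
    # Returns, per registry editor, the non-admin principals that still hold an Allow ACE on it.
    foreach ($exe in $RegistryTools) {
        if (-not (Test-Path $exe)) { continue }
        $allowed = (Get-Acl $exe).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $NonAdminGroups -contains $_.IdentityReference.Value } |
            ForEach-Object { $_.IdentityReference.Value }
        if ($allowed) { [pscustomobject]@{ Path = $exe; ExposedTo = ($allowed | Sort-Object -Unique) } }
    }
}

function Invoke-Lockdown {
    foreach ($p in $RequiredPolicies) {
        if (-not (Test-Path $p.Key)) { New-Item -Path $p.Key -Force | Out-Null }
        Set-ItemProperty -Path $p.Key -Name $p.Name -Value 1 -Type DWord
    }
    # Custom Start Menu on a share the user cannot write to: the dropped shortcut has nowhere to land.
    Set-ItemProperty -Path $ShellFolders -Name 'Start Menu' -Value $ReadOnlyStartMenu -Type ExpandString
    foreach ($exe in $RegistryTools) {
        if (-not (Test-Path $exe)) { continue }
        $acl = Get-Acl $exe
        $acl.SetAccessRuleProtection($true, $false)            # stop inheriting and drop inherited ACEs
        foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }
        foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
            $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
        }
        Set-Acl -Path $exe -AclObject $acl
    }
}

if ($Fix) { Invoke-Lockdown }
Get-PolicyGaps            | ForEach-Object { "OPEN: $($_.Name) not set; route: $($_.Closes)" }
if (Test-StartMenuWritable) { 'OPEN: Start Menu folder is writable by this user' }
Get-RegistryToolExposure  | ForEach-Object { "OPEN: $($_.Path) still allowed to $($_.ExposedTo -join ', ')" }
```

Two caveats. The script writes the values under HKCU directly; in an NT4 domain the same values would be pushed from NTconfig.pol by the System Policy Editor, and the point of the audit is to confirm that the user's hive actually ended up with them. On current Windows the registry editors are owned by TrustedInstaller, so Set-Acl will fail until an administrator takes ownership first; the thread's NTFS-permissions advice was written for NT 4.0, where the files were ordinarily owned by Administrators.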