Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [NTSEC] Inherent weaknesses in NT System Policies

From: cmchaff () EXECPC COM (Collin Chaffin)
Date: Fri, 19 Feb 1999 20:48:55 -0600

David Litchfield Wrote:


This policy can be broken in a matter of minutes:
On running MS Word a user clicks on File on the Menu Bar, and goes down
to Open. They are shown a list of directories and files. The user could
try to right click on a folder and go down to Explore but the right-
click menu has been disabled; So instead they drag a folder to the Start
Button on the Taskbar and release. .....


---------
This can be avoided by selecting a custom start menu location from the
network where they do not have write access.  This also aids in overall
remote desktop management.
---------


This will place a shortcut to that folder on the Start Menu. This
shortcut will be stored in their profile directory. On clicking on it,
Explorer is opened up, which not normally have direct (ie non-shell)
access to. The default WINNT directory has been hidden from view by the
system policy - however, by clicking on Tools on the Explorer Menu Bar


---------
The "tools" and "view" can be restricted via policies as well.  End of that
particular scenario.
---------


Even if .reg has be dis-associated from Regedit.exe, by default a normal
user has the relevant permissions to re-associate it. This is done from
the Folder Options option found under View on the Explorer Menu Bar.


---------
The "view" can be restricted via policies as well.
---------


To stop this from happening the Administrator should only give Admins
access to regedit.exe and regedt32.exe using NTFS file permissions and
deny access to everyone else.


---------
I agree.
---------


As can be seen, even a restrictive but at least useable System Policy
can thus be broken. It is not simply enough to create a policy. A lot
more work needs to go into this if Admins wish to limit and restrict what
their users can and cannot do.


---------
I disagree, a well designed policy can very effectively restrict typical
end-users.  It will be very difficult to successfully manage Windows2000
without intimate knowledge of system policies.
---------


Collin Chaffin
Previous By Date Next
Previous By Thread Next

Current thread: