Re: Inherent weaknesses in NT system policies

[hargett () WINTERMUTE CITYSCAPE NET (Matt Hargett)]

On Wed, 3 Feb 1999, mnemonix wrote:

> There are certain key vulnerabilities in NT's System Policies that allow
> most restrictions to be by-passed. For instance, although Registry Editing
> tools can be disabled this restriction can be avoided with ease, but more on
> that later.
>
> This policy can be broken in a matter of minutes:
[snip]


I concur that policies are not the only thing an admin must set up if he
wants to secure his workstation. I have some recent experience myself
doing this from when I went to help my college on a similar project in
November. Firstly, if you are going to be setting up workstations to be
this restrictive...

a) the user should have a read-only profile (there's a term for this, I
can't remember what NT calls it). This prevents them being able to put
anything in the Start Menu.

b) registry ACLs should be altered so as not to include anything beyond
Query/Enumerate/Read for the World SID. This breaks some applications, and
it takes some tuning once you have the registry locked down to get
everything completely functional. Corel Wordperfect and Netscape were a
real pain in this respect, and have rather insecure dependencies on some
regkeys being Full Control for the World SID.

c) in the %systemroot% directory, we removed execute permissions for
World, and added them back to the bare minimum utilities (which didn not
include cmd.exe =]). We also looked for miscellaneous executables in the
application installs that were not part of the main application that would
not get run during normal use.

d) in the TEMP dir (whatever that is defined to be on your system), set
the directory permissions to be Create for World, and Read/Write/Delete
for Owner (and Full Control for System and Administrator, of course). This
hypothetically prevents people from creating file with executable
permissions. However, Owners of objects intrinsically have Change
Permissions access. I think there is a way to disable this, but I don't
remember how we did it.

So, if the admin setting up the workstation (I would assume for public use
by the needs inferred), policies alone will not do. And even with file and
registry permissions, someone clever could still get around it; it's just
a little more difficult.


-----------------------------------------
Matt Hargett
http://www.cityscape.net/~hargett
matt () use net

if you see me walkin in the garden,
don't ever ask me for an autograph
and if you ever catch me in the arcade,
don't even stop me for a photograph