
| Subject: | Re: [Full-disclosure] bypassing Windows Domain Group Policy Objects |
|---|---|
| Date: | Sat, 29 Apr 2006 01:54:26 +0100 |
On Thu, 2006-04-27 at 10:37 -0400, Michael Holstein wrote:
> Other possible solution, cripple gpupdate.exe (XP) or secedit.exe (2K) through permissions (eg: remove 'localsystem:execute'). Deleting them will just trigger WFP to replace.

gpupdate and secedit are both just applications that interface with the Group Policy engine to make changes to the way in which they operate; the GPE is part of Winlogon, and uses a number of client side extensions to make changes in the file system, registry, etc. I very much doubt if denying access to them would prevent group policy from working.

You could attempt to do something with some of the Client Side Extensions, such as scecli.dll, which is the dll which handles security settings, but I can't find anyone having done anything similar online; my guess is that the Group Policy Architecture was designed specifically to prevent this sort of thing from being easily doable. It might be worthwhile seeing if anyone who spends a lot of time thinking about lots of this sort of thing within the context of Windows (such as some of the guys from rootkit.com) has any ideas if you're particularly interested.

To be honest, if you really wanted to kill group policy, the easiest thing to do would probably be to just firewall the host in question in order to prevent any GPOs from being downloaded from the Domain Controller in the first place. I may be wrong however - anyone who knows otherwise, please feel free to enlighten me!

"How Core Group Policy Works" http://technet2.microsoft.com/WindowsServer/en/Library/eb0042e3-699b-4c49-abcc-e3526dbecc0e1033.mspx has quite a good overview of how Group Policy functions.

- James.

--
James (njan) Eaton-Lee | 10807960 | http://www.jeremiad.org
Semper Monemus Sed Non Audiunt, Ergo Lartus - (Jean-Croix)
sites: https://www.bsrf.org.uk ~ http://www.security-forums.com
ca: https://www.cacert.org/index.php?id=3
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
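A defender-side check that follows from the architecture James describes above (the Group Policy engine inside Winlogon driving a set of client-side extension DLLs such as scecli.dll, and policy only ever arriving if the host can reach a domain controller). This is an added PowerShell example, not code from the original thread or from Microsoft: it inventories the CSE registrations under the Winlogon GPExtensions key, flags any DLL that is missing, unsigned or outside the Windows directory, and then reports recent Group Policy success and connectivity-failure events so that a host that has been cut off from its DC stands out. The GPExtensions key and the DllName value are the documented registration point; the Group Policy operational log and the event IDs used are assumptions that apply to Windows Vista and later and should be verified against the Windows version in use.

```powershell
# Added example (not from the original thread): audit Group Policy client-side
# extensions and recent policy-processing events on the local host.

# Documented registration point for Group Policy client-side extensions (CSEs).
$gpExtKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'

function Get-GpoClientSideExtension {
    Get-ChildItem -Path $gpExtKey | ForEach-Object {
        $props   = Get-ItemProperty -Path $_.PSPath
        $dllName = [string]$props.DllName

        # DllName is usually unexpanded (e.g. %SystemRoot%\System32\scecli.dll)
        # and is sometimes a bare file name that Winlogon resolves from System32.
        $resolved = [Environment]::ExpandEnvironmentVariables($dllName)
        if ($resolved -and -not [IO.Path]::IsPathRooted($resolved)) {
            $resolved = Join-Path $env:SystemRoot "System32\$resolved"
        }

        $exists = [bool]($resolved -and (Test-Path -LiteralPath $resolved))
        $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $resolved } else { $null }

        [pscustomobject]@{
            Guid         = $_.PSChildName
            Name         = $props.'(default)'
            DllName      = $dllName
            ResolvedPath = $resolved
            Exists       = $exists
            Signature    = if ($sig) { $sig.Status.ToString() } else { 'Missing' }
            Signer       = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

# A CSE is worth a second look if its DLL is gone, fails signature validation,
# or has been redirected outside the Windows directory.
function Get-SuspiciousCse {
    param([object[]]$Cses)
    $Cses | Where-Object {
        -not $_.Exists -or
        $_.Signature -ne 'Valid' -or
        $_.ResolvedPath -notlike "$env:SystemRoot\*"
    }
}

# Recent Group Policy processing events. Assumed IDs (Vista+ operational log):
#   1500/1502 = computer policy processed successfully
#   1129      = processing failed: no connectivity to a domain controller
#   1055/1058 = DC name resolution failed / could not read gpt.ini
function Get-RecentGpoEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
        Id        = 1500, 1502, 1129, 1055, 1058
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

$cses = Get-GpoClientSideExtension
$cses | Format-Table Guid, Name, DllName, Exists, Signature -AutoSize

$suspicious = Get-SuspiciousCse -Cses $cses
if ($suspicious) {
    Write-Warning 'Group Policy CSE registrations needing review:'
    $suspicious | Format-List
}

$events = Get-RecentGpoEvents -Hours 24
if (-not $events) {
    Write-Warning 'No Group Policy processing events in the last 24 hours; the GP client may not be running or refreshing.'
} elseif ($events | Where-Object { $_.Id -in 1129, 1055, 1058 }) {
    Write-Warning 'Group Policy reported connectivity or GPO read failures; check host firewall and DC reachability.'
}
$events | Format-Table TimeCreated, Id, LevelDisplayName -AutoSize
```

Run it from an elevated prompt, since reading the operational log and signature-checking files in System32 both need administrative rights. The signature check is what makes the CSE inventory useful against the tampering James speculates about: Windows File Protection will restore a deleted or overwritten stock DLL, but a registration pointing at a different, unsigned file elsewhere on disk is exactly what this script surfaces. The event query covers the simpler "firewall the host" case, where the CSEs are intact but the client never receives a GPO to apply; a machine that logs only 1129-style failures, or nothing at all, for a sustained period should be treated as no longer under policy.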