MCSA/MCSE Self-Paced Training Kit (Exam 70-214): Implementing and Administering Security in a Microsoft Windows 2000 Network (Pro-Certification)

Lesson 5: Security Limitations

As with any network service, hackers and malicious users can interfere with the application of Group Policy. Also, once Group Policy is applied, it can be circumvented by numerous means, because the bulk of its restrictions (the registry-based Administrative Templates settings) are designed to remove features from the user interface, not to secure the underlying operating system resources.


After you complete this lesson, you will be able to

Estimated lesson time: 10 minutes


Understanding the Role of Group Policy in Network Security

Controlling network configuration is critical to security. When users can change their own network settings, they can keep new Group Policy settings from ever reaching the computer.

Users can circumvent the application of new Group Policy settings by preventing the client from contacting a domain controller. This can be as simple as unplugging the network cable and then logging on with cached credentials. When the computer is reconnected, it has access to the network, but the new Group Policy settings are not in place; whatever was applied during the last successful policy download remains in effect.

The new settings will be applied at the next periodic background refresh, which by default runs every 90 minutes plus a random offset of up to 30 minutes, unless an administrator forces one (on Windows 2000 with secedit /refreshpolicy). Other methods of preventing Group Policy from being applied include changing or interfering with the DNS service the client uses to locate domain controllers, which hold the GPOs in Active Directory and in the SYSVOL share, or interfering with the domain controllers themselves.

If users are allowed to set up their own new computers out of the box, they can prevent Group Policy from ever being applied simply by pointing the computer's DNS settings at a public DNS server rather than at the domain's DNS servers. As long as a domain controller is on the same broadcast domain (the local Ethernet segment), NetBIOS broadcast name resolution still lets them join the domain and log on, but the Group Policy client cannot resolve the domain's SRV records to find a domain controller from which to download GPOs. No policy is applied, and because the computer is new, there are no previously applied settings cached on it either. Do not allow users to set up their own new computers without verifying their DNS settings; ipconfig /all shows which DNS servers the client is actually using.
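The checks an administrator would run on a client to confirm that it really reaches the domain's DNS and a domain controller, and to force a policy refresh rather than wait for the next interval, as an added example that is not part of the training kit. It assumes a Windows 2000 client run from an administrator's command prompt, and corp.example.com is a placeholder domain name to be replaced.

```batch
@echo off
rem check-gp.cmd - verify that this Windows 2000 client can locate a domain
rem controller through DNS before trusting that Group Policy has been applied.
rem The domain name below is an assumption; replace it with your own domain.
set DOMAIN=corp.example.com

echo === DNS servers this client is actually using ===
ipconfig /all | findstr /i /c:"DNS Servers"

echo === Can that DNS server return the domain controller locator records? ===
rem A client pointed at a public DNS server gets no answer here, which is the
rem symptom described in the lesson: logon works, policy never downloads.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN%

echo === Which domain controller authenticated this session? ===
echo %LOGONSERVER%

echo === Force a refresh now instead of waiting for the next interval ===
rem Windows 2000 uses secedit for this; gpupdate does not exist until Windows XP.
secedit /refreshpolicy machine_policy /enforce
secedit /refreshpolicy user_policy /enforce
```

If the nslookup query returns nothing while %LOGONSERVER% is set, the client found a domain controller by NetBIOS broadcast but cannot find one through DNS, which is exactly the misconfiguration this paragraph warns about. Correct the DNS settings before the secedit refresh is expected to do anything.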

Another way a user can prevent the application of Group Policy is to browse to a domain controller's SYSVOL share and open the various Group Policy files in a sharing mode that denies other readers (Read-Exclusive mode). The attacker then logs on at another workstation, and the held-open files keep those Group Policy settings from being applied to that logon. This is an esoteric attack that works because of the sharing mode itself: it exists so that a document already in use cannot be opened, and accidentally corrupted, by another user on the network. But a client must be able to read a GPO in order to download it, so when the files cannot be read the system behaves as if the user lacks Read access to the GPO and filters it out, exactly as it would for a user the GPO is not meant to apply to. Files held open on the domain controller in this way are listed under Shared Folders, Open Files, in Computer Management, which is the first place to look when policy silently stops applying to some logons.

When you work with Group Policy, it is crucial to remember that Group Policy restrictions are merely surface user interface restrictions that do not remove functionality from the computer or even from the user. For example, while it is possible to remove drive icons from the My Computer window, the drives can still be reached through the Search function, from older applications, and from the command prompt. Drives are also available to scripts and to applications written by independent software vendors. For this reason, be certain to test your Group Policy restrictions against every method of access, and rely on NTFS permissions for anything that must actually be protected.

Practice: Circumventing the Security Limitations of Group Policy

In this practice, you go through a small number of steps that allow you to circumvent restrictions put in place by Group Policy, even on a highly restricted machine. This demonstrates that while Group Policy can obscure operating system functionality from users, it is not a true security mechanism in its own right and should not be relied on as the sole means of establishing security on a client computer. File system permissions remain the most important security tool an administrator can use to prevent the exploitation of a client computer.

No matter how well you secure a client computer with Group Policy, if the computer remains useful, it will be subject to user circumvention. For example, even if you've disabled access to local drives, disabled access to desktop icons, and disabled the command prompt, a user can use the following attack to get around all of these restrictions.

This attack works because the command prompt restriction is enforced by Cmd.exe itself, not by the operating system: when the policy is set, Cmd.exe reads the policy value from the registry at startup and refuses to run. Command.com, the 16-bit MS-DOS command interpreter that is also installed by default on Windows 2000, never checks that value, so a user can create a batch file that calls this alternate interpreter and gain a working command prompt. (The same policy offers an option to disable batch file processing as well; when that option is selected Cmd.exe refuses the batch file too, but Command.com can still be started by any other means of launching a program.) From the command line, nearly any function the user's NTFS permissions allow can be performed to further circumvent Group Policy restrictions. For example, a user could use the ftp program to download an alternative program for editing the registry.

Even when this particular flaw is patched, similar flaws will always exist, because Group Policy does not truly secure client computers; it only obscures access to functionality through a myriad of configurable settings. It is crucial that security administrators understand the real limitations of Group Policy so that they can plan for events in which Group Policy cannot effectively control user behavior. By circumventing Group Policy, a user can gain wide control of any client computer and read or create files anywhere on the network that NTFS and share permissions allow.

To circumvent Group Policy

  1. Open Notepad. If Notepad is not available, open Word or any other word processing or text editing program.

  2. In a new document, type command (the name of the Command.com interpreter; the .com extension is not required).

  3. From the File menu, choose Save As.

  4. If a restricted feature dialog box opens, click OK to dismiss it. It will not interfere with saving the document.

  5. Select a location where you have Write access, such as a shared folder or your home directory.

  6. In the Show Files Of Type list, select All Files.

  7. In the Document Name box, type hack.bat, and click Save.

  8. From the File menu, choose Open.

  9. In the Files Of Type list, select All Files.

  10. Right-click the Hack.bat file.

    Notice that nothing happens.

  11. In the Open File dialog box, click View As, and click Thumbnails.

  12. Right-click the thumbnail view of Hack.bat.

    Notice that this time, a shortcut menu appears.

  13. Click Open.

    Windows launches the file, executing the command within the batch file, which launches Command.com. A command prompt appears.

    You can use this command prompt to launch programs, copy files, map network drives, and perform other functions; the only limits that remain are the NTFS and share permissions that apply to your account, not the Group Policy restrictions. For example, typing subst s: c:\ creates an S: drive that aliases the C: drive and appears in Windows Explorer even though the C: drive itself has been hidden by policy.
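The bypass above succeeds because the policy is checked only by Cmd.exe. As an added example that is not part of the training kit, the following batch script shows the control the lesson actually recommends instead: NTFS permissions on both interpreters. It assumes a Windows 2000 client with an NTFS system volume, the default system paths, and that it is run from an administrator's command prompt.

```batch
@echo off
rem harden-cmd.cmd - the "Disable the command prompt" policy is honoured by
rem Cmd.exe alone; Command.com never checks it. Removing ordinary users'
rem NTFS access to both interpreters is enforced by the file system, which
rem is the control the lesson says to rely on. Paths assume a default install.

echo === Current permissions (on a default install Users has Read and Execute) ===
cacls %SystemRoot%\system32\command.com
cacls %SystemRoot%\system32\cmd.exe

rem /E edits the existing ACL instead of replacing it; /R revokes the named
rem group's entry. Administrators and SYSTEM keep their own entries.
cacls %SystemRoot%\system32\command.com /E /R Users
cacls %SystemRoot%\system32\cmd.exe /E /R Users

echo === Verify: no Users entry should remain on either file ===
cacls %SystemRoot%\system32\command.com
cacls %SystemRoot%\system32\cmd.exe
```

Test this on a pilot group first: any logon script or batch file that runs in the user's context now fails as well, so a group that still needs batch files must keep Read and Execute on cmd.exe and lose only command.com. It also raises the bar rather than closing the hole, since a user with a writable folder can still bring in another interpreter (for example with the ftp program mentioned earlier); Windows 2000 has no policy that blocks execution from writable locations, so that remains a file permission and monitoring problem.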

Lesson Review

The following questions are intended to reinforce key information in this lesson. If you are unable to answer a question, review the lesson and try the question again. Answers to the questions can be found in the appendix.

  1. What are some of the ways that users could interfere with the application of Group Policy on their computers?

  2. If you disable access to the C drive in a Group Policy, what methods might a user use to regain access to it?

  3. If you limit a client computer to running just a single program, how might a hacker run the program of their choice?

Lesson Summary
