On Wed, 3 Feb 1999, mnemonix wrote: > There are certain key vulnerabilities in NT's System Policies that allow > most restrictions to be by-passed. For instance, although Registry Editing > tools can be disabled this restriction can be avoided with ease, but more on > that later. > > This policy can be broken in a matter of minutes: [snip] I concur that policies are not the only thing an admin must set up if he wants to secure his workstation. I have some recent experience myself doing this from when I went to help my college on a similar project in November. Firstly, if you are going to be setting up workstations to be this restrictive... a) the user should have a read-only profile (there's a term for this, I can't remember what NT calls it). This prevents them being able to put anything in the Start Menu. b) registry ACLs should be altered so as not to include anything beyond Query/Enumerate/Read for the World SID. This breaks some applications, and it takes some tuning once you have the registry locked down to get everything completely functional. Corel Wordperfect and Netscape were a real pain in this respect, and have rather insecure dependencies on some regkeys being Full Control for the World SID. c) in the %systemroot% directory, we removed execute permissions for World, and added them back to the bare minimum utilities (which didn not include cmd.exe =]). We also looked for miscellaneous executables in the application installs that were not part of the main application that would not get run during normal use. d) in the TEMP dir (whatever that is defined to be on your system), set the directory permissions to be Create for World, and Read/Write/Delete for Owner (and Full Control for System and Administrator, of course). This hypothetically prevents people from creating file with executable permissions. However, Owners of objects intrinsically have Change Permissions access. I think there is a way to disable this, but I don't remember how we did it. So, if the admin setting up the workstation (I would assume for public use by the needs inferred), policies alone will not do. And even with file and registry permissions, someone clever could still get around it; it's just a little more difficult. ----------------------------------------- Matt Hargett http://www.cityscape.net/~hargett mattat_private if you see me walkin in the garden, don't ever ask me for an autograph and if you ever catch me in the arcade, don't even stop me for a photograph
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:36:21 PDT