Re: [NTSEC] Inherent weaknesses in NT System Policies

From: Collin Chaffin (cmchaffat_private)
Date: Fri Feb 19 1999 - 18:48:55 PST


    David Litchfield wrote:
    
    >This policy can be broken in a matter of minutes:
    >On running MS Word a user clicks on File on the Menu Bar, and goes down
    >to Open. They are shown a list of directories and files. The user could
    >try to right-click on a folder and go down to Explore but the right-
    >click menu has been disabled; so instead they drag a folder to the Start
    >Button on the Taskbar and release. .....
    
    ---------
    This can be avoided by selecting a custom start menu location from the
    network where they do not have write access.  This also aids in overall
    remote desktop management.
    ---------
    
    >This will place a shortcut to that folder on the Start Menu. This
    >shortcut will be stored in their profile directory. On clicking on it,
    >Explorer is opened up, which they would not normally have direct (i.e. non-shell)
    >access to. The default WINNT directory has been hidden from view by the
    >system policy - however, by clicking on Tools on the Explorer Menu Bar
    
    ---------
    The "tools" and "view" can be restricted via policies as well.  End of that
    particular scenario.
    ---------
    
    >Even if .reg has been disassociated from Regedit.exe, by default a normal
    >user has the relevant permissions to re-associate it. This is done from
    >the Folder Options option found under View on the Explorer Menu Bar.
    
    ---------
    The "view" can be restricted via policies as well.
    ---------
    
    >To stop this from happening the Administrator should only give Admins
    >access to regedit.exe and regedt32.exe using NTFS file permissions and
    >deny access to everyone else.
    
    ---------
    I agree.
    ---------
    
    >As can be seen, even a restrictive but at least useable System Policy
    >can thus be broken. It is not simply enough to create a policy. A lot
    >more work needs to go into this if Admins wish to limit and restrict what
    >their users can and cannot do.
    
    ---------
    I disagree; a well-designed policy can very effectively restrict typical
    end-users.  It will be very difficult to successfully manage Windows 2000
    without intimate knowledge of system policies.
    ---------
    
    
    Collin Chaffin
    


