Mark Russinovich of sysinternals fame, an author I have a great deal of time for, has published a fascinating blog describing a proof-of-concept application called GPDisable which, when allowed to run, can circumvent parts of group policy - it even works from a limited user account!

In a managed environment, the IT manager is always looking for ways to ensure users cannot damage computers, breach company policy or run unlicensed software. To help prevent the use of unauthorised or dangerous software they often end up using Group Policy - Software Restriction Policies (SRPs).

SRPs are great for restricting applications, there are two main approaches to using SRPs -

  • Black-list mode is where you specify what software is NOT ALLOWED to run, everything else is ALLOWED 
  • White-list mode is where you specify what software is ALLOWED run and everything else is NOT ALLOWED. 

If your not a developer then it may not make a lot of sense, but it's important to understand that if a user can run a program like GPDisable, then the user can bypass many Group Policy settings.

"What other Group Policy settings are susceptible to this type of attack? System-wide security settings are enforced by core operating system components not accessible to limited users, but most of the settings in the Windows Components area of the Group Policy editor’s Administrative Templates node are ineffective in environments where end-users can run arbitrary applications such as Gpdisable:

Notably, Internet Explorer configuration, including Zones, fall into this area, as do Explorer, Media Player, and Messenger settings. The bottom lines is that full control of an end-user environment is possible only with strict lock-down of the programs users run, something that you can accomplish by using SRP in white-list mode, for example. It's also important to note that the ability of limited users to override these settings is not due to a bug in Windows, but rather enabled by design decisions made by the Microsoft Group Policy team."

http://www.sysinternals.com/blog/2005/12/circumventing-group-policy-as-limited.html

There is a tradeoff to be made between tight security and a flexible desktop environment. There doesn't seem to be a middle ground, either you want your desktops locked down - and you must be prepared to take whatever steps necessary - or you don't mind, you trust your users and accept that if they wanted to, they could bypass group policy settings.

I think most administrators would choose the latter for business desktops, if you are in charge of public terminals then it's probably the former - but let me know if you disagree.

I'm opening up the debate around white vs. black listing in my next blog, not just for IT security, but as a general principal.