How Hackers Evade Windows Group Policy

By Corey Nachreiner, Network Security Analyst, WatchGuard Technologies

During the 29 years of its Federal operation, Alcatraz epitomized the notion of "maximum-security prison." Cramped into tiny 5x9 cells composed of thick cement and iron bars, in an island fortress surrounded by San Francisco Bay riptides, prisoners had little hope of escaping the Rock. Yet Frank Morris and the Anglin brothers did just that. After tunneling through their cement cells using spoons, mysteriously unscrewing tight bolts without any apparent tools, and artfully masking their escape using fake heads, these three infamous inmates disappeared into the bay on a humble raft made from prison-issued rubber raincoats.

While geeking out to this Alcatraz escape story on Mythbusters, I realized how perfectly this caper illustrates the ingenuity of our species. Hackers demonstrate similar ingenuity when they break past our network defenses, which is why we employ defense in depth -- numerous preventive countermeasures. For example, most admins view Windows Group Policy as the tool that can prevent users from going where you don't want them to go. But as Deral Heiland revealed in "The Insecure Workstation" at Defcon 12, clever tricks can cleave through Group Policy restrictions like a +10 vorpal sword slicing through butter. This article shows how users can break out of Group Policy restrictions, and concludes with some tips on how to strengthen Group Policy.

The power of Windows Group Policy

Windows Group Policy (GP) technologies for Windows 2000 and Windows Server 2003 allow administrators to remotely manage the desktop environment of all their Active Directory users. With GP's management facilities you can configure your users' workstation security settings, restrict them from accessing files, programs, or configuration tools, and even adjust their Internet Explorer options.
Many administrators also use GP to deploy the latest patches throughout their networks. In short, GP simplifies the job of controlling what each of your users can and can't do when logged into your organization's Windows PCs.

"Powerful" doesn't mean "perfect"

Group Policy (GP) offers administrators some powerful and useful features, but don't mistake "powerful" for "perfect." Heiland's presentation disclosed many techniques that bypass GP's protections.

Imagine that you hired some temps to perform rote data entry. You assign them Windows machines with a data entry client and limited access to your database server. They need WordPad and the Calculator, but you want to restrict everything else: no Internet browsing, games, or file access allowed. Group Policy helps you create this type of kiosk workstation, a computer configured to perform a few specific tasks and nothing else. Microsoft offers a downloadable example of a kiosk Group Policy Object (GPO), and many other common GP scenarios.

So you set up your restricted workstations and meet your temps. Among them rolls in Tad, a young twenty-something wearing a Che Guevara t-shirt and a constant sneer. Tad doesn't seem to like authority, making you glad that you set up your restricted Group Policy. Unbeknownst to you, Tad also reads 2600.

Viva la Revolucion

After finishing his first pile of work far before his peers, Tad feels bored and restless. He starts exploring his PC and quickly learns that that jerk administrator (read: you) has locked him out of everything. Most of the programs usually found under the Start bar seem missing. He can't find the Run option, either. On a hunch, he presses CTRL-ALT-DEL and clicks Task Manager. Using the New Task button, he tries running iexplore.exe to load IE. Instead, he gets some sort of "this operation cancelled due to restrictions..." message. No luck there. The same thing happens when he tries cmd.exe (the Windows CLI).
About to give up, Tad remembers that Microsoft bases its entire Help system on HTML. The Help system requires IE to work. Knowing this, he quickly opens one of the few programs available to him, the Calculator, and clicks Help => Help Topics. To the untrained eye, Help windows don't resemble Web browsers, but Tad knows better. Right-clicking on the window's title bar, he chooses Jump to URL... Next, he types http://www.google.com into the dialog box and hits Enter. Score! Just like that, he's on the Web [download video example of this sequence].

Tad now ditches his desire to surf the Net. He'd rather step up to the challenge of beating that draconian administrator. Tad knows Microsoft has hooked IE's claws deep into the Windows OS, giving the browser more power than many think it should have. For example, IE supports many obscure URL handlers. In Windows, URL handlers are sections of the registry that tell the OS and browser exactly how to process URLs with different protocols. For instance, when Windows sees the http: part of http://www.google.com, it consults the registry for the http: URL handler to see what it should do. Since the Windows http: URL handler usually points to iexplore.exe in the registry, Windows opens www.google.com using IE. To see an example of this in action, click Start => Run in Windows and enter your favorite Web site (be sure to include http://). Because of the http: URL handler, Windows knows to automatically open IE and display your site.

However, the http: handler is just a drop in the bucket. Windows ships with many powerful, yet often insecure, URL handlers, and even allows you to create your own. (To learn which URL handlers your system recognizes, you can search its registry for all instances of "URL Protocol".) One of Tad's favorite URL handlers is shell:. I've never read a good description of shell:'s intended purpose, but I do know hackers and researchers have discovered many techniques to misuse this particular handler.
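The article suggests finding out which URL handlers a workstation recognizes by searching the registry for "URL Protocol". The PowerShell script below is an added example written for this page, not code from the article or from WatchGuard; it does that search in the merged HKEY_CLASSES_ROOT view and reports which program each registered handler launches, so an administrator can compare the list against what the kiosk policy is supposed to allow. It is read-only and assumes a standard Windows PowerShell session. Note that a handler the shell implements internally rather than through a registered key (shell: may be one) will not show up in this list, which is itself worth knowing when you audit a locked-down build.

```powershell
# Added example (not from the article): enumerate the URL protocol handlers a
# Windows machine recognizes by looking for the "URL Protocol" marker value the
# article mentions, and show the command each handler launches. Read-only.

function Get-UrlProtocolHandler {
    [CmdletBinding()]
    param(
        # HKCR merges the machine-wide and per-user class registrations.
        [string]$Hive = 'Registry::HKEY_CLASSES_ROOT'
    )

    Get-ChildItem -Path $Hive -ErrorAction SilentlyContinue |
        Where-Object {
            # A key is a protocol handler when it carries a value named exactly
            # "URL Protocol". Its data is normally empty; presence is what matters.
            $null -ne $_.GetValue('URL Protocol')
        } |
        ForEach-Object {
            # The program that handles the scheme lives under shell\open\command.
            $cmdKey  = $_.OpenSubKey('shell\open\command')
            $command = if ($cmdKey) { $cmdKey.GetValue('') } else { $null }
            [pscustomobject]@{
                Protocol = $_.PSChildName + ':'
                Command  = if ($command) { $command } else { '<no shell\open\command key>' }
            }
        }
}

# Usage: list every registered handler, then review any whose command is not an
# application the kiosk policy already permits (for example iexplore.exe behind http:).
Get-UrlProtocolHandler | Sort-Object Protocol | Format-Table -AutoSize
```

Enumerating HKCR takes a few seconds because it contains every file-type and CLSID registration; the filter on the "URL Protocol" value is what narrows it to protocol handlers. Running the same script on a freshly imaged kiosk and on a reference machine and diffing the two outputs is a quick way to spot handlers that a user or an application has added after deployment.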
Using the Help system trick, Tad does a Jump to URL... and enters "shell:system". Suddenly the Calculator's Help screen lists all the files in the Windows system directory. Wait, didn't you lock Tad out of the file system? Wow, Help is quite helpful indeed. Using directory traversal techniques, Tad could exploit this hole even further and gain access to any directory on the system. However, something in the system folder catches his eye. He sees an application called command.com. Tad already knows from previous Task Manager exploration that the administrator has restricted access to cmd.exe. But what about command.com? What the heck, costs nothing to try. He double-clicks the icon and, voila! -- instant command prompt [download video example of this sequence].

To ensure backward compatibility, Windows retains many outdated applications that have been replaced with newer versions. Command.com is the older version of the new Windows CLI application, cmd.exe. Another common example: while both regedit.exe and regedt32.exe are well-known registry editing applications, most admins forget about the command-line based editor, reg.exe. Forgetting to restrict your users from these older applications leaves a back door for hackers to enter.

Game Over? Not if you follow four rules

Tad's scenario shows just a glimpse of the Group Policy bypassing techniques Heiland's presentation revealed. Continuing along these lines of attack, Tad eventually would have gained complete control of his work PC and gained a key stepping-stone into the local network. However, you can defeat your "Tads" by following four simple rules:
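The point about legacy executables is easy to check mechanically: if a policy blocks cmd.exe but not command.com, or regedit.exe but not regedt32.exe and reg.exe, the restriction is incomplete. The script below is an added example for this page, not code from the article or from WatchGuard. It reads the list that the "Don't run specified Windows applications" setting writes under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun and reports any member of an equivalence group that is still allowed while another member is blocked. The equivalence groups are the pairings the article names; the registry path is the standard location for that policy, and the helper function names are this example's own.

```powershell
# Added example (not from the article): audit a DisallowRun list for the legacy or
# alternate executables the article warns about. Read-only.

# Constructed groups of programs that provide the same capability; blocking one
# member without the others leaves the back door the article describes.
$EquivalentGroups = @(
    @('cmd.exe', 'command.com'),
    @('regedit.exe', 'regedt32.exe', 'reg.exe')
)

function Get-DisallowRunList {
    # The GP setting "Don't run specified Windows applications" stores one string
    # value per blocked program under this per-user key (names "1", "2", ...).
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
    if (-not (Test-Path -Path $key)) { return @() }
    $item = Get-Item -Path $key
    $item.GetValueNames() | ForEach-Object { $item.GetValue($_) }
}

function Find-UnblockedEquivalent {
    param(
        [string[]]$Blocked,            # executables the policy blocks
        $Groups = $EquivalentGroups    # equivalence groups to check against
    )
    # Normalise for comparison: DisallowRun matching is case-insensitive.
    $blockedSet = @($Blocked | ForEach-Object { $_.Trim().ToLowerInvariant() })

    foreach ($group in $Groups) {
        $blockedHere = @($group | Where-Object { $blockedSet -contains $_ })
        if ($blockedHere.Count -eq 0) { continue }   # policy never touched this family
        foreach ($member in $group) {
            if ($blockedSet -notcontains $member) {
                [pscustomobject]@{
                    Blocked      = ($blockedHere -join ', ')
                    StillAllowed = $member
                }
            }
        }
    }
}

# Usage on a live workstation (the logged-on user's effective policy):
Find-UnblockedEquivalent -Blocked (Get-DisallowRunList) | Format-Table -AutoSize

# Offline check against a constructed list; with cmd.exe, regedit.exe and
# regedt32.exe blocked it reports command.com and reg.exe as still allowed.
Find-UnblockedEquivalent -Blocked @('cmd.exe', 'regedit.exe', 'regedt32.exe') | Format-Table -AutoSize
```

Because the groups are plain data, the same function can be pointed at an exported GPO report instead of the live registry, and extending it for other old-and-new pairs in your environment is a one-line change to $EquivalentGroups.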
After spending so much time and energy trying to defend your network, you might feel demoralized when you learn of a new technique that beats your favorite defense. When this happens, remember that clever and persistent (mis)users sometimes weasel their way out of even the most well-designed security measures. Sometimes it takes a crafty inmate escaping our Alcatraz to teach us the next level of defense. As long as you're not getting fooled by the same trick twice, take some pride in all the attacks you successfully defeated, and keep going.