| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat Apr 29 01:53:47 2006 From: james.mailing at gmail.com (James Eaton-Lee) Subject: bypassing Windows Domain Group Policy Objects On Thu, 2006-04-27 at 10:37 -0400, Michael Holstein wrote: > Other possible solution, cripple gpupdate.exe (XP) or secedit.exe (2K) > through permissions (eg: remove 'localsystem:execute'). Deleting them > will just trigger WFP to replace. gpupdate and secedit are both just applications that interface with the Group Policy engine to make changes to the way in which they operate; the GPE is part of Winlogon, and uses a number of client side extensions to make changes in the file system, registry, etc. I very much doubt if denying access to them would prevent group policy from working. You could attempt to do something with some of the Client Side Extensions, such as scecli.dll, which is the dll which handles security settings, but I can't find anyone having done anything similar online; my guess is that the Group Policy Architecture was designed specifically to prevent this sort of thing from being easily do-able. It might be worthwhile seeing if anyone who spends a lot of time thinking about lots of this sort of thing within the context of Windows (such as some of the guys from rootkit.com) has any ideas if you're particularly interested. To be honest, if you really wanted to kill group policy, the easiest thing to do would probably be to just firewall the host in question in order to prevent any GPOs from being downloaded from the Domain Controller in the first place. I may be wrong however - anyone who knows otherwise, please feel free to enlighten me! "How Core Group Policy Works" http://technet2.microsoft.com/WindowsServer/en/Library/eb0042e3-699b-4c49-abcc-e3526dbecc0e1033.mspx has quite a good overview of how Group Policy functions. - James. -- James (njan) Eaton-Lee | 10807960 | http://www.jeremiad.org Semper Monemus Sed Non Audiunt, Ergo Lartus - (Jean-Croix) sites: https://www.bsrf.org.uk ~ http://www.security-forums.com ca: https://www.cacert.org/index.php?id=3 -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 1859 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060429/ee1ba63f/smime.bin
Powered by blists - more mailing lists