Tightening Software Restriction Policies

A new tool, GPCul8r, can be used to bypass Group Policy and SRPs, so you should keep an eye out for it on your systems.

ITPro Today

December 4, 2007


Group Policy is an excellent tool for controlling various aspects of client computers. However, it's not foolproof. Users can circumvent various aspects of Group Policy, such as Software Restriction Policies (SRPs). Doing so is possible as a regular user without administrator-level access, which of course means that you need to be on the lookout for such activity.

Back in early 2004, Kamal Shankar wrote an article (at the first URL below) about ways to redirect specific program function calls to a different function over which the developer has more control. The technique can be used as a way to bypass aspects of Group Policy, including SRPs. Interestingly enough, Shankar's method uses Microsoft's Detours API (at the second URL below), which is meant to let developers extend application functionality.

http://www.codeproject.com/KB/system/KamalDetours01.aspx?df=100&forumid=36696&exp=0&select=1871367

http://research.microsoft.com/sn/detours/

Then in late 2005, Mark Russinovich wrote an entry in his Sysinternals blog (at the URL below) that explains why and how it's possible to bypass aspects of Group Policy. As part of his research on the topic, Russinovich wrote a small tool called Gpdisable that demonstrated the technique. But the tool disappeared sometime after Microsoft bought Russinovich's company.

http://blogs.technet.com/markrussinovich/archive/2005/12/12/circumventing-group-policy-as-a-limited-user.aspx

In April 2006, Russinovich wrote a bit more about the subject in an article on our Web site at the URL below. Russinovich wrote that "most of the settings in the Windows Components area of the Group Policy Editor's (GPE's) Administrative Templates node can be circumvented in environments in which end users can run arbitrary applications such as Gpdisable. Notably, IE configuration, including security zones, falls into this area, as do Windows Explorer, Windows Media Player (WMP), and Windows Messenger settings." He also pointed out that this isn't a bug in Windows; Windows was intentionally designed this way.

http://www.windowsitpro.com/Article/ArticleID/49166/49166.html

Well, Gpdisable isn't available anymore, but last week another tool debuted that can be used to bypass Group Policy and SRPs. Eric Rachner released GPCul8r (at the URL below), which is a ready-to-use compiled executable that comes with two associated DLLs. The tool will undoubtedly be put into action on various corporate networks, so you should keep an eye out for it on your systems.

http://www.rachner.us/blog/?p=15

If you haven't done so already, check into tightening any SRPs you have in place. Microsoft has an article on TechNet called "Using Software Restriction Policies to Protect Against Unauthorized Software" (at the first URL below) that applies to Windows XP, Windows Vista, and Windows Server 2003. The article is a good place to start when looking for ways to minimize the programs that can run on your desktops. Another helpful reference is the Security Pro VIP article "Stay Safer with Software Restriction Policies" (at the second URL below).

http://technet.microsoft.com/en-us/windowsvista/aa940985.aspx

http://www.securityprovip.com/Article/ArticleID/94876/94876.html
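The bypass described above only works if a regular user can launch an executable and get its companion DLLs loaded, so the SRP settings that matter most are the default security level, whether DLLs are enforced, whether local administrators are exempt, and whether any Unrestricted path rule covers a user-writable folder. The following PowerShell script is an added example written for this page, not code from the article, from Microsoft, or from the tools mentioned; it reads the registry keys under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer that Group Policy writes for SRP and reports settings that leave room for such a tool to run. The list of "user-writable" path hints is a heuristic of mine, not part of SRP.

```powershell
# Added example (not from the ITPro Today article): audit the local SRP
# configuration for the settings that decide whether a user-launched
# hooking tool and its DLLs can run at all. Run it on the client you
# want to audit; the policy keys are readable without elevation.

$saferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SAFER level ids as stored by the policy editor (values from winsafer.h).
$levelNames = @{
    0       = 'Disallowed'
    0x1000  = 'Untrusted'
    0x10000 = 'Constrained'
    0x20000 = 'Basic User'
    0x40000 = 'Unrestricted'
}

if (-not (Test-Path $saferKey)) {
    Write-Output 'No Software Restriction Policy is configured on this machine.'
    return
}

$cfg = Get-ItemProperty -Path $saferKey
$findings = @()

# 1. Default security level. Unrestricted (0x40000) lets anything run unless
#    a rule forbids it; a real whitelist needs DefaultLevel = 0 (Disallowed).
if ($null -eq $cfg.DefaultLevel) {
    $findings += 'DefaultLevel is not set; cannot confirm a Disallowed default.'
} elseif ([int]$cfg.DefaultLevel -ne 0) {
    $name = $levelNames[[int]$cfg.DefaultLevel]
    $findings += "DefaultLevel is $name; a user can run any binary not covered by a Disallowed rule."
}

# 2. Enforcement. TransparentEnabled 1 = check executables but skip DLLs,
#    2 = check DLLs too. A hooking DLL dropped in a user-writable folder is
#    only stopped when DLLs are checked.
if ([int]$cfg.TransparentEnabled -ne 2) {
    $findings += 'TransparentEnabled is not 2; DLLs are exempt from SRP checks.'
}

# 3. Scope. PolicyScope 0 = all users, 1 = everyone except local administrators.
if ([int]$cfg.PolicyScope -ne 0) {
    $findings += 'PolicyScope exempts local administrators from SRP.'
}

# 4. Unrestricted path rules live under the subkey named for the level id
#    (0x40000 = 262144). Each rule key holds the path in ItemData. Any rule
#    that points at a location a standard user can write to undoes a
#    Disallowed default. The hint list below is a heuristic (an assumption),
#    not an SRP concept.
$userWritableHints = @('%USERPROFILE%', '%TEMP%', '%TMP%', '%APPDATA%',
                       '%LOCALAPPDATA%', '\Users\', 'Documents and Settings')
$unrestrictedPaths = Join-Path $saferKey '262144\Paths'
if (Test-Path $unrestrictedPaths) {
    foreach ($ruleKey in Get-ChildItem -Path $unrestrictedPaths) {
        # Read the raw value so %VAR% references are not expanded before matching.
        $p = [string]$ruleKey.GetValue('ItemData', '', 'DoNotExpandEnvironmentNames')
        foreach ($hint in $userWritableHints) {
            if ($p -like "*$hint*") {
                $findings += "Unrestricted path rule '$p' covers a user-writable location."
                break
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'SRP looks tight: Disallowed default, DLLs enforced, admins included, no user-writable Unrestricted paths.'
} else {
    foreach ($f in $findings) { Write-Output "FINDING: $f" }
}
```

Run the script on a representative workstation after the policy has refreshed; every FINDING line maps to a setting in the SRP section of the Group Policy Editor (Security Levels, Enforcement, or the Additional Rules list). A hash rule for a known tool's binaries is also available in SRP, but a Disallowed default with DLL enforcement is what stops binaries you have not seen yet.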
