Circumventing Group Policy as a Limited User

Active Directory Group Policy settings are widely used to secure Windows systems because they can be customized to target and deploy to specific computers and users in an Active Directory-based network. In a previous blog post I warned that one of the risks of having end-users with local administrative privilege is that they can override group policy settings at will and I promoted limited-user accounts as the secure alternative. However, Windows administrators should be aware that if a user, even one running with a limited account, can execute just one program of their choice that they also can circumvent many group policy settings, including ones aimed specifically at tightening security such as Software Restriction Policies and Internet Explorer Zones.

The vulnerability within many group policy settings is that the applications at which they are directed enforce the settings. For example, Explorer limits execution of certain applications if Group Policy dictates and Internet Explorer implements Zone security. The Windows architecture sets security permissions on a process that allows the owner of the process full control over the process, which you can verify in the Permissions dialog that you access from the properties dialog of a process in Process Explorer: Mark's Sysinternals Blog: Circumventing Group Policy as a Limited User

Linked by shanmuga Monday, 12th December 2005 11:55PM