Re: Software Restriction Policy flaw
Jeremy Harrington wrote:
I have deployed a Group Policy for a certain subset of users that
only allows them to use Internet Explorer. To do so, I set Software
Restriction with a default setting of "Deny," with the only
exception being IE. With basic testing, it seems to work perfectly.

However, if you perform the following steps from within IE, you can
run any application, in complete disregard for the GP.

1) Open IE
2) Go to File->Open
3) Click the "Browse" button
4) Change the "Files of Type" drop down to "All Files"
5) Browse to any app that shouldn't run.
6) Hold down CTRL-SHIFT while right clicking the app to bring up
the "Run As" option and click "Run As"
7) Leave the default options (current user with checked box)
selected and click "Ok"

I tried this with multiple applications, and it worked every time.
The fact that 99% of users will never try this is irrelevant. This
makes software restriction security by obscurity, rather than a
tool to be counted on.

Not new. Google on it?

June 2006 article:
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2006-06/msg00243.html

(Including a supposed response from Microsoft concerning the 'issue'...)

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html

