Group policy setting to restrict user access to change registry

Discussion in 'Computer Security' started by Also None, Mar 30, 2006.

  1. Also None

    Also None Guest

    Hi all,

    I checked google on this subject and can't seem to find a simple
    article on what to set.

    I want to set policy to stop the registry from being changed while
    users are logged on. (Mainly to restrict installs while my teenagers
    are logged on) Any other suggestions are appreciated.

    The setting for "always install with elevated privileges" is
    confusing. Should it be disabled or enabled to prevent them from
    installing?

    Hope you can help me to regain my sanity.

    Regards,
    George
     
    Also None, Mar 30, 2006
    #1

  2. Changes to anything but HKCU cannot be made with restricted rights. If
    you want a HKCU that is discarded after usage, you should use the Guest
    account.
    There is nothing confusing about it. When enabled, MSI installer runs
    with elevated privileges (means: more privileges than the user has) to
    install things that need administrative access. You should leave it
    disabled.
     
    Sebastian Gottschalk, Mar 31, 2006
    #2
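
A read-only check of the setting discussed in the two posts above, added here as an example and not posted by anyone in the thread. It assumes the standard Windows Installer policy values AlwaysInstallElevated and DisableMSI (names not given in the thread); the function names are made up for this example.

```powershell
# Added example: read-only audit of the Windows Installer policy values.
$policyKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'

function Get-InstallerPolicyValue {
    param(
        [Parameter(Mandatory)][ValidateSet('HKLM', 'HKCU')][string]$Hive,
        [Parameter(Mandatory)][string]$Name
    )
    # Returns the DWORD as an int, or $null when the value is not set.
    $item = Get-ItemProperty -Path "${Hive}:\$policyKey" -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return [int]$item.$Name }
    return $null
}

function Get-InstallerPolicyReport {
    $machine = Get-InstallerPolicyValue -Hive HKLM -Name AlwaysInstallElevated
    $user    = Get-InstallerPolicyValue -Hive HKCU -Name AlwaysInstallElevated
    $disable = Get-InstallerPolicyValue -Hive HKLM -Name DisableMSI

    # DisableMSI: 0 = never disabled, 1 = disabled for non-managed
    # installs, 2 = always disabled.
    if ($null -eq $disable) { $msiState = 'not configured (OS default applies)' }
    elseif ($disable -eq 2) { $msiState = 'always disabled' }
    elseif ($disable -eq 1) { $msiState = 'disabled for non-managed installs' }
    else                    { $msiState = 'never disabled' }

    [pscustomobject]@{
        AlwaysInstallElevatedMachine = $machine
        AlwaysInstallElevatedUser    = $user
        # Elevated installs happen only when BOTH halves are set to 1.
        ElevatedInstallsActive       = ($machine -eq 1 -and $user -eq 1)
        WindowsInstaller             = $msiState
    }
}

Get-InstallerPolicyReport | Format-List
```

Run it while logged on as the restricted account, because the HKCU half is per user. DisableMSI only governs Windows Installer (.msi) packages, not setup programs that do not use the installer service.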

  3. Also None

    Also None Guest


    Thanks for your reply,
    If I understand the guest account, everything that is entered into
    HKCU will disappear including trojan entries.

    Is there any way to completely shut off the installer for the user or
    the guest? I tested this from a user account and some things actually
    installed even though there was a warning that it might not work
    correctly.

    I am interested in shutting out things like kaaza, etc.

    Thanks again,
    George
     
    Also None, Mar 31, 2006
    #3
  4. Also None

    nemo_outis Guest


    If someone has direct access to the computer (i.e., is an unobserved user)
    it is child's play to elevate privileges and subvert/bypass any
    restrictions whatsoever on the local machine, including restrictive group
    policy settings.

    As one throwaway example a process run as a child of "task scheduler" runs
    with system privileges.

    Regards,

    PS Just run task scheduler for some time in the future (1 minute?) with
    the process you wish to execute at higher privilege.

    There are, of course, more elaborate ways, but this demonstrates how
    trivial the problem is on most Windows boxes.
     
    nemo_outis, Mar 31, 2006
    #4
  5. It will disappear after logoff from such an account.
    Since Windows XP you can use Software Restriction Policies to create a
    whitelist for executables.
    Did you mean KaZaA? "kaaza" is the Japanese word for "mother".

    Well, for network related stuff you might use a proxy for the relevant
    protocols.
     
    Sebastian Gottschalk, Mar 31, 2006
    #5
  6. Also None

    Also None Guest

    Thank you,
    Sebastian for President or PM, whichever is appropriate.

    Thanks again

    George
     
    Also None, Mar 31, 2006
    #6
  7. Sure? Try it at my PC. Either Windows Server 2003 or FreeBSD, whatever
    you think being easier.
    This has been fixed on SP4 for Windows 2000, SP2 for Windows XP and SP1
    for Windows Server 2003. Actually this was only true for "AT" tasks,
    which need admin rights to add anyway. Normal "Task Scheduler" tasks
    were not susceptible to that problem, as they were always started with
    CreateProcessAsUser() with the supplied credentials.
    | # sudo net start schedule
    | Password:
    | The Task Scheduler service is starting.
    | The Task Scheduler service was started successfully.
    |
    | # time /t
    | 03:34
    |
    | # schtasks /create /SC ONCE /TR "%systemroot%\system32\cmd.exe /k /t 4f" /ST 03:35 /IT /TN foo
    | The task will be created under current logged-on user name
    | ("LAPTOP\work").
    | Please enter the run as password for LAPTOP\work:
    | New task "foo" created.
    |
    | # schtasks /create /ru "SYSTEM" /SC ONCE /TR
    | "%systemroot%\system32\cmd.exe /c copy \x \y" /ST 03:35 /TN bar
    | Error: Access is denied
    | # at 03:35 "cmd /k"
    | Access is denied

    Short time later, in a white-red box (4f):

    | # whoami
    | LAPTOP\work
    So far the biggest problems are third-party services running with the
    SE_CHANGE_CONFIG flag, executing programs through WinExec() without
    quotation marks or running with SE_INTERACTIVE and receiving WM_TIMER at
    DefaultWndProc().
    I've also seen some stupid drivers and especially a lot of so-called
    security software leaving registry keys or even files world-writeable.

    However, this is easily detected and fixed.
    That's why I'm pretty sure that even my Windows installation has no
    privilege escalation path through either misconfiguration or generic
    program errors (w.r.t. the NT security model).
     
    Sebastian Gottschalk, Mar 31, 2006
    #7
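
One way to run the detection described in the post above for registry keys left writable by ordinary users, added here as an example and not code from the thread. The choice of the Services key as the place to look, the list of broad principals and the function name are assumptions of this example.

```powershell
# Added example: list service registry keys that broad user groups can modify.
# Well-known SIDs that include restricted users.
$broadSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)

# Rights that allow changing a key, plus GENERIC_ALL / GENERIC_WRITE
# (0x50000000), which appear unmapped in some inherit-only entries.
$specific  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$writeBits = [int]$specific -bor 0x50000000

function Find-WritableServiceKey {
    param([string]$Root = 'HKLM:\SYSTEM\CurrentControlSet\Services')

    foreach ($key in Get-ChildItem -Path $Root -ErrorAction SilentlyContinue) {
        # Skip keys whose ACL the current account is not allowed to read.
        try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop } catch { continue }

        # Ask for SIDs rather than names so the match is locale independent.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if ($broadSids -notcontains $rule.IdentityReference.Value) { continue }
            if (([int]$rule.RegistryRights -band $writeBits) -eq 0) { continue }

            [pscustomobject]@{
                Service   = $key.PSChildName
                Sid       = $rule.IdentityReference.Value
                Rights    = $rule.RegistryRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

Find-WritableServiceKey | Format-Table -AutoSize
```

An empty result means none of the listed groups holds a write right on a top-level service key; subkeys are not descended into.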
  8. Also None

    nemo_outis Guest


    You say your Windows box is hard. Maybe it is. But pride goeth before a
    fall. And pride in a "fully hard" Windows box is folly: "secure Windows"
    is an epitomic oxymoron!

    However, putting your box and your ego aside for the moment and speaking
    more generally, an overwhelming number of user boxes out there are XP or
    under - and it's child's play to root them if one has access.

    Regards,

    PS Every trick has a lifespan. The throwaway one I described is coming
    to the end of its cycle (although it still works on many boxes). But as
    older ones fade, new ones arise.

    As an example of a "mid-life" hack I've had excellent results using dma to
    bypass the cpu and inject direct to memory. Yes, usb can be closed off,
    but very few boxes do so.

    And I have a few "early-life" tricks that I expect to be useful
    sufficiently long that I'm not eager to disclose them yet.

    PPS FreeBSD, I'll concede, is much more difficult, and OpenBSD even more
    so (and they're not my metier). But Windows? Bah!
     
    nemo_outis, Mar 31, 2006
    #8
  9. Piece of cake. Boot to an alternate media, null passwords, enjoy. BSD,
    *nix, Win2X/XP..... all irrelevant if you have physical access and a few
    minutes alone.
     
    George Orwell, Mar 31, 2006
    #9
  10. Also None

    lgr_joly Guest

    George Orwell:
    Hi George,

    Can't you in the example of this thread boot and then install the
    software without resetting the password? That would be more stealth.

    Kind regards
    Ludovic Joly
     
    lgr_joly, Mar 31, 2006
    #10
  11. Also None

    lgr_joly Guest

    nemo_outis:
    Please if one day you are in the mood feel free to email me some of
    them, you are sure to get a thank you message in return.
     
    lgr_joly, Mar 31, 2006
    #11
  12. Then I wonder why Windows 2000 achieved both NSA C2 and CC EAL4+.
    Windows NT's architecture is very secure, if you can use it correctly.
    This is because most users are running with admin rights or, if running
    as restricted users, don't know how to effectively handle and audit
    security settings.
    The only hardware that allows DMA without driver invocation is FireWire,
    and that's where I disabled Busmaster/DMA even before the connector got
    broken.
    So?
     
    Sebastian Gottschalk, Mar 31, 2006
    #12
  13. You'll need the BIOS password or scram out the harddisk.
    That would change the checksums of SAM (and my bootloader sitting on a
    SD card would easily notice).
    Which I'll take care to not give you.
     
    Sebastian Gottschalk, Mar 31, 2006
    #13
  14. Also None

    nemo_outis Guest


    An OS alone does not achieve C2 certification, a complete platform
    including specific requirements on hardware does. Moreover, Windows
    2000 could only be configured as C2 **if it was not attached to a
    network!** Doesn't sound like Also None's situation to me (or that of
    very many others).

    You say Windows NT's architecture is very secure, if you can use it
    correctly. If your aunt had balls, she'd be your uncle - "if" is a very
    big word. Windows can only be fully secured if its utility is crippled
    to near non-functionality or if it is used for only the narrowest of
    applications (e.g., a server). And even then it takes extraordinary in-
    depth knowledge and inordinate effort. So while there may be a way to
    secure Windows fully, and while you may be the fellow who has found it,
    there are literally thousands of ways of configuring Windows so it isn't
    secure.

    As an "existence proof" of how difficult and uncommon it is to achieve a
    secure but still productive Windows system (especially a general use
    system as opposed to a one-trick-pony server with limited apps) consider
    the thousands (millions?) of boxes and systems which have been hacked.
    Oh yes, you can wail and bemoan that they didn't take advantage of
    Windows' marvellous security features, but I have a counter-proposition
    for you: an OS that no one ever manages to configure securely (except
    you, of course) is an insecure OS!

    Even as we speak there is yet another *unpatched* vulnerability floating
    around in Windows (its IE adjunct) which allows arbitrary code to run
    (i.e., the box is fully cracked). Yes, there are workarounds and third-
    party patches, but this is hardly an isolated incident. For Windows this
    is the norm, not the exception.

    My original post was a warning to Also None that securing a Windows box
    where others have extended periods of uninterrupted use, control and
    custody of it is a losing proposition. I stand by that assertion. In
    fact I reiterate it with even greater force.

    I have no wish to get in a pissing contest with you, or a spy versus spy
    recounting of attacks and countermeasures. Perhaps you have indeed
    managed to square the circle and achieve a secure Windows box, but that
    doesn't detract one whit from the accuracy of my warning to Also None.

    Regards,
     
    nemo_outis, Mar 31, 2006
    #14
  15. Jumpers.... shorted/removed batteries.... trivial to get around.
    Then you've changed the scenario the poster was asking about, and
    demolished your own argument in the process.
     
    George Orwell, Mar 31, 2006
    #15
  16. Right. However, for C2 certification you need security mechanisms that
    fulfill the demands of C2. Got the point?
    Wrong. It was only certified for such a configuration. I guess it could
    have achieved the same with a network, but that would be way more
    complicated. Networks are generally complicated.
    Wrong, and C2 is already a pretty high level of security that is usually
    not needed for pretty high demands. F.e. it's usually not a problem to
    allow users to shutdown the workstation.
    Not true either, pretty much can be accomplished by automation.
    May I state that you can already achieve a lot by using restricted user
    rights?
    Counter-counter-proposition: Most people just don't know about these
    security mechanisms.
    Who cares? One should use IE only as a Windows Update client and not
    misuse it as a web browser. Doing so is provably unsafe.
    It's for IE and all its ancestors, which I consider as addons, not as
    parts of Windows.
     
    Sebastian Gottschalk, Mar 31, 2006
    #16
  17. Well, try that with me sitting at your side and not noticing it.

    BTW, this is also true for companies - install a lock at the case, have
    other workers being able to note if someone is trying to break it, camera
    surveillance...

    But there isn't much more security from software than a running system
    protecting itself.
    That's why it is on a SD-card instead of the harddisk.
    The scenario was only about software configuration measures, not
    physical security. Physical access is much broader than just normal
    account login, either physically sitting on the workstation or remote.
     
    Sebastian Gottschalk, Mar 31, 2006
    #17
  18. And NetBSD even more hard than FreeBSD or OpenBSD as a default install, if
    I'm not mistaken. I believe NetBSD 3.0 is the ONLY consumer operating
    system at this time with no known security issues. Ever.

    Of course a huge number of vulnerabilities are attributable to third party
    packages, which at least in this respect makes almost all *nix variations
    and clones pretty much equal. Which is still light years beyond anything
    even a moderately well maintained Windows installation can offer in the
    way of "hardness". :(
     
    George Orwell, Mar 31, 2006
    #18
  19. Also None

    nemo_outis Guest


    Your weaseling and backpedalling is duly noted. C2 is a certification -
    that certification only applied to a standalone platform, not a networked
    one. Any application to a networked box is only "C2-ish" - a gross
    extension and even grosser misinterpretation of the certification Win2000
    actually got. Maybe you want to soften your claim to just saying that
    Windows can be made "secure-ish"?


    It was you who brought up C2 - now you're eager to back away from it.
    Make up your mind.


    See below!


    Amazing! Here you directly contradict yourself and corroborate the point
    I made above: without in-depth knowledge, extraordinary effort, and
    gutting of the scope of the OS and its uses, Windows can not be made
    secure by and for the ordinary mortals who use it.

    A general-purpose OS for mainstream public consumption which, after a
    decade and more of use, is still widely and regularly misconfigured to
    leave gaping security holes and which has had a steady stream of security
    breaches and patches, is not secure. That one or two gurus may -
    allegedly! - have succeeded where everyone else fails (largely by gutting
    the OS and restricting it as you now blatantly admit) does not weaken
    this point.


    You have invented your own highly-restrictive definition of what the
    Windows OS comprises - a definition no one else shares. IE is a bundled,
    integrated part of the Windows OS - so bundled that Microsoft has
    been involved in worldwide litigation to unbundle it!


    It doesn't matter a fig what you consider - you are attempting to define
    the real world problem away. This gutting of the question under
    discussion is apparently equivalent to how you gut the scope and
    application of the OS in actual use to falsely declare it secure. It's at
    best an unrealistically narrow strategy, at worst a dishonest one.

    No, despite your protestations, the question is far more general than
    considering only a gutted OS performing highly limited and constrained
    functions under the constant care and vigilance of an expert who has
    studied the OS in depth and who devotes inordinate effort, care and
    attention to maintaining it.

    Once again, with feeling:

    My original post was a warning to Also None that securing a Windows box
    where others have extended periods of uninterrupted use, control and
    custody of it is a losing proposition. I stand by that assertion. In
    fact, I reiterate it with even greater force.

    Regards,


    PS Let me direct you once again to the original context, to the
    questions that Also None originally posed. Now try to tell me with a
    straight face that, from the tone and tenor of his postings, you think he
    has the knowledge and ability to fully secure a Windows box, even with
    kibitzing and coaching here.
     
    nemo_outis, Mar 31, 2006
    #19
  20. The correct term is "C2 security mechanism".
    C2 is a claim that the mechanisms are already much beyond what you'll
    need, f.e. extensive logging.
    No. If you know about it, you can handle it pretty well. F.e.
    permission inheritance helps a lot.
    The OS itself is secure, the default configuration is not. And yes, you
    should blame Microsoft for that. But with Vista they're also showing
    that they really understand the issue.
    And still the problem is using IE on the intarweb. This is even
    documented to be wrong.
    No. Windows is the kernel, the API, the GUI and the core services.
    It's an extensive and hard-to-accomplish, but not impossible task.
     
    Sebastian Gottschalk, Mar 31, 2006
    #20
