RE: [Full-disclosure] bypassing Windows Domain Group Policy Objects

2006-05-25 Thread alan.cl.wong
Hi all,

We needed to do this a few years back and it works. Hope it's
useful. I'm pasting a document that was written a while back so I didn't
try with SP2. Don't know if it still works or not. Registry disable
as announced might not even be needed but I added it in case.

Cheers,
-Alan

* The views expressed by me are not the views of my employer *

Permanent Hack:

Basic steps for WinXP SP1 and Win2K are:

1) Disable WFP (Windows File Protection)
2) Rename gpupdate.exe (WinXP) / secedit.exe (Win2K)
3) Registry disable GPO

Step 1) DISABLING WFP

a) Locate the sfc_os.dll file in your System32 folder
b) Copy it and rename it to sfc_os.bak
c) Edit the sfc_os.bak with any text editor (I used Ultraedit)
d) Locate offset E3BB (E3BB hex) in the file (WinXP)
   Locate offset E2B8 (E2B8 hex) in the file (Win2K)
e) At the offset, change the hex values from 8B C6 to 90 90
f) Close and save the file

The file sfc_os.dll exists in 2 directories: system32 and
system32\dllcache (not always)

g) Copy modified sfc_os.bak to sfc_os.dll
Download a tool and install onto the system "wfpadmin".
Search google...

Run "wfadmin" and select c:\windows\system32 then
press the button "Deprotect". You can close wfadmin but do
not reboot. Afterwards copy your modified sfc_os.bak to
system32 and system32\dllcache as sfc_os.dll (replace existing)

h) Open regedit. Locate the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

i) Check if the SFCDisable key exists in the right pane.
Otherwise create it (Dword) and name it: SFCDisable

j) Double click the SFCDisable key and change the value data
to: FF9D

Step 2) Rename gpupdate.exe (WinXP) or secedit.exe (Win2K)

a) Locate the gpupdate.exe / secedit.exe file (under
system32) and rename it to something else.

Step 3) Registry disable GPO

a) Enter the registry (start->run "regedit")

b) Locate the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System

c) Create a new DWORD and name it: disableGPO
d) Set the new value to 1 to disable GPO. (NB: 0 is the
default value, meaning GPO is enabled)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ext
Exibar
Sent: Thursday, April 27, 2006 11:19 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] bypassing Windows Domain Group Policy Objects

I seem to recall a paper on the circumventing of Windows Domain GPO's,
but I can't find it anywhere.

  anyone have any information on preventing GPO's from being applied to
a Domain machine?  or a link to that paper?

 thanks!
   Ex 

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

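A defender's audit for the tampering indicators this thread describes (Alan's SFCDisable value and renamed gpupdate.exe/secedit.exe, the patched sfc_os.dll copied into System32 and dllcache, and the DisableGPO value Michael quotes), written as an added example that is not from the thread. It assumes PowerShell 4 or later, run elevated on the host being checked; the Authenticode check is only reliable for catalog-signed system files on Windows 8 and later, so treat any non-Valid status as something to compare against a known-good copy rather than proof of tampering.

```powershell
# Added example: report the GPO/WFP tampering indicators discussed in the thread.
$findings = @()

# 1) SFCDisable under Winlogon: absent or 0 on an untouched host; the post
#    sets it to FF9D (read back as 0xFFFFFF9D), so any non-zero value is a finding.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$sfc = Get-ItemProperty -Path $winlogon -Name SFCDisable -ErrorAction SilentlyContinue
if ($sfc -and $sfc.SFCDisable -ne 0) {
    $findings += ('SFCDisable set to 0x{0:X8} in {1}' -f $sfc.SFCDisable, $winlogon)
}

# 2) DisableGPO under Policies\Microsoft\Windows\System: 1 = group policy disabled.
$polsys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$gpo = Get-ItemProperty -Path $polsys -Name DisableGPO -ErrorAction SilentlyContinue
if ($gpo -and $gpo.DisableGPO -eq 1) {
    $findings += "DisableGPO = 1 in $polsys"
}

# 3) gpupdate.exe / secedit.exe renamed or removed from System32 (step 2 of the post).
$sys32 = Join-Path $env:SystemRoot 'System32'
foreach ($exe in 'gpupdate.exe', 'secedit.exe') {
    if (-not (Test-Path (Join-Path $sys32 $exe))) {
        $findings += "$exe missing from $sys32"
    }
}

# 4) sfc_os.dll: the post writes the patched copy to both System32 and dllcache,
#    so a hash mismatch between the two, or a broken signature, is a strong signal.
#    dllcache only exists on pre-Vista hosts; the System32 copy is checked alone otherwise.
$dllPaths = @((Join-Path $sys32 'sfc_os.dll'), (Join-Path $sys32 'dllcache\sfc_os.dll'))
$hashes = @{}
foreach ($p in $dllPaths) {
    if (Test-Path $p) {
        $hashes[$p] = (Get-FileHash -Path $p -Algorithm SHA256).Hash
        $sig = Get-AuthenticodeSignature -FilePath $p
        if ($sig.Status -ne 'Valid') {
            $findings += "$p signature status: $($sig.Status)"
        }
    }
}
if ($hashes.Count -eq 2 -and @($hashes.Values | Select-Object -Unique).Count -ne 1) {
    $findings += 'sfc_os.dll in System32 and dllcache differ'
}

if ($findings.Count -eq 0) { 'No GPO/WFP tampering indicators found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Neil's point about WSUS still applies: a host that stops reporting to WSUS or stops applying policy is the cheapest signal of all and needs no local access, so pair this host check with a check of the management console.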


Re: [Full-disclosure] bypassing Windows Domain Group Policy Objects

2006-04-29 Thread Richard Bjerregaard
Hi there Exibar

27 April 2006, 16:18:42, you wrote:

E>   anyone have any information on preventing GPO's from being applied to a
E> Domain machine?  or a link to that paper?

http://www.sysinternals.com/blog/2005/04/circumventing-group-policy-settings.html

-- 
Best regards
Richard Bjerregaard



Re: [Full-disclosure] bypassing Windows Domain Group Policy Objects

2006-04-28 Thread James Eaton-Lee
On Thu, 2006-04-27 at 10:37 -0400, Michael Holstein wrote:
> Other possible solution, cripple gpupdate.exe (XP) or secedit.exe (2K) 
> through permissions (eg: remove 'localsystem:execute'). Deleting them 
> will just trigger WFP to replace.

gpupdate and secedit are both just applications that interface with the
Group Policy engine to make changes to the way in which they operate;
the GPE is part of Winlogon, and uses a number of client side extensions
to make changes in the file system, registry, etc. I very much doubt if
denying access to them would prevent group policy from working.

You could attempt to do something with some of the Client Side
Extensions, such as scecli.dll, which is the dll which handles security
settings, but I can't find anyone having done anything similar online;
my guess is that the Group Policy Architecture was designed specifically
to prevent this sort of thing from being easily do-able. 

It might be worthwhile seeing if anyone who spends a lot of time
thinking about lots of this sort of thing within the context of Windows
(such as some of the guys from rootkit.com) has any ideas if you're
particularly interested.

To be honest, if you really wanted to kill group policy, the easiest
thing to do would probably be to just firewall the host in question in
order to prevent any GPOs from being downloaded from the Domain
Controller in the first place.

I may be wrong however - anyone who knows otherwise, please feel free to
enlighten me!

"How Core Group Policy Works"
http://technet2.microsoft.com/WindowsServer/en/Library/eb0042e3-699b-4c49-abcc-e3526dbecc0e1033.mspx
has quite a good overview of how Group Policy functions.

 - James.

-- 
  James (njan) Eaton-Lee | 10807960 | http://www.jeremiad.org
  Semper Monemus Sed Non Audiunt, Ergo Lartus - (Jean-Croix)

sites: https://www.bsrf.org.uk ~ http://www.security-forums.com
   ca: https://www.cacert.org/index.php?id=3



Re: [Full-disclosure] bypassing Windows Domain Group Policy Objects

2006-04-27 Thread KF (lists)

Good bit of info to pass on to the entire mailing list...
I'm sure tonight you will have a few folks checking to see just how well
he manages WSUS on your public facing machines.

-KF


The windows admin here,
however, doesn't monitor WSUS, so the fact that my machine hasn't
reported in 90 days hasn't registered.

Neil



RE: [Full-disclosure] bypassing Windows Domain Group Policy Objects

2006-04-27 Thread Neil Hunt
Michael Holstein said:
> >
> > Other possible solution, cripple gpupdate.exe (XP) or secedit.exe (2K)
> > through permissions (eg: remove 'localsystem:execute'). Deleting them will
> > just trigger WFP to replace.
> >
> > /mike.
> >
Exibar said:
>
>
>   H.  sounds like a good plan :-)   I'll test that out!   thanks!
>
>   Ex
>

This does indeed work, but, if the site is using WSUS or similar, then
the machine will stick out like a sore thumb.  The windows admin here,
however, doesn't monitor WSUS, so the fact that my machine hasn't
reported in 90 days hasn't registered.

Neil



Re: [Full-disclosure] bypassing Windows Domain Group Policy Objects

2006-04-27 Thread Exibar


- Original Message - 
From: "Michael Holstein" <[EMAIL PROTECTED]>

To: 
Sent: Thursday, April 27, 2006 10:37 AM
Subject: Re: [Full-disclosure] bypassing Windows Domain Group Policy Objects


System Key: 
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System]

Value Name: DisableGPO
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = default, 1 = disable group policy)


strike that .. production releases ignore this.

Other possible solution, cripple gpupdate.exe (XP) or secedit.exe (2K) 
through permissions (eg: remove 'localsystem:execute'). Deleting them will 
just trigger WFP to replace.


/mike.
  H.  sounds like a good plan :-)   I'll test that out!   thanks!

 Ex 



Re: [Full-disclosure] bypassing Windows Domain Group Policy Objects

2006-04-27 Thread Michael Holstein

System Key: [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System]
Value Name: DisableGPO
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = default, 1 = disable group policy)


strike that .. production releases ignore this.

Other possible solution, cripple gpupdate.exe (XP) or secedit.exe (2K) 
through permissions (eg: remove 'localsystem:execute'). Deleting them 
will just trigger WFP to replace.


/mike.



Re: [Full-disclosure] bypassing Windows Domain Group Policy Objects

2006-04-27 Thread Michael Holstein
 anyone have any information on preventing GPO's from being applied to a 
Domain machine?  or a link to that paper?


System Key: [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System]
Value Name: DisableGPO
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = default, 1 = disable group policy)

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University



[Full-disclosure] bypassing Windows Domain Group Policy Objects

2006-04-27 Thread Exibar
I seem to recall a paper on the circumventing of Windows Domain GPO's, but
I can't find it anywhere.


 anyone have any information on preventing GPO's from being applied to a 
Domain machine?  or a link to that paper?


thanks!
  Ex 

