Microsoft KB Archive/812541

= A Malicious User May Circumvent User Policy =

Article ID: 812541

Article Last Modified on 2/28/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition

-



CAUSE
This issue may occur under the following circumstances:
 * 1) The malicious user has a roaming profile.
 * 2) The user accesses the Ntuser.dat file in their roaming profile on another computer, and then copies the hive locally.
 * 3) The user logs on as a user with administrative rights and takes ownership of the keys that determine whether policy has been applied in their registry hive:  
 * 4) The user sets permissions so that his or her domain account can modify these keys.
 * 5) The user then modifies the version information so that Windows Server 2003 behaves as though any new user policies have already been applied to this user.

By doing this, no new policies are applied to the malicious user. The user can then reverse any other policies already applied under HKCU in a similar fashion and circumvent all user-based policy.

Note: This will not work unless the malicious user has administrative rights on the computer from which they access the registry hive.



WORKAROUND
To work around this issue, use one of the following methods:

Method 1: Do Not Use Roaming Profiles
If your network does not need roaming profiles, do not use them. Without a roaming profile, the malicious user described in this article cannot perform the procedures that are outlined in the "Cause" section of this article.

Method 2: Edit Registry Policy Processing Properties
Edit the Group Policy properties to force the local computer to process registry policy each time the user logs on, regardless of whether changes have been made. By default, Windows only re-processes policy if the registry history keys indicate that a policy has been modified.

Note: This workaround may slow the logon process because Windows processes all registry policy each time the user logs on.

To edit the registry policy processing properties, follow these steps:
 * 1) Click Start, click Run, type Gpedit.exe, and then click OK.
 * 2) Expand Computer Configuration, expand Administrative Templates, expand System, and then click Group Policy.
 * 3) In the left pane, under Group Policy, double-click Registry policy processing.
 * 4) In the Registry policy processing Properties box, click the Settings tab, click Enable, and then click to select the Process even if Group Policy objects have not changed check box.
 * 5) Click OK, and then close the Group Policy snap-in.
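The following PowerShell script is an added example, not part of the original article, that audits a host for the exposure described here: it reports whether the "Registry policy processing" setting from Method 2 is in effect and lists local profiles that are configured as roaming (Method 1). It assumes that the setting is stored as the NoGPOListChanges value under the registry client-side extension key shown below (0 meaning "process even if Group Policy objects have not changed") and that roaming profiles are recorded as CentralProfile under the ProfileList key; neither location is stated in the article.

```powershell
# Audit a Windows host for the KB 812541 workarounds (added example, not from the article).
# Assumptions not stated in the article: the "Registry policy processing" GPO setting maps to
# NoGPOListChanges under the registry CSE key below (0 = process even if GPOs have not changed),
# and a roaming profile is recorded as CentralProfile under the ProfileList key.
$cseKey         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
$profileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-RegistryPolicyProcessingState {
    # Returns 'Enforced' when Method 2 is in effect, 'Default' when policy is only
    # re-processed after the GPO list changes (the behavior the attack relies on).
    $value = (Get-ItemProperty -Path $cseKey -Name NoGPOListChanges -ErrorAction SilentlyContinue).NoGPOListChanges
    if ($null -eq $value) { return 'Default' }   # setting not configured
    if ($value -eq 0)     { return 'Enforced' }
    return 'Default'
}

function Get-RoamingProfileUsers {
    # Lists local profiles whose registry entry points at a central (roaming) profile path.
    Get-ChildItem -Path $profileListKey -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($props.CentralProfile) {
            [pscustomobject]@{
                Sid            = $_.PSChildName
                LocalPath      = $props.ProfileImagePath
                CentralProfile = $props.CentralProfile
            }
        }
    }
}

function Set-RegistryPolicyAlwaysProcess {
    # Applies Method 2 locally; domain members should set it through the GPO described above.
    if (-not (Test-Path $cseKey)) { New-Item -Path $cseKey -Force | Out-Null }
    Set-ItemProperty -Path $cseKey -Name NoGPOListChanges -Value 0 -Type DWord
}

$state   = Get-RegistryPolicyProcessingState
$roaming = @(Get-RoamingProfileUsers)
"Registry policy processing: $state"
if ($roaming.Count -gt 0 -and $state -ne 'Enforced') {
    "WARNING: $($roaming.Count) roaming profile(s) present and registry policy is only processed on change (KB 812541 exposure)."
    $roaming | Format-Table -AutoSize
} else {
    "No KB 812541 exposure detected by this check."
}
```

Run it in an elevated session; Set-RegistryPolicyAlwaysProcess is defined but not called, so the audit is read-only unless you invoke it.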



STATUS
Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article.

Keywords: kbnofix kbbug KB812541

-


© Microsoft Corporation. All rights reserved.