DEF CON 12 is pleased to present Darrell Highland, IT industry veteran in a number of fields, CIS admin, net admin, etc., my apologies. Without further ado, DEF CON 12 presents Darrell Highland.

Hope everyone's been having a good time. How many people here have had to get bailed out of jail this weekend? I don't see any hands. You're slacking.

The name of this presentation is the New Secure Workstation. Can't overemphasize, this is not on Microsoft. This presentation is going to be an informative look at Microsoft group policy security issues in today's workplace, and the way we as security professionals, system designers and implementers have poorly deployed group policies as a security solution. Group policy is designed to control the system and security. We will be focusing on the security part of this, or the lack of security.

Areas of discussion in today's presentation: where policies are used, what policies control, and why policies are used. And then of course we're going to show some exploiting of these weak policies. In conclusion, we're going to touch a couple of bases and hopefully give you some reasons or things to change to improve your security.

Over the last decade, Microsoft operating systems have inundated the manufacturing environment as industrial control systems. These systems run manufacturing equipment and they are used as data gathering systems. The two forms I see them used in are kiosk-style systems within the industry and Citrix farms. Dealing with industrial control systems, it's very critical that security is maintained at a high level. Downtime within these manufacturing environments costs the corporation tens of thousands of dollars. And I've actually seen some systems that, if they came down, could actually cause loss of limb or life.

The second area is standard business desktops. These are your typical desktop systems that you see set up in any office environment.
From a group policy view, this is probably where I see group policies used most effectively. In these environments we don't typically try to lock down and tighten these boxes and make them so secure that they can't do anything. What we try to do in these environments is basically form a desktop structure that works well for that business environment. We might limit a few applications, but we mainly want to create a structured display for the business person to do their job.

The third area is public access terminals. This is a very interesting area. I've talked to several friends that work in the school industry, asking them about group policies, and they basically said, yeah, we use group policies. So I prompted them with a couple of questions and they're pretty much doing what everyone else is doing, lacking security. Library systems. I actually went over to a couple of libraries where I live and saw what I could do in the library systems. Their security is no better than anyone else's. It's obvious.

Kiosk systems. This one needs a little more research. I did not have time to put a lot of work into kiosk systems. Kiosk systems would be the systems you see, as an example, at Target grocery stores or Target department stores, used to put in résumés and applications. They're used for gift registries. They're used for photograph imaging type systems where you can put your little memory cards in and do something with your photographs. These types of systems, I'm not sure exactly what they're using for security, but I wouldn't be surprised if group policies are part of that security.

What to secure: restrict applications. You want to restrict access to configuration tools within your group policies. If you don't, don't bother restricting anything. If the guy can go in there and change everything, there's no point. Restrict functionality of certain applications.
If you have an application that lends itself really well to being configured and manipulated with registry entries, these can be rolled into group policies very effectively. An example would be Internet Explorer, which is built into the group policies within Microsoft. You can turn a lot of functions off and a lot of functions on, and you can manipulate the way the thing looks. The other item here is preventing users from running certain applications. Group policy has a function with a list you can add applications to, so that the users can only run those applications. I've yet to see anyone actually use this, and even if you do, all you have to do is rename your hacking application to one on the list and it'll run.

File system security with group policies: hide your drive icons, prevent file system browsing. This is purely smoke and mirrors. This does nothing for you. As I show in my demonstration, with the drive icons hidden and file system browsing shut off, you'll be able to get access to any application and run it on your system. The only way to properly handle this is with actual NTFS file system rights. If you don't want users accessing the file system, prevent it with file system rights. Don't try to do it with group policies.

So why do we secure and restrict with group policies? Probably one of the biggest ones: we want to prevent users from screwing up the workstation. Even with group policies in place, I've seen this over and over again. Users going into the system and poking and playing around until they find a way around group policies and basically destroying the system anyway. Prevent users from accessing something. From my perspective, where we see this most is trying to prevent users from getting access to the internet with a web browser. Employees out surfing porn. I don't think group policies is the place to configure this.
I have yet to find a system where that's been done where I couldn't go in and hack the registry on the box and redirect the whole thing out another port. This should be done on your network.

Stop hackers. I have a little different definition of a hacker. I work in a manufacturing environment for a Fortune 500 company. And the hackers we see are any employee that has a keyboard and a mouse and spare time on his hands; he becomes a hacker. As an example, I had one system administrator at one of our factories, after talking to him about how he was securing his environment, in this case a Citrix farm. He was using group policies to secure it and a few other applications for securing it. And about every other day, he had to go down and he'd find out the guys had reconfigured the box and they were getting internet access and they were surfing porn. He'd go down the next day and they'd have all these games running on these boxes. These are industrial control systems used for pulling data off the processing systems. They're very critical systems. He could not figure out as a system administrator how they were doing this. So what he did was he ended up shadowing and he found out what they were doing. So he went down and asked them how they figured out how to do that. Well, they said they sat down and actually went through every possible key combination on the keyboard until they found a way around all this stuff.

And the final statement on this page right here is: if you're really not sure why it needs to be secured, then maybe it doesn't. Again, I have system administrators that say, I want this locked down. I want it secured. I don't want them to be able to do anything. I want to stop them. They go through all this effort and spend all this time, all these man hours, trying to secure something, and then I usually take about 30 seconds and show them how I can defeat everything they did. At that point, they say, well, what's the point? I don't need to secure it. It's not important.
And I say, well, why are we spending all the man hours? That costs money to the company, to restrict this, and it's really not needed. So you need to ask this question on everything. If you're really not sure why it needs to be secured, then maybe it doesn't.

These statements here are statements that I've actually had come from system administrators and implementers on our network that have deployed group policies. One of them actually said, if I can't get around it, it must be secure. I said, well, what did you do to try to get around it? Well, I tried clicking on a few things. Well, let's be real. We're putting these out in the hands of people that basically stand all day looking at this machine reading the numbers off of it in the manufacturing environment. What are they going to do? They're going to try every key combination until they get around it. So, yeah, they can get around it.

The other one is: they aren't hackers, they won't figure a way around it. Usually what it is, after I show them how to get around their group policy security, I had this statement given to me: they aren't hackers like you, Darrell. They won't find a way around this. Well, then I usually reminded them what they said to me the day before, that they ended up with 15 or 20 systems that basically guys had hacked into, added game applications, brought down Citrix farms, adding applications. Yes, they are hackers. You give them a mouse and keyboard and time, and they're hackers.

The third one there: so they break out of it, that doesn't matter, there's nothing important there. That's when I have to jump back to the previous slide. If you're really not sure why it needs to be secured, then maybe it doesn't. If you're going to say that, then it probably doesn't need security.

Group policies work. Group policies work in the right environment. What are you trying to do? Are you trying to make this your security structure, built around group policies? Then no, it doesn't work.
If group policies are going to be deployed to manipulate the desktop, to create a user environment for your users to be able to do their job, then yes, it does work. You guys are going to have to answer this question for yourself.

Now let's start getting into some of the fun stuff. Hackers don't need fancy tools or scripts to get around group policies. Let's use the tools right in front of you. I've never had to bring a tool from outside the box to actually take over the box. Use the tools that are right in front of you: Internet Explorer, Notepad, your help screens, command line, FTP. I'll be showing some of these in a minute, on how these can be used to get around some of these security settings. Give a resourceful man any application and he will rule your system. I guarantee you. If he has time and he has the desire, he will get around your security.

Again, know your environment. Know the OS file structure. You can't exploit it if you can't find it. You can't protect it if you can't find it. If you don't know what's there, how can you secure the system? Know your OS command line tools. These can get you around almost anything when it comes to group policies. It doesn't matter what the operating system version is: XP, 2000, 2003, even 95. If you know your system, you can use it to exploit the system.

One of the slides is missing off here. The slide deals with Microsoft's group policy and some known vulnerabilities. I wish I had it up, but I don't. I'll go ahead and go over it. It deals specifically with group policy delivery to the workstation. There are three known vulnerabilities. One of the vulnerabilities basically says when I log into my box and authenticate to my Active Directory, I'll also authenticate off to my group policy server, which will deliver the group policy down to my workstation. If you disconnect the cable and authenticate locally, you can put off actually getting new group policy changes. This is a minimal risk, but it does work.
And then you can reattach the network and, based on what the timeout is, it defaults to 90 minutes, you can actually delay getting those group policy updates for 90 minutes on the system. The second one deals with DNS, the resolution of your group policy server. If you mess with the DNS and you prevent that box from resolving the server, you will not get group policies. You'll still log into Active Directory. You'll still get your file systems, but if you screw with the DNS on your box, you can prevent it from getting group policies. The third one deals with exclusive read functions. If I go to a machine, log in to the network group policy, go out to the group policy server, go down the list there, find my group policy object associated with me, go ahead and open it in exclusive read mode, walk over to another box that I've never logged into, and log in to Active Directory, it'll authenticate me to Active Directory, giving me my file system, but I won't get the group policies. Now I have a system that has no lockdowns on it.

Cheap pet tricks to torment and frustrate group policy designers. And all these compliments of Microsoft, built right in, most of them. Help screens. If you can get a help screen up, sometimes you can get Internet Explorer up and running from a help screen. You can get Notepad up. You can even get diagnostic tools running from a help screen. The second one is loopback. If that box has any shares available to it, and you have the local file system blocked, so you can't get to the icons and you can't browse the file system, I've been able to use this to basically redirect myself back through the loopback and get the entire file system. One of our designers actually deployed a system. It was a thin client running Embedded XP, and they protected the Citrix server they were connecting to, but they didn't protect the local box.
So with the local box, they decided, well, for us to get this thing to work, they put group policies on it, but they made the user an administrator of the box. A real smart one there. It didn't take me long to find out. All I did was a loopback to C$. Got the full file system, was able to get applications up and running, was able to hack the registry, redirect the box out to the Internet, and was able to go anywhere I wanted to go at that point.

USB memory drives. This is a big item. Security people need to think real hard about these. If you're going to allow them on your networks, or you're going to allow them on machines that you're trying to restrict with some kind of security, if you really want security on that box, turn this off, if you can. Older versions of applications. With Microsoft group policy in a lot of cases, when you set up a policy to protect you from running a certain application, if someone gets an older version of the application, there's a good chance it'll run. And if you're smart, you'll put it on a USB and plug it in and do it.

Trigger errors. This is another example I had with that same thin client after they reconfigured it and brought it back to me. The user was no longer an administrator. They failed to turn off the debug mode. So basically what I did was, when I got Internet Explorer up and running, I did a cross-site scripting on one of our internal servers that caused IE to crash. With the debug mode on, the debug program came up and I was able to get access to the file system and launch certain applications.

Security alert pop-ups. As an example, not able to get to the file system, you have Internet Explorer. I've used this one to exploit a system where I went to a site where the key wasn't signed by a known authority. So I get the pop-up box. I was able to save the file to the file system. In this case, I saved it to the desktop.
Even though there were no applications, the only thing I had access to in this box was the desktop and Internet Explorer. So what I did, there were no icons on the desktop. I saved this to the desktop. They failed to lock down the desktop completely. Now I've got a file sitting on my desktop. I instantly renamed the extension on that file and then did the one right below it, a non-associated extension attack: I just launched that. Microsoft pops up and says, I don't know what to open this with. Pick an application.

There is a group policy tricks slide. I thought I missed that. We'll skip that one.

Now we're going to get into some examples. I think we're going to have some fun here. We're going to go ahead and split the screen here. When I was putting this demonstration together, I was trying to weave some interesting tale around this. This is Bob's computer. Bob's uncle's company likes Bob, but they don't trust him. They think he's a hacker. They know he subscribes to 2600. He goes to DEF CON every year. So what they decided to do was give him a worthless desktop. At least they thought it was worthless. So they locked him down. They decided to give Bob a clock so he knows what time it is, so he can go home. He can't do nothing with it. They didn't give him any applications. He's a hacker. He'd be dangerous with an application. They don't allow him to do that either. Sorry about that. Maybe I should have done that before I set the demonstration up. We're going to be off the bar here in a second. Don't worry. I was just showing real quick that basically there are no applications. Bob can view a clock so he can go home. He can log off and he can shut down his box. Other than that, they don't want him doing anything. Of course the system administrator missed one key feature. He forgot to shut off the Windows key.
So Bob knows if he takes the Windows key, he can probably hit several different keys and get some kind of action. In this case, Bob figured he would go ahead and bring up the Help Center. And as we all know, the Help Center is nothing but a fancy web browser. Bob knows he can click through here and get several applications up and running, but he's going to go for Internet Explorer. The right-hand side of this screen here is basically a web browser. I believe the extension on these is CHM, usually written in HTML or Java. Bob knows that unless the system administrator has specifically gone into group policies and said do not open a new window, all he needs to do is find the link on the right-hand side, hold down the shift key, and click on it. He can have Internet Explorer up and running.

But just in case that doesn't work, there are other ways of doing it. In this particular configuration of this box, Bob's going to go ahead and try going to print. When he gets to print, he's going to go ahead and print to a file. Go ahead and save it as test. Yeah, we'll go at it. Something's happening. Oh, there we go. Microsoft Office Document Imaging. We can probably find a lot of ways around things in here, but Bob's looking for Internet Explorer. So if you go to Send To in a lot of applications, you'll find all kinds of interesting things. Here we go, recipient using Internet Fax Service. Well, he's not listed in any fax services, so Microsoft's nice enough to tell him, well, click OK to open a page in your web browser where you can choose a provider. There you go.

Shell folder vulnerabilities. There was a Bugtraq post that came out in October 2003 dealing with a shell folder exploit. It was kind of a remote exploit using shell folders and shell folder traversal. It was an interesting exploit, but I took it and thought, well, this shell folder thing is kind of intriguing. What can I do with it?
Can I get around lockdowns and security on a workstation using the shell folder vulnerabilities? Well, what I found out was, oh, yes, you can. Using the shell folder vulnerability, I can actually traverse my file system to another file system. We'll go ahead and give an example of that, using a USB. Of course, this USB is considered a local file system, and we have this box locked down so you can't browse the local file system and you can't see the icons for it. If you want to do a traversal on XP using a shell folder, you need to join it with a plus symbol. Yeah, of course, I want to open it. Take a good look at that date. This is Windows 3.5.1 command.com, running on XP. There's your backward compatibility. You can open applications from here. When you're using an older version, one thing you can't do, don't try to change directories. They don't like it. You can read directories if you want, and you can launch applications from here. But if you try to change directories, it doesn't like it. When you're dealing with command.com or cmd.exe, you can lock it down in group policies. In the group policies, if you don't want command.com to function, you need to shut down command prompt scripting also when you shut down cmd.exe. If you don't, command.com will work. So there's a way to stop that.

Okay, dealing with reg.exe. This box has RegEdit locked down. Apparently it doesn't like that, does it? Trust me, RegEdit is locked down. You can't run it on this box. But Microsoft is nice enough to give you a command-line tool, reg.exe. From here you can export and import the registry. I haven't found anywhere in group policies where you can explicitly shut that down. Now we have command.com up. Type in reg. Here's the actual syntax for it. Playing around with some of the registry hacks in these locked-down systems where the user is just a user: in HKEY_CURRENT_USER, there are a lot of functions that you can screw with.
This is where you can actually hack IE and change the proxies if it's locked down. Even though everything's secured, a lot of these features you can modify with the rights that the user is running with at that point. There you go. We just dumped the registry of HKEY_CURRENT_USER. You can dump all the registries out. If you're dealing with kiosk-style systems that auto-log in, go through there and find the password they use.

Another piece of research, this one was kind of fun. FTP. What can you do with FTP? Well, you know you can shell out. But, you know, it won't let me shell out. Yeah, it will. If you pass it to the shell and then pass your commands to the shell, it will execute. Again, if they shut down the command scripting process, this won't work. But I have yet to see someone shut it down.

Non-associated extensions. You can also execute programs from here fairly effectively. Let's go ahead and give that a try. We're going to go ahead and create a file. We're going to call it Fred. Here we go. We're going to put a non-associated extension on it. A weird one. MNB. I hope that ain't an extension. Sounds like one. Let's change it. That sounds good. Boom. Okay, now from here, let's just execute it. Thank you. So there we go, through and look at the different applications. Also, if your file system is set up so you can't browse your file system and you can't see the icons, and you go to browse and try to get somewhere, it's going to go ahead and freak out on you. Oh, let me see that drive. That's the DVD. Okay. Let's see. There you go.

Administrator lockout. Ain't going to let you do anything. But I'm not going to give you an example here. You're going to have to trust me on it. You go to that. If you type in the full path to the file, it will add it to the list for you. As you can see, I've already did command.com and some of the other ones. But since I didn't want Bob opening anything, I'm going to go ahead and open Word.
So what have we done so far? Basically, we got Internet Explorer up. Notepad. We can hack the registry and we can run Microsoft Word. There you go.

Another big one. Program Manager. If all else fails, this will work in a lot of cases. Program Manager. Run. Command line. If they have turned off command line scripting, you can still execute DOS commands. But be aware, if they display within a DOS window, you'd better have quick vision. This doesn't handle pipes and it doesn't handle redirects. That's the biggest problem with it. But you can execute commands. As an example, here we have substitution. Now, as I mentioned, the local file system is not accessible. In a normal environment, you would typically have a hard lockdown like this. The user would at least have a network file system that he could write his applications to, to use it. He can access the local file system and he can use group policies to shut that down. If he's smart enough to do substitution, he can redirect the local file system to a network drive letter. You should do that just to make sure. See, it flashes up there pretty quick. I bring the desktop up and look at My Computer. Now I've created an S drive. There's your C drive.

Some other methods and tools. The only application they give you happens to be a word processor, Microsoft Word or something like that. Microsoft Word has a neat function: insert hyperlink. From here you can insert. Where's Notepad at? Anyone remember? System32. Let's try it here if we fail. What the heck? You create links in here. Basically hold down the control key and click on those. And it's not in that folder. So you can use that to get access to almost any application, but you obviously need to know where it's at and how to spell it.

Restrictions on certain programs? The question was, if you have an application that's not in the allowed applications. I do not believe it will run. But if you can get access to rename it, it will. Just rename it to an allowed application name. What's that?
You can restrict by application hash. You can run signed applications only. So I guess you can get a little tighter restriction on those applications.

Okay, in conclusion, let's take a closer look at why we're using policies and their purpose. Before you go and put a lot of effort into locking things down with policies, you need to take a good hard look at what you're doing. You're trying to lock them down because you have hackers that are actually weekend warriors or bored employees. There are solutions. Inept users, if they have two sticks to rub together, they'll poke their eye out with one of them; that's probably one. If you don't want users running applications, remove them from the workstation. If you lock out cmd.exe, don't forget command.com; you lock that out using the disable command prompt scripting process. And of course, if you don't want users doing that, don't forget to lock out or remove reg.exe. And again, let's take a closer look at these USB devices. If you're trying to get security on a machine, these probably need to be taken off or disabled. If you don't want users accessing the file system, secure it with NTFS file system rights. Don't try to use group policies as a method. It's purely smoke and mirrors. Can't overemphasize. Better security starts with correctly securing the file system.

And when policies do fall short of what you're trying to do and they don't work, look at some third-party applications. I'm not going to give you any names here. If someone wants to email me, I'll give you my opinion on a couple of them. You want solutions that prevent any application not installed by an administrator from running. And I've seen some that do that. And you want a solution that gives you the ability to drill down. If you truly want to be able to control the system to that level, you need an application that will let you do that.

I have a little quote here. It came out of Microsoft's training material.
"It is crucial that security administrators understand the limitations of group policies so that they can plan for events in which group policies cannot effectively control user behavior. Group policy is not designed to fully secure client computers. It should not be relied on exclusively for that purpose." That's right from Microsoft.

Any questions?

There should be a way, through group policies or through the registry actually, to go ahead and globally disable the file association dialog box, as an example, so that you would not be able to, under any circumstances or from anywhere, get that box. I'm pretty sure there probably is a way to effectively do that. I've never seen anyone do it, because as group policy implementers we're constantly failing in this area. And that's one of the things I was trying to point out. I do not know. I couldn't tell you where to go to do that or where the registry key would be to do that. There's a lot of these I don't know to that level. And I could go find them. So if anyone has any questions for me, right from here I probably couldn't tell you where to go in the registry or where to go within group policies to shut down specific things. One of the biggest roles I've played in this thing is not as an implementer of the group policies but as a security tester of group policies. When they've tried to implement these things, my responsibility has been to go in and say, hey, if your goal is to have this level of security, this isn't working, and here it is, and your goal has been to go back and fix it and bring it back to me, if that was the plan. But I can't find any of that information; if anyone has any questions, just shoot me an email on that.

Yes I can. Any other questions? Shoot me an email and I'll try to find something to get that to you on ADM files. Excuse me? No, I'm sorry.
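As an added example (not part of the talk or its slides), the following PowerShell audit checks a workstation for the gaps listed in the conclusion: cmd.exe locked but scripting left on, RegEdit blocked while reg.exe is untouched, USB storage still enabled, and drive hiding used in place of NTFS rights. The registry locations are the standard policy keys; the function names and the OK/WEAK labels are this example's own naming.

```powershell
# Added audit example; not from the talk. Run in the locked-down user's session so
# the HKCU policy values reflect what that user actually received.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-GpoLockdownFindings {
    $findings = @()

    # 1. Command prompt. DisableCMD=1 blocks cmd.exe AND command prompt scripting;
    #    DisableCMD=2 blocks only the interactive prompt, which is the gap the talk
    #    describes (command.com, FTP shell escapes and batch files still run).
    $cmd = Get-PolicyValue 'HKCU:\Software\Policies\Microsoft\Windows\System' 'DisableCMD'
    if ($cmd -eq 1) {
        $findings += 'OK   : cmd.exe and command prompt scripting both disabled'
    } elseif ($cmd -eq 2) {
        $findings += 'WEAK : cmd.exe disabled but scripting still allowed (set DisableCMD=1)'
    } else {
        $findings += 'WEAK : command prompt not restricted at all'
    }

    # 2. Registry tools. DisableRegistryTools covers regedit only; reg.exe needs a
    #    separate software restriction or NTFS deny, so check SRP's default level too
    #    (0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted).
    $regTools = Get-PolicyValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' 'DisableRegistryTools'
    if ($regTools -ge 1) {
        $findings += 'OK   : regedit disabled (reg.exe is NOT covered by this setting)'
    } else {
        $findings += 'WEAK : regedit not disabled'
    }
    $srpLevel = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers' 'DefaultLevel'
    if ($srpLevel -eq 0) {
        $findings += 'OK   : software restriction policy default is Disallowed (covers reg.exe, renamed or older binaries)'
    } else {
        $findings += 'WEAK : no default-deny software restriction policy; reg.exe and renamed tools will run'
    }

    # 3. USB mass storage. Start=4 disables the USBSTOR driver.
    $usb = Get-PolicyValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
    if ($usb -eq 4) {
        $findings += 'OK   : USB mass storage driver disabled'
    } else {
        $findings += 'WEAK : USB mass storage enabled; older or renamed tools can be brought in on a stick'
    }

    # 4. Drive hiding. NoDrives / NoViewOnDrive only hide Explorer's view; the real
    #    control is the NTFS ACL, so report the hiding as cosmetic and check who can
    #    write to the system drive root.
    $explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if ((Get-PolicyValue $explorer 'NoDrives') -or (Get-PolicyValue $explorer 'NoViewOnDrive')) {
        $findings += 'INFO : drive icons hidden via Explorer policy; this is cosmetic, not access control'
    }
    $acl = Get-Acl -Path "$env:SystemDrive\"
    $broadWriters = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -match 'Users|Everyone|Authenticated Users' -and
        ($_.FileSystemRights.ToString() -match 'Write|Modify|FullControl')
    }
    if ($broadWriters) {
        $findings += "WEAK : $($broadWriters.Count) broad write ACE(s) on $env:SystemDrive\ (fix with NTFS rights, not policy)"
    } else {
        $findings += "OK   : no broad write access on $env:SystemDrive\"
    }

    return $findings
}

Get-GpoLockdownFindings | ForEach-Object { Write-Output $_ }
```

A 'WEAK' line is a finding to fix with the control the talk recommends (DisableCMD=1, a default-deny software restriction policy, USBSTOR disabled, NTFS ACLs), not with more Explorer hiding.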