A Malicious User May Circumvent User Policy (812541)



The information in this article applies to:

  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Server 2003, 64-Bit Enterprise Edition

CAUSE

This issue may occur under the following circumstances:
  1. The malicious user has a roaming profile, so a copy of the user's registry hive (Ntuser.dat) is stored outside the local computer.
  2. The user accesses the Ntuser.dat file in their roaming profile from another computer, and then copies the hive locally.
  3. The user logs on with an account that has administrative rights, loads the copied hive, and takes ownership of the keys that record which policy has already been applied to the user: HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\History
  4. The user grants his or her own domain account permission to modify these keys.
  5. The user then modifies the version information under these keys so that Windows Server 2003 behaves as though any new user policy has already been applied to this user.

As a result, new user policies are not applied to the malicious user. The user can reverse any other policy applied under HKCU in the same way and so circumvent all user-based policy.

Note: This does not work unless the malicious user has administrative rights on the computer from which he or she accesses the registry hive.
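Because the technique depends on changing the owner and permissions of the History keys, the change itself is a detectable artifact. The following PowerShell script is an added example, not code from KB 812541: it walks the History key and its per-extension subkeys in a user hive and reports any key whose owner is not SYSTEM or Administrators, or where a principal other than those two holds write-class rights. It assumes (not stated in the article, so verify on a known-clean machine first) that on an untouched hive these keys are owned by SYSTEM or BUILTIN\Administrators and ordinary users hold read access only; it also assumes English-locale account names and PowerShell 3.0 or later.

```powershell
# Added example, not part of KB 812541: audit the Group Policy History keys in a user
# hive for ownership or access entries that would let that user rewrite the recorded
# policy version (the tampering described in the "Cause" section).
#
# Assumptions (not stated in the article; verify on a known-clean machine first):
#   - on a clean hive the History key and its subkeys are owned by SYSTEM or
#     BUILTIN\Administrators and ordinary users hold read access only;
#   - account names below are the English-locale names;
#   - PowerShell 3.0 or later (-in / -notin operators).

$ExpectedOwners = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$TrustedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

# Rights that would let a principal change the version data or the ACL itself.
$WriteMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             [System.Security.AccessControl.RegistryRights]::Delete -bor
             [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
             [System.Security.AccessControl.RegistryRights]::TakeOwnership

function Test-GpHistoryKey {
    <#
    .SYNOPSIS
    Returns one object per key under the History key; Findings is empty when the
    ownership and ACL look untouched.
    .PARAMETER HistoryKey
    Provider path of the History key. Defaults to the logged-on user's hive. To audit
    another user's Ntuser.dat (for example a copy taken from the roaming profile
    share), load it first with
        reg.exe load HKU\AuditTemp C:\path\NTUSER.DAT
    and pass
        'Registry::HKEY_USERS\AuditTemp\Software\Microsoft\Windows\CurrentVersion\Group Policy\History'
    #>
    param(
        [string]$HistoryKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy\History'
    )
    if (-not (Test-Path -LiteralPath $HistoryKey)) {
        throw "History key not found: $HistoryKey"
    }
    $keys = @(Get-Item -LiteralPath $HistoryKey) + @(Get-ChildItem -LiteralPath $HistoryKey -Recurse)
    foreach ($key in $keys) {
        $findings = New-Object System.Collections.Generic.List[string]
        $owner = $null
        try {
            $acl = Get-Acl -LiteralPath $key.PSPath
            $owner = $acl.Owner
            if ($owner -notin $ExpectedOwners) {
                $findings.Add("owner is '$owner'; expected one of: $($ExpectedOwners -join ', ')")
            }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
                $who = $ace.IdentityReference.Value
                if ($who -in $TrustedWriters) { continue }
                if (([int]$ace.RegistryRights -band [int]$WriteMask) -ne 0) {
                    $findings.Add("'$who' holds write-class rights: $($ace.RegistryRights)")
                }
            }
        } catch {
            # Losing the right to read the ACL is itself a sign the key was re-ACLed.
            $findings.Add("could not read security descriptor: $($_.Exception.Message)")
        }
        [pscustomobject]@{
            Key      = $key.Name
            Owner    = $owner
            Findings = $findings.ToArray()
            Suspect  = ($findings.Count -gt 0)
        }
    }
}

# Usage: list only the keys that look tampered with.
Test-GpHistoryKey | Where-Object Suspect | Format-List Key, Owner, Findings
```

Run the audit from a management host against a copy of the user's Ntuser.dat taken from the roaming profile share rather than on the workstation: a user who is a local administrator there, which is the precondition the note above describes, can alter what the script sees.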

WORKAROUND

To work around this issue, use one of the following methods:

Method 1: Do Not Use Roaming Profiles

If your network does not need roaming profiles, do not use them. Without a roaming profile, the malicious user described in this article cannot perform the procedures that are outlined in the "Cause" section of this article.

Method 2: Edit Registry Policy Processing Properties

Edit the Group Policy properties to force the local computer to process registry policy each time the user logs on, regardless of whether changes have been made. By default, Windows reprocesses registry policy only when the version information in the registry history keys indicates that a policy has changed, which is exactly what the malicious user rewrites.

Note: This workaround may slow the logon process because Windows processes all registry policy each time the user logs on.

To edit the registry policy processing properties, follow these steps:
  1. Click Start, click Run, type Gpedit.msc, and then click OK.
  2. Expand Computer Configuration, expand Administrative Templates, expand System, and then click Group Policy.
  3. In the right pane, under Group Policy, double-click Registry policy processing.
  4. In the Registry policy processing Properties box, click the Setting tab, click Enabled, and then click to select the Process even if the Group Policy objects have not changed check box.
  5. Click OK, and then close the Group Policy snap-in.

Note: These steps edit the local Group Policy object of one computer only. To protect every computer the user can log on to, configure the same setting in a domain Group Policy object that is linked to the organizational unit that contains those computers. The setting is under Computer Configuration, so it must reach the computers, not the user accounts.
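The same setting can be applied and verified from the registry, which is useful for checking a fleet of servers or for scripting the workaround. The following PowerShell script is an added example, not code from KB 812541. It assumes, from the Group Policy administrative template definition of "Registry policy processing" rather than from this article, that the setting is stored under the policy key for the Registry client-side extension (GUID {35378EAC-683F-11D2-A89A-00C04FBBCFA2}) as the DWORD value NoGPOListChanges, where 0 means process even if Group Policy objects have not changed and 1 means process only when the GPO list changed; confirm that mapping on your build before relying on it.

```powershell
# Added example, not part of KB 812541: apply and verify Method 2 without the Gpedit UI.
#
# Assumption (taken from the Group Policy administrative template for "Registry policy
# processing", not from the article; confirm on your build): the setting is stored under
# the policy key of the Registry client-side extension, GUID
# {35378EAC-683F-11D2-A89A-00C04FBBCFA2}, as DWORD NoGPOListChanges, where
#   0 = "Process even if the Group Policy objects have not changed"
#   1 = process only when the GPO list changed (also the behaviour when the value is absent).
# The sibling value NoBackgroundPolicy (periodic refresh) is left untouched here.

$RegistryCseGuid = '{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
$PolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\$RegistryCseGuid"
$ValueName = 'NoGPOListChanges'

function Get-RegistryPolicyProcessing {
    # Returns 'AlwaysProcess', 'OnlyIfChanged' or 'NotConfigured' (default behaviour,
    # which is equivalent to OnlyIfChanged).
    if (-not (Test-Path -LiteralPath $PolicyKey)) { return 'NotConfigured' }
    $item = Get-ItemProperty -LiteralPath $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$ValueName -eq 0) { 'AlwaysProcess' } else { 'OnlyIfChanged' }
}

function Enable-AlwaysProcessRegistryPolicy {
    # Equivalent of Method 2, steps 1-5: Enabled + "Process even if ... not changed".
    # Must run elevated; supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($PolicyKey, "set $ValueName = 0")) {
        if (-not (Test-Path -LiteralPath $PolicyKey)) {
            New-Item -Path $PolicyKey -Force | Out-Null
        }
        New-ItemProperty -LiteralPath $PolicyKey -Name $ValueName `
            -PropertyType DWord -Value 0 -Force | Out-Null
    }
    Get-RegistryPolicyProcessing
}

# Usage: show the state before, enable, then confirm by reading it back.
"Before: $(Get-RegistryPolicyProcessing)"
"After:  $(Enable-AlwaysProcessRegistryPolicy)"
```

Two caveats. First, values under HKLM\SOFTWARE\Policies are rewritten at every policy refresh, so a setting written this way survives only if no domain GPO that applies to the computer configures "Registry policy processing" differently; the durable place for it is a domain GPO linked to the computers' organizational unit. Second, this setting covers the registry (Administrative Templates) extension only; the other user-side extensions listed under the same Group Policy node in Gpedit have their own "policy processing" settings with the same check box.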

STATUS

Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article.

Modification Type: Major
Last Reviewed: 9/24/2003
Keywords:kbnofix kbBug KB812541