
A Malicious User May Circumvent User Policy

Cause

This issue may occur under the following circumstances:
  1. The malicious user has a roaming profile.
  2. The user accesses the Ntuser.dat file in their roaming profile on another computer, and then copies the hive locally.
  3. The user logs on as a user with administrative rights and takes ownership of the keys that determine whether policy has been applied in their registry hive:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\History
  4. The user sets permissions so that his or her domain account can modify these keys.
  5. The user then modifies the version information so that Windows Server 2003 behaves as though any new user policies have already been applied to this user.

By doing this, any new policies would not apply to the malicious user. This user can then reverse any other HKCU applied policies in a similar fashion and circumvent all user-based policy.

Note: This will not work unless the malicious user has administrative rights on the computer from which they access the registry hive.
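The tampering described above leaves a trace: the History key ends up owned by, or writable by, the user's own account instead of SYSTEM. The following PowerShell audit is an added example (not part of the KB article) that reports such a change on the key named above; the set of owners treated as expected and the set of principals treated as privileged are assumptions, and the key path is the one given in the "Cause" section.

```powershell
# Added example, not from the KB article: audit the Group Policy History key for
# a changed owner or for write access granted to a non-privileged principal.
param(
    # Default is the current user's key from the "Cause" section; an administrator can
    # pass 'Registry::HKEY_USERS\<SID>\Software\...\Group Policy\History' for a loaded hive.
    [string]$KeyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy\History'
)

# Assumed expected state: the key is owned by SYSTEM or Administrators and only
# privileged principals hold rights that allow modifying the stored version data.
$expectedOwners = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$privileged     = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

# Rights that would let a user rewrite the policy-applied version information
# or regain control of the key after permissions are reset.
$writeMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             [System.Security.AccessControl.RegistryRights]::Delete -bor
             [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
             [System.Security.AccessControl.RegistryRights]::TakeOwnership

$findings = @()
$acl = Get-Acl -Path $KeyPath

if ($expectedOwners -notcontains $acl.Owner) {
    $findings += "owner is '$($acl.Owner)' (expected SYSTEM or Administrators)"
}

foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($privileged -contains $ace.IdentityReference.Value) { continue }
    if (($ace.RegistryRights -band $writeMask) -ne 0) {
        $origin = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
        $findings += "$origin write access for '$($ace.IdentityReference)': $($ace.RegistryRights)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $KeyPath has the expected owner and no non-privileged write access."
} else {
    Write-Output "WARNING: $KeyPath shows signs of tampering:"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A hit on the owner check or an explicit (non-inherited) write entry for the user's own domain account matches steps 3 and 4 of the "Cause" section and warrants resetting the key's permissions and forcing a policy refresh.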

Workaround

To work around this issue, use one of the following methods:

Method 1: Do Not Use Roaming Profiles

If your network does not need roaming profiles, do not use them. Without a roaming profile, the malicious user described in this article cannot perform the procedures that are outlined in the "Cause" section of this article.

Method 2: Edit Registry Policy Processing Properties

Edit the Group Policy properties to force the local computer to process registry policy each time the user logs on, regardless of whether changes have been made. By default, Windows only re-processes policy if the registry history keys indicate that a policy has been modified.

Note: This workaround may slow the logon process because Windows processes all registry policy each time the user logs on.

To edit the registry policy processing properties, follow these steps:
  1. Click Start, click Run, type Gpedit.exe, and then click OK.
  2. Expand Computer Configuration, expand Administrative Templates, expand System, and then click Group Policy.
  3. In the left pane, under Group Policy, double-click Registry policy processing.
  4. In the Registry policy processing Properties box, click the Settings tab, click Enable, and then click to select the Process even if Group Policy objects have not changed check box.
  5. Click OK, and then close the Group Policy snap-in.

Status

Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article.

Keywords: KB812541, kbbug, kbnofix, kbarchive, kbnosurvey

Article Info
Article ID : 812541
Revision : 7
Created on : 2/27/2014
Published on : 2/27/2014
Exists online : False
Views : 529