A lot of people in IT complain about Windows being unstable and insecure, but they probably aren’t running the system in a correct and secure fashion. I found a perfect example of this while I was working for a major PC manufacturer not too long ago. I had a workstation that was locked down with the absolute worst policy settings. Obviously some admin just went nuts with the policy editor, while having no clue about actual Windows security.
First off, the ‘Run’ menu was disabled. I hate when people do this because I honestly use the Run box for launching everything in Windows…even Word. Let me tell you now…disabling the ‘Run’ menu does nothing for security at all. You have to secure the system by properly restricting a user’s access so that their commands can’t do anything harmful. Disabling the box they use to launch the commands provides no security at all. There are a million other ways to get the system to execute commands.
Getting around it on my workstation was as easy as launching CMD.EXE from a shortcut and using the ‘start’ command (which works almost exactly like the Run box).
The second useless policy was the one that wouldn’t let me open my C: or C:\Windows folder by double-clicking them from Explorer. Yes, you read that right: the admin didn’t secure the disk/file/folder permissions, he just set the policy which prevents people from opening them directly under the “My Computer” icon.
So I could still use commands like “explorer /root,C:\”, which would cause Explorer to happily display the hard disk contents in a new window (more info on Explorer’s command-line options is available here). Of course I could also freely manipulate the files from CMD.EXE or any application’s open dialog.
The only setting which was an actual hurdle was the policy setting which prevented me from running the system registry editor. There was no clever built-in hack that I could use to bypass this setting. I was still able to get around it easily, however. I simply downloaded a third-party registry editor which didn’t acknowledge the policy setting.
In fact, there are many available stand-alone Windows applications which can replace the Windows functionality that the above policies had disabled. If you browse a site like Shell Extension City, you’ll find software that would adequately bypass all of them.
I guess the point of this post is to show how easy it is to get around on Windows when it’s not secured properly. Windows policies can be very powerful when used correctly…but they should never be the first and only line of defense on your systems!
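As an added example (not code from the original post), here is a PowerShell audit script that lists the three UI-restriction policies described above and contrasts them with the NTFS write permission the current user actually holds on a folder; the registry value names are the standard Windows policy values rather than anything the post names, and the C:\Windows target is just an illustrative choice.

```powershell
# Constructed audit helper (not from the original post). Lists the three
# Explorer/System UI-restriction policies the post ran into and reports
# whether the current user holds any NTFS write right on a folder, which is
# the control that actually limits what their commands can do.
# Registry value names are the standard Windows policy values; the folder
# path at the bottom is an assumption, change it to what you want to audit.

function Get-UiRestrictionPolicy {
    $explorer = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $system   = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $checks = @(
        @{ Name = 'NoRun';                Key = $explorer; Note = 'hides the Run box; Start menu UI only' }
        @{ Name = 'NoViewOnDrive';        Key = $explorer; Note = 'blocks drives under My Computer; Explorer UI only' }
        @{ Name = 'DisableRegistryTools'; Key = $system;   Note = 'honoured by regedit.exe only, not by other editors' }
    )
    foreach ($c in $checks) {
        foreach ($hive in 'HKCU:', 'HKLM:') {
            $item = Get-ItemProperty -Path (Join-Path $hive $c.Key) -Name $c.Name -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Hive   = $hive
                Policy = $c.Name
                Set    = [bool]($item -and ($item.($c.Name) -ne 0))
                Note   = $c.Note
            }
        }
    }
}

# Simplified effective-access check: a Deny matching any of the user's SIDs
# wins, otherwise any Allow carrying a write bit grants access. (Ignores
# ownership, ACE ordering and GENERIC_* bits; enough to show the contrast.)
function Test-WriteAccess {
    param([Parameter(Mandatory)][string]$Path)
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write
    $allow = $false; $deny = $false
    foreach ($rule in (Get-Acl -LiteralPath $Path).Access) {
        try { $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # unresolvable principal (orphaned SID); skip it
        if ($sids -notcontains $sid) { continue }
        if (([int]$rule.FileSystemRights -band $writeMask) -eq 0) { continue }
        if ($rule.AccessControlType -eq 'Deny') { $deny = $true } else { $allow = $true }
    }
    return ($allow -and -not $deny)
}

Get-UiRestrictionPolicy | Format-Table -AutoSize
"Current user can write to C:\Windows: $(Test-WriteAccess -Path 'C:\Windows')"
```

A workstation where every policy row reports Set = True but Test-WriteAccess still returns True on the folders you care about is exactly the situation the post describes: cosmetic restrictions in place, real access control absent.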