A while back, Mark Russinovich (the pre-Microsoft Mark Russinovich!) blogged about circumventing some Group Policy with a DLL-injection technique that intercepted the registry calls policy depends on. He released a tool at the time called gpdisable that performed this interception as a regular user. Of course, since Microsoft acquired Winternals, that gpdisable tool has vanished. But a couple of weeks ago someone else released an alternative, called GPCul8r, that uses the same technique to accomplish roughly the same thing.
Essentially, the tool intercepts a process's calls to query registry values and, if it sees a query for one of a particular set of policy keys, fakes the response, telling the calling process that the policy key was not found. Since an application only enforces a registry-based policy if it can read the value, "not found" is read as "no policy applies". Neat.
I think it's important to know that tools like this exist, but also to keep them in context. For example, if you want to use this tool to block policy for all applications, you would essentially have to be an administrator on the workstation in order to register it in the registry key that causes it to be loaded into every process automatically. Otherwise, you have to call the tool each time you launch an application. And if you're an administrator on a Windows workstation, well, there are much easier ways to disable Group Policy. Also, this tool only intercepts registry-based policy, that is, any policy that stores itself in the registry: that includes Administrative Templates and Software Restriction Policies, plus a couple of minor ones like disk quota policy. That means it doesn't affect things like security policy, folder redirection, etc. And the current version of the tool, as posted on the site, only looks for a small subset of policy keys. Of course, the source code is included with the posting, so if you know C++ it is fairly trivial to add other keys as well.
The bottom line is that a smart user can use this tool, with limited effect, to bypass some policy. It also underscores the fact that allowing users to be administrators on their own workstations is effectively saying that you don't care whether they receive Group Policy restrictions or not, because the intrepid administrative user can completely foil all policy (not just registry policy).
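As an added example (not from the original post, and not code from gpdisable or GPCul8r), here is a PowerShell audit script for the two things the paragraphs above describe: the machine-wide registration that loads a DLL into every process, and a DLL that has been injected into a running process. It assumes the machine-wide mechanism is the AppInit_DLLs value (the post does not name the key), and it assumes the injected module is called gpdisable.dll, the only module name that appears on this page; pass other names in as needed.

```powershell
# Added example: audit a workstation for the injection mechanism discussed above.
# Assumptions (not stated on the page): the "load into every process" key is the
# AppInit_DLLs value, and the suspect module is named gpdisable.dll.

function Get-AppInitDll {
    # On x64 both views matter: 32-bit processes read the Wow6432Node copy of the key.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        [pscustomobject]@{
            Key          = $key
            AppInit_DLLs = $props.AppInit_DLLs
            # Vista and later only load the list when LoadAppInit_DLLs is 1;
            # on XP/2003 the value is absent and a non-empty list is enough.
            LoadAppInit  = $props.LoadAppInit_DLLs
        }
    }
}

function Find-InjectedModule {
    param([string[]] $ModuleNames = @('gpdisable.dll'))   # assumed name; extend as needed
    foreach ($proc in Get-Process) {
        # Reading Modules of protected or cross-bitness processes throws; skip those.
        $modules = @()
        try { $modules = $proc.Modules } catch { continue }
        foreach ($m in $modules) {
            if ($ModuleNames -contains $m.ModuleName) {   # -contains is case-insensitive
                [pscustomobject]@{
                    Pid     = $proc.Id
                    Process = $proc.ProcessName
                    Module  = $m.FileName
                }
            }
        }
    }
}

# Usage: run from an elevated 64-bit PowerShell so every process is visible.
Get-AppInitDll | Format-List
$hits = Find-InjectedModule -ModuleNames @('gpdisable.dll')
if ($hits) { $hits | Format-Table -AutoSize }
else       { 'No suspect module found in any accessible process.' }
```

A non-empty AppInit_DLLs list on a workstation where you never configured one is the finding that matters; a hit from the second function only tells you which processes the DLL is in right now. Remember that a user who can edit AppInit_DLLs is already an administrator, which is the point of the paragraph above.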
Finally, given that this tool is floating around in the ether, it may be worthwhile to create a software restriction policy that specifically prevents this utility, in its current form, from executing (a hash rule rather than a path rule, so that renaming the file doesn't help). That's not to say that other variants won't show up. But at least for the folks who just download it as is and try it out, you can stop them from getting around your policies!
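The following is an added example, not the post's own procedure, of writing such a hash rule with PowerShell. It assumes the local Software Restriction Policy store is HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, that the Disallowed level is the subkey 0, and that hash rules use the value layout the XP/2003-era snap-in writes (an MD5 hash in ItemData with HashAlg 0x8003); none of those details are on this page, so confirm the rule appears under Software Restriction Policies in gpedit.msc after running it. In a domain you would build the same rule in the GPO editor instead; this writes local policy only.

```powershell
# Added example: block one specific build of a tool with an SRP hash rule.
# Assumed registry layout (not from the page): CodeIdentifiers\0\Hashes\{GUID} with
# ItemData (MD5 bytes), ItemSize, HashAlg 0x8003, SaferFlags, FriendlyName, Description,
# LastModified. Must run elevated.

function Add-SaferHashRule {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Description = 'Blocked: Group Policy bypass tool'
    )
    $file  = Get-Item -LiteralPath $Path
    $hex   = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
    $bytes = [byte[]] (0..15 | ForEach-Object { [Convert]::ToByte($hex.Substring($_ * 2, 2), 16) })

    $root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $root)) {
        # No SRP configured yet: enable it with the default level left at Unrestricted,
        # so only the explicit Disallowed rules below have any effect.
        New-Item -Path $root -Force | Out-Null
        New-ItemProperty -Path $root -Name DefaultLevel       -PropertyType DWord -Value 0x40000 | Out-Null
        New-ItemProperty -Path $root -Name TransparentEnabled -PropertyType DWord -Value 1       | Out-Null
        New-ItemProperty -Path $root -Name PolicyScope        -PropertyType DWord -Value 0       | Out-Null
    }

    # Subkey 0 is the Disallowed level; each rule lives under its own GUID.
    $rule = Join-Path $root ('0\Hashes\{' + [guid]::NewGuid().ToString().ToUpper() + '}')
    New-Item -Path $rule -Force | Out-Null
    New-ItemProperty -Path $rule -Name ItemData     -PropertyType Binary -Value $bytes                   | Out-Null
    New-ItemProperty -Path $rule -Name ItemSize     -PropertyType QWord  -Value $file.Length             | Out-Null
    New-ItemProperty -Path $rule -Name HashAlg      -PropertyType DWord  -Value 0x8003                   | Out-Null
    New-ItemProperty -Path $rule -Name SaferFlags   -PropertyType DWord  -Value 0                        | Out-Null
    New-ItemProperty -Path $rule -Name FriendlyName -PropertyType String -Value $file.Name               | Out-Null
    New-ItemProperty -Path $rule -Name Description  -PropertyType String -Value $Description             | Out-Null
    New-ItemProperty -Path $rule -Name LastModified -PropertyType QWord  -Value (Get-Date).ToFileTime()  | Out-Null
    return $rule
}

# Usage (path is a placeholder for wherever you saved the downloaded binary):
# Add-SaferHashRule -Path 'C:\quarantine\gpdisable.exe'
```

Because the rule keys on the file's hash, a renamed copy is still blocked but a recompiled variant is not, which is exactly the "in its current form" caveat above. The rule applies to processes started after the policy is read, so log off and on (or wait for the next policy refresh) before testing, and test by launching the file as a standard user rather than from an elevated prompt.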
Bypassing Group Policy
Darren Mar-Elia, the GPOGuy, writes about some interesting ways that users can get around the application of Group Policy. None of these I'd been aware of before. There's a rather complicated method one can use involving DLL injection and intercepted r…
Seclogon service can block gpdisable and similar tools.
1. Right-click on gpdisable.exe
2. Click "Run as…"
3. The "Protect computer…" flag must be set
4. Click ok
Result: Gpdisable.dll is not injected.