I came across an interesting post from Mark Russinovich on his blog recently. The original post was written a couple of years ago and details how a user with limited user rights can circumvent Microsoft group policies being applied by using the Sysinternals tool called gpdisable. What’s amusing, but not particularly surprising, is that now that Microsoft owns the Sysinternals tools, GPDisable has disappeared!
The post details how, using DLL injection techniques, a DLL can be loaded into every process on the system to which the user has access, which can cause the Software Restriction Policy to be disabled. This demonstrates the importance of whitelisting all executables and binaries: if arbitrary code is allowed to run at all, it can be used to circumvent virtually any security restriction on the client.
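From the defender's side, the practical question is whether the policy on a given machine actually covers libraries as well as executables, since an injected DLL is only blocked if the DLL enforcement option is on. The PowerShell audit below is an added example, not code from the original post or from Sysinternals; it reads the Software Restriction Policy values under the Safer\CodeIdentifiers registry key and, where the AppLocker module is present, checks the effective AppLocker rule collections. The registry path and the meaning of the DefaultLevel, TransparentEnabled and PolicyScope values are taken from Microsoft's SRP documentation as I know it and are an assumption here, as is the shape of the AppLocker policy object.

```powershell
# Added audit script (assumptions: standard SRP registry layout and the
# AppLocker PowerShell module's RuleCollections/EnforcementMode properties).
$srpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-SrpEnforcementStatus {
    $findings = @()
    if (-not (Test-Path $srpKey)) {
        return [pscustomobject]@{
            Configured  = $false
            EnforceDlls = $false
            Findings    = @('No Software Restriction Policy is configured on this host.')
        }
    }
    $p = Get-ItemProperty -Path $srpKey

    # DefaultLevel: 0x40000 = Unrestricted, 0x20000 = Basic User, 0x0 = Disallowed
    $defaultLevel = [int]$p.DefaultLevel
    if ($defaultLevel -eq 0x40000) {
        $findings += 'Default level is Unrestricted: only explicit deny rules apply (blacklist mode).'
    }

    # TransparentEnabled: 0 = off, 1 = all software files except DLLs, 2 = including DLLs
    $transparent = [int]$p.TransparentEnabled
    $enforceDlls = ($transparent -eq 2)
    switch ($transparent) {
        0 { $findings += 'SRP enforcement is disabled (TransparentEnabled = 0).' }
        1 { $findings += 'DLLs are exempt from SRP checks (TransparentEnabled = 1); injected libraries are not evaluated.' }
    }

    # PolicyScope: 0 = all users, 1 = all users except local administrators
    if ([int]$p.PolicyScope -eq 1) {
        $findings += 'Local administrators are excluded from the policy (PolicyScope = 1).'
    }

    [pscustomobject]@{
        Configured   = $true
        DefaultLevel = ('0x{0:X}' -f $defaultLevel)
        EnforceDlls  = $enforceDlls
        Findings     = $findings
    }
}

function Get-AppLockerDllStatus {
    # Returns the enforcement mode of the Dll rule collection, if AppLocker is available.
    try {
        $policy = Get-AppLockerPolicy -Effective -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Available = $false; DllEnforcement = 'n/a' }
    }
    $dll = $policy.RuleCollections | Where-Object { $_.RuleCollectionType -eq 'Dll' }
    $mode = if ($dll) { [string]$dll.EnforcementMode } else { 'NotConfigured' }
    [pscustomobject]@{ Available = $true; DllEnforcement = $mode }
}

# Run the audit and print a summary.
$srp = Get-SrpEnforcementStatus
$srp | Format-List
if ($srp.Findings.Count -eq 0) { Write-Host 'SRP: executables and DLLs are both enforced.' }

$al = Get-AppLockerDllStatus
if ($al.Available) {
    Write-Host ("AppLocker Dll collection enforcement: {0}" -f $al.DllEnforcement)
}
```

Run it in an elevated PowerShell session so the policy key and the effective AppLocker policy are readable. A result with TransparentEnabled = 1 (the default "All software files except libraries" enforcement setting) is exactly the configuration in which the technique the post describes remains viable, because the loaded library is never evaluated against the rules.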