
Bypassing Group Policy?


A while back, Mark Russinovich (the pre-Microsoft Mark Russinovich!) blogged about circumventing some Group Policy with a DLL injection technique that intercepts a process's calls to the registry keys where policy is stored. He released a tool at the time called gpdisable that set up this interception as a regular user. Since Microsoft acquired Winternals, gpdisable has been pulled from distribution. But a couple of weeks ago someone else released an alternative, called GPCul8r, that uses the same technique to accomplish roughly the same thing.

Essentially, the tool intercepts a process's calls to query registry values and, if it sees a query for one of a particular set of policy keys, fakes the response, telling the calling process that the policy key does not exist. Neat.

I think it's important to know that tools like this exist, but also to keep them in context. For example, if you want to use this tool to block policy for all applications, you essentially have to be an administrator on the workstation to put it into the registry key that loads it into every process automatically. Otherwise you have to invoke the tool each time you launch an application, and only that application is affected. And if you're an administrator on a Windows workstation, well, there are much easier ways to disable Group Policy. Also, this tool only intercepts registry-based policy, that is, any policy that stores its settings in the registry: that includes Administrative Templates and Software Restriction Policies, plus a couple of minor ones like disk quota policy. It does not affect things like security policy, folder redirection, and so on. And the current version of the tool, as posted on the site, only looks for a small subset of policy keys. Of course, the source code is included with the posting, so if you know C++ it is fairly trivial to add other keys.

The bottom line is that a savvy user can use this tool to bypass some policy, with limited effect. It also underscores the fact that allowing users to be administrators on their own workstations is effectively saying that you don't care whether they receive Group Policy restrictions or not, because an intrepid administrative user can completely foil all policy (not just registry policy).

Finally, given that this tool is floating around in the ether, it may be worthwhile to create a software restriction policy that specifically prevents the utility in its current form from executing. Use a hash rule rather than a path rule, since a path rule is defeated simply by renaming the files. That's not to say that other variants won't show up. But at least for the folks who just download it as-is and try it out, you can prevent them from getting around your policies!
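As an added example (my own script, not code from the post, from gpdisable or from GPCul8r), here is a PowerShell check an administrator can run to look for this kind of interception on a workstation. It assumes two things the post does not state: that the registry key used to load the DLL into every process automatically is AppInit_DLLs, and that the DLL file names match gpdisable* or gpcul8r*; both are parameters you can change. The function name Get-PolicyHookFindings is mine.

```powershell
# Added example, not code from the post, gpdisable or GPCul8r.
# Assumptions (not stated on the page): the "right registry key" for automatic
# loading is AppInit_DLLs, and the DLL names match the patterns below.
function Get-PolicyHookFindings {
    [CmdletBinding()]
    param(
        # Assumed file-name patterns for policy-interception DLLs; adjust as needed
        [string[]]$DllPatterns = @('gpdisable*', 'gpcul8r*')
    )

    $findings = @()

    # 1. Automatic loading: a DLL listed in AppInit_DLLs is mapped into every
    #    process that loads user32.dll. Writing this value requires admin rights,
    #    which is why a standard user has to invoke the tool per application.
    $appInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $appInit = Get-ItemProperty -Path $appInitKey -ErrorAction SilentlyContinue
    if ($appInit -and $appInit.AppInit_DLLs) {
        # The value is a list of DLL paths separated by spaces or commas
        $dlls = $appInit.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ }
        foreach ($dll in $dlls) {
            $findings += [pscustomobject]@{
                Source = 'AppInit_DLLs'
                Item   = $dll
                # LoadAppInit_DLLs gates the mechanism on Vista and later; absent on XP
                Detail = "LoadAppInit_DLLs=$($appInit.LoadAppInit_DLLs)"
            }
        }
    }

    # 2. Per-launch loading: the DLL is already inside a running process.
    foreach ($proc in Get-Process) {
        # Module enumeration fails for protected processes or other users'
        # processes unless you run elevated, so just skip those.
        try { $modules = $proc.Modules } catch { continue }
        foreach ($module in $modules) {
            foreach ($pattern in $DllPatterns) {
                if ($module.ModuleName -like $pattern) {
                    $findings += [pscustomobject]@{
                        Source = "PID $($proc.Id) ($($proc.ProcessName))"
                        Item   = $module.FileName
                        Detail = 'policy-interception DLL loaded'
                    }
                }
            }
        }
    }

    # 3. Baseline from this session: the hook only lies to the process it is
    #    loaded into, the registry itself is untouched. Record whether the SRP
    #    policy key (one of the keys the post says the tool targets) is visible
    #    from here, so it can be compared with what a suspect process reports.
    $srpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $srpDetail = 'no SRP policy key'
    if (Test-Path $srpKey) { $srpDetail = 'SRP policy key present' }
    $findings += [pscustomobject]@{
        Source = 'Direct registry read'
        Item   = $srpKey
        Detail = $srpDetail
    }

    return $findings
}

# Usage: run from an elevated PowerShell prompt so every process can be inspected
Get-PolicyHookFindings | Format-Table -AutoSize
```

Run it elevated; without admin rights the module list of other users' processes (and, on 64-bit Windows, of 64-bit processes from a 32-bit shell) is not readable and those processes are silently skipped. Note the limitation the post itself implies: if the DLL were already injected into the PowerShell process running this script, the direct registry read in step 3 would be subject to the same interception, so treat a clean session (for instance one started before the user's logon scripts ran) as the reference.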


Tags:

Group Policy, GPDisable, GPCul8r, Bypassing Group Policy



About the Author:

Darren Mar-Elia is CTO & Founder of SDM Software, Inc. Darren has over 25 years of IT and Software experience in the Microsoft technology area, including serving as a Director in Infrastructure at Charles Schwab, CTO of Windows Management Solutions at Quest Software, and Sr. Director of Product Engineering at DesktopStandard. He has been a Microsoft MVP in Group Policy technology for the last 6 years and has written and spoken on Active Directory, Group Policy and PowerShell topics frequently over the years. He maintains the popular Group Policy resource web site at www.gpoguy.com and has been a contributing editor for Windows IT Pro Magazine since 1997. He has written and contributed to twelve books on Windows. Darren also speaks frequently at conferences on Windows infrastructure topics.

Discussion

  1. Realtime Community | Windows Server  December 18, 2007

    Bypassing Group Policy

    Darren Mar-Elia, the GPOGuy, writes about some interesting ways that users can get around the application of Group Policy. None of these I'd been aware of before. There's a rather complicated method one can use involving DLL injection and intercepted r…

  2. Anonymous  September 3, 2011

    Seclogon service can block gpdisable and similar tools.
    1. Right click on gpdisable.exe
    2. Click “Run as…”
    3. Flag “Protect computer….” must be set
    4. Click ok
    Result: Gpdisable.dll is not injected.

