COMMAND

    Any browser (but still IE with more potential danger)

SYSTEMS AFFECTED

    Win95, NT

PROBLEM

    Following  info  is  based  on  Mike  Metzger's "Basic Information
    regarding  bypass  of  Policy  Using  a  Web Browser".  The system
    policy editor  is a  system-administration tool  included with  NT
    Server 4.0 and is  also on all the  Resource Kits (NT Server,  WS,
    95,  etc.)  It  allows  a  system  administrator  to  set  what  a
    user/machine  can  or  cannot  do  by  changing permissions in the
    registry.  Just  as editing the  registry can be  dangerous to the
    operation of your machine, using System Policy editor can be  just
    as dangerous.  Repeat: Use With Caution!   The policy editor is  a
    template  driven  system  that  allows  you to define user/machine
    permissions  based  on  the  template.   It  is  a point-and-click
    interface that defines a permission and has one of three options -
    gray, white,  and checked.   Gray means  leave setting  as it  is.
    White is "do the opposite" of the setting.  Checked means  enforce
    the setting.   It is  important to  note that  Policy settings are
    stored in the winnt/profiles/policy  directory on a local  machine
    (under NT),  so they  cannot be  bypassed if  the domain cannot be
    reached for some  reason.  Please  note that to  reverse settings,
    you must explicitly reverse a  policy, not just delete it.   Okay,
    that basic info said, here's some info regarding web browsers  and
    policy.

    One major  thing lab  administrators try  to do  is keep  a common
    desktop between all  their computers.   Under 95, this  is easy by
    just making  the registry  be re-copied  on reboot.   Under NT, it
    won't work that easily.  System  Policy is your answer.  You  just
    open the desktop  "book" and choose  the background you  want, and
    don't allow users to change it.  You even store the background  on
    a network  drive where  users don't  have write  permissions so it
    can't be changed.  All set right?  Wrong.  Someone may right-click
    on  an  image  in  Netscape  and  say  set as Wallpaper.  Netscape
    will  overwrite  the  registry  and  create a file called Netscape
    Wallpaper.bmp (for IE Internet Explorer Wallpaper.bmp).

    What about the   command prompt?   Have you ever  tried to run  an
    executable from the address line of IE/NS?  You often pop up  with
    a dialog box asking if you want to open it or save it.  You choose
    save and create a file somewhere on your drive.  Big deal.  Choose
    open, and the file runs most of the time (and if it's an Office 97
    app, it even runs inside IE's window.)  But wait, you don't always
    have to specify a URL to view  a page or open a file, you  can put
    in a path name to get the file.  Hmmm.... let's try a simple  one,
    the  Windows  Explorer.   Go  to  the  address  line  and  type in
    c:\windows\explorer.exe  and  press  enter  (note:  the c:\windows
    corresponds to  the root  windows directory.)   You should  get  a
    dialog box asking whether to save or open.  Try open.  You  should
    now see an explorer window. (Under IE, it may ask for if you  want
    to allow  it to  pass through  Authenticode. If  so, choose  yes.)
    Wow!   Let's  try  something  a  little  more  deadly: the command
    prompt.  On  a 95 box,  type c:\windows\command.com, on  an NT box
    try c:\winnt\cmd.exe or c:\winnt\vdm.exe.  Choose to open it,  and
    poof!  command prompt.  So what  you say, what can a user do  from
    here?   Just   about  anything,  even   if  it's  just   obtaining
    information.  On 95, type winipcfg (NT, ipconfig /all) to get  all
    IP info.  Any program DOS or Windows, can be run from the  command
    prompt.
SOLUTION

    First problem with  background images can  be solved in  following
    way.   Create a  bitmap file  and call  it Netscape  Wallpaper.bmp
    (or Internet Explorer Wallpaper.bmp) and give admins ownership and
    make  the  file  read-only.   If  then  someone  tries  to  change
    background Netscape  will crash  with a  Dr.Watson error  (IE only
    says it can't create  the file).  One  very important thing is  to
    note that both  files MUST be  the background you  want displayed.
    Otherwise, you  just end  up with  whatever those  .bmps are.  One
    other option is to right-protect the Winnt directory, but this  is
    not advisable because NT will complain about lack of permission.

    What about  second problem?   It's not  really a  security flaw in
    that IE/NS are doing exactly what they're being told.  The problem
    comes if an administrator is naive enough to believe System Policy
    alone will plug access to  desktop programs.  Under System  Policy
    Editor,  you  can  policy  down  to  the nub, taking off Explorer,
    Find,  My  Computer,  Etc.   These  apply  to  a  secure lab/kiosk
    situation.  An administrator would expect these to be off  limits.
    But they forget about the web  browser and the fact that they  are
    basically new  interfaces to  your computer  (IE4 remember?)   So,
    How do you solve  it.  Answer: There  is no easy way  to solve it,
    you can only  act like a  UNIX admin and  set user permissions  on
    all basic files/programs.  This way,  if a user tries to run  cmd,
    but they  don't have  execute access,  well, sorry  you won't  get
    anywhere.   Under  95,  you're  basically  shot,  except  that you
    really  shouldn't  be  relying   on  system  policy  anyway   (FAT
    sucks....)