Unlocking Windows XP System (local policies etc)


peterg70
November 3rd, 2005, 06:33
I thought it might be a worthwhile project documenting how Windows XP can be unlocked and accessed when it has been locked down by an administrator in a corporate network.

At work we have SOE machines (Standard Operating Environment) with Windows XP. All manner of restrictions and lockouts have been installed to reduce people tampering with the setup of the machine.
Examples:
1) No registry editing allowed.
2) Internet Explorer locked to default start page.
3) Administrative tools locked away.
4) Unable to access Network configuration (to configure an alternative network).
5) Unable to install hardware/software without administrative rights, etc.

Obviously there are ways around everything. The intention is not to modify the system in any manner that will be detected (i.e. delete the user.dat/system.dat) etc.
As an example, regedit.exe:
When running regedit on the machine it states that this has been restricted and to contact the administrator.
Further delving found that all this is based on the state of a key in the registry. So copy regedit to a USB stick and patch the function called to check the registry key.
Now I have a regedit that allows me to view the data in the registry.

Next trick is to get the administrative console suite (.msc files) and modify them in a similar manner (i.e. run from USB stick) so I can access, say, the DiskManager without having administrative access.

Any thoughts or comments are welcome
peterg70
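Editor's added example (not code from any poster in this thread), from the defender's side of the post above: the "key in the registry" that regedit checks is the DisableRegistryTools policy value, and it is only honoured by the unmodified binary, so a copy of regedit run from a removable drive with that check patched out is invisible to the policy itself. What a monitoring setup can still see is the execution record: a well-known system utility running from outside %SystemRoot%, or one in the right place whose hash no longer matches the standard image. The log format, the digests and the known-good table below are all constructed placeholders, and the script normalises paths so `E:\tools\..\regedit.exe` and `e:\REGEDIT.EXE` are judged on where they really are.

```python
"""Flag well-known system utilities that execute from outside %SystemRoot%
or whose hash differs from the standard image.  Added example, not code
from the forum thread; the log format, every hash value and the known-good
table are constructed for the demonstration."""
import ntpath
import re
from collections import namedtuple

Finding = namedtuple("Finding", ["timestamp", "user", "image", "reason"])

# Constructed record format of a hypothetical process-creation audit log:
#   <timestamp> user=<name> image="<path>" sha256=<hex> parent="<path>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+image="(?P<image>[^"]+)"\s+'
    r'sha256=(?P<sha>[0-9a-fA-F]+)\s+parent="(?P<parent>[^"]+)"$'
)

SYSTEM_ROOT = r"C:\WINDOWS"

# Placeholder digests (not real values) of the binaries on the standard image.
KNOWN_GOOD = {
    "regedit.exe": "aaaa1111",
    "mmc.exe": "bbbb2222",
}


def normalize(path):
    """Collapse '..' components so E:\\tools\\..\\regedit.exe becomes
    E:\\regedit.exe.  ntpath handles backslash paths on any host OS."""
    return ntpath.normpath(path)


def under_system_root(path):
    """True if the (normalised, case-folded) path lies inside %SystemRoot%."""
    p = normalize(path).lower()
    root = SYSTEM_ROOT.lower()
    return p == root or p.startswith(root + "\\")


def parse(line):
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines):
    """Return one Finding per suspicious execution of a baselined utility."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # malformed lines are skipped, not fatal
        image = normalize(rec["image"])
        name = ntpath.basename(image).lower()
        if name not in KNOWN_GOOD:
            continue  # only utilities we hold a baseline for
        if not under_system_root(image):
            findings.append(Finding(rec["ts"], rec["user"], image,
                                    "system utility executed from outside %SystemRoot%"))
        elif rec["sha"].lower() != KNOWN_GOOD[name]:
            findings.append(Finding(rec["ts"], rec["user"], image,
                                    "hash differs from the standard image"))
    return findings


# Constructed sample log lines.
SAMPLE_LOG = [
    # the shipped binary from its normal location: no finding
    '2005-11-03T09:01:00 user=CORP\\peterg image="C:\\WINDOWS\\regedit.exe" sha256=aaaa1111 parent="C:\\WINDOWS\\explorer.exe"',
    # a copy on a removable drive, launched through a '..' path
    '2005-11-03T09:02:10 user=CORP\\peterg image="E:\\tools\\..\\regedit.exe" sha256=dddd4444 parent="C:\\WINDOWS\\explorer.exe"',
    # right name, right place, but the bytes changed
    '2005-11-03T09:03:05 user=CORP\\peterg image="c:\\windows\\REGEDIT.EXE" sha256=dddd4444 parent="C:\\WINDOWS\\explorer.exe"',
    # mmc from system32 with the expected digest: no finding
    '2005-11-03T09:04:00 user=CORP\\peterg image="C:\\WINDOWS\\system32\\mmc.exe" sha256=bbbb2222 parent="C:\\WINDOWS\\explorer.exe"',
    # an application outside the baseline: ignored
    '2005-11-03T09:05:00 user=CORP\\peterg image="C:\\Program Files\\Mozilla\\mozilla.exe" sha256=eeee5555 parent="C:\\WINDOWS\\explorer.exe"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user} {f.image}: {f.reason}")
```

Two of the six sample lines produce findings: the removable-drive copy (reported under its normalised path) and the in-place file with a changed digest. The point of the path normalisation is that a rule written as "anything outside C:\WINDOWS" is only as good as the canonicalisation in front of it.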

naides
November 3rd, 2005, 08:06
You are FIRED!!

CluelessNoob
November 3rd, 2005, 10:21
Quote:
[Originally Posted by peterg70]Next trick is to get the administrative console suite (.msc files) and modify them in a similar manner (i.e. run from USB stick) so I can access, say, the DiskManager without having administrative access.

Any thoughts or comments are welcome
peterg70


Any thoughts? Sure. The next thing they will lock out will be USB pen drives (or just all USB Mass Storage devices).

BTW - Naides is right. You're fired.

SiGiNT
November 3rd, 2005, 11:22
I worked for a company that had similar policies (the operative word here is "worked"). Usually companies that go to this length to restrict you will also be monitoring what you do on your machine. naides is right: if you value your income then be VERY careful. This whole concept of "IT knows what you need to do and will supply you with the access and tools we think you need" is patently stupid - kind of like giving a carpenter a ball peen hammer: "what's the problem, it is a hammer!".

SiGiNT

Extremist
November 3rd, 2005, 18:41
Use BootRoot. Your machine may be SOE but your sysadmin is SOL.

LLXX
November 4th, 2005, 21:17
Quote:
[Originally Posted by CluelessNoob]The next thing they will lock out will be USB pen drives (or just all USB Mass Storage devices)

In that case the next points of entry to consider would be the CD-ROM and floppy drives.

It'd be best to practice these attempts on your own machine at home.

And here's how to install a rootkit simply by putting a seemingly innocent CD in a CD-ROM drive:
http://www.woodmann.com/forum/showthread.php?p=48532#post48532

Woodmann
November 4th, 2005, 22:12
HMMMMMMMMMMMMMM........

I don't know about BootRoot.
If the sysadmins are so anal about locking down the system, I don't see how you could run such a program.
I would be surprised if they even have floppy drives.

Back to the original problem, how to get quasi "admin" rights on a work box.

I will assume it is a network boot. I have no idea how to get around this without detection.

If you have floppy, CD or USB access, how do you interrupt the boot process and change it without the network noticing a change?


Woodmann

peterg70
November 5th, 2005, 02:02
I agree that they are monitoring (I think the software is Managesoft, etc., which updates and records activities). That's why I don't want to modify the machine setup or boot from an external device. Without the station booting I have no connection to the network (each machine was authorised to get onto the network). If I bring my laptop I have no chance of using their network.

The machines only network boot for maintenance purposes, i.e. when the local hard disk fails.
Each hard disk is a standard installation image (i.e. no extra software allowed, period).
USB won't be disabled, otherwise people wouldn't be able to work on other laptops and historical machines etc.
Like I said before, by patching a copy of regedit I have now restored the ability to access the registry and clean up anything that isn't locked down by security level. I wonder if this can be circumvented as well.

I don't want root access to install software but to do little things like set up a secondary network so my laptop can transfer files to and from the station.
Also map my USB stick to Z: rather than it continually being mapped under a network drive or random letter (sometimes it's F:, then G:, then E:, etc.).

Anyway, just further thoughts and investigations to proceed.

LLXX
November 5th, 2005, 04:32
Quote:
[Originally Posted by peterg70]I agree that they are monitoring (I think the software is Managesoft, etc., which updates and records activities). That's why I don't want to modify the machine setup or boot from an external device. Without the station booting I have no connection to the network (each machine was authorised to get onto the network). If I bring my laptop I have no chance of using their network.

How is the authorisation done? Is it by MAC address? Many (but not all) network adapters can be set to an arbitrary MAC via software, so that little restriction has been nulled. You can also change the machine name of your laptop to match that of the "official" machine. You will also need the server names and the same version of the Client that the rest of the network uses. E.g. if they used Netware v4.0 you'd install a Netware 4.0 client on your laptop and configure it to use the same settings. That way your laptop will appear to be the machine it's replacing.

Quote:
[Originally Posted by peterg70]
The machines only network boot for maintenance purposes, i.e. when the local hard disk fails.
Each hard disk is a standard installation image (i.e. no extra software allowed, period).
USB won't be disabled, otherwise people wouldn't be able to work on other laptops and historical machines etc.
Like I said before, by patching a copy of regedit I have now restored the ability to access the registry and clean up anything that isn't locked down by security level. I wonder if this can be circumvented as well.

I'm approximately 90% certain that they won't be checksumming the HD images, so small changes can go unnoticed. Don't forget sector 32 and the rest of the "reserved" space. Some stuff can go there.

Quote:
[Originally Posted by peterg70]
I don't want root access to install software but to do little things like set up a secondary network so my laptop can transfer files to and from the station.
Also map my USB stick to Z: rather than it continually being mapped under a network drive or random letter (sometimes it's F:, then G:, then E:, etc.).

Anyway, just further thoughts and investigations to proceed.

Well, whatever you want to use it for, nonetheless you want root. You're quite obviously going to need to do a bit of modification in order to get the network settings changed and the drive letters "stuck".

I know how to get the drive letter stuck - it requires editing the registry:
HKLM\Enum\SCSI\(devicename)\(deviceid)\
Add a string value named "UserDriveLetterAssignment" and set its value to the starting and ending drive letters it can be assigned (e.g. "ZZ").

Woodmann
November 5th, 2005, 19:56
Howdy,

If the USB connections are working, why not use a USB file transfer setup?
You can just plug in your laptop and have at it.

Woodmann

peterg70
November 6th, 2005, 05:43
Interesting fact when using USB on these corporate machines:
If I connect my own external hard disk then the security profile of the root C: directory is replicated on the external USB hard disk, which then prevents me from deleting etc. on the whole drive.

HAVOK
November 6th, 2005, 12:52
hi,

At work we have a similar problem: how to lock the workstations without going into an administrative nightmare. I'm afraid it's totally impossible if the user has physical access to the computer.

Normally, we do this with the laptops (one could apply the same to a workstation):

1. Disable USB ports, CD-ROM booting, etc. at the BIOS.
2. Set a BIOS password.
3. Use a certificate to identify the computer (we only allow access by ssh to our VPN from some known IPs and so on).
4. Encrypt the certificate with the user's password (we choose the password on his behalf, so it's not too trivial to guess).
5. Personal firewall, ...

We also apply the same kind of restrictions commented on above: set up a very limited user which can't run any application which is not explicitly allowed. The allowed applications are strictly those the user needs for his work: mozilla, some special emulator, etc. ... As limited as possible.

Well, with all this, particularly point 3, we try to prevent a third person from stealing the laptop and getting inside the VPN. But by no means can we restrict the legitimate owner of the laptop from getting admin rights, because one can flash (clear) the BIOS memory and then use a CD to clear the admin's password.

With respect to applying these policies to all the workstations and not only to the laptops, well, it would be very time-consuming and we don't have the resources for this. In fact, in real life things aren't like one would expect: security patches (even if critical) aren't applied until a few days later, time restrictions compel us to install insecure software, internal fights between departments make it impossible to establish restrictive security policies, people in high positions download .exe files and infect the network, ...

Quote:
usually companies that go to this length to restrict you will also be monitoring what you do on your machine


No time for this. Unless you have somebody devoted to this task, there are much more important things to do. Logs are there just in case you need them, but excluding a few ones nobody is going to review them.

Mostly one tries to prevent access from the outside and forgets that the enemy is inside ...

Regards,
Havok.

EDIT:

I forgot something important: in the workstations we use cryptographic cards to identify the users. They contain a certificate and the traffic is always encrypted. Again, this doesn't prevent anybody from getting root, because the OS is on the local HD and this isn't checksummed. However, encrypting the traffic very much limits the kind of things you can do, even if you are root on your local machine. Users are centralized in an LDAP server.

SiGiNT
November 6th, 2005, 13:17
As for my comment on monitoring, yes it's impossible to continually monitor everyone, but the logs are there and there was a room with about 10 monitors displaying the newest or most suspect employees' desktops. I assume keystroke monitoring was also logged, and keyword detection was flagged - words like "resume, crack, etc.....".

SiGiNT

nikolatesla20
November 6th, 2005, 21:15
On systems where they disabled the games, for example: if the help system is available you can still run stuff from there usually - just open up Start->Help and then search for "Solitaire" for example, and it usually gives you a button or a link you can push to launch the program!

-nt20
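Editor's added example (not code from any poster in this thread), covering two posts at once: HAVOK's "very limited user which can't run any application which is not explicitly allowed", and nikolatesla20's point that a blocked game can still be reached through Help. The control that answers both is a default-deny allow-list keyed on the executable's real path, not on which menu or launcher started it; a deny on `C:\WINDOWS\system32\sol.exe` holds whether Solitaire comes from the Start menu or a Help link, and a copy of regedit on E: never matches any allow rule. The rule set and the launch paths below are constructed, the "SpecialEmulator" name is hypothetical, and the evaluator picks the most specific matching rule so a broad allow for the OS directory can still carry narrow denies inside it.

```python
"""Default-deny application allow-list evaluated on normalised paths.
Added example, not code from the forum thread; the rule set, the
application names and the launch events are constructed."""
import ntpath
from collections import namedtuple

Decision = namedtuple("Decision", ["allowed", "rule", "path"])

# Constructed policy.  Only paths under these prefixes may run at all;
# removable drives, network shares and profile folders match nothing and
# are denied by default.  A deeper (more specific) rule overrides a
# shallower one, so denies can sit inside an allowed tree.
RULES = [
    ("allow", r"C:\WINDOWS"),
    ("allow", r"C:\Program Files\Mozilla"),
    ("allow", r"C:\Program Files\SpecialEmulator"),   # hypothetical application
    ("deny",  r"C:\WINDOWS\regedit.exe"),              # "no registry editing"
    ("deny",  r"C:\WINDOWS\system32\sol.exe"),         # the game, however it is launched
    ("deny",  r"C:\WINDOWS\Temp"),                     # user-writable folder under the OS tree
]


def _norm(path):
    """Fold '..' components and case; ntpath handles backslash paths on any host."""
    return ntpath.normpath(path).lower()


def _matches(rule_path, target):
    """A prefix rule matches only at a path-component boundary, so
    C:\\WINDOWS does not cover C:\\WINDOWSX\\..."""
    r = _norm(rule_path)
    return target == r or target.startswith(r + "\\")


def evaluate(path):
    """Decide whether `path` may launch: the longest matching rule wins,
    and no match at all means deny."""
    target = _norm(path)
    best = None
    for action, rule_path in RULES:
        if _matches(rule_path, target):
            if best is None or len(_norm(rule_path)) > len(_norm(best[1])):
                best = (action, rule_path)
    if best is None:
        return Decision(False, None, target)
    return Decision(best[0] == "allow", best[1], target)


# Constructed launch events.
LAUNCHES = [
    r"C:\Program Files\Mozilla\mozilla.exe",                # allowed work application
    r"E:\regedit.exe",                                      # copy on a removable drive: no rule, deny
    r"C:\WINDOWS\regedit.exe",                              # shipped binary, explicitly denied
    r"C:\WINDOWS\system32\sol.exe",                         # reached via Help: same path, same deny
    r"C:\WINDOWS\Temp\mmc.exe",                             # dropped into a writable OS folder
    r"C:\Program Files\Mozilla\..\..\WINDOWS\regedit.exe",  # traversal folds onto the deny rule
    r"C:\WINDOWSX\anything.exe",                            # prefix must end at a separator
    r"C:\WINDOWS\system32\mmc.exe",                         # management console itself is fine
]

if __name__ == "__main__":
    for p in LAUNCHES:
        d = evaluate(p)
        print(f"{'ALLOW' if d.allowed else 'DENY ':5} {p}  (rule: {d.rule})")
```

The two details that make this hold up are the normalisation before matching (otherwise a `..` in the path walks around the deny rules) and the boundary check on prefixes (otherwise an attacker-named sibling directory inherits the OS tree's allow). The Temp rule is the caveat HAVOK's list implies: an allow on the OS directory is only safe if the user-writable folders inside it are carved back out.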