Shell Policy is not the same as security
Another classic post from Windows API developer, Raymond Chen. It’s an important reminder, and one that I find many people don’t fully understand.
Shell policies control how Explorer and other shell components behave, but that’s just blocking the front door.
For example, there is a shell policy to prevent the user from changing the wallpaper from the Desktop control panel. This disables the controls on the Desktop control panel for changing the wallpaper, but there are ways to change the wallpaper other than that. If users can run an arbitrary program, then they can run a program that calls
SystemParametersInfo(SPI_SETDESKWALLPAPER)to change the wallpaper directly, bypassing the shell.
The purpose of the shell policies is merely to make it more difficult for users to perform various categories of operations by removing them from the shell interface. But, of course, if the users are allowed to write their own program with its own user interface, then they can still access the underlying functionality.
And this really sums it all up right here:
Setting a policy to remove the user interface for a feature is like removing the staircase that leads to the second floor to keep people out. If you let them bring a ladder, then they can still get up there.
And in a similar vein, Mark Russinovich (of PsTools and SysInternals fame), shows us how to bypass group policy as a limited user. Another reason I don’t think much of GPO’s…and I’m speaking as a former GPO administrator!
I’d also add (it may be obvious if you read Mark’s article) that if a users has Power User or Administrator credentials on their local system, then you have no guarantee that your group policies are securing anything. It’s trivial to override all GPO’s on your local system if you have these elevated rights.