My Tuesday Session Offline Access Demo - TechEd New Orleans

Thank you for attending my session! Please remember to do the evaluation - it is extremely important for me! :)

Here is the summary for the Offline Access Demo. In the blog post you will also find the PowerShell scripts I was using: https://blogs.technet.com/b/plwit/archive/2010/05/08/visual-studio-2010-community-launch-i-demo.aspx. The scripting language is the same everywhere, so don't worry about the Polish content of the blog post ;)

Enjoy!

Summary (1): The demo shows how an inappropriate AppLocker configuration can make the system unusable (effectively a crash). It then shows how to recover from this situation by editing the registry offline – the purpose is to show that it is possible to bypass the security mechanisms in the O.S. when someone has offline access to the disk. I will NOT be playing with the ACL's.

Action:

1. Start the Application Identity service. Make sure that its startup type is Automatic.

2. Create an AppLocker rule without the default rules → click "No" at the end of the wizard when it offers to create the default rules for the first rule.

3. Wait one minute. See how AppLocker behaves with no default rules (nothing is allowed to run).

4. Log off. Log on. See the result.

5. Boot from the Windows 7/2008 R2/Vista/2008 DVD. Go to the Repair mode and open the command prompt.

6. Type "regedit". Select the HKEY_LOCAL_MACHINE key. From the File menu, click Load Hive and load the offline registry hive from: %SystemDrive%\Windows\System32\config → SYSTEM.

7. Go to the Select key and check which control set is the current one (the value named "Current").

8. Go to ControlSet00X\Services\AppIDSvc (where X is the number from the Current value) and change the Start value to 4.

9. Reboot. See the result.

Why 4? See the possible Start values of a service below:

0x0 Boot
0x1 System
0x2 Automatic
0x3 Manual
0x4 Disabled

Summary (2): I used a custom DLL that intercepts the user's password. This and any other DLL can be added here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa → Notification Packages. The feature is called PASSFILT.
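The following PowerShell script is an added example and is not one of the scripts from the session: run from the recovery command prompt, it loads the offline SYSTEM hive the way steps 6–8 do, picks the control set named by Select\Current, decodes the AppIDSvc Start value with the table above, and lists the Lsa Notification Packages so an administrator can spot a DLL that should not be loaded by LSASS. It assumes the offline Windows folder is D:\Windows and that scecli is the only expected package on a workstation; both are assumptions to adjust for your system.

```powershell
# Added example, not from the original post. Inspect (and optionally repair) an
# offline SYSTEM hive from the recovery environment.
param(
    [string]$OfflineRoot = 'D:\Windows',   # assumption: offline Windows folder
    [switch]$DisableAppId                  # apply the demo's recovery step (Start = 4)
)

$HivePath  = Join-Path $OfflineRoot 'System32\config\SYSTEM'
$MountName = 'OfflineSYSTEM'               # temporary name for the loaded hive
$StartNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$ExpectedPackages = @('scecli')            # assumption: default on a workstation

reg.exe load "HKLM\$MountName" $HivePath | Out-Null
try {
    # Select\Current says which ControlSet00X the offline system will boot with
    $current = (Get-ItemProperty "HKLM:\$MountName\Select").Current
    $cs = 'ControlSet{0:D3}' -f [int]$current
    "Current control set: $cs"

    # Application Identity service start type, decoded with the table above
    $svcKey = "HKLM:\$MountName\$cs\Services\AppIDSvc"
    $start  = [int](Get-ItemProperty $svcKey).Start
    "AppIDSvc Start = $start ($($StartNames[$start]))"

    # Audit: every DLL named here is loaded by LSASS and sees password changes
    $lsaKey   = "HKLM:\$MountName\$cs\Control\Lsa"
    $packages = @((Get-ItemProperty $lsaKey).'Notification Packages')   # REG_MULTI_SZ
    "Notification Packages: $($packages -join ', ')"
    $unexpected = $packages | Where-Object { $_ -notin $ExpectedPackages }
    if ($unexpected) { "Review these entries: $($unexpected -join ', ')" }

    # Recovery step from the demo: with the service disabled, AppLocker cannot enforce
    if ($DisableAppId) {
        Set-ItemProperty $svcKey -Name Start -Value 4
        "AppIDSvc Start set to 4 (Disabled); reboot to apply"
    }
}
finally {
    [gc]::Collect()                        # release key handles, otherwise unload fails
    reg.exe unload "HKLM\$MountName" | Out-Null
}
```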

Author: Paula Januszkiewicz [MVP]