Russinovich on Circumventing Group Policy Settings

Windows IT Pro Magazine columnist Mark Russinovich posted an article, "Circumventing Group Policy Settings," in his Sysinternals Blog that makes excellent reading for all you security admins. Here are a couple of snippets:

"Windows administrators should be aware that if a user, even one running with a limited account, can execute just one program of their choice that they also can circumvent many group policy settings, including ones aimed specifically at tightening security such as Software Restriction Policies and Internet Explorer Zones."

\[... huge snip ...\]

"The bottom lines is that full control of an end-user environment is possible only with strict lock-down of the programs they run, something that you can accomplish by using SRP in white-list mode, for example. Note that this is not a bug in Windows, but rather a design decision made by the Group Policy team."

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.