Group Policy Central

Posts tagged ‘Google’

How to mitigate Windows Help Security Issue KB2219475 with Group Policy

A Google engineer recently, and irresponsibly, disclosed to the public, after warning Microsoft only 5 days earlier, a vulnerability that allows a malicious third party to take advantage of a security issue in the Help and Support Center in Windows XP/2003. As a result this has left many users (and organisations) open to attack using this exploit. Thankfully Microsoft have responded quickly and have published a security advisory (http://www.microsoft.com/technet/security/advisory/2219475.mspx) about this issue with workaround instructions while they work on a security fix.

Update: This security vulnerability is now being actively used by hackers.

For your benefit I have written instructions below showing how you can mitigate this security issue using Group Policy Preferences. As this workaround involves deleting a registry key (and its sub-keys), I have also included instructions on how to back up and restore this key after you have deployed the fix for this issue in your organisation.

How to back up the affected registry key

In these steps you will create a registry key backup file for later use, to restore the functionality of the Help and Support Center after you deploy the related hotfix. Normally you can back up the registry using the Registry Wizard in Group Policy Preferences; however, this is a Windows XP specific key and you cannot import a HKEY_CLASSES_ROOT key remotely via the Group Policy Management Console, so we need to export (i.e. back up) the registry key via the traditional Regedit method.

Step 1. Go to a Windows XP computer that you want to use as a template for backing up the registry.

Step 2. Run Regedit, navigate to the HKEY_CLASSES_ROOT\HCP key, then click File and then Export.


Step 3. Save the registry key as a file (for example HCP_Backup.reg).


Note: Keep this file safe, as you will need it to restore the HCP key once you have deployed the hotfix.

How to delete the HCP registry key

These instructions will show you how to delete the HKEY_CLASSES_ROOT\HCP key, which is the suggested workaround for this security issue.

Step 1. Create a new Group Policy Object targeted at the computer objects you want to apply this workaround to.

Step 2. Navigate to Computer Configuration > Preferences > Windows Settings > Registry, and then from the menu click Action > New > Registry Item.


Step 3. Select Delete from the Action drop-down menu, then select HKEY_CLASSES_ROOT from the Hive: menu and type HCP in the Key Path: field.


Step 4 (Optional): Click on the Common tab and tick Apply once and do not reapply.


Note: Doing this will allow you to restore the functionality for selected users if required by simply running the previously

HCP functionality will now be broken when you click on any HCP:// link. While this is not an often-used feature of Windows XP, I have seen some organisations that use a link straight to the “Offer Remote Assistance” feature.
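Once the preference item has been deployed you will want to confirm that the key really is gone on each computer. The script below is an added example and not part of the original post: it checks a list of Windows XP/2003 computers from an administrator's workstation using the WMI StdRegProv class, so it only needs WMI/DCOM access to the targets and does not require PowerShell on the clients. The computer names are placeholders.

```powershell
# Added example (not from the original post): report whether the KB2219475 workaround
# (HKEY_CLASSES_ROOT\HCP deleted) is in effect on a list of Windows XP/2003 computers.
# Uses the WMI StdRegProv class, so only WMI/DCOM access to the targets is needed.

param(
    [string[]] $ComputerName = @('XPCLIENT01', 'XPCLIENT02')   # placeholders; replace with your hosts
)

# StdRegProv hive constant for HKEY_CLASSES_ROOT. Over a remote WMI connection there is
# no interactive user hive, so this resolves to the machine-wide HKLM\SOFTWARE\Classes
# view, which is the copy the Group Policy Preferences item deletes.
$HKEY_CLASSES_ROOT = [uint32]2147483648

function Test-HcpWorkaround {
    param([string] $Computer)
    $ok = $null
    try {
        $reg    = [wmiclass] "\\$Computer\root\default:StdRegProv"
        $result = $reg.EnumKey($HKEY_CLASSES_ROOT, 'HCP')
        # ReturnValue 0 = the key exists (listing its subkeys succeeded), 2 = key not found
        switch ($result.ReturnValue) {
            0       { $state = 'NOT applied - HCP key present'; $ok = $false }
            2       { $state = 'Applied - HCP key absent';      $ok = $true }
            default { $state = "Unknown (StdRegProv returned $($result.ReturnValue))" }
        }
    } catch {
        $state = "Unreachable: $($_.Exception.Message)"
    }
    New-Object PSObject -Property @{
        ComputerName      = $Computer
        WorkaroundApplied = $ok
        Detail            = $state
    }
}

$report = $ComputerName | ForEach-Object { Test-HcpWorkaround -Computer $_ }
$report | Format-Table ComputerName, WorkaroundApplied, Detail -AutoSize

# Hosts that still report the key as present deserve a second look: with
# "Apply once and do not reapply" ticked (Step 4), the preference item will not delete
# a key that is re-created later for any reason, so re-running this audit periodically
# until the hotfix is deployed is the cheap check.
```

Because the audit reads HKEY_CLASSES_ROOT through a remote connection it only sees the machine-wide copy of the key; a per-user copy under HKCU\Software\Classes would not show up here, but the preference item above does not touch that location either.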

How to restore the HCP registry key

Once Microsoft releases a security hotfix for this issue you may want to restore the registry key we deleted above. Unfortunately (as I mentioned before) we are not able to easily import the registry key using the “Registry Wizard” option of Group Policy Preferences, as you can only import HKEY_CLASSES_ROOT keys locally on a PC. Therefore we will need to use a startup script (OH NO!!!) to import the original HCP keys.

Step 1. Edit the same GPO in which you previously deleted the HCP key.

Step 2. Navigate to Computer Configuration > Windows Settings > Scripts (Startup/Shutdown) and double-click Startup in the right-hand pane.


Step 3. Click on Show Files…


Step 4. Paste a copy of the HCP_Backup.reg file we created in the backup steps into this folder, then close the folder.


Step 5. Back in the Startup Properties window, click the Add… button.

Step 6. Type regedit.exe in the Script Name: field and /s HCP_Backup.reg in the Script Parameters: field, then click OK.


This will import the backed-up registry key the next time the computer reboots.


Step 7 (CLEAN UP). Finally, navigate to Computer Configuration > Preferences > Windows Settings > Registry in the Group Policy Management Editor and either disable or delete the HCP Delete registry preference item you created previously.
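The bare regedit.exe /s startup script from Steps 5 and 6 re-imports the file on every boot and gives you no record of whether it worked. As an added example (not part of the original post, and not anything Microsoft provides), the startup script below does the same import but only when the HCP key is actually missing, verifies the result, and writes the outcome to the Application event log. It assumes PowerShell 2.0 is installed on the client, that HCP_Backup.reg sits in the same folder as the script (the GPO's Startup script folder from Step 3), and that it runs as a computer startup script, i.e. as LocalSystem, so that HKEY_CLASSES_ROOT resolves to HKLM\SOFTWARE\Classes. The event source name HcpRestore is an arbitrary choice.

```powershell
# Added example (not from the original post): idempotent startup script that restores
# HKEY_CLASSES_ROOT\HCP from HCP_Backup.reg only when the key is missing, then verifies
# the import and logs the outcome to the Application event log.

$ErrorActionPreference = 'Stop'
$scriptDir  = Split-Path -Parent $MyInvocation.MyCommand.Path
$backupFile = Join-Path $scriptDir 'HCP_Backup.reg'      # assumption: backup is beside this script
$hcpKey     = 'Registry::HKEY_CLASSES_ROOT\HCP'
$source     = 'HcpRestore'                                # event log source name (our choice)

function Write-RestoreLog([string] $Message, [string] $Type = 'Information') {
    # Register the event source on first use; the script runs as LocalSystem so this is allowed.
    if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
        New-EventLog -LogName Application -Source $source
    }
    Write-EventLog -LogName Application -Source $source -EventId 1000 -EntryType $Type -Message $Message
}

if (Test-Path $hcpKey) {
    # Nothing to do: the key was restored on an earlier boot, or the delete preference
    # never reached this machine. Re-importing would only churn the registry.
    Write-RestoreLog 'HKCR\HCP already present; no import performed.'
    return
}

if (-not (Test-Path $backupFile)) {
    Write-RestoreLog "Backup file not found: $backupFile" 'Error'
    return
}

# regedit /s imports silently; wait for it to finish so the verification below is meaningful.
$proc = Start-Process -FilePath 'regedit.exe' -ArgumentList @('/s', "`"$backupFile`"") -Wait -PassThru

if (Test-Path $hcpKey) {
    Write-RestoreLog "Imported $backupFile; HKCR\HCP restored (regedit exit code $($proc.ExitCode))."
} else {
    Write-RestoreLog "Import of $backupFile ran (exit code $($proc.ExitCode)) but HKCR\HCP is still missing." 'Error'
}
```

Deploy it in Step 6 as a PowerShell startup script instead of regedit.exe (the .reg file still goes in the same folder), and check the Application log on a pilot machine for event 1000 from the HcpRestore source before you disable the delete preference item in Step 7.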

Hope it helps…

KB978207 (MS10-002) Internet Explorer “Google China” patch is out now

As I have previously mentioned, there has been a lot of press lately about hackers who took advantage of holes in IE and Adobe Reader to hack Google’s systems in China. As a result Microsoft have burnt the midnight oil and rushed out an out-of-cycle patch for Internet Explorer to resolve this issue, even though the issue seems to be fairly low spread.

Even so, if you are still running Internet Explorer 6.0 on Windows XP (yes, there are some corporations that do) it is STRONGLY recommended that you install this patch ASAP. Needless to say, if you are still running IE6 on Windows XP then you also need to look at updating to IE7 or IE8. Besides the more compliant HTML rendering engine that the newer browsers offer, they are also much more secure. If you happen to be running Vista (yay for you!) then the risk is about 256 times less likely to affect you due to the extra protection the OS offers, such as Protected Mode and Address Space Layout Randomisation (ASLR). Windows 7 users are even more secure, as on top of Protected Mode and ASLR, Internet Explorer also has Data Execution Prevention (DEP) enabled by default.


So while you're making yourself more secure by installing this patch, be sure to also check out my other article showing how to turn off JavaScript in Adobe Reader, one of the other reported attack vectors for the Google hack.

For more information, see the Microsoft security bulletin MS10-002 at http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx

Update: This security issue was originally posted as KB979352.

How to mitigate KB979352 (a.k.a. “Google China”) security vulnerability using Group Policy

Microsoft have been getting a lot of press (here, here and here) about security vulnerability KB979352 in Internet Explorer, which was used by Chinese hackers to breach Google’s security and gain access to anti-China protesters' email accounts and other private data. As a result Microsoft have now released a security advisory for IT professionals listing multiple ways to mitigate this security issue before they release a patch (which they are rushing to get out).

One of the ways listed to mitigate this issue on IE6 (other than not running IE6) is to configure Active Scripting to be either disabled or set to prompt. This is pretty easy for one user to change manually, but for a large organisation (like Google) performing this workaround on many thousands of computers would be very time consuming.

So to make this change in Group Policy, open the Group Policy Object (GPO) that is targeted at your user accounts and navigate to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page, and then under both the “Local Intranet” and “Internet” zones configure the “Allow active scripting” option to “Disable” or “Prompt”.


If you configure this option it is likely that some legitimate sites, both local and on the Internet, will break; to work around that you can explicitly add them to the “Trusted Sites” zone. To do this, again open the users' GPO and navigate to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page, then open the “Site to Zone Assignment List” setting, click “Enabled” and then click the “Show” button.


Then type the full URL in the “Value Name” field and “2” (the Trusted Sites zone) in the “Value” field for each site you want to allow to run Active Scripts.
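After a gpupdate on a test machine you will want to confirm what Internet Explorer actually ended up with, rather than trusting the GPO editor. The script below is an added example and not part of the original post: run in the affected user's context, it reports the effective Active Scripting setting for the Local intranet and Internet zones, whether it came from policy or from the user's own Internet Options, and which URLs the Site to Zone Assignment List has placed in the Trusted Sites zone. It reads the standard registry locations these policies write to (the per-zone value 1400 is Active Scripting; zones 1, 2 and 3 are Local intranet, Trusted sites and Internet); these paths are the documented ones and not specific to this post.

```powershell
# Added example (not from the original post): audit the effective IE "Active scripting"
# setting (zone value 1400) for the Local intranet (1) and Internet (3) zones of the
# current user, and list the URLs the Site to Zone Assignment List maps to Trusted sites (2).

$ZoneNames      = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$ScriptingState = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Policy-managed zone settings win over the user's own Internet Options settings.
$PolicyZones = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$UserZones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# Site to Zone Assignment List entries: value name = URL, value data = zone number (REG_SZ).
$ZoneMapKey  = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

function Get-RegDword([string] $Path, [string] $Name) {
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Get-ActiveScriptingState {
    foreach ($zone in 1, 3) {
        $policy = Get-RegDword "$PolicyZones\$zone" '1400'
        $user   = Get-RegDword "$UserZones\$zone"   '1400'
        if ($policy -ne $null)  { $effective = $policy; $origin = 'Group Policy' }
        elseif ($user -ne $null) { $effective = $user;   $origin = 'User setting' }
        else                     { $effective = $null;   $origin = 'Default (not set)' }

        if ($effective -ne $null -and $ScriptingState.ContainsKey([int]$effective)) {
            $label = $ScriptingState[[int]$effective]
        } else {
            $label = "Unknown ($effective)"
        }
        New-Object PSObject -Property @{
            Zone            = $ZoneNames[$zone]
            ActiveScripting = $label
            Source          = $origin
            # Prompt (1) or Disable (3) is what the advisory workaround asks for.
            Mitigated       = ($effective -eq 1 -or $effective -eq 3)
        }
    }
}

function Get-TrustedSiteAssignments {
    if (-not (Test-Path $ZoneMapKey)) { return @() }
    $props = Get-ItemProperty -Path $ZoneMapKey
    # Get-ItemProperty adds PS* metadata properties; everything else is a URL entry.
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -eq '2' } |
        ForEach-Object { $_.Name }
}

Get-ActiveScriptingState | Format-Table Zone, ActiveScripting, Source, Mitigated -AutoSize
$trusted = @(Get-TrustedSiteAssignments)
Write-Host ("Sites assigned to Trusted sites (zone 2) by policy: {0}" -f $trusted.Count)
$trusted | ForEach-Object { Write-Host "  $_" }
```

If a zone shows Source as User setting, the policy has not applied to that account yet; if Mitigated is False for the Internet zone after the policy has applied, the GPO is most likely linked to the wrong OU or filtered out for that user. Note that the Trusted Sites zone keeps its own 1400 value, so the sites you list there will run scripts regardless of the Internet zone setting, which is the point of the exception list.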


Now, according to Microsoft, your browser should be configured to mitigate this security vulnerability.

For more information about the security vulnerability see the Microsoft Advisory at http://www.microsoft.com/technet/security/advisory/979352.mspx.

Disclaimer: I do not accept any liability whatsoever for the information in this article. Please use this information at your own risk.