Fixing the DLL Preloading Vulnerability with Group Policy, the right way!Posted: September 2, 2010
Microsoft has recently released a patch to address a well-publicized vulnerability in Windows where programs can load “bad” DLL’s from a WebDAV or SMB share. However, you need to create a new registry entry to modify Window’s behavior on DLL loading and close the hole.
The new registry entry is CWDIllegalinDllSearch, and there is more information, and a Fix It tool, on Microsoft’s Security Research and Defense blog. Susan Bradley rightly points out that their advice is not really suitable when there are numerous PC’s in the network, especially when they are all managed by Group Policy. She mentioned a solution involving Group Policy Preferences.
It’s not often I can keep up with Susan, but I have figured out how she’d do it! We’ll make a new Group Policy Preference with the required registry settings. This preference could be applied to the default domain, but I have chosen to limit it to client machines, so it will be created for the SBSComputers OU.
- Preconditions: All your PC’s must have Group Policy Preferences installed; this is standard for Vista and higher, but available as an update for XP SP3.
- They must also have KB2264107 installed first. Do it now if you haven’t already.
- Open the Group Policy Management Console, select your domain, and go through the OU tree until you reach SBSComputers.
- Right-click, select “Create a GPO and link it here”.
- Pick a name, “DLL Preloading Vulnerability Prevention”. Click OK.
- Find the GPO you just created and right-click it. Select Edit.
- In the GPO editor, select Computer Configuration/Preferences/Windows Settings/Registry.
- Right click the Registry item and select New/Registry Item.
- In the window shown below, to the right of the Key Path item box, click the […] button.
10. Select SYSTEM/CurrentControlSet/Control/Session Manager. Do not open any subkeys under Session Manager. Click Select.
11. Enter the new value name, CWDIllegalinDllSearch.
12. Enter the value type, REG_DWORD.
13. For value data, enter 2.
14. Click OK.
15. Close the GPO Editor, and the GPMC console.
If you wish, you can refresh the GPO settings at each client by doing a gpupdate /force.
The “default” setting of 2 for CWDIllegalinDllSearch blocks DLL loading from Webdav and SMB’s. There is a more restrictive setting that blocks DLL loading from USB devices. For that, you would select the Hexadecimal radio button in the dialog above and enter FFFFFFFF. Until I know how this affects the system I am sticking with the defaults. It occurs to me that if you have techs who troubleshoot with thumb-drive utilities, this may break them. Just so you know.
There are other ways to implement this in Group Policy; one method I have seen involves creating a new GP template with the registry settings. I think GP Preferences are the better way to go as, with a custom template, the registry settings are "tattooed" (this is the official GP nomenclature) onto the machine’s registry and remain there even if the policy is removed. I like to have a clean machine with transparent settings, even though this setting will be permanent through the life of Windows.
Thanks for the hints, Susan!