Windows 8 networks drives not mapping via logon script with UAC enabled

Many enterprises attempting to tackle Windows 8 may find themselves in the same predicament we did, whereby existing logon scripts fail to map network drives when UAC is enabled. Unfortunately this isn't as simple to fix as it was in Windows 8, well that isn't strictly true, it is easy to fix by disabling UAC, but you introduce another problem, metro apps no longer work.

For those uninitiated, metro apps require UAC enabled to work, and in most circumstances UAC breaks drive mappings.

The root cause of this problem is that drive mappings are occurring in the under the wrong permission token.

When UAC is enabled, metro apps work, but drives are mapped with the privileged token, so you can't see them under windows explorer but if you open a command prompt as administrator you will be able to access those mapped drives.

When UAC is disabled, metro apps don't work, drives are still mapped with the privileged token but windows explorer is also started with the privileged token, so the mapping are visible.

The trick is being able to leave UAC enabled so metro apps work, but still mapping the network drives in the non-privileged context so they appear in explorer. Chances are if you have a complex logon script with HKCU registry edits, you probably want some of your logon script to run as privileged user (registry) and some as non-privileged user (drive mappings).

We tested a number of solutions that all had some downfalls:

• Disabling UAC and forfeiting the use of metro apps
• Playing around with different combinations of UAC group policy options
• Using the EnableLUA registry setting

None of the above could deliver mapped drives and working metro apps, however there is a solution.

The Solution

We use Kixtart scripting internally, so ideally we would like to keep these scripts when moving to Windows 8. I stumbled upon a function called RunAsInteractiveUser that was designed for Vista and Windows 7. The RunAsInteractiveUser function leverages windows task schedulers ability to run a task as the interactive user, therefor inheriting the unprivileged token if UAC is enabled.

This function allows programs to be launched as the non-privileged user when being launched from a privileged process on a system where UAC is enabled. 

We did a simple modification to our Kixtart script, when a Windows 8 system launches the logon script, the drive mapping section is ignored but is spawned with the non-privileged account. The code goes something like this.

;**** Windows 8 override/skips
if instr(@producttype,"Windows 8")
 ;if UAC is specified, only remap drives, skip rest of script
  if ($input = "uac")
    goto remap
  endif
  $RC=RunAsInteractiveUser("\\contoso.info\dfs\scripts\logon\logonuac.cmd", "", "c:\windows\temp\",1)
  ;exit
endif

We then use a batch file called logonuac.cmd to relaunch the logon script with a $input=uac argument, when this argument is specified the script only remaps the network drives and ignores the rest of the script.

1. GPO triggers user logon script with privileged token.
2. Logon script runs, if Windows 8 is detected it performs all actions with privileged token but skips drive mappings. The logon script is then relaunched with the $script=uac argument under the non-privileged token.
3. Logon script detects $script=uac and only maps network drives. After network drives are mapped, the logon script exits.

If you wanted to simplify you could move the drive mappings out of the main logon script into a separate script and use code something like.

if instr(@producttype,"Windows 8")
  $RC=RunAsInteractiveUser("\\contoso.info\scripts\logon\logonuac.cmd", ", "c:\windows\temp\",1)
else
    RUN '"\\contoso.info\scripts\logon\logonuac.cmd"
endif

This would map drives under Windows 8 systems with the privileged token and everything else as normal.

We spent days on this problem, hopefully this solution saves you time.

Alternatively if you are not running Kixtart and don't want to, you can look at the LaunchApp workaround script. You could also do something as simple as moving the logon script away from GPO and running it as a scheduled task on the local machine running as interactive user, this should also work.

Blocking Windows XP user group policy by exploiting a roaming profile vulnerability

For users that roam from workstation to workstation, roaming profiles can be a life saver. All the users settings and customizations move with them and save bucket loads of configuration.

There is a huge security hole with the Windows XP roaming profile model thought, as the HKEY_CURRENT_USER hive is synchronized to the network, any customizations to the security permissions are also synchronized. It is therefore possible to totally block group policies from applying at the HKEY_CURRENT_USER level with a few easy steps.

While this doesn't affect computer level policies in the same way, they are rarely used to enforce restrictions such as blocking regedit, command prompt or the run command. Incidentally a user in a high security environment can bypass these restrictions throughout the whole network by access a single vulnerable machine.

The following steps must be performed as a local Administrator. Hold on, did you say as an Administrator? Doesn't that ruin the whole security hole arguement? In fact there are so many vulnerabilities in Windows XP that unless the patch management of the environment is good, you should be able to elevate to Administrator or SYSTEM on some computer throughout the enviroment.

Even easier is to use the "vBootkit" by Nitin and Vipin Kumar. This ingenious boot CD allows the attacker to elevate any process to system level privileges by loading a temporary rootkit into the MBT. For example we could designate the vBootkit to elevate cmd.exe to SYSTEM token after we launch it, or if command prompt is currently blocked with policy we could elevate a 3rd party task manager or launcher.

The beauty of the vBootkit is as soon as you reboot, its gone, it only loads itself into the memory space of the single boot.


Could it get any easier?

1. After elevating yourself to an Administrator or SYSTEM prompt (perhaps via the Kumar's vBootKit), launch a regedit session.

2.  After I navigate to my "HKEY_CURRENT_USER\Software\Policies" key, you can see a number of policies that are set to apply to my account. These have likely been added via domain group policy.

3. If we right click the Policies key and select permissions, we find the SYSTEM has full control over this key.

5. The SYSTEM account is used to deliver group policies directly to this "HKEY_CURRENT_USER\Software\Policies" registry key. By setting the SYSTEM account to Deny permissions. as per the image below, we effectively block the system from being able to apply its group policies to my account.

Computer policies will still continue to function, but you can use the same technique on the "HKEY_LOCAL_MACHINE\Software\Policies" hive to block computer policies. The difference is HKLM changes won't follow you from computer to computer like HKCU policies will in a roaming profile environment.

6. The next step is to delete all the existing policies (unless there is any you want to keep of course). We can now potentially unblock Internet Explorer restrictions, allow the command prompt and perhaps even stop a login script from running.

7. Now if you run a gpupdate you will find the policies don't reapply, your HKCU policy free! The next time you log off these policy permission changes will be synchronized to the network and you will be exempt from HKCU policies on every machine login.

You can see how devastating this could potentially be. A systems administrator doesn't patch an edge workstations as early as early as he or she should, an employee elevates themselves to local administrator and applies these group policy blocks, the changes synchronize to the network. All of a sudden that same employee has allot more flexibility to launch attacks from more privileged workstations (that are running roaming profiles) in other parts of the network.

Possible ways of mitigating the attack

I think the easiest way to mitigate the attack is auditing. Regular checking, or scripted checking of NTUSER.DAT hives on the network share the roaming profiles reside.

I have played around with scripting to mount the hive as read-only (with reg load), check the Policies key for SYSTEM permissions irregularities with subinacl, report on any unusual findings and then un-mount the hive.

Using subinacl and the below string we can audit the current status of the SYSTEM account that is used to apply the group policy to the user "HKEY_CURRENT_USER\Software\Policies" key.

subinacl /verbose=1 /keyreg "HKEY_CURRENT_USER\Software\Policies" /display=dacl

You could very simply do this with a batch or kixtart script and have it run on a weekly or monthly basis and e-mail the dodgy findings directly to you.

Windows startup script not running Windows 7 wireless clients

So many administrators are posting about their woes with Windows 7 processing group policy computer startup scripts.


The Root Cause

The root cause of this problem is that Window 7 simply ignores the group policy settings "Computer Configuration\Administrative Templates\System\Logon\Run logon scripts synchronously" and "Computer Configuration\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon" that previously worked so well in Windows XP.


Some Background

I previous wrote a BLOG post about how to make the netlogon service start correctly on wireless clients by adding some service dependencies to netlogon service itself. This unfortunately still doesn't make the computer startup script run on all wireless clients.


The Solution

Here is a quick solution that will ensure group policy computer startup scripts are executed when the computer boots and its so easy, two words, task scheduler.
I have created a task that runs on startup with a 1 minute delay, runs as SYSTEM user and executes my computer startup script, I have then deployed this script with System Center Configuration Manager to all of my wireless clients. Yes it does mean that some of my clients will run the computer startup script twice, but at 300ms to complete the entire script, I am sure this won't inconvenience my users too much.

This is so easy it feels like cheating, but it solves my problems and all my computer startup scripts are running perfectly again.

Below is an example of a task schedule, you just need to replace "<Command>\\domain.local\scripts\launch.cmd</Command>" with the path to your startup script and then save it as "startupscript.xml".

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2011-09-16T13:31:06.4110949</Date>
    <Author>Administrator</Author>
  </RegistrationInfo>
  <Triggers>
    <BootTrigger>
      <Enabled>true</Enabled>
      <Delay>PT1M</Delay>
    </BootTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT1H</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>\\domain.local\scripts\launch.cmd</Command>
    </Exec>
  </Actions>
</Task>

You can import the startupscript.xml file with the following command.

schtasks.exe /create /XML startupscript.xml /TN startupscript

To make it easier to deploy I put that into a SCCM package and deploy it to all my Wireless clients. Voila, problem solved!