Home / server / Questions / 174494
Accepted
nedm
Asked: 2010-08-26 09:40:34 +0800 CST

Fixing Microsoft Application DLL Spoofing Vulnerability via GPO

  • 772

With a metasploit module and POC code available, there's a growing concern about the DLL path-searching vulnerability in an increasing number of Microsoft and 3rd party applications. It appears that ensuring SafeDLLSearchMode is enabled mitigates the vlunerability, and I would like to enforce this on a network via Group Policy. While it's enabled by default in XP SP2+ and requires a registry edit to disable, I'd like to find an ADM file (or perhaps there's an existing policy setting I'm missing) that will let me ensure it remains active.

Does anyone know if anything like this is out there, or could anyone suggest how such an ADM file should look? The key in question is: 

HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode

With a value of 1 for enabled and 0 for disabled.

group-policy security

1 Answers

  1. Best Answer

    Here is an ADM you can use to apply this preference. If you had Client-Side Preferences you could better manage this setting.

    CLASS MACHINE
CATEGORY "Extras"
  CATEGORY "Software Settings"
    CATEGORY "Safe DLL Search Mode"
        POLICY "Safe DLL Search Mode"
          KEYNAME "System\CurrentControlSet\Control\Session Manager"
              EXPLAIN "Enable safe DLL search mode."
          VALUENAME "SafeDllSearchMode"
            VALUEON  NUMERIC 1
            VALUEOFF NUMERIC 0
        END POLICY
    END CATEGORY
  END CATEGORY
END CATEGORY

    You can also change this value with a simple script:

    REG ADD "HKLM\System\CurrentControlSet\Control\Session Manager" /v "SafeDllSearchMode" /t REG_DWORD /d "1" /f
    • 2