RG01C – Hacking and Protecting Managed Laptops

By Max Ranzau


This article discusses the methods which an attacker may employ, to circumvent management software alike Workspace Manager on portable computers. In this case the definition of the attacker follows the presumption that 90% of all security attacks originate from the inside of an organization. In other words, it’s your own users who may be attacking your systems for one reason or another.

Some folks will be rattled by the emergence of such an article, because in their opinion such things should not be discussed in the open. However not everybody agrees with merely not talking about security painpoints make them stay away. That’s Security by Obscurity which went out the window along with 2400 baud Modems. That being said, it would be indeed appear biased to bring forward such information without discussing the appropriate countermeasures.

That way it’s up to you – the admin – to consider if a) this applies to your environment and b) to what extent you trust your users. Many administrators need to heighthen their awareness of security. Hence this article. On the other hand, some admins don’t have a clue to what it means to service their users. If you fall into the latter category it should not suprise you that some of your users will blatantly defy your attempts to control their workspace environment regardless if it goes against the grain of corporate policy or not. Workspace Manager is indeed a powerfull ally in your IT datacenter, but with all instruments of power, it goes almost without saying – wield it responsibly!

The Scope

The article applies primarily to laptops. Reason is that SBC environments in regards to Workspace Manager is almost impossible to hack as, the users do not have administrative credentials and no physical access as the machines are typically placed in a datacenter. A workstation placed on the corporate campus may technically be vunerable to the attacks as discussed in this article, however the workplace environment may by nature or coincidence, practically prevent users from tampering with the equipment i.e. it may look suspicious when Secretary Betty is yanking the hardrive out of her workstation during lunch break..?

Finally when it comes to Terminal/Citrix servers, the shell is usually never set in the WinLogon registry, but rather as Initial Program on the portlistener. Alternatively, the Workspace Manager desktop may be served to the users as a Published/Remote Application. You may usually be able to connect to the servers using a RDP client in Console mode (mstsc.exe /console), where it will connect to Session zero (pre Win2008). In this mode, the initial program value of the port listener will be ignored and you will get shot straight into regular Explorer. To sum things up, if you are an admin you can (and damn well should be able to) bypass Workspace Manager at will.

Laptops are an entirely different matter. Per nature, the computer can be removed from both the corporate network and physical boundries, it is vunerable to tampering by users in the privacy of their own home. It is the aim of this article to discuss what can happen and what to do to prevent that. Note however this article does not take into account any laptop-securing-gadgets that are currently on the market.

A final word in terms of scope. When ever you lock a computer down, you have to provide means for yourself and other admins to unlock it again. Alternatively if this is too complicated, you have to ensure that critical data stored on the laptop is backed up (i.e. if the computer fails to boot and you’ve locked everyone out) and provide a means to make sure the user gets up and running as quick as possible again. This could be done by ensuring you have identical corporately managed laptops in storage available to roll immediatly in the case a laptop gets lost, stolen or broken somehow.

The nature of the Beast

In order to understand the nature of the security exploits and the respective countermeasures, it is important to understand what makes up a RES managed computer:

The first and foremost important thing to know, is when the Workspace Manager WorkSpace manager (pfwsmgr.exe) kicks in at logon. Normally explorer.exe would be pulled up, but this is where Workspace Manager initializes. If this doesn’t happen, the workspace is effectively unmanaged. This behavior is governed by the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Current Version\Winlogon REG_SZ Shell.

The normal for the shell value is “explorer.exe” without quotes. When Workspace Manager has been installed, and the shell has been changed (either using RES SetShell or RES Wisdom) the value will be “C:\Program Files\RES Workspace Manager\pwrstart.exe” powermenu (including quotes). Flipping this value back to the default explorer.exe value is usually the name of the game for a user to acquire control of a Workspace Manager managed computer.

Once inside, the wiley hacker will attempt to ensure that he stays in the picture. Either by force, by removing the RES products or by stealth by creating himself an alternate local administrator account as a backdoor. On the topic of additional active Workspace Manager components, there is the RES service which runs in the background. This service currently syncstatushas no influence on the shell value and only deals with syncronizing the locally cached copy of the configuration database to the central db. Once a target laptop is compromised, a user may decide to stop this service as well. You will be able to spot this by examining the last syncronisation date of a given agent. If the agent has been dark for an unusual long time, chances are you as the admin has lost control of that computer.
If RES Wisdom is employed, there is a RES Wisdom Agent service running on the laptop. This service will allow the admin centrally and silently to perform almost any kind of machine based query. From the perspective of security this includes:

  • Modifying (enabeling, disabeling, changing passwords, etc) local accounts
  • Monitoring the last logged-on username
  • Querying/setting the shell value
  • Querying installed software

last-user-wisdomIf the user does not disable the Wisdom Agent service, the administrator can take back control with the computer with relative ease as it’s just a matter of flipping the shell back to Workspace Manager. If the user has decided to create himself an alternate backdoor account, this is easy to spot in Wisdom. When you look at your Agent node, notice the columb called Last console user. If this is an account you can’t recognize, then you might very well have a backdoor on your hands.


On a footnote, RES provides a utility on their portal called SetShell. This tool is used to set the above key to the correct value either locally or remote. If you need to connect remotely to a computer that computer must have Remote Registry service enabled and you must be running locally with credentials equivalent of an administrator on the remote computer.

The Secret Sauce

There are several ways for a user to gain control with a managed laptop. Some of the methods fall beyond the scope of this article. For example, the user may altogether decide to acquire a seperate computer (or worse – a Mac! :-) or may have a seperate harddrive and swap between that and the “managed” harddrive. There are probably some nice networking solutions to deal with foreign computers on the network and in regards to the harddrive swapping, if all else fails, there’s always superglue…. NO – I’m KIDDING of course! :-) Suffice to say, if you want to prevent foreign computers or harddrives, you need to look for other solutions as that’s beyond the scope of the RES products to deal with.

Safe Mode Attack
One of the easiest ways to bypass an alternative shell like Workspace Manager, is to use the Safe mode boot option. The beauty/danger of this one is that it doesn’t require any special tools nor technical skills:

  • During boot, press F8 and chose Safe Mode with Command Prompt. At logon note that a local administrator account is needed as domain services are disabled in safemode. If the attacker does not know the local administrator password it can be easily reset by using a tool such as the NT Password and Registry Offline Editor. The selected SafeMode will force the shell to become a command prompt, which means Workspace Manager does not load.
  • Start regedit.exe
  • Change HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Current Version\Winlogon\SHELL to explorer.exe
  • Exit and restart the computer and log in as usual.

Safe Mode Countermeasures
It is not straight off the bat to prevent SafeMode, as Microsoft never intended for it’s customers to circumvent it as SafeMode was meant as a recovery tool. Some people would think you’re crazy to disable SafeMode as it’s a good recovery option. However you might argue if the laptop’s data is backed up on a regular basis and the laptop is running a corporate image (officially at least) then what’s the problem? There are indeed ways to disable F8. You need to grab a hex editor and patch the %SYSTEMDRIVE%\NTLDR file. Note: Uncle Balmer may not approve of this so don’t go complaining to MS Support if it doesn’t work. You can Google patch ntldr F8 and you will find several descriptions. Here is the skinny on the operation. This has been tested on WinXP SP2.

  1. Download a hex editor such as XVI32
  2. Remove the hidden, read-only and system attributes from the ntldr file. Use this command: ATTRIB -H -S -R C:\NTLDR
  3. Open the ntldr file in the hex editor
  4. Search for the following string (F3 in XVI32): CD 16 0F 85 09 (in a XPsp2, this was found at offset 0x779)
  5. Replace the string with CD 16 90 90 90
  6. Save and exit and replace the attributes with this command: ATTRIB +H +S +R C:\NTLDR

Once active this will render the F8 key inoperable at boot time. As a result the entire SafeBoot menu will be unavailable for better or for worse. Note that if you later apply a servicepack to the machine, you may have to re-apply this hack if ntldr is updated. Also be aware that the above offset and values may not be applicaple to newer OS’es (google is your friend)

Alternate Boot Attack
A different way to gain access the registry is to boot up the computer from an alternate boot media and modify the registry offline. This is a bit more advanced and will probably be beyond the capability of most IT mugglers anyway. The procedure would be something like this:

  • Create a bootable media. This can be a CD or USB stick loaded up with BartPE or similar. In a pinch, a bootable OS CD can be employed, using the Recovery Console. Alternatively the before mentioned NT Offline Editor can be used, however the method below presumes you are just using a regular boot media.
  • Boot up the target computer with the media.
  • Start regedit.exe
  • Navigate up to HKEY_LOCAL_MACHINE and go to the File|Load hive menu
  • Load the file %systemroot%\system32\config\software. This file contains the HKLM\Software part of the registry of the dormant configuration. When prompted, enter a name for the key to store the hive file in. Let’s use the name Hack
  • Navigate to HKEY_LOCAL_MACHINE\Hack\Software\Microsoft\Windows NT\Current Version\Winlogon\SHELL and change the value to explorer.exe. DO NOT exit after this.
  • Go back to the Hack key, then select the File|Unload Hive menu item. This will save the change back to the registry hive
  • Exit regedit and reboot the machine as usual, explorer will now load normally.

Alternate Boot Countermeasures
In order to prevent this hack, the admin would have to reconfigure the BIOS/CMOS settings on the laptop before the user ever gets his hands on it. I would recommend changing the boot order, so the harddrive always boots first. Then password protect the BIOS. This is however far from 100% hackproof as some vendors provide backdoor passwords, and there are even calculators which will generate a master BIOS password from the computers servicetag. In summary, locking down the BIOS and Bootorder is an important thing to do, but dont expect too much of it.

An admin may also consider enabeling a harddrive password. This is usually only good for protecting the contens of the harddrive from 3rd parties, such as if the laptop got stolen. In order to actually use the laptop, the user must know this password. This means that in order to protect the harddrive from offline attacks by the user himself, this method is basically useless as the attacker will know the password already. Besides, on quite a few harddrives, the password does actually not encrypt the contens of the drive itself. It merely just shuts off the harddrive if an invalid password is given. An old hack to circumvent this was to purchase a matching harddrive and then switch the circuit boards (with a steady hand and a bit of patience)

Offline Boot
usb-adaptorAn attacker may also attempt to mount the drive on another computer using a USB harddrive adaptor. Then combine it with the method of loading and editing the offline registry hive as described in the Alternate Boot section above. This would trumph a changed bootorder + password protected bios.

Offline Boot Countermeasures
This may be prevented by using Vista/Win7’s BitLocker or some of the other nice drive encryption technologies out there. However, drive encryption by itself would be useless as the password hash would be stored on the drive itself. If the laptop may be outfitted with a TPM,  it may be an entirely different matter. I have not had the opportunity to test this, so any feedback would be welcome.

The [perhaps questionable] Morale of the Story

As discussed, there are numerous ways of both hacking and securing a mobile computing platform. If you have techsavy users it will be a perpetual cat-and-mouse game. The take-away from all this is:

  • Yes, a laptop can indeed be locked down to an almost unhackable state
  • No, it will unlikely be easy to service, because you have to do all the unlocking in reverse and then lock it down again, once you’re done. You may tire of this quickly, so consider thinking of the laptop as a user-agnostic piece of kit which can be replaced at the drop of a hat
  • The user may decide to buy their own hardware and alternate.
  • You can then attempt to block that legally, physically and/or digitally if possible at all.

Consider this:
95% of your regular (non-technical) users will be perfectly happy in a managed computing environment which gives them what they need to perform their work duties Supporting these folks with RES Workspace Manager in your toolbelt will save you a massive amount of time and you are likely to get positive feedback on the performance and predictability of the solution you offer. 4% of the users will be made happy if you provide a few exceptions for them (such as allowing them to install applications, etc). But within the last 1% of your users you are likely to find a handfull of techsavy users which you will never really be able to control. Why? because they don’t WANT to be controlled and chances are they may be just as smart as you anyway. If they get the feeling you are merely snooping around their rigs to see what movies they might have downloaded, you will find yourself kicked out faster than a duck through chinatown. Now, before you climb on the high horse and get all rightious about it, take a moment to think about it:

  • First: In order to do their job it would seem that all they’re likely to ever need from you, is for you to keep the mailserver running.
  • Second, these users may be further up the corporate foodchain where you might find your own administrative career in jepardy if you mess around with their perceived priveledges.
  • Third, chances are they may be smart enough to fly under the radar so you won’t notice they are running outside your managed environment anyway.
  • Fourth and finally , if you’ve got really sensitive stuff to worry about, make sure it never leaves the datacenter in the first place. Keep such things running on a SBC environment

The conclusion seems clear. Protecting corporate laptops from unauthorised 3rd party access is definatly within the realm of the possible. However, protecting the laptop from tampering by authorised users, seems to be a uphill battle as none of the technology available with off-the-shelf consumer electronics seems to be designed with this goal in mind. My advice, if this really is a cardinal point for you, is to look for specialized laptop hardware which is designed with this specifically  in mind.

Again, feedback is appreciated

No Comments

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a comment

Comments are welcome as always. Just do the math below. * Time limit is exhausted. Please reload the CAPTCHA.