Breaking out of Jail with Microsoft Word
This article describes a way a malicious user could use Microsoft Word and VBA code to circumvent lockdown restrictions set by an administrator. The article also describes how to mitigate the risk. This is of interest to people running Terminal Services, or to anyone trying to lock down their clients.
For the environment that I have set up to test this, I’ve installed a Windows Server 2003 machine and set it up to run Terminal Services. I’ve also installed Office; the goal here is to allow a user to run Microsoft Word and nothing else. The user’s desktop is then redirected to a share where the user doesn’t have write access. The desktop contains one item: a link to Word. Logging in to the terminal server, everything looks good; the user can basically run Word and change his password.
Apart from the settings above, the rest of the GPO settings are listed at the end of this article. It’s basically a few lockdown settings and a software restriction policy defaulting to “disallowed”, with an additional path rule allowing Microsoft Word.
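To check how a policy like this one is actually applied on a host, the following audit script (an added example, not part of the original article) reads the Software Restriction Policy settings from the local registry, prints the default level and every path rule, and flags any "Unrestricted" path rule that allows an Office application with a built-in VBA engine. The registry layout under `Safer\CodeIdentifiers` is the standard SRP layout; the list of VBA host executables is an assumption chosen for this example.

```powershell
# Added SRP audit example (not the article's own code). Run in an elevated PowerShell
# session on the terminal server after the GPO has been applied.
$saferRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levelNames = @{ 0 = 'Disallowed'; 4096 = 'Basic User'; 262144 = 'Unrestricted' }
# Assumption: executables that embed a VBA engine and therefore deserve a closer look.
$vbaHosts   = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'msaccess.exe', 'outlook.exe')

function Get-SrpPathRules {
    if (-not (Test-Path $saferRoot)) {
        Write-Output "No Software Restriction Policy found under $saferRoot"
        return @()
    }
    $root = Get-ItemProperty -Path $saferRoot
    if ($null -eq $root.DefaultLevel) {
        Write-Output 'Default level : not set (SRP treats this as Unrestricted)'
    } else {
        Write-Output ("Default level : {0} ({1})" -f $root.DefaultLevel, $levelNames[[int]$root.DefaultLevel])
    }
    Write-Output ("Enforcement   : TransparentEnabled={0} PolicyScope={1}" -f $root.TransparentEnabled, $root.PolicyScope)

    $findings = @()
    foreach ($level in $levelNames.Keys) {
        $pathsKey = Join-Path $saferRoot "$level\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $item   = Get-ItemProperty -Path $rule.PSPath
            $target = [string]$item.ItemData
            $leaf   = [System.IO.Path]::GetFileName($target).ToLowerInvariant()
            $note   = ''
            # An Unrestricted rule for a VBA host allows the application, but the rule says
            # nothing about what the macros running inside that application go on to do.
            if ($level -eq 262144 -and $vbaHosts -contains $leaf) {
                $note = 'Allowed application hosts VBA; review macro settings for this app'
            }
            $findings += [PSCustomObject]@{
                Level = $levelNames[$level]
                Path  = $target
                Note  = $note
            }
        }
    }
    return $findings
}

Get-SrpPathRules | Format-Table -AutoSize
```

A path rule that allows winword.exe, as in the configuration described here, will show up with the note set, which is the cue to look at the Office macro policy rather than at the SRP alone.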
Given this configuration let’s see what we can do.