18

I've worked at places where the admins have disabled desktop personalization on Windows for settings like:

  • changing desktop background and lock screen images
  • local themes - no high contrast for example
  • fonts

What are the risks of these settings?

Bor
  • 8
    I worked at a company where the wallpapers were stored server-side and changed to put special events, training due, expected maintenance, things like that. – ThoriumBR Aug 20 '21 at 12:34
  • 8
    Receive ADA lawsuit if you don't allow it. – Joshua Aug 20 '21 at 17:01
  • 7
    You risk loss of productivity while I try to get around that limitation. I always try, sometimes succeed. – ixe013 Aug 20 '21 at 19:13
  • 7
    @Joshua ADA does not require that the USER is able to personalize their own desktop ... I'm sure any corp that had policies in place to enforce this could just as easily have allowances to those policies in which an ADMIN would change it to the user's preference given the correct circumstances. – CaffeineAddiction Aug 20 '21 at 20:27
  • 2
    @CaffeineAddiction: It would; but I've yet to run into a corporation that can do so reliably. – Joshua Aug 20 '21 at 20:33
  • 1
    Fonts have been used as a conduit for exploits; see here: https://security.stackexchange.com/questions/91347/how-can-a-font-be-used-for-privilege-escalation – JimmyJames Aug 22 '21 at 21:01
  • 1
    @ixe013: One place I worked in had everything locked down. One of the policies in the employee handbook explicitly called out trying to circumvent that locked-down-ed-ness as a grievous breach of the rules, punishable in the same way theft of intellectual policy might be. I was astounded. But, hey, they paid me twice a month... – Flydog57 Aug 23 '21 at 02:37

4 Answers

46

Changing them to other Windows defaults would pose no security risk.

Allowing people to install fonts or screensavers from third parties poses a HUGE security risk.

However, it's most likely these things are locked down not for security reasons but for conformity reasons. If you are rolling out thousands of computers, fewer options means fewer things to troubleshoot down the road. If you can't change the screen contrast, you will never get a phone call to tech support saying that the screen contrast is "broken".

More Information on Malicious Fonts

Glorfindel
CaffeineAddiction
  • I would like to know how screensavers are any more risk than any other third party program. (Perhaps they're not.) – Joshua Aug 20 '21 at 17:17
  • 8
    Can you clarify why installing fonts poses a "huge security risk"? – meriton Aug 20 '21 at 17:24
  • 16
    Screensavers are basically executables under Windows, and Windows' font system is regularly a victim of fairly grave vulnerabilities because it runs in highly privileged context (for legacy reasons) and likely contains quite a bit of legacy code. – Ginnungagap Aug 20 '21 at 17:40
  • 7
    @Joshua most managed IT environments don't allow the installation of *any* third party software by the end user. Needed apps for the job are pre-installed, everything else requires an admin password/special permission. So it's not that they're more dangerous than other third party applications, it's that they are third party applications to begin with – TCooper Aug 20 '21 at 18:05
  • 12
    @meriton: The ability to install fonts includes the ability to install raster fonts, which are renamed .dll files; hence the ability to dupe other accounts into running your code. – Joshua Aug 20 '21 at 18:07
  • 1
    @meriton see also: https://security.stackexchange.com/questions/41652/how-do-i-know-if-a-font-is-malicious – CaffeineAddiction Aug 20 '21 at 18:11
  • @Ginnungagap I think that's Joshua's point: If I can have both write and execute privileges (as in My Documents), a screen saver is no more dangerous than any software I download off the Internet. Whether a "Cute kittens" screen saver is more likely to be downloaded and run is hard to measure... – ixe013 Aug 20 '21 at 19:16
  • 5
    @ixe013 Sites that prohibit desktop customization also usually prohibit installing applications. And even if they don't, users tend to be more careful about downloading applications than screensavers (because they don't realize they're effectively the same). – Barmar Aug 20 '21 at 19:47
  • What is an installer other than a program that writes files to disk (and registry entries)? Word and Excel do that all the time. Without some dedicated software to watch for "installations", it is very hard to enforce. Unzip the portable app when you can, or point the installer to My Documents, sometimes with the help of the RunAsInvoker compatibility shim. FYI, here is how you run "install" a slow but complete Linux virtual machine without admin rights : https://superuser.com/a/1173654/84632 – ixe013 Aug 20 '21 at 19:58
  • 2
    @Joshua A screensaver is just a cute name for a keylogger, so far as malware authors are concerned. – alephzero Aug 21 '21 at 00:15
  • 1
    In older Windows, a fun trick to bypass security measures was to replace login.scr with cmd.exe, reboot and wait five minutes. The login screensaver would kick in, opening a nice administrator command prompt for you :-) – Aaron F Aug 22 '21 at 11:46
  • @meriton Furthermore on Windows font rendering is done by the kernel. There are fonts that can cause a blue screen whenever something is rendered in the font. – AndreKR Aug 22 '21 at 18:29
  • Even without deliberate malice, fonts can still cause problems. Invalid fonts can cause application crashes, even BSODs. Source: decades of experience dealing with fonts in production DTP environments. As for screen savers, that's a no-brainer. Screen savers are .exe files. Allowing users to run arbitrary executable files from unknown sources in a business environment is extremely dumb. – barbecue Aug 22 '21 at 23:51
  • @meriton https://www.hoplite-tech.com/blog/why-cyber-criminals-love-font-files-in-windows – Alan B Aug 23 '21 at 09:15
  • For me forcing screen/screensaver is sometimes done for professional reasons. I personally was told by the IT that having a tux (linux penguin) peeing on the windows logo as a desktop background was not corporate and I should change it. I am a dev therefore they did not remove the admin rights because I need them. – f222 Aug 23 '21 at 12:55
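The point made in the comments above, that a screensaver or a raster font is an executable image under another extension, can be checked from the file header alone. The following is an added example, not code from the question, answers or comments; the function names and the sample bytes are constructed for illustration.

```python
import io
import os
import struct

# Extensions the thread singles out: screensavers (.scr) and raster fonts (.fon).
WATCHED_EXTENSIONS = {".scr", ".fon"}

def classify(stream):
    """Classify a binary stream as 'PE', 'NE', 'MZ' (DOS header only) or 'data'."""
    head = stream.read(0x40)
    if len(head) < 0x40 or head[:2] != b"MZ":
        return "data"
    # e_lfanew at offset 0x3C of the DOS header points to the newer header.
    (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
    stream.seek(e_lfanew)
    sig = stream.read(4)
    if sig == b"PE\x00\x00":
        return "PE"  # 32/64-bit Windows executable or DLL
    if sig[:2] == b"NE":
        return "NE"  # 16-bit "New Executable", the classic .fon container
    return "MZ"

def audit(root):
    """Return sorted (relative path, kind) for watched files that are executable images."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WATCHED_EXTENSIONS:
                continue
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                kind = classify(fh)
            if kind != "data":
                findings.append((os.path.relpath(path, root), kind))
    return sorted(findings)

def constructed_sample(signature):
    """Build a minimal constructed header (not a loadable binary) for the demo."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    return dos + signature

if __name__ == "__main__":
    print(classify(io.BytesIO(constructed_sample(b"PE\x00\x00"))))
    print(classify(io.BytesIO(constructed_sample(b"NE\x05\x01"))))
    print(classify(io.BytesIO(b"plain text, not a program" * 4)))
```

Pointing `audit` at a user-writable folder such as a profile directory lists every `.scr` or `.fon` file there that carries an executable header.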
22

Sometimes blocking desktop personalisation can be an HR issue rather than a security one. For example, if you allow people to set their own backgrounds, sooner or later someone is going to set something that's a bit risque, or that someone else in the organisation finds offensive - meaning you then need to introduce policies about what is and isn't acceptable, and have arguments about all the edge cases. Better to just block it and avoid the whole issue.

Some environments will also use the desktop background to provide information to the user. This might be with something like BgInfo to show system details, or giving administrative accounts a red background to make them stand out, or showing the classification level of the system. If you're doing that sort of thing, then obviously you don't want users changing it.

Gh0stFish
  • 5
    BgInfo and other enforced backgrounds can speed up support calls considerably. Need common machine information? Always right where you need it, one click, visible in screen shots, easy for the user to read back to you, etc... So handy. It can help speed up diagnosis and troubleshooting for security response as well. – Booga Roo Aug 21 '21 at 14:03
13

There is a technical reason and a psychological reason to prevent personalisation of an admin account:

Technology

Malware used to play with personalization settings to hide their activities - by blocking these changes, the user (the admin) can be more aware of things trying to change the environment. However, it's been years since I've seen malware do this, so I do not know how relevant it is today.

Psychology

By forcing a "plain" environment, it forces the person into a certain mindset. The admin is reminded that they are on a special-purpose account and that can remind the person about how the account is supposed to be used. If someone changes their admin account to match their user account, it can become easy to forget which account one is on.

It also triggers different behavior. Studies show that when someone dresses like a certain skilled professional (doctor, dentist, mechanic, etc.) the person actually performs better in the technical tasks of that profession, even if the person is not specifically trained in those skills. And it goes both ways. If the skilled professional is not dressed in their typical way, then they score a little worse in the skills that they are trained in. Uniforms really do matter.

So, an "admin" UI helps the person remember to act, and actually act better, as an admin.

schroeder
  • 8
    Interesting studies - do you have a source for those? I'd love to see correlation excluded as in "people who are on average better in those professions also are wearing their uniforms just because they take their job seriously". Makes you wonder what the performance boosting developer uniform is^^ – Frank Hopkins Aug 21 '21 at 17:09
  • 2
    @FrankHopkins 10X developers like me wear blue shorts, a white tee-shirt, and are barefoot. If you are not wearing the same uniform, you are at best 8.3X. – emory Aug 23 '21 at 03:28
2

Personalisation can be used as a security mitigation.

Namely, it can be a mitigation against picture-in-picture attacks, in which an adversary attempts to trick the user into interacting with an image that pretends to be a trusted operating system window. When the style of the fake window doesn’t match the active system theme (or more generally: when it behaves in a way inconsistent with active personalisations), it will alert the user to the fact that it is not actually a real window. Locking the system theme to the default makes it harder to take advantage of this technique: picture-in-picture attacks are usually performed with the (often by necessity) blind assumption that the user did not change the default theme.

However, this mitigation is useless when the attacker can learn all the relevant personalisations, especially in targeted attacks. For the mitigation to work, it requires the user to be aware of the attack vector and to be able to recognise it. (It also requires applications to honour the user’s personalisations instead of shoving their branding in the user’s face like they so often like to do.) Anecdotal reports seem to indicate the mitigation is not particularly effective even in otherwise ideal circumstances:

“Well, we passed this screenshot around our entire information security department, and nobody could tell it’s a picture-in-picture attack. Can you?” they slid an 8.5×11 color print across the table.

“Of course!” I said, immediately relieved. I quickly grew gravely depressed as I realized the implications of the fact that they couldn’t tell the difference.

“How?” they demanded.

“It’s a picture of an IE7 browser running on Windows Vista in the transparent Aero Glass theme with a page containing a JPEG of an IE7 browser running on Windows XP in the Luna aka Fisher Price theme?” I pointed out.

“Oh. Huh.” they noted.

My thoughts of using browser personalization as an effective mitigation died that day.

Nevertheless, as feeble as this technique is, taking personalisation away denies the user the opportunity to apply it.

user3840170