
I was working on a laptop provided by my client and I wanted to disable JavaScript to get around an access control that was preventing me from using a certain application. Basically, instead of disabling logon, the app would pop an alert and redirect me to the logon page. Since JavaScript runs on the client (i.e., in the browser), the user has control over this sort of thing and can disable the JavaScript. No JS, no redirect.

Because the laptop wasn’t my own (again, it belonged to the client), there were certain restrictions placed on me via Group Policy Objects (GPO) on what I could or couldn’t do in the OS. One of these restrictions prevented me from simply disabling IE’s “Security Settings -> Custom Level… -> Scripting -> Active Scripting”. Bummer… but that’s not the end of the story. I really wanted that JS disabled.

I did some research and found some information on Microsoft’s Knowledge Base (support.microsoft.com/kb/182569) regarding registry settings to tweak Internet Settings. I opened regedit and got to work. In about 2 minutes I had disabled JavaScript and a few other items that made aspects of the assessment more … pleasant.

My point in writing this is two-fold:

  1. Don’t be stupid and use GPO to restrict users and then leave regedit available to them! Come on! People are smart and if they are determined and have even a small amount of clue, you, as the admin, are hosed. This is an issue of configuration management and workstation administration.
  2. DON’T USE CLIENT-SIDE TECHNOLOGY TO ENFORCE APPLICATION POLICY! If it’s on the client then the user can mess with it to her heart’s content! This is an issue with Secure Software Design and integrating security into the Software Development Life Cycle (SDLC).
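To make point 2 concrete, here is an added example (not code from the application in this post) that puts the weak pattern next to the corrected one and includes a check a developer can run in a test suite. The handler names, the `sid` cookie, the `/logon` path and the sample data are all assumptions made for illustration.

```javascript
// Constructed sample data: a session store and the protected page (hypothetical).
const SESSIONS = new Map([["s-1001", { user: "alice" }]]);
const REPORT_HTML = "<h1>Quarterly report</h1><p>Internal figures</p>";

// Parse a Cookie header ("a=1; b=2") into a plain object.
function parseCookies(header = "") {
  const out = {};
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// The only trustworthy decision point: the server looks the session up itself.
function isAuthenticated(req) {
  const sid = parseCookies(req.headers.cookie).sid;
  return sid !== undefined && SESSIONS.has(sid);
}

// Weak pattern: the protected body is always sent; an inline script is
// expected to bounce anonymous visitors to the logon page.
function clientSideGuard(req) {
  const guard = isAuthenticated(req)
    ? ""
    : '<script>alert("Please log on");location.href="/logon";</script>';
  return { status: 200, headers: { "Content-Type": "text/html" }, body: guard + REPORT_HTML };
}

// Corrected pattern: an anonymous request gets a redirect and an empty body,
// so nothing protected ever reaches the client.
function serverSideGuard(req) {
  if (!isAuthenticated(req)) {
    return { status: 302, headers: { Location: "/logon", "Cache-Control": "no-store" }, body: "" };
  }
  return { status: 200, headers: { "Content-Type": "text/html", "Cache-Control": "no-store" }, body: REPORT_HTML };
}

// What remains for a client that does not execute script: the response minus <script> elements.
function visibleWithoutScript(res) {
  return res.body.replace(/<script[\s\S]*?<\/script>/gi, "");
}

// Regression check: does an anonymous request receive the protected content?
function leaksToAnonymous(handler) {
  const res = handler({ url: "/report", headers: {} });
  return visibleWithoutScript(res).includes(REPORT_HTML);
}
```

`leaksToAnonymous(clientSideGuard)` returns `true` and `leaksToAnonymous(serverSideGuard)` returns `false`; the same check can be pointed at every protected route in a test suite.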
