RE: Tightening up security for quarantine script
From: Alan Melia (Melmac) (alanme_at_melmac.co.uk)
Date: 02/06/04
- In reply to: Pierre Dufresne: "Tightening up security for quarantine script"
To: "'Pierre Dufresne'" <pierre.dufresne@messf.gouv.qc.ca>, <focus-ms@securityfocus.com>
Date: Fri, 6 Feb 2004 14:41:32 -0000
So long as you allow your users to be admins of their laptops then there is
no way around this. The only possible way to prevent people messing with it
would be to place the script functionality into a compiled program. It
still would not stop them from deleting it but it would make the ability to
mess with the actions practically impossible for most users.
If you use VBScript then it should not be too painful to move the code to a
VB application.
This will not make it impossible but impracticable.
Alan Melia
SIE Engineer
Tel: +44 118 909 4236
Mobile: +44 781 771 0060
-----Original Message-----
From: Pierre Dufresne [mailto:pierre.dufresne@messf.gouv.qc.ca]
Sent: 05 February 2004 15:05
To: focus-ms@securityfocus.com
Subject: Tightening up security for quarantine script
Hi everybody,
When you use the quarantine functionality of Windows 2003, you need to
write and then distribute a script on the computers of the users that are
going to connect through a VPN.
This script is supposed to do some validations and then end with the
execution of a small utility called RQC.exe that sends an OK return code to
the VPN server.
In our environment, most of the users are local admins of their laptops and
are in a position to modify the script, thus bypassing the validation
process.
Has anybody been using this quarantine feature and given some thought to
how to protect the script?
Any comment would be appreciated.
Thanks