RE: Tightening up security for quarantine script

From: Alan Melia (Melmac) (alanme_at_melmac.co.uk)
Date: 02/06/04

    To: "'Pierre Dufresne'" <pierre.dufresne@messf.gouv.qc.ca>, <focus-ms@securityfocus.com>
    Date: Fri, 6 Feb 2004 14:41:32 -0000
    
    

    So long as you allow your users to be admins of their laptops then there is
    no way around this. The only possible way to prevent people messing with it
    would be to place the script functionality into a compiled program. It
    still would not stop them from deleting it but it would make the ability to
    mess with the actions practically impossible for most users.

    If you use VBScript then it should not be too painful to move the code to a
    VB application.

     This will not make it impossible but impracticable.

    Alan Melia
    SIE Engineer
    Tel: +44 118 909 4236
    Mobile: +44 781 771 0060

     
     

    -----Original Message-----
    From: Pierre Dufresne [mailto:pierre.dufresne@messf.gouv.qc.ca]
    Sent: 05 February 2004 15:05
    To: focus-ms@securityfocus.com
    Subject: Tightening up security for quarantine script

    Hi everybody,

    When you use the quarantine functionality of Windows 2003, you need to
    write and then distribute a script on the computers of the users that are
    going to connect through a VPN.

    This script is supposed to do some validations and then end with the
    execution of a small utility called RQC.exe that sends an OK return code to
    the VPN server.

    In our environment, most of the users are local admins of their laptops and
    are in a position to modify the script, thus bypassing the validation
    process.

    Has anybody been using this quarantine feature and given some thought to
    how to protect the script?

    Any comment would be appreciated.

    Thanks
