RE: services running in windows domain (winXP clients)

From: Triantafyllidis Christos (ctria_at_physics.auth.gr)
Date: 12/15/04

    Date: Wed, 15 Dec 2004 20:12:05 +0200 (EET)
    To: Burak Bayoglu <bayoglu@uekae.tubitak.gov.tr>
    
    

    As far as I know, trojans copy themselves into c:\windows or its
    subfolders. I don't think it is a good idea to set everyone - deny on
    c:\windows. :)

    Restricting execution means that I should know the trojans... (I don't
    know them all)

    F-Secure antivirus, fully updated, didn't find the trojan.

    Thanks for the help

    Christos Triantafyllidis

    On Wed, 15 Dec 2004, Burak Bayoglu wrote:

    > As far as I know, DCs only list the services on themselves and allow you to
    > configure the services policy for these ones. Another alternative is
    > that if you know the exact path where the executable of the trojan is
    > placed, you can use "File System" to give "everyone - deny" rights to
    > the file. You may need to create a dummy file on the DC to configure this
    > setting. Or you can restrict the execution of this program using GP
    > again. As a result, the service will not be run by the client next time.
    > As a better solution, you must use effective anti-virus software to
    > protect against well-known trojan and virus programs.
    >
    >
    > Burak BAYOGLU
    > TUBITAK UEKAE
    > Network Security
    > Senior Researcher
    > CISA, CISSP
    >
    >
    > -----Original Message-----
    > From: Christos Triantafyllidis [mailto:ctria@physics.auth.gr]
    > Sent: Thursday, December 09, 2004 11:41 PM
    > To: focus-ms@securityfocus.com
    > Subject: services running in windows domain (winXP clients)
    >
    >
    > Is there any way to allow only specific services to run on win
    > XP clients through domain group policy?
    >
    > The services rule in group policy allows configuration only of the
    > specified services.
    >
    > What if there is a Trojan (or any other unknown program for the
    > server group policy) that adds a service in Windows XP? Can we
    > possibly disable all services except the ones we want to run?
    >
    > Thanks,
    >
    > Christos Triantafyllidis
    >
    > - --
    > PGP key : http://tassadar.physics.auth.gr/~ctria/pgp_public_key.asc
    > MD5sum : *b426d395137af5d2a42c88840e131a5e
    > pgp_public_key.asc*
    ---------------------------------------------------------------------------
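
An added example, not code from either participant in this thread: since the Group Policy services node only configures services it already lists, one way to notice a service added by an unknown program is to audit each client's `sc qc` style output against an approved baseline. The baseline, the trimmed sample output and the service name `WinUpdSvc` are constructed for illustration.

```python
import re

# Constructed sample: trimmed `sc qc <name>` style output from one XP client.
SAMPLE = r"""
SERVICE_NAME: Dhcp
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k netsvcs

SERVICE_NAME: Spooler
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\WINDOWS\spoolsv.exe

SERVICE_NAME: WinUpdSvc
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\WINDOWS\system32\wupdsvc.exe
"""

# Hypothetical baseline: approved service name -> expected binary path.
BASELINE = {
    "dhcp": r"c:\windows\system32\svchost.exe -k netsvcs",
    "spooler": r"c:\windows\system32\spoolsv.exe",
}

FIELD = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$")

def parse_sc_qc(text):
    """Return {service_name: {field: value}} from `sc qc` style output."""
    services, current = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "SERVICE_NAME":
            current = services.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return services

def audit(text, baseline=BASELINE):
    """List (service, reason) for services that deviate from the baseline."""
    findings = []
    for name, cfg in sorted(parse_sc_qc(text).items()):
        expected = baseline.get(name.lower())
        if expected is None:
            findings.append((name, "not in baseline"))
        elif cfg.get("BINARY_PATH_NAME", "").lower() != expected:
            findings.append((name, "binary path changed"))
    return findings
```

Comparing the binary path as well as the name matters here because, as noted in the reply above, a trojan that drops itself under c:\windows cannot be caught by a path rule on that folder alone.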

