Re: Restricting cmd.exe access

From: John R Ellingsworth (jellings@mail.med.upenn.edu)
Date: 03/16/02


From: "John R Ellingsworth" <jellings@mail.med.upenn.edu>
To: "Rooster" <rooster@attrition.org>
Date: Sat, 16 Mar 2002 08:25:07 -0500


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

No. He says he wants to know the ramifications of "restricting
system access to cmd.exe". I read it as denying system account
cmd.exe access (which may not be possible), and which he pointed out
in a follow-up email.

It does work, for this exploit; if a user does not have specific
permissions to access cmd.exe (or any other command properly ACL'd),
then it won't launch as scripted because the user does not have
rights.

If you do allow user cmd access and test it, you'll see that it is
run from the account of that user.
So I think it best to only give access to the Administrator account.

This is an ideal ACL solution for a webserver.

Thanks,

John Ellingsworth
Project Leader
Virtual Curriculum

- ----- Original Message -----
From: "Rooster" <rooster@attrition.org>
To: "John R Ellingsworth" <jellings@mail.med.upenn.edu>
Cc: "Curious George" <chris@isabellelee.com>;
<security-basics@securityfocus.com>
Sent: Saturday, March 16, 2002 3:36 AM
Subject: Re: Restricting cmd.exe access

> i think you missed what he said. he wants to not allow SYSTEM from
> having access to the command shell.
>
> for the record, i don't think this will do what you want it to.
> first of all, you can't really deny system from anything, and
> second of all, it would just take a bit of code to pop up a command
> shell even if the exe itself is restricted.
>
> -=rooster=-
>
> On Wed, 13 Mar 2002, John R Ellingsworth wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Do it. Restrict access to Administrator only.
> >
> > I do it (am doing it right now) - no known problems.
> >
> > Test it out on a dev machine first if you have concerns.
> >
> > Thanks,
> >
> > John Ellingsworth
> > Project Leader
> > Virtual Curriculum
> >
> > - ----- Original Message -----
> > From: "Curious George" <chris@isabellelee.com>
> > To: <security-basics@securityfocus.com>
> > Sent: Tuesday, March 12, 2002 12:59 PM
> > Subject: Restricting cmd.exe access
> >
> >
> > >
> > >
> > > This is a slight offshoot of the scary site post. What
> > > are the potential ramifications of restricting "system"
> > > access to cmd.exe? My thought is with all the MS
> > > exploits that are gaining access via some service
> > > running in the system context, this would be a great
> > > way to mitigate the potential impact. Thoughts?
> > >
> > > I am also thinking, ok this is going to inhibit using the
> > > scheduler service under the system account to run
> > > local batches, as well as any stored procedure in
> > > SQL that accesses the command shell, but services
> > > could be run in another context and still have access
> > > to the command shell...
> > >
> > > Am I way off with this? Will this break something that I
> > > am just not seeing?
> > >
> > > TIA
> > > Curious.
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGPfreeware 6.5.8 for non-commercial use
> > <http://www.pgp.com>
> >
> > iQA/AwUBPI+7LQbexkNIm1OFEQJvAgCgrVNKa5ifP3fCF2j4WhPksOi3+osAn2Tm
> > bvJa+z2tVw1xiQmGgKWQEs26
> > =AWRF
> > -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBPJNHsgbexkNIm1OFEQKsygCg8cniyx8eIXjyn0i+Lm6jjbRffiIAoNvy
qf2h9ic6bydla+zllrlT2Brn
=yMQN
-----END PGP SIGNATURE-----
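
The ACL restriction discussed in this thread can be audited; the following is an added example, not part of the original messages, that lists every principal holding an execute right on cmd.exe and flags Allow entries outside an allow-list. The target list, the Administrators-only allow-list (taken from the recommendation above) and the English account name are assumptions.

```powershell
# Added example (not from the thread): report who may execute cmd.exe.
# Assumptions: the target list and the Administrators-only allow-list below,
# and English account names (localized systems use different names).
$targets = @("$env:SystemRoot\System32\cmd.exe")
$allowed = @('BUILTIN\Administrators')

# ExecuteFile (0x20) plus the generic bits that also imply execute:
# GENERIC_EXECUTE (0x20000000) and GENERIC_ALL (0x10000000).
$execMask = 0x20 -bor 0x20000000 -bor 0x10000000

$report = foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Not found: $path"
        continue
    }
    $acl = Get-Acl -LiteralPath $path
    foreach ($ace in $acl.Access) {
        # Skip ACEs that carry no execute right at all.
        if (([int]$ace.FileSystemRights -band $execMask) -eq 0) { continue }
        $who = $ace.IdentityReference.Value
        [pscustomobject]@{
            Path       = $path
            Owner      = $acl.Owner
            Principal  = $who
            Type       = $ace.AccessControlType   # Allow or Deny
            Inherited  = $ace.IsInherited
            Rights     = $ace.FileSystemRights
            # Flag Allow ACEs granted to anyone outside the allow-list.
            Unexpected = ($ace.AccessControlType -eq 'Allow') -and
                         ($allowed -notcontains $who)
        }
    }
}

# Unexpected grants first, so deviations from the intended ACL stand out.
$report | Sort-Object Unexpected -Descending | Format-Table -AutoSize
```

The report shows the ACEs on the file only; it does not expand group membership, so a flagged group still needs its members reviewed.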


