[Updates] Re: More Before-The-Fact-Isms II
From: Gordon Fecyk (gordonf_at_pan-am.ca)
Date: 01/22/05
- Next message: Gordon Fecyk: "Re: More Before-The-Fact-Isms II, blocking viruses and spyware thr"
- Previous message: Roger Abell [MVP]: "Re: GPO and password policies"
- In reply to: Gordon Fecyk: "More Before-The-Fact-Isms II, blocking viruses and spyware through NTFS"
- Next in thread: Karl Levinson [x y] mvp: "Re: [Updates] Re: More Before-The-Fact-Isms II"
- Reply: Karl Levinson [x y] mvp: "Re: [Updates] Re: More Before-The-Fact-Isms II"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 21 Jan 2005 17:56:44 -0600
I've run into a problem and a solution with locking down the Execute
permissions in %userprofile%. If the %userprofile% ACL is not the default
(with the current user having full control over everything), Win2K can't
save the user's profile when the user logs off. They also can't reload it.
The workaround uses the logon and logoff script local security policies.
Edit them by hitting Start / Run and typing gpedit.msc, or by actually
editing the domain or OU's group policy.
First I created two scripts and stored them in
%systemroot%\system32\GroupPolicy\user\scripts\logon and ..\logoff
respectively. They were:
logon.bat:
REM Replace the user's own ACE on the profile tree with Full Control, then
REM grant the narrowed rights set (xcacls.vbs spec digits; see cscript xcacls.vbs /? for the mapping).
cscript %systemroot%\system32\xcacls.vbs "%userprofile%" /T /E /Q /L /SPEC C /P "%userdomain%\%username%":F
cscript %systemroot%\system32\xcacls.vbs "%userprofile%" /T /E /Q /L /G "%userdomain%\%username%":12345789ABCD
logoff.bat:
REM Restore Full Control before Win2K writes the profile back, or the save fails.
cscript %systemroot%\system32\xcacls.vbs "%userprofile%" /T /E /Q /L /G "%userdomain%\%username%":F;F
logon.bat runs just after loading the profile but before launching any
network logon script or explorer.exe. logoff.bat runs after everything is
closed but before Win2K saves the user's settings.
Now if there were only a way to prevent the limited user from manually turning on
the Execute permissions or launching logoff.bat. Of course, most users won't
know how, if they're going to deliberately do that.
MAYBE a buffer overflow or similar exploit could cause some malicious code
to change the ACL back to its default, and then launch some executable
posing as a web graphic lurking in Temporary Internet Files. But that's
what "NX" and XP SP2 are for, right?
-- PGP key (0x0AFA039E): <http://www.pan-am.ca/consulting@pan-am.ca.asc> What's a PGP Key? See <http://www.pan-am.ca/free.html> GOD BLESS AMER, er, THE INTERNET. <http://vmyths.com/rant.cfm?id=401&page=4>
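As an added example that is not part of Gordon's post: a PowerShell check (assumes a PowerShell-era Windows with Get-Acl; the thread itself is Win2K and xcacls.vbs) that walks %userprofile% and lists every Allow ACE for the logged-on account that still carries Execute File / Traverse Folder. This is how an administrator would confirm that the logon.bat lockdown held, or notice that it was reverted.

```powershell
# Added example, not from the original post. Audits a profile tree for ACEs
# that still grant ExecuteFile (Traverse Folder on directories) to the
# interactive user. $ProfileRoot and $Account default to the environment.
param(
    [string]$ProfileRoot = $env:USERPROFILE,
    [string]$Account     = "$env:USERDOMAIN\$env:USERNAME"
)

function Get-ExecutableGrants {
    param([string]$Root, [string]$Identity)
    # Root object plus everything below it, hidden files included.
    $items = @(Get-Item -LiteralPath $Root) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            # Only Allow ACEs for the account of interest matter here;
            # -ne is case-insensitive, so DOMAIN\User and domain\user match.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IdentityReference.Value -ne $Identity) { continue }
            # FullControl and ReadAndExecute both include the ExecuteFile bit.
            $exec = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
            if (($ace.FileSystemRights -band $exec) -ne 0) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

$hits = @(Get-ExecutableGrants -Root $ProfileRoot -Identity $Account)
if ($hits.Count -gt 0) {
    Write-Warning ("{0} object(s) under {1} still grant Execute to {2}" -f $hits.Count, $ProfileRoot, $Account)
    $hits | Format-Table -AutoSize
} else {
    Write-Output "No Execute grants for $Account under $ProfileRoot"
}
```

Run it from the logon script after the xcacls.vbs calls and a non-empty result means the lockdown did not apply to part of the tree; run it at any later time and a non-empty result means something put Execute back.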