Re: [Updates] Re: More Before-The-Fact-Isms II
From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 01/22/05
- Next message: Judy: "Re: SPYWARE"
- Previous message: Karl Levinson [x y] mvp: "Re: More Before-The-Fact-Isms II, blocking viruses and spyware thr"
- In reply to: Gordon Fecyk: "[Updates] Re: More Before-The-Fact-Isms II"
- Next in thread: Gordon Fecyk: "Re: [Updates] Re: More Before-The-Fact-Isms II"
- Reply: Gordon Fecyk: "Re: [Updates] Re: More Before-The-Fact-Isms II"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 21 Jan 2005 22:30:21 -0500
"Gordon Fecyk" <gordonf@pan-am.ca> wrote in message
news:eMiemeBAFHA.3120@TK2MSFTNGP12.phx.gbl...
> I've run into a problem and a solution with locking down the Execute
> permissions in %userprofile%. If the %userprofile% ACL is not the default
> (with the current user having full control over everything), Win2K can't
> save the user's profile when the user logs off. They also can't reload it.
I think that might be a good and necessary thing. It might annoy the users,
but increased security often means reduced functionality. If the user can
save changes to the profile, then so can a virus running as user. Some
places specifically configure the profiles to be locked from being changed.
Would it be acceptable to have the users get their profiles the way they
want it, and then lock it down?
Are you sure the problem is with all rights [including execute] in the
entire user profile [and not just certain files]? I would expect the main
thing necessary is permissions on the ntuser*.* files in the root of the
profile, and I would be surprised if execute was necessary. When
troubleshooting ACL problems, I usually run filemon from
www.sysinternals.com to find out what specific permission on which specific
file is needed. Does doing that help you reduce what permissions need to
change, and could you just leave the permissions on those [presumably] few
files at the default? That should still be just as secure, as long as you
can leave the permissions on the default profile folder restricted.
> First I created two scripts and stored them in
> %systemroot%\system32\GroupPolicy\user\scripts\logon and ..\logoff
> respectively. They were:
>
> logon.bat:
> cscript %systemroot%\system32\xcacls.vbs "%userprofile%" /T /E /Q /L /SPEC C /P "%userdomain%\%username%":F
> cscript %systemroot%\system32\xcacls.vbs "%userprofile%" /T /E /Q /L /G "%userdomain%\%username%":12345789ABCD
I would be afraid to depend on logon batch files executing as users for
security. Logon scripts tend to fail or stop working from time to time and
you may never know it.
> logoff.bat:
> cscript %systemroot%\system32\xcacls.vbs "%userprofile%" /T /E /Q /L /G "%userdomain%\%username%":F;F
>
> logon.bat runs just after loading the profile but before launching any
> network logon script or explorer.exe. logoff.bat runs after everything is
> closed but before Win2K saves the user's settings.
>
> Now if there were only a way to prevent the limited user from manually
> turning on the Execute permissions or launching logoff.bat. Of course most
> users won't know how, if they're going to deliberately do that.
I think to be able to run those files, either you have to allow users to
modify the permissions on the entire profile folder, or try to run the batch
file under a different account. One way to do this might be to use
something like the runas command [either Microsoft's or a third party's] and
use Microsoft's script encoder or even a simple bat2exe utility to make sure
the password isn't stored in clear text in the script file. This is not
totally secure and uncrackable, but it might be secure enough for what
you're trying to do [secure against outsiders, not insiders].
Instead of putting the runas user password into the script, you can also use
Task Scheduler to create a scheduled task / icon, and use the technique here
so that the user doesn't have to know or enter the admin password. You can
schedule .JOB files to run at logon, but my Windows 2000 Task Scheduler
doesn't have an option for running scheduled tasks at logoff. Scheduled
tasks can be dragged and dropped across the network by browsing to remote
computers or possibly even to a shared network drive, although you may have
to edit the icon and re-enter the password either remotely or locally after
copying the file.
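As an added example that is not part of this thread and not code from either poster, the following PowerShell script does the lockdown the reply suggests: clear Execute (and the right to change permissions) for the user across the whole profile tree, but leave the ntuser*.* files in the profile root at full control so the profile can still be loaded and saved. It then lists any file where an ACE naming the account still grants Execute, as a quick check before resorting to filemon. The profile path C:\Documents and Settings\alice and the account CORP\alice are placeholders. PowerShell did not exist on Windows 2000, so this is for later Windows versions, and it must run with administrative rights rather than from a logon script running as the restricted user.

```powershell
# Added example, not from the original thread or its authors.
# Removes Execute File / Traverse Folder, Change Permissions and Take
# Ownership from one account's rights across a profile tree, then restores
# Full Control on the ntuser*.* files in the profile root only.
# ProfilePath and Account are assumed placeholders; run as an administrator.
param(
    [string]$ProfilePath = 'C:\Documents and Settings\alice',   # assumed
    [string]$Account     = 'CORP\alice'                         # assumed
)

$FSR = [System.Security.AccessControl.FileSystemRights]

function Find-ExecutableByAccount {
    param([string]$Root, [string]$Account)
    # Lists files where an Allow ACE naming this account directly (not via a
    # group ACE) still carries Execute File. Inherited ACEs are included.
    $exec = $FSR::ExecuteFile
    Get-ChildItem -LiteralPath $Root -Recurse -Force -File | ForEach-Object {
        $path = $_.FullName
        foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
            if ($ace.IdentityReference.Value -eq $Account -and
                $ace.AccessControlType -eq 'Allow' -and
                ([int]($ace.FileSystemRights -band $exec)) -ne 0) { $path; break }
        }
    }
}

$identity = New-Object System.Security.Principal.NTAccount($Account)

# Full Control minus the Execute bit. Change Permissions and Take Ownership
# are cleared as well, otherwise the user could grant Execute back.
$cleared    = $FSR::ExecuteFile -bor $FSR::ChangePermissions -bor $FSR::TakeOwnership
$restricted = [System.Security.AccessControl.FileSystemRights]($FSR::FullControl -bxor $cleared)

# Restricted ACE on the profile root, inherited by every subfolder and file.
$treeRule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $identity, $restricted, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -LiteralPath $ProfilePath
$acl.PurgeAccessRules($identity)      # drop the default explicit Full Control ACE
$acl.AddAccessRule($treeRule)
Set-Acl -LiteralPath $ProfilePath -AclObject $acl

# Remove explicit ACEs for the account further down the tree so the
# inherited restricted ACE is the one that applies everywhere.
Get-ChildItem -LiteralPath $ProfilePath -Recurse -Force | ForEach-Object {
    $a = Get-Acl -LiteralPath $_.FullName
    $explicit = $a.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $Account }
    if ($explicit) {
        $a.PurgeAccessRules($identity)
        Set-Acl -LiteralPath $_.FullName -AclObject $a
    }
}

# Exception: the registry hive files in the profile root keep Full Control.
$fileFull = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $identity, 'FullControl', 'None', 'None', 'Allow')
Get-ChildItem -LiteralPath $ProfilePath -Filter 'ntuser*' -Force -File | ForEach-Object {
    $a = Get-Acl -LiteralPath $_.FullName
    $a.AddAccessRule($fileFull)
    Set-Acl -LiteralPath $_.FullName -AclObject $a
}

# Report: only the ntuser*.* files should be listed.
Find-ExecutableByAccount -Root $ProfilePath -Account $Account
```

The check at the end only inspects ACEs that name the account itself; Execute granted through a group the user belongs to (Users, Everyone) would not show up, so inherited group ACEs on the parent folder still need to be reviewed separately. Because the script clears Change Permissions and Take Ownership, it cannot be undone by the user, which also means it must be run from an administrative context such as the scheduled-task approach described above rather than from the user's own logon script.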