Disabling Execute access in Documents and Settings?

From: Gordon Fecyk (gordonf_at_pan-am.ca)
Date: 06/19/04 

Date: Sat, 19 Jun 2004 15:48:29 -0500

Someone showed me a neat trick thattakes advantage of a recent IE6
cross-site scripting vulnerability. The trick successfully copied an
executable to %userprofile%\Start Menu\Programs\Startup.

Neat little trick, though the executable's still bound by the permissions of
the user logged on. But the area is writable and executable to the user in
question.

The obvious before-the-fact fixes include:

* System or Group Policy defining which executables may be run
* Disable scripting for the My Computer zone and stick to the "Classic"
Explorer Shell (Registry setting, either Policy or Default Profile)
* Disable personal program groups / Start Menu items (but does nothing if
script can write to HKEY_CURRENT_USER)

But nothing stops a user from manually downloading some executable and
running it from their desktop, My Documents, Home directory, etc.

It occurred to me that denying Execute permissions, for files only, for
non-Administrators within Documents and Settings would catch a lot more than
just scripting vulnerabilities, and still let folks use web content in
folders and run local HTML pages with scripts. For example, denying execute
permissions in %temp% would stop viruses in ZIP files.

By default, a user has Full Control over their own folder in Documents and
Settings. Is there a way to change this default? 

-- 
PGP key (0x0AFA039E): <http://www.pan-am.ca/consulting@pan-am.ca.asc>
What's a PGP Key?  See <http://www.pan-am.ca/free.html>
GOD BLESS AMER, er, THE INTERNET. <http://vmyths.com/rant.cfm?id=401&page=4>

Relevant Pages

  • Re: Cross Domain Scripting Vulnerability, Javascript
    ... The local computer zone in XP SP2 doesn't have permissions to execute ... >>> Microsoft Internet Explorer file:javascript: Cross Domain Scripting ... The web site has to know the exact path and name of the ...
    (microsoft.public.windows.inetexplorer.ie6.browser)
  • Re: possible to execute DOS commands without using "wscript.Shell"?
    ... ' now call the ShellExecute method, ... ' of the IShellDispatch2 class (this class is only ... ' operation: operation to execute ... -- torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway Administration scripting examples and an ONLINE version of the 1328 page Scripting Guide: ...
    (microsoft.public.scripting.vbscript)
  • Re: Execute a program with an administrative account
    ... > he uses a scanner program he receives a permission error. ... > tries to execute some task not permited to a basic account. ... > If I use the runas command how can I pass the password account to? ... -- torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway Administration scripting examples and an ONLINE version of the 1328 page Scripting Guide: ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Help on InvokeHelper function
    ... Any clue from anybody? ... Actually i am using IactiveScript Interface to do the scripting ... to execute the Invoke method. ...
    (microsoft.public.vc.atl)
  • Re: Create a word that returns its own name?
    ... The main trick is using "34 put" to print a quote mark, thereby trivially avoiding the problem of quoting a literal quote mark. ... In many other languages you can't have immediately executable code outside the context of some kind of named entity. ... Let's say you had to create a definition in order to execute it. ...
    (comp.lang.forth)