Re: Disabling Execute access in Documents and Settings?
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 06/20/04
- Previous message: Steven L Umbach: "Re: Safe mode"
- In reply to: Gordon Fecyk: "Disabling Execute access in Documents and Settings?"
- Next in thread: Gordon Fecyk: "Re: Disabling Execute access in Documents and Settings?"
- Reply: Gordon Fecyk: "Re: Disabling Execute access in Documents and Settings?"
Date: Sun, 20 Jun 2004 02:59:09 GMT
I like the idea about disabling execute for files only in a user profile, and it may be
helpful in locking down a computer to unauthorized application use, as many users do
that in their profile if their computer is configured to only allow them to write to
their profile by modifying NTFS permissions for everyone/users for the root/drive
folder.
Windows XP Pro of course uses Software Restriction Policies to control what can and
cannot be executed on a computer by a user. I don't know of any way to change the
default profile permissions assigned to a user when their profile is created, though
a startup script using fileacl may be able to configure to your needs as it seems to
have the ability to configure special permissions and it is an official MS support
tool now. I really like the fact that it has an inherit and protect switch that makes
some advanced folder configuration possible.
--- Steve
http://membres.lycos.fr/jfb/gb/gbtools/fileacl.htm
http://www.microsoft.com/downloads/details.aspx?FamilyID=723f64ea-34f0-4e6d-9a72-004d35de4e64&displaylang=en
"Gordon Fecyk" <gordonf@pan-am.ca> wrote in message
news:O4x096jVEHA.1656@TK2MSFTNGP09.phx.gbl...
> Someone showed me a neat trick that takes advantage of a recent IE6
> cross-site scripting vulnerability. The trick successfully copied an
> executable to %userprofile%\Start Menu\Programs\Startup.
>
> Neat little trick, though the executable's still bound by the permissions of
> the user logged on. But the area is writable and executable to the user in
> question.
>
> The obvious before-the-fact fixes include:
>
> * System or Group Policy defining which executables may be run
> * Disable scripting for the My Computer zone and stick to the "Classic"
> Explorer Shell (Registry setting, either Policy or Default Profile)
> * Disable personal program groups / Start Menu items (but does nothing if
> script can write to HKEY_CURRENT_USER)
>
> But nothing stops a user from manually downloading some executable and
> running it from their desktop, My Documents, Home directory, etc.
>
> It occurred to me that denying Execute permissions, for files only, for
> non-Administrators within Documents and Settings would catch a lot more than
> just scripting vulnerabilities, and still let folks use web content in
> folders and run local HTML pages with scripts. For example, denying execute
> permissions in %temp% would stop viruses in ZIP files.
>
> By default, a user has Full Control over their own folder in Documents and
> Settings. Is there a way to change this default?
>
> --
> PGP key (0x0AFA039E): <http://www.pan-am.ca/consulting@pan-am.ca.asc>
> What's a PGP Key? See <http://www.pan-am.ca/free.html>
> GOD BLESS AMER, er, THE INTERNET. <http://vmyths.com/rant.cfm?id=401&page=4>
>
>
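
The "deny Execute, for files only" permission discussed in this thread, as an added example that is not part of either poster's message: it uses PowerShell and the .NET ACL classes rather than fileacl, whose switches are not shown here. The function name, the scratch folder under %TEMP% and the use of the current account are assumptions for the demonstration.

```powershell
# Added example: deny "Execute File" to one account, for files only, under a folder.
# Add-DenyExecuteFilesOnly, $Path and $Account are hypothetical names for this sketch.
function Add-DenyExecuteFilesOnly {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Account
    )
    # ObjectInherit + InheritOnly is what the ACL editor calls "Files only":
    # the entry is inherited by files at every depth but never applies to the
    # folders themselves, so the account can still traverse and list them.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account,
        [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
        [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
        [System.Security.AccessControl.PropagationFlags]::InheritOnly,
        [System.Security.AccessControl.AccessControlType]::Deny)

    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Demonstration on a constructed scratch folder, not on a real profile.
$scratch = Join-Path $env:TEMP 'deny-exec-demo'
$sub     = Join-Path $scratch 'sub'
New-Item -ItemType Directory -Path $sub -Force | Out-Null

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Add-DenyExecuteFilesOnly -Path $scratch -Account $me

# A file copied into a subfolder picks up the inherited deny entry.
$probe = Join-Path $sub 'probe.exe'
Copy-Item -LiteralPath (Join-Path $env:SystemRoot 'System32\whoami.exe') -Destination $probe

# List the deny entries on the new file and whether they were inherited.
(Get-Acl -LiteralPath $probe).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, FileSystemRights, IsInherited

# The folder's own ACL carries the entry as inherit-only, so traversal still works.
Get-ChildItem -LiteralPath $scratch -Recurse | Select-Object FullName
```

An account that owns the folder or holds Full Control on it can rewrite the ACL and remove the deny entry, so the restriction only holds where that right is taken away as well.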