Counteracting White Scorpion's way

  1. #1
    kurt_der_koenig (the beign of authority) - Join Date: Jan 2004, Location: Pa, Posts: 567

    Counteracting White Scorpion's way

    ===========================================
    Preventing Someone from logging into System:
    Counteracting W.S. 's way
    ===========================================
    by kurt_der_koenig

    About a couple of weeks ago White Scorpion posted a tutorial on how to elevate your rights in XP (go here to see it: http://www.antionline.com/showthread...hreadid=264025 ).
    It was a nice one at that, very useful. But what about protecting ourselves against it,
    especially when we have users under us and don't want them to snoop around? I will try to
    show you certain steps to counteract such elevations. Nothing brand new here, but maybe an
    overview to help us in need.

    Preventing the use of RUN:

    This is one step to prevent the automatic running of cmd.exe, or any application for that
    matter, by using Run in the Start menu. While this will not prevent the use of the command
    prompt, it will help stem the automatic use of it. Remember to back up your registry as
    always. The steps are as follows:

    1> Go to Start > Run (ironic, isn't it)

    2> type Regedit

    3> Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    4> Create a DWORD by right clicking on the panel and by selecting new/DWORD

    5> Name this DWORD NoRun and give it the value of one (the number one, i.e. 1)

    Remember to do this in the account of the user you want this to affect. Of course, if you do
    it while in your account then it will only affect you and not the other users.

    Preventing the use of CMD.EXE

    This is the winner here. While disabling Run can prevent the user from launching
    cmd.exe off the bat, it does not prevent them from finding cmd.exe and running it to
    their heart's content. Same thing here as the last: editing the registry again. And as before,
    make sure you do this in their account, not yours.

    1> Go to Start > Run

    2> type Regedit

    3> Go to HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System

    4> Create a DWORD <method same as before> and name it DisableCMD

    5> Give it the value of one (1)

    While this narrows the possibilities down, it is not completely finished. The user
    can still create batch files (.bat) to dump commands into (i.e. at 10:30
    /interactive taskmgr, then naming the file with the extension .bat). The same goes for this as
    the last prevention (preventing cmd.exe), but instead of giving the value of 1, you will
    use 2. This will also block cmd.exe along with the usage of batch files.

    To automate this, create a simple registry file. Creating this can also help you fix things if
    your user has changed or deleted the values, by putting this in the startup (change the permissions
    so they cannot delete it).

    Code:
    Windows Registry Editor Version 5.00

    ; Block cmd.exe for this user (value 2, as chosen above); stored as a DWORD, not a string
    [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
    "DisableCMD"=dword:00000002

    ; Remove Run from this user's Start menu
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoRun"=dword:00000001

    Link (source learned from):
    http://www.windowsitpro.com/Windows/...834/38834.html

  2. #2
    Nice tutorial Kurt

    Just one thing:

    What I would do if I worked on such a system: copy cmd.exe to another location,
    then open it up with a hex editor, scroll down until you find the string
    DisableCMD.
    Directly after this string you will see an address pointing to a value in the registry. Change one or two characters in this address, e.g. Microsoft --> Microzoft. Save the cmd.exe and run it. Now it won't be blocked anymore!

    Don't think I am trying to pull down the value of your tutorial, this is not my intention, but I just want to point out that that isn't safe either.

    I would suggest disabling the Scheduler service; this will block this possibility of elevating your rights...

  3. #3
    kurt_der_koenig (the beign of authority) - Join Date: Jan 2004, Location: Pa, Posts: 567
    Quote:
    don't think i am trying to pull down the value of your tutorial, this is not my intention, but i just want to point out that that isn't safe either.

    I don't take offense to that. Actually I learned from this and I thank you, lol. I just wanted to put out a basic protection from this, that's all.

    kurt

  4. #4
    ********** |ceWriterguy - Join Date: Aug 2004, Posts: 1,608
    Kurt, I'd give ya greenies for that but I gotta spread 'em around more before I can. This is a huge help! thanks.
    Even a broken watch is correct twice a day.

    Which coder said that nobody could outcode Microsoft in their own OS? Write a bit and make a fortune!

  5. #5
    Quote:
    I don't take offense to that. Actually I learned from this and I thank you lol. I just wanted to put out a basic protection from this- thats all.

    kurt

    I'm glad you are not offended.

    Also, another thing I would like to add: disable access to registry tools, since it will allow a user to reset your restrictions if it is accessible.

    (BTW, that trick I showed you with cmd.exe also works with regedit.exe and taskmgr.exe.)
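An audit script for the per-user values set in post #1 and suggested in post #5, plus the Scheduler service that post #2 suggests disabling; this is an added example, not code from the thread. Beyond the registry paths quoted in the posts it assumes the DisableRegistryTools value under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System (the standard location of the "disable registry editing tools" policy), the Task Scheduler service name Schedule, and Windows PowerShell 3.0 or later.

```powershell
# Added example (not code from the thread): audit the per-user lockdown values
# discussed in posts #1, #2 and #5 and report what is still open.
# HKCU policies are per user, so run this in the session of the account being checked.
# Assumed beyond the posts: the DisableRegistryTools location and the service name 'Schedule'.
$Checks = @(
    @{ Name = 'NoRun';                Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' }
    @{ Name = 'DisableCMD';           Path = 'HKCU:\Software\Policies\Microsoft\Windows\System' }
    @{ Name = 'DisableRegistryTools'; Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' }
)

function Get-UserLockdownState {
    $state = [ordered]@{}
    foreach ($c in $Checks) {
        # A missing key or value means the restriction is not applied; treat it as 0.
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { [int]$item.($c.Name) } else { 0 }
        $state[$c.Name] = $value
    }
    # The 'at /interactive' trick relies on the Task Scheduler service, so record its state too.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Schedule'"
    $state['ScheduleState']     = if ($svc) { $svc.State }     else { 'NotFound' }
    $state['ScheduleStartMode'] = if ($svc) { $svc.StartMode } else { 'NotFound' }
    [pscustomobject]$state
}

function Test-UserLockdown {
    $s = Get-UserLockdownState
    $findings = @()
    if ($s.NoRun -ne 1)                { $findings += 'Run dialog still available (NoRun is not 1)' }
    if ($s.DisableCMD -notin 1, 2)     { $findings += 'cmd.exe not blocked (DisableCMD is 0 or absent)' }
    if ($s.DisableRegistryTools -lt 1) { $findings += 'regedit still available (DisableRegistryTools is 0 or absent)' }
    if ($s.ScheduleState -eq 'Running' -or $s.ScheduleStartMode -ne 'Disabled') {
        $findings += "Task Scheduler service is $($s.ScheduleState) (start mode $($s.ScheduleStartMode))"
    }
    [pscustomobject]@{ State = $s; Findings = $findings; Locked = ($findings.Count -eq 0) }
}

$report = Test-UserLockdown
$report.State | Format-List
if ($report.Locked) { 'All checked restrictions are in place.' } else { $report.Findings }
```

On current Windows versions the Task Scheduler service is a core component that built-in maintenance tasks depend on, so treat that finding as informational there rather than forcing the service off.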

  6. #6
    Senior Member - Join Date: Apr 2004, Posts: 1,130
    Also, you can prevent access to the Scheduler service through a GPO as described here:
    http://support.microsoft.com/default...b;en-us;314970

    Quote:
    Use a Group Policy Object
    You can use Windows 2000 Group Policy settings to deny users the ability to delete or create tasks. To do so, follow these steps:
    1. Start the Active Directory Users and Computers utility. To do this, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
    2. Right-click the domain or organizational unit where you want to create the Group Policy object (GPO), and then click Properties.
    3. Click the Group Policy tab, and then click New.
    4. Type a descriptive name for the GPO, and then press ENTER.
    5. Click Properties, and then click the Security tab.
    6. In the Name list, click the user or group that you want to prevent from having these Group Policy settings applied (if any), and then click to clear the following check boxes in the Allow column of the Permissions list: Read, Apply Group Policy.
    7. Click OK, and then click Edit.
    8. Under User Configuration, expand Administrative Templates, expand Windows Components, and then click Task Scheduler.
    9. In the right pane, double-click Disable Task Deletion.
    10. Click Enabled, and then click OK.
    11. Quit the Group Policy dialog box, and then click Close.

    Maybe the easiest way, since you can run commands from several sources. This way you just
    block access to the Task Scheduler for anyone you want.
    I'm a GPO fan.
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  7. #7
    Yes, that would be an even better solution...

  8. #8
    kurt_der_koenig (the beign of authority) - Join Date: Jan 2004, Location: Pa, Posts: 567
    Well cacosapo, that would be better, but if I remember right Home Edition does not have this GPO! Of course I have Professional and not HE.
    Quote:
    File-level access control - Any user with Administrator privileges can limit access to certain network resources, such as servers, directories, and files, using access control lists. Only Windows XP Professional supports file-level access control, mostly because this feature is typically implemented through Group Policy Objects, which are also not available in Home Edition.
    http://www.winsupersite.com/showcase...p_home_pro.asp

    So I must say, if they changed this then so be it, but I don't think so. HE users would be left out of this. So the registry editing would be the only available way.

  9. #9
    Yes Kurt, you're right, but technically the GPO is nothing more than a GUI front-end for setting these registry keys...

    And I also read of a possibility to "upgrade" Home to Pro with a couple of simple downloads...
    Unfortunately I can not remember where I have read this, but I think a bit of googling will sort that out.

  10. #10
    kurt_der_koenig (the beign of authority) - Join Date: Jan 2004, Location: Pa, Posts: 567
    Quote:
    and i also read of a possibility to "upgrade" home to pro with a couple of simple downloads...unfortunately i can not remember where i have read this, but i think a bit of googling will sort that out

    Yeah, I heard of that too. Ahh, the almighty Google, all hail; lol.
