-
December 1st, 2004, 08:29 PM
#1
Counteracting White Scorpion's way
===========================================
Preventing Someone from logging into System:
Counteracting W.S. 's way
===========================================
by kurt_der_koenig
About a couple of weeks ago White Scorpion posted a tutorial on how to elevate your rights in XP (go here to see it: http://www.antionline.com/showthread...hreadid=264025 ).
It was a nice one at that, very useful. But what about protecting ourselves against it?
Especially when we have users under us and don't want them to snoop around. I will try to
show you certain steps to counteract such elevations. Nothing brand new here, but maybe an
overview to help us in need.
Preventing the use of RUN:
This is one step to prevent the automatic running of cmd.exe, or any application for that
matter, by using Run in the Start menu. While this will not prevent the use of the command
prompt, it will help stem the automatic use of it. Remember to back up your registry as
always. The steps are as follows:
1> Go to Start > Run (ironic, isn't it)
2> Type Regedit
3> Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
4> Create a DWORD by right-clicking on the panel and selecting New > DWORD
5> Name this DWORD NoRun and give it the value of one (the number one, e.g. 1)
Remember to do this in the account of the user you want this to affect. Of course, if you do
this while in your account, then it will only affect you and not the other users.
Preventing the use of CMD.EXE
This is the winner here. While disabling Run can prevent the user from launching
cmd.exe off the bat, it does not prevent them from finding cmd.exe and running it to
their heart's content. Same thing here as the last, editing the registry again. And as before,
make sure you do this in their account, not yours.
1> Go to Start > Run
2> Type Regedit
3> Go to HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
4> Create a DWORD (same method as before) and name it DisableCMD
5> Give it the value of one (1)
While this narrows the possibilities down, it is not completely finished. The user
can still create batch files (.bat) to dump commands into (i.e. at 10:30
/interactive taskmgr, then naming it with the extension .bat). The same goes for this as
the last prevention (preventing cmd.exe), but instead of giving the value of 1, you will
use 2. This will block cmd.exe along with the usage of batch files.
To automate this, create a simple registry file. Creating this can also help you fix this if
your user has changed or deleted it, by putting this in the startup (change the permissions
so they cannot delete it).
Code:
Windows Registry Editor Version 5.00

; DisableCMD: 1 = block cmd.exe, 2 = block cmd.exe and batch files
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000002

; NoRun: 1 = remove Run from the Start menu
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
Link (source learned from):
http://www.windowsitpro.com/Windows/...834/38834.html
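An added example, not part of the original post: a PowerShell audit of the two policy values the tutorial sets, run as the restricted user, that reports a missing value and, more importantly, a value stored as the wrong type (a .reg line such as "DisableCMD"="2" writes a REG_SZ string, not the DWORD the tutorial describes). The allowed values and the check function are this example's own assumptions.

```powershell
# Policy values the tutorial sets, with the values it describes as valid.
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoRun';      Allowed = @(1) }          # 1 = remove Run from Start menu
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'
       Name = 'DisableCMD'; Allowed = @(1, 2) }       # 1 = block cmd.exe, 2 = also .bat files
)

# Hypothetical helper: returns one status line per policy value.
function Test-PolicyValue {
    param([string]$Path, [string]$Name, [int[]]$Allowed)

    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if (-not $key) { return "$Name : key $Path is missing (restriction not applied)" }
    if ($key.GetValueNames() -notcontains $Name) { return "$Name : value is missing" }

    # A DWORD is what the tutorial specifies; a REG_SZ "1" written by a malformed
    # .reg file is the most common reason the restriction does not take effect.
    $kind  = $key.GetValueKind($Name)
    $value = $key.GetValue($Name)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        return "$Name : stored as $kind, expected DWord (recreate it as a DWORD)"
    }
    if ($Allowed -notcontains $value) { return "$Name : unexpected value $value" }
    return "$Name = $value (OK)"
}

foreach ($c in $checks) { Test-PolicyValue @c }
```

Run it under the restricted account, since both keys live under HKEY_CURRENT_USER and the result is per user.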
-
December 1st, 2004, 08:47 PM
#2
Nice tutorial Kurt
Just one thing:
What I would do if I were working on such a system: copy cmd.exe to another location,
then open it up with a hex editor and scroll down until you find the string
directly after this string you will see an address pointing to a value in the registry. Change one or two characters in this address, e.g. Microsoft --> Microzoft. Save the cmd.exe and run it. Now it won't be blocked anymore!
Don't think I am trying to pull down the value of your tutorial, this is not my intention, but I just want to point out that that isn't safe either.
I would suggest disabling the scheduler service; this will block this possibility of elevating your rights...
-
December 1st, 2004, 09:21 PM
#3
Don't think I am trying to pull down the value of your tutorial, this is not my intention, but I just want to point out that that isn't safe either.
I don't take offense to that. Actually I learned from this and I thank you lol. I just wanted to put out a basic protection from this, that's all.
kurt
-
December 1st, 2004, 10:49 PM
#4
Kurt, I'd give ya greenies for that but I gotta spread 'em around more before I can. This is a huge help! thanks.
Even a broken watch is correct twice a day.
Which coder said that nobody could outcode Microsoft in their own OS? Write a bit and make a fortune!
-
December 2nd, 2004, 07:31 AM
#5
I don't take offense to that. Actually I learned from this and I thank you lol. I just wanted to put out a basic protection from this, that's all.
kurt
I'm glad you are not offended.
Also another thing I would like to add: disable access to registry tools, since it will allow a user to reset your restrictions if it is accessible.
(BTW, that trick I showed you with the cmd.exe also works with regedit.exe and taskmgr.exe.)
-
December 2nd, 2004, 01:37 PM
#6
Also, you can prevent access to the scheduler service through a GPO as described here:
http://support.microsoft.com/default...b;en-us;314970
Use a Group Policy Object
You can use Windows 2000 Group Policy settings to deny users the ability to delete or create tasks. To do so, follow these steps:
1. Start the Active Directory Users and Computers utility.
To do this, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Right-click the domain or organizational unit where you want to create the Group Policy object (GPO), and then click Properties.
3. Click the Group Policy tab, and then click New.
4. Type a descriptive name for the GPO, and then press ENTER.
5. Click Properties, and then click the Security tab.
6. In the Name list, click the user or group that you want to prevent from having these Group Policy settings applied (if any), and then click to clear the following check boxes in the Allow column of the Permissions list:
Read
Apply Group Policy
7. Click OK, and then click Edit.
8. Under User Configuration, expand Administrative Templates, expand Windows Components, and then click Task Scheduler.
9. In the right pane, double-click Disable Task Deletion.
10. Click Enabled, and then click OK.
11. Quit the Group Policy dialog box, and then click Close.
Maybe the easiest way, since you can run commands from several sources. This way you just
block access to the task scheduler for anyone you want.
I'm a GPO fan
My site
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt. If I die before I wake, I pray the Lord my soul to brake.
-
December 2nd, 2004, 10:28 PM
#7
yes, that would even be a better solution...
-
December 5th, 2004, 04:39 AM
#8
Well cacosapo, that would be better, but if I remember right Home Edition does not have this GPO! Of course I have Professional and not HE.
File-level access control - Any user with Administrator privileges can limit access to certain network resources, such as servers, directories, and files, using access control lists. Only Windows XP Professional supports file-level access control, mostly because this feature is typically implemented through Group Policy Objects, which are also not available in Home Edition.
http://www.winsupersite.com/showcase...p_home_pro.asp
So I must say, if they changed this then so be it, but I don't think so. HE users would be left out of this. So the registry editing would be the only available way.
-
December 5th, 2004, 12:19 PM
#9
Yes kurt, you're right, but technically the GPO is nothing more than a GUI front-end for setting these registry keys...
And I also read of a possibility to "upgrade" Home to Pro with a couple of simple downloads...
Unfortunately I cannot remember where I read this, but I think a bit of googling will sort that out.
-
December 6th, 2004, 03:14 AM
#10
And I also read of a possibility to "upgrade" Home to Pro with a couple of simple downloads... Unfortunately I cannot remember where I read this, but I think a bit of googling will sort that out.
Yeah I heard of that too. Ahh the almighty Google, all hail lol.