This is a slight off shoot of the scary site post. What
are the potential ramifications of restricting "system"
access to cmd.exe? My thought is with all the MS
exploits that are gaining access via some service
running in the system context, this would be a great
way to mitigate the potential impact. Thoughts?
I am also thinking, ok this is going to inhibit using the
scheduler service under the system account to run
local batches, as well as any stored procedure in
SQL that accesses the command shell, but services
could be run in another context and still have access
to the command shell...
Am I way off with this? Will this break something that I
am just not seeing?
TIA
Curious.