i think you missed what he said. he wants to not allow SYSTEM from having access to the command shell.
for the record, i don't think this will do what you want it to. first of all, you can't really deny system from anything, and second of all, it would just take a bit of code to pop up a command shell even if the exe itself is restricted.

-=rooster=-

On Wed, 13 Mar 2002, John R Ellingsworth wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Do it. Restrict access to Administrator only.
>
> I do it (am doing it right now) - no known problems.
>
> Test it out on a dev machine first if you have concerns.
>
> Thanks,
>
> John Ellingsworth
> Project Leader
> Virtual Curriculum
>
> - ----- Original Message -----
> From: "Curious George" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, March 12, 2002 12:59 PM
> Subject: Restricting cmd.exe access
>
>
> > This is a slight off shoot of the scary site post. What
> > are the potential ramifications of restricting "system"
> > access to cmd.exe? My thought is with all the MS
> > exploits that are gaining access via some service
> > running in the system context, this would be a great
> > way to mitigate the potential impact. Thoughts?
> >
> > I am also thinking, ok this is going to inhibit using the
> > scheduler service under the system account to run
> > local batches, as well as any stored procedure in
> > SQL that accesses the command shell, but services
> > could be run in another context and still have access
> > to the command shell...
> >
> > Am I way off with this? Will this break something that I
> > am just not seeing?
> >
> > TIA
> Curious.
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBPI+7LQbexkNIm1OFEQJvAgCgrVNKa5ifP3fCF2j4WhPksOi3+osAn2Tm
> bvJa+z2tVw1xiQmGgKWQEs26
> =AWRF
> -----END PGP SIGNATURE-----
>