Have you ever tried working from a computer that has cmd.exe disabled? "no known problems"?!? Just try walking an oblivious user through some troubleshooting steps on a computer where you can't have them type 'cmd' to bring up the DOS prompt! Now multiply that by 20,000 users.

This rapidly mutating thread started from a single website post that doesn't work for over 75% of the people that tried it. I haven't read any post that clearly states how it is a threat...and I am not sure it isn't just a smoke and mirror trick to freak people out. Shouldn't we be trying to figure out what it REALLY does, how it REALLY does it, and if it REALLY is a serious threat before we start making everyone's life hell over a webtrick?

I agree that security professionals should be more paranoid than the average tech worker, but we need to balance that with some good thorough thinking and planning! Or we end up annoying everyone for no reason and making enemies instead of educated allies. I think everyone will agree that educated allies are very beneficial when you really need to pull out the big guns over an issue that is expensive but really vital.

Douglas Gullett, CCNA, CCDA, CCNP

-----Original Message-----
From: John R Ellingsworth [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 13, 2002 3:49 PM
To: Curious George; [EMAIL PROTECTED]
Subject: Re: Restricting cmd.exe access

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Do it. Restrict access to Administrator only. I do it (am doing it right now) - no known problems. Test it out on a dev machine first if you have concerns.

Thanks,

John Ellingsworth
Project Leader
Virtual Curriculum

- ----- Original Message -----
From: "Curious George" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, March 12, 2002 12:59 PM
Subject: Restricting cmd.exe access

> This is a slight offshoot of the scary site post. What
> are the potential ramifications of restricting "system"
> access to cmd.exe? My thought is with all the MS
> exploits that are gaining access via some service
> running in the system context, this would be a great
> way to mitigate the potential impact. Thoughts?
>
> I am also thinking, ok this is going to inhibit using the
> scheduler service under the system account to run
> local batches, as well as any stored procedure in
> SQL that accesses the command shell, but services
> could be run in another context and still have access
> to the command shell...
>
> Am I way off with this? Will this break something that I
> am just not seeing?
>
> TIA
> Curious.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBPI+7LQbexkNIm1OFEQJvAgCgrVNKa5ifP3fCF2j4WhPksOi3+osAn2Tm
bvJa+z2tVw1xiQmGgKWQEs26
=AWRF
-----END PGP SIGNATURE-----
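
Added example, not written by any poster in this thread: a read-only PowerShell inventory of what depends on SYSTEM being able to run cmd.exe, covering the two breakage cases raised above (scheduled batch jobs under the system account and SQL stored procedures that shell out). It assumes a current Windows host with the ScheduledTasks module and the default SQL Server service names; the match pattern is a constructed heuristic and will produce some false positives.

```powershell
# Added example: changes nothing, only reports. Run elevated on a test machine first.
$cmdPath = Join-Path $env:SystemRoot 'System32\cmd.exe'

# Heuristic (assumption): a command line that mentions cmd/cmd.exe or a .bat/.cmd file.
$shellPattern = '(?i)\bcmd(\.exe)?\b|\.(bat|cmd)\b'

# 1. Who can execute cmd.exe today? Deny entries are listed too, since they win over Allow.
$execute = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile
'--- ACL entries on cmd.exe that include execute ---'
(Get-Acl -LiteralPath $cmdPath).Access |
    Where-Object { ([int]$_.FileSystemRights -band $execute) -ne 0 } |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
    Format-Table -AutoSize | Out-String

# 2. Scheduled tasks that run as SYSTEM and launch the command shell or a batch file.
'--- SYSTEM scheduled tasks that invoke cmd.exe or a batch file ---'
Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -in 'SYSTEM', 'NT AUTHORITY\SYSTEM', 'S-1-5-18' } |
    ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Non-exec actions (COM handlers) have no Execute property; they yield ' '.
            $line = "$($action.Execute) $($action.Arguments)"
            if ($line -match $shellPattern) {
                [pscustomobject]@{
                    Task    = $task.TaskPath + $task.TaskName
                    State   = $task.State
                    Command = $line.Trim()
                }
            }
        }
    } | Format-Table -AutoSize -Wrap | Out-String

# 3. Services running as LocalSystem whose image path goes through the shell.
'--- LocalSystem services started via cmd.exe or a batch file ---'
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' -and $_.PathName -match $shellPattern } |
    Select-Object Name, State, PathName |
    Format-Table -AutoSize -Wrap | Out-String

# 4. SQL Server engine services and their accounts. Stored procedures that shell out
#    (xp_cmdshell) run cmd.exe as this account, so LocalSystem here means they would break.
'--- SQL Server service accounts ---'
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -eq 'MSSQLSERVER' -or $_.Name -like 'MSSQL$*' } |
    Select-Object Name, State, StartName |
    Format-Table -AutoSize | Out-String
```

Empty sections mean nothing on that host matched the heuristic; it does not cover software that spawns cmd.exe internually at run time, which only testing on a dev machine will reveal.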