I have, and do, work from a machine that has cmd.exe disabled to Admin use only. If I need cmd, I have to log out. Better safe than sorry.

I recommended that it be tested on a development machine first, so as to minimize the type of headache you describe. Would an admin running a network of 20,000 users go and make this change in a production environment? Sheesh . . . I hope not. Setting ACLs can be trial & error; what may work for you may not work for another system.

I also think it is an annoying trick, similar to http://www.security7.ch.vu/, but again, better safe. . .

Thanks,

John Ellingsworth
Project Leader
Virtual Curriculum

----- Original Message -----
From: "Douglas Gullett" <[EMAIL PROTECTED]>
To: "John R Ellingsworth" <[EMAIL PROTECTED]>; "Curious George" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, March 15, 2002 1:23 PM
Subject: RE: Restricting cmd.exe access

> Have you ever tried working from a computer that has cmd.exe
> disabled? "no known problems"?!? Just try walking an oblivious
> user through some troubleshooting steps on a computer where you
> can't have them type 'cmd' to bring up the DOS prompt! Now
> multiply that by 20,000 users.
>
> This rapidly mutating thread started from a single website post
> that doesn't work for over 75% of the people that tried it. I
> haven't read any post that clearly states how it is a threat...and
> I am not sure it isn't just a smoke and mirror trick to freak
> people out.
>
> Shouldn't we be trying to figure out what it REALLY does, how it
> REALLY does it, and if it REALLY is a serious threat before we
> start making everyone's life hell over a webtrick?
>
> I agree that security professionals should be more paranoid than
> the average tech worker, but we need to balance that with some good
> thorough thinking and planning! Or we end up annoying everyone for
> no reason and making enemies instead of educated allies. I think
> everyone will agree that educated allies are very beneficial when
> you really need to pull out the big guns over an issue that is
> expensive but really vital.
>
> Douglas Gullett, CCNA, CCDA, CCNP
>
> -----Original Message-----
> From: John R Ellingsworth [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, March 13, 2002 3:49 PM
> To: Curious George; [EMAIL PROTECTED]
> Subject: Re: Restricting cmd.exe access
>
> Do it. Restrict access to Administrator only.
>
> I do it (am doing it right now) - no known problems.
>
> Test it out on a dev machine first if you have concerns.
>
> Thanks,
>
> John Ellingsworth
> Project Leader
> Virtual Curriculum
>
> ----- Original Message -----
> From: "Curious George" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, March 12, 2002 12:59 PM
> Subject: Restricting cmd.exe access
>
> > This is a slight offshoot of the scary site post. What
> > are the potential ramifications of restricting "system"
> > access to cmd.exe? My thought is with all the MS
> > exploits that are gaining access via some service
> > running in the system context, this would be a great
> > way to mitigate the potential impact. Thoughts?
> >
> > I am also thinking, ok this is going to inhibit using the
> > scheduler service under the system account to run
> > local batches, as well as any stored procedure in
> > SQL that accesses the command shell, but services
> > could be run in another context and still have access
> > to the command shell...
> >
> > Am I way off with this? Will this break something that I
> > am just not seeing?
> >
> > TIA
> > Curious.
