  1. #1


    URGENT: Stopping bat files, exe etc and userpasswords command

    Hi

    We had a student come in and run a batch file on our RDP server (which was set up for students to work outside college) which allowed him access to Active Directory.

    The batch file that ran had the following details:

    control userpasswords

    This allowed him to run an MMC with which he could view Active Directory.

    I have tried to look for the exe file that is being run, but can't find it. Googled the problem and did not come up with anything.

    I understand, and some may mention that because he has limited access rights he cannot do much, however I do not want anyone to run this command, bat or exe files.

    I have searched the forum but was unsuccessful in finding anything.

    Could someone shed some light on what can be done to stop this?

  2. #2

    Dos_Box

    Did he run it from a thumb drive? It sounds to me like there is a hole in your policies he is exploiting. Is he being disciplined as this is quite a serious offence under civil law y'know?

  3. #3
    ChrisH

    You should be looking for topics on software restriction policies and the file screen features of Server 2003 R2.

  4. #4

    Check your group policies. There is a setting in user policies under I think admin templates > Windows Components probably called Microsoft manage console or something similar that allows you to set what MMC snapins are available to anyone with that policy applied. Mine are set so that Teachers can access only the Active Directory Users and Computers so they can reset passwords. Pupils are restricted from starting ANY MMC snapin. They have no need to.

    That should cure your current problem but I would also advise carefully checking your permissions on AD OUs themselves. Even if a pupil could start an AD Users and Computers MMC on my network they still could not access any settings etc because they don't have permission to browse them. The teacher group has slightly higher permission to allow them to change passwords but in general only Techs and NMs should have AD access. In a default 2k3 installed domain I think only domain and enterprise admin groups have access to AD so you may have inherited some unwise changes to AD security.

  5. #5
    cookie_monster

    Teth, with access to the correct tools, users have read access to most of AD by default.

    frankybaloney, as mentioned above, you need to look at software restriction and, if you have R2, the FSRM features.

  6. #6
    comedydave

    Quote: Originally posted by cookie_monster
        Teth, with access to the correct tools, users have read access to most of AD by default.

        frankybaloney, as mentioned above, you need to look at software restriction and, if you have R2, the FSRM features.

    As he said, we have had some success with the blight of swf and exe games on our network.
    Even to the point we had to curb it back a bit because it was deleting .js files from students' OCR work.
    Not sure how well it works with virus*ahem*pen drives tho. I haven't really had a play with it yet.

  7. #7

    In combination with locking out all MMCs with group policy you should be covered tho.

    A software restriction policy to restrict executables to only running from locations you approve is a must I think too. Only our 6th form computing students are an exception to the policy that prevents running anything executable including Java, swf, bat, com, vbs, etc. from removable drives and home drives.

    They have a slightly different policy that allows them to run executables from a folder in their home space that only 6th form pupils can create and use. It's necessary for Pascal with Delphi and VB2005 projects. They don't tend to abuse it because there are only 23 of them in the school so tracking down an offender wouldn't take long.

    They are still banned from running installers of course.

    We put so much effort into restricting what they can do lol.

    On my list for tomorrow is preventing the Intel graphics options from being accessible by a student and resetting a room full of screens back to 1280x1024 instead of 800x600 which they worked out how to do on our new suite today.

  8. #8
    sahmeepee

    Out of interest, does restricting access to control panel via GPO block this, as "control" just launches control panel?

    Either way I'd hope that s/w restriction would sort it out for you.

  9. #9

    Your control panel is different entirely to MMC. Some of the items in control panel will start an MMC but it's not an MMC in itself so there are 2 separate sections of GP to configure to properly lock it up.

    An account with access to control panel fully restricted could still access disk management, services, computer management etc directly if they knew how to start an MMC and add the appropriate snapin unless you lock the snapins individually or the MMC as a whole.

  10. #10
    sahmeepee

    Quote: Originally posted by Teth
        Your control panel is different entirely to MMC. Some of the items in control panel will start an MMC but it's not an MMC in itself so there are 2 separate sections of GP to configure to properly lock it up.

        An account with access to control panel fully restricted could still access disk management, services, computer management etc directly if they knew how to start an MMC and add the appropriate snapin unless you lock the snapins individually or the MMC as a whole.

    Yeah, so blocking control panel should block this particular route (not verified that though) but obviously if they can run "mmc" and then add snapins they'll get to the same place. This is the recurring problem with group policies: they mostly stop people using a particular route to get to a setting rather than removing the right to change the setting itself.
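
Added example, not written by any poster in this thread: a PowerShell check, run inside the restricted user's session, that reports whether the MMC snap-in restrictions and the software restriction policy discussed above have actually reached that session. It assumes the settings are delivered by Group Policy to the standard policy registry locations named in the comments; `Get-PolicyValue` and `New-Check` are helper names invented for this example.

```powershell
# Added example. Run inside the restricted (student) session on the RDP server.
# Get-PolicyValue and New-Check are helper names invented for this example.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function New-Check {
    param([string]$Check, $Value, [bool]$Locked)
    $shown = $Value
    if ($null -eq $Value) { $shown = 'not configured' }
    [pscustomobject]@{ Check = $Check; Value = $shown; Locked = $Locked }
}

$mmcKey = 'HKCU:\Software\Policies\Microsoft\MMC'
$report = @()

# 1 = only snap-ins on the explicitly permitted list will load.
$v = Get-PolicyValue $mmcKey 'RestrictToPermittedSnapins'
$report += New-Check 'MMC: restrict to permitted snap-ins' $v ($v -eq 1)

# 1 = user cannot enter author mode, so cannot add snap-ins to an empty console.
$v = Get-PolicyValue $mmcKey 'RestrictAuthorMode'
$report += New-Check 'MMC: author mode blocked' $v ($v -eq 1)

# Per-snap-in subkeys are named by CLSID; Restrict_Run = 0 marks a permitted snap-in.
$permitted = @(Get-ChildItem $mmcKey -ErrorAction SilentlyContinue |
    Where-Object { (Get-PolicyValue $_.PSPath 'Restrict_Run') -eq 0 })
$report += New-Check 'MMC: no snap-ins permitted' $permitted.Count ($permitted.Count -eq 0)

# Software restriction policy, computer scope then user scope.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $key = "$hive\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    # DefaultLevel 0 = Disallowed (only approved locations run); 0x40000 = Unrestricted.
    $level = Get-PolicyValue $key 'DefaultLevel'
    $report += New-Check "SRP default level ($hive)" $level ($level -eq 0)
    # ExecutableTypes is the designated file types list; BAT must be on it to be covered.
    $types = @(Get-PolicyValue $key 'ExecutableTypes')
    $hasBat = $types -contains 'BAT'
    $report += New-Check "SRP covers .bat ($hive)" $hasBat $hasBat
}

$report | Format-Table -AutoSize
```

A "not configured" row for a student account means that setting has not reached the session, whatever the Group Policy console shows for the OU.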
