We have a problem on our net work with pupils trying to hack the school computers with the Net Commands.
Save a document in plan txt in office word 2003 containing a cmd command.com then save it as a .exe.Office file converts it to a command promt.
In cmd do this.
net user whatever /add
net localgroup administrator whatever /add
You can see that this gives a new user to the computer with local admin rights.
We have disabled cmd in GPO and have added command.com command.exe and cmd.exe in GP on the domain.
We cannot stop scripts running because of a kix scrip for loading the printers.
Any help please.
Do those commands actually successfully run? On what OS - XP or 2K? If so, I would be taking a good close look at what rights your users have, as there's no way they should be able to do that as a normal user. I'll double check tomorrow on one of our machines.
Thanks for the fast response.
Yes the commands run.
It's all over YouTube and is driving me mad.
I have disabled notepad.exe but how to stop office plain text edit?
You need to test it on your networks before the little angels do.
The computers have a default Admin user for us and are on the domain.
Could be why we get the odd BSD.
Theres no way that should work at all. There must be something wrong with your setup or access rights to allow users to add users to the local admin.
You need to use USBDLM to change your usb drives letters to the ones you set then use a software restriction policy on them. For your user areas you need to use R2s file filters. This will stop them running the scripts from USB drives and their home areas.
Last edited by ChrisH; 1st December 2008 at 12:02 AM.
You try it.
Login to computer as pupil with no admin or anything on the domain.
Open office save command.com in word office as whatever .exe.
office then converts to nice dos-exe little cmd. then run net commands on the domain.
Use example net commands of YouTube.
Log off domain.
Then login local with admin nice.
I get: A system error 5 occured, Access is denied.
Pupils have no admin or local rights on the computers.
Pupils should only login to the domain with no local login.
All pupils login on the domain and are members of the pupil user group.
The computer hard drives have default ms shares and no local users.
When the computers join the domain we add domain administrators.
Any help please.
Ok I think some details would be helpful here:
On the local machines who is listed under the local administrators group?
You shouldn't have to add domain admins to local admin this should be done automatically.
To stop scripts being run take the steps I have already said.
Get USBDLM setup and configured on all the machines.
Use a software restriction policy to deny all executable files on these devices.
If you dont have R2 on your file server get it! It makes life easier. In the mean time use another SRP on their home areas.
I will check this in the morning as I have to be in bed before midnight or I turn into a pumpkin
All ok it was a teachers password.
Pupil login then makes local account for later.
Only probelm is stopping pupils making command.com bat files for cmd access
In office2003 word.
Stop them using the methods I have mentioned. Also teachers with admin?
Last edited by SYNACK; 1st December 2008 at 01:58 PM.
There are currently 1 users browsing this thread. (0 members and 1 guests)