+ Post New Thread
Results 1 to 14 of 14
Windows Thread, Net commands Help in Technical; We have a problem on our net work with pupils trying to hack the school computers with the Net Commands. ...
  1. #1
    eric.777's Avatar
    Join Date
    Mar 2007
    Location
    .
    Posts
    12
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Thumbs down Net commands Help

    We have a problem on our net work with pupils trying to hack the school computers with the Net Commands.
    Examples
    Save a document in plan txt in office word 2003 containing a cmd command.com then save it as a .exe.Office file converts it to a command promt.
    In cmd do this.
    net user whatever /add
    net localgroup administrator whatever /add
    You can see that this gives a new user to the computer with local admin rights.

    We have disabled cmd in GPO and have added command.com command.exe and cmd.exe in GP on the domain.
    We cannot stop scripts running because of a kix scrip for loading the printers.

    Any help please.

  2. #2

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    15,755
    Thank Post
    825
    Thanked 1,661 Times in 1,446 Posts
    Blog Entries
    11
    Rep Power
    441
    Quote Originally Posted by eric.777 View Post
    We have a problem on our net work with pupils trying to hack the school computers with the Net Commands.
    Examples
    Save a document in plan txt in office word 2003 containing a cmd command.com then save it as a .exe.Office file converts it to a command promt.
    In cmd do this.
    net user whatever /add
    net localgroup administrator whatever /add
    You can see that this gives a new user to the computer with local admin rights.

    We have disabled cmd in GPO and have added command.com command.exe and cmd.exe in GP on the domain.
    We cannot stop scripts running because of a kix scrip for loading the printers.

    Any help please.
    In group policy block .exe, .cmd, .bat in all paths. then allow to run them files from the location of your scripts.

  3. #3
    joe90bass's Avatar
    Join Date
    Oct 2007
    Location
    S Wales
    Posts
    1,349
    Thank Post
    322
    Thanked 107 Times in 96 Posts
    Rep Power
    50
    Quote Originally Posted by eric.777 View Post
    We have a problem on our net work with pupils trying to hack the school computers with the Net Commands.
    Examples
    Save a document in plan txt in office word 2003 containing a cmd command.com then save it as a .exe.Office file converts it to a command promt.
    In cmd do this.
    net user whatever /add
    net localgroup administrator whatever /add
    You can see that this gives a new user to the computer with local admin rights.

    We have disabled cmd in GPO and have added command.com command.exe and cmd.exe in GP on the domain.
    We cannot stop scripts running because of a kix scrip for loading the printers.

    Any help please.
    The last I heard of that vulnerability was in NT Pre one of the SPs (can't remember which!)

    Do those commands actually successfully run? On what OS - XP or 2K? If so, I would be taking a good close look at what rights your users have, as there's no way they should be able to do that as a normal user. I'll double check tomorrow on one of our machines.

  4. #4
    eric.777's Avatar
    Join Date
    Mar 2007
    Location
    .
    Posts
    12
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Thumbs down Net Commands

    Thanks for the fast response.

    Yes the commands run.
    It's all over YouTube and is driving me mad.
    I have disabled notepad.exe but how to stop office plain text edit?
    You need to test it on your networks before the little angels do.
    The computers have a default Admin user for us and are on the domain.
    Could be why we get the odd BSD.

  5. #5
    ChrisH's Avatar
    Join Date
    Jun 2005
    Location
    East Lancs
    Posts
    4,995
    Thank Post
    120
    Thanked 279 Times in 257 Posts
    Rep Power
    106
    Theres no way that should work at all. There must be something wrong with your setup or access rights to allow users to add users to the local admin.
    You need to use USBDLM to change your usb drives letters to the ones you set then use a software restriction policy on them. For your user areas you need to use R2s file filters. This will stop them running the scripts from USB drives and their home areas.
    Last edited by ChrisH; 30th November 2008 at 11:02 PM.

  6. #6
    eric.777's Avatar
    Join Date
    Mar 2007
    Location
    .
    Posts
    12
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Thumbs down

    You try it.
    Login to computer as pupil with no admin or anything on the domain.
    Open office save command.com in word office as whatever .exe.
    office then converts to nice dos-exe little cmd. then run net commands on the domain.
    Use example net commands of YouTube.
    Log off domain.
    Then login local with admin nice.

  7. #7
    DMcCoy's Avatar
    Join Date
    Oct 2005
    Location
    Isle of Wight
    Posts
    3,421
    Thank Post
    10
    Thanked 486 Times in 426 Posts
    Rep Power
    110
    I get: A system error 5 occured, Access is denied.

  8. #8
    ChrisH's Avatar
    Join Date
    Jun 2005
    Location
    East Lancs
    Posts
    4,995
    Thank Post
    120
    Thanked 279 Times in 257 Posts
    Rep Power
    106
    Quote Originally Posted by DMcCoy View Post
    I get: A system error 5 occured, Access is denied.
    That is what I just got as well. The script would not run on our system as I have taken the steps I outlined above. I am willing to bet that even though your users have GPOs set on them to alter things (an admin can still have GPOs set on them) you normal domain users are already local admins for some reason. This is sometimes done by lazy admins when they cant get software to work for normal users.

  9. #9
    eric.777's Avatar
    Join Date
    Mar 2007
    Location
    .
    Posts
    12
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Thumbs down

    Pupils have no admin or local rights on the computers.
    Pupils should only login to the domain with no local login.
    All pupils login on the domain and are members of the pupil user group.
    The computer hard drives have default ms shares and no local users.
    When the computers join the domain we add domain administrators.
    Any help please.

  10. #10
    ChrisH's Avatar
    Join Date
    Jun 2005
    Location
    East Lancs
    Posts
    4,995
    Thank Post
    120
    Thanked 279 Times in 257 Posts
    Rep Power
    106
    Ok I think some details would be helpful here:

    Server OS?
    On the local machines who is listed under the local administrators group?

    You shouldn't have to add domain admins to local admin this should be done automatically.

    To stop scripts being run take the steps I have already said.
    Get USBDLM setup and configured on all the machines.
    Use a software restriction policy to deny all executable files on these devices.
    If you dont have R2 on your file server get it! It makes life easier. In the mean time use another SRP on their home areas.

    I will check this in the morning as I have to be in bed before midnight or I turn into a pumpkin

  11. #11
    eric.777's Avatar
    Join Date
    Mar 2007
    Location
    .
    Posts
    12
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Smile

    All ok it was a teachers password.
    Pupil login then makes local account for later.
    Only probelm is stopping pupils making command.com bat files for cmd access
    In office2003 word.

  12. #12
    ChrisH's Avatar
    Join Date
    Jun 2005
    Location
    East Lancs
    Posts
    4,995
    Thank Post
    120
    Thanked 279 Times in 257 Posts
    Rep Power
    106
    Stop them using the methods I have mentioned. Also teachers with admin?

  13. #13

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    10,984
    Thank Post
    850
    Thanked 2,650 Times in 2,250 Posts
    Blog Entries
    9
    Rep Power
    763
    Quote Originally Posted by eric.777 View Post
    All ok it was a teachers password.
    Pupil login then makes local account for later.
    Only probelm is stopping pupils making command.com bat files for cmd access
    In office2003 word.
    This should be disabled in Group policy for the users:

    User Configuration > Administrative Templates > System > Prevent access to the Command Prompt : Enabled

    Edit: giving teachers admin rights is like giving terrorists nuclear weapons
    Last edited by SYNACK; 1st December 2008 at 12:58 PM.

  14. #14

    SpuffMonkey's Avatar
    Join Date
    Jul 2005
    Posts
    2,224
    Thank Post
    54
    Thanked 276 Times in 184 Posts
    Rep Power
    133
    Quote Originally Posted by SYNACK View Post
    This should be disabled in Group policy for the users:

    User Configuration > Administrative Templates > System > Prevent access to the Command Prompt : Enabled

    Edit: giving teachers admin rights is like giving terrorists nuclear weapons
    Alas we've found that that GPO does not disable access to command.com - as it is an old 16 bit prog - unfortunately necessary for some nacky old programs we still have to run.

SHARE:
+ Post New Thread

Similar Threads

  1. PHP commands
    By Silverman in forum Web Development
    Replies: 10
    Last Post: 3rd June 2008, 03:24 PM
  2. script commands
    By chalkwellstu in forum Scripts
    Replies: 16
    Last Post: 29th January 2008, 04:08 PM
  3. Server 2003 run commands.
    By starscream in forum Wireless Networks
    Replies: 3
    Last Post: 26th June 2007, 10:49 AM
  4. VLAN Simulator - Commands
    By Nij.UK in forum Wireless Networks
    Replies: 1
    Last Post: 20th February 2007, 01:27 PM
  5. unix and sql commands
    By danIT in forum General Chat
    Replies: 9
    Last Post: 14th February 2007, 01:19 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •