Sign in with
Sign up | Sign in
Your question

Disabling Execute access in Documents and Settings?

Tags:
Last response: in Windows 2000/NT
Share
Anonymous
June 19, 2004 7:48:29 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Someone showed me a neat trick thattakes advantage of a recent IE6
cross-site scripting vulnerability. The trick successfully copied an
executable to %userprofile%\Start Menu\Programs\Startup.

Neat little trick, though the executable's still bound by the permissions of
the user logged on. But the area is writable and executable to the user in
question.

The obvious before-the-fact fixes include:

* System or Group Policy defining which executables may be run
* Disable scripting for the My Computer zone and stick to the "Classic"
Explorer Shell (Registry setting, either Policy or Default Profile)
* Disable personal program groups / Start Menu items (but does nothing if
script can write to HKEY_CURRENT_USER)

But nothing stops a user from manually downloading some executable and
running it from their desktop, My Documents, Home directory, etc.

It occurred to me that denying Execute permissions, for files only, for
non-Administrators within Documents and Settings would catch a lot more than
just scripting vulnerabilities, and still let folks use web content in
folders and run local HTML pages with scripts. For example, denying execute
permissions in %temp% would stop viruses in ZIP files.

By default, a user has Full Control over their own folder in Documents and
Settings. Is there a way to change this default?

--
PGP key (0x0AFA039E): <http://www.pan-am.ca/consulting@pan-am.ca.asc&gt;
What's a PGP Key? See <http://www.pan-am.ca/free.html&gt;
GOD BLESS AMER, er, THE INTERNET. <http://vmyths.com/rant.cfm?id=401&page=4&gt;
Anonymous
June 20, 2004 6:59:09 AM

Archived from groups: microsoft.public.win2000.security (More info?)

I like the idea about disabling execute for files only in a user profile and may be
helpful in locking down a computer to unauthorized application use as many users do
that in their profile if their computer is configured to only allow them to write to
their profile by modifying ntfs permissions for everyone/users for the root/drive
folder.

Windows XP Pro of course uses Software Restriction Policies to control what can and
can not be executed on a computer by a user. I don't know of any way to change the
default profile permissions assigned to a user when their profile is created, though
a startup script using fileacl may be able to configure to your needs as it seems to
have the ability to configure special permissions and it is an official MS support
tool now. I really like the fact that it has an inherit and protect switch that makes
some advanced folder configuration possible. --- Steve

http://membres.lycos.fr/jfb/gb/gbtools/fileacl.htm
http://www.microsoft.com/downloads/details.aspx?FamilyI...

"Gordon Fecyk" <gordonf@pan-am.ca> wrote in message
news:o 4x096jVEHA.1656@TK2MSFTNGP09.phx.gbl...
> Someone showed me a neat trick thattakes advantage of a recent IE6
> cross-site scripting vulnerability. The trick successfully copied an
> executable to %userprofile%\Start Menu\Programs\Startup.
>
> Neat little trick, though the executable's still bound by the permissions of
> the user logged on. But the area is writable and executable to the user in
> question.
>
> The obvious before-the-fact fixes include:
>
> * System or Group Policy defining which executables may be run
> * Disable scripting for the My Computer zone and stick to the "Classic"
> Explorer Shell (Registry setting, either Policy or Default Profile)
> * Disable personal program groups / Start Menu items (but does nothing if
> script can write to HKEY_CURRENT_USER)
>
> But nothing stops a user from manually downloading some executable and
> running it from their desktop, My Documents, Home directory, etc.
>
> It occurred to me that denying Execute permissions, for files only, for
> non-Administrators within Documents and Settings would catch a lot more than
> just scripting vulnerabilities, and still let folks use web content in
> folders and run local HTML pages with scripts. For example, denying execute
> permissions in %temp% would stop viruses in ZIP files.
>
> By default, a user has Full Control over their own folder in Documents and
> Settings. Is there a way to change this default?
>
> --
> PGP key (0x0AFA039E): <http://www.pan-am.ca/consulting@pan-am.ca.asc&gt;
> What's a PGP Key? See <http://www.pan-am.ca/free.html&gt;
> GOD BLESS AMER, er, THE INTERNET. <http://vmyths.com/rant.cfm?id=401&page=4&gt;
>
>
Anonymous
June 21, 2004 2:17:42 AM

Archived from groups: microsoft.public.win2000.security (More info?)

> http://membres.lycos.fr/jfb/gb/gbtools/fileacl.htm
>
http://www.microsoft.com/downloads/details.aspx?FamilyI...

So I could do something like this in a login script perhaps:

@echo off
fileacl %userprofile% [options]
(and perhaps for good measure if home's mapped to a server share)
fileacl %homedrive%%homepath% [options]
(rest of script)

This should even work for a user who hasn't logged on to a given station
before, because the profile's copied first before the login script's
executed.

--
PGP key (0x0AFA039E): <http://www.pan-am.ca/consulting@pan-am.ca.asc&gt;
What's a PGP Key? See <http://www.pan-am.ca/free.html&gt;
GOD BLESS AMER, er, THE INTERNET. <http://vmyths.com/rant.cfm?id=401&page=4&gt;
!