Sign in with
Sign up | Sign in
Your question

Run CMD.exe at logon screen

Last response: in Windows 2000/NT
Share
Anonymous
a b 8 Security
November 10, 2004 9:51:01 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Hello,

I have read about the use of enforcing the pressing of "CTRL+ALT+DEL" before
logon to windows NT. But i really can't get it. Is it better to enforce or
not ?
Also, I have known that you can edit the registry to run the command
interpreter before logging onto windows. How can that be useful (or harmful)
for both the user and administrator?

Thank you
Mohamed
Anonymous
a b 8 Security
November 11, 2004 7:48:45 PM

Archived from groups: microsoft.public.win2000.security (More info?)

I read somewhere that launching CMD.exe before logging into windows launches
CMD.exe as a "System" user, giving it complete control over all local
resources.


"ircian" <ircian@discussions.microsoft.com> wrote in message
news:BDB35879-4044-4A01-90BB-DB6C6F9F3780@microsoft.com...
> Hello,
>
> I have read about the use of enforcing the pressing of "CTRL+ALT+DEL"
> before
> logon to windows NT. But i really can't get it. Is it better to enforce or
> not ?
> Also, I have known that you can edit the registry to run the command
> interpreter before logging onto windows. How can that be useful (or
> harmful)
> for both the user and administrator?
>
> Thank you
> Mohamed
Anonymous
a b 8 Security
November 11, 2004 7:48:46 PM

Archived from groups: microsoft.public.win2000.security (More info?)

so you mean that, security wise, it is better not to enforce pressing
ctrl+alt+del at logon so as not to launch cmd.exe ?

Also, concerning that system user , you mentioned he had complete control
over "local" resources, how far is his control over domain resources, if the
system was a workstation connected to a windows server domain?

Thanks
Mohamed

"Andre Rojde" wrote:

> I read somewhere that launching CMD.exe before logging into windows launches
> CMD.exe as a "System" user, giving it complete control over all local
> resources.
>
>
> "ircian" <ircian@discussions.microsoft.com> wrote in message
> news:BDB35879-4044-4A01-90BB-DB6C6F9F3780@microsoft.com...
> > Hello,
> >
> > I have read about the use of enforcing the pressing of "CTRL+ALT+DEL"
> > before
> > logon to windows NT. But i really can't get it. Is it better to enforce or
> > not ?
> > Also, I have known that you can edit the registry to run the command
> > interpreter before logging onto windows. How can that be useful (or
> > harmful)
> > for both the user and administrator?
> >
> > Thank you
> > Mohamed
>
>
>
Related resources
Anonymous
a b 8 Security
November 14, 2004 3:05:43 AM

Archived from groups: microsoft.public.win2000.security (More info?)

It is better to enforce it which should happen automatically for a domain
member computer. It can be configured in security policy/security options
which can be invoked via secpol.msc for a local computer. The link below
explains more which contains reference to security options.. --- Steve

http://www.microsoft.com/technet/Security/prodtech/win2...
Disable CTRL+ALT+DEL Required for Logon

Security Objective: Enabling this option will disable the trusted path
mechanism. The purpose of the trusted path mechanism is to prevent spoofing
of user login sessions. It is the mechanism which causes the operating
system to always intercept CTRL+ALT+DEL key-sequences and prevents other
sub-systems and processes from capturing that key-sequence. If this
mechanism is disabled, it would be simply for an attacker to spoof the logon
interface with a keystroke logger. Therefore, this setting should never be
enabled. The default setting of this option is Disabled on a Windows 2000
computer, although a policy tool may show it as Not Defined.

Recommendation: Set this policy to disabled.

Note: The default is "leave as is" but disabling the setting ensures that it
is overridden on machines where it has been changed.

"ircian" <ircian@discussions.microsoft.com> wrote in message
news:BDB35879-4044-4A01-90BB-DB6C6F9F3780@microsoft.com...
> Hello,
>
> I have read about the use of enforcing the pressing of "CTRL+ALT+DEL"
> before
> logon to windows NT. But i really can't get it. Is it better to enforce or
> not ?
> Also, I have known that you can edit the registry to run the command
> interpreter before logging onto windows. How can that be useful (or
> harmful)
> for both the user and administrator?
>
> Thank you
> Mohamed
Anonymous
a b 8 Security
November 14, 2004 3:29:00 PM

Archived from groups: microsoft.public.win2000.security (More info?)

ircian wrote:
> Hello,
>
> I have read about the use of enforcing the pressing of "CTRL+ALT+DEL"
> before logon to windows NT. But i really can't get it. Is it better
> to enforce or not ?

I sure think so. But are you on a network?

> Also, I have known that you can edit the registry to run the command
> interpreter before logging onto windows. How can that be useful (or
> harmful) for both the user and administrator?

Don't know. What would be your purpose?
>
> Thank you
> Mohamed
!