Archived from groups: microsoft.public.win2000.security (More info?)
Someone showed me a neat trick thattakes advantage of a recent IE6
cross-site scripting vulnerability. The trick successfully copied an
executable to %userprofile%\Start Menu\Programs\Startup.
Neat little trick, though the executable's still bound by the permissions of
the user logged on. But the area is writable and executable to the user in
question.
The obvious before-the-fact fixes include:
* System or Group Policy defining which executables may be run
* Disable scripting for the My Computer zone and stick to the "Classic"
Explorer Shell (Registry setting, either Policy or Default Profile)
* Disable personal program groups / Start Menu items (but does nothing if
script can write to HKEY_CURRENT_USER)
But nothing stops a user from manually downloading some executable and
running it from their desktop, My Documents, Home directory, etc.
It occurred to me that denying Execute permissions, for files only, for
non-Administrators within Documents and Settings would catch a lot more than
just scripting vulnerabilities, and still let folks use web content in
folders and run local HTML pages with scripts. For example, denying execute
permissions in %temp% would stop viruses in ZIP files.
By default, a user has Full Control over their own folder in Documents and
Settings. Is there a way to change this default?
--
PGP key (0x0AFA039E): <http://www.pan-am.ca/consulting@pan-am.ca.asc>
What's a PGP Key? See <http://www.pan-am.ca/free.html>
GOD BLESS AMER, er, THE INTERNET. <http://vmyths.com/rant.cfm?id=401&page=4>
Someone showed me a neat trick thattakes advantage of a recent IE6
cross-site scripting vulnerability. The trick successfully copied an
executable to %userprofile%\Start Menu\Programs\Startup.
Neat little trick, though the executable's still bound by the permissions of
the user logged on. But the area is writable and executable to the user in
question.
The obvious before-the-fact fixes include:
* System or Group Policy defining which executables may be run
* Disable scripting for the My Computer zone and stick to the "Classic"
Explorer Shell (Registry setting, either Policy or Default Profile)
* Disable personal program groups / Start Menu items (but does nothing if
script can write to HKEY_CURRENT_USER)
But nothing stops a user from manually downloading some executable and
running it from their desktop, My Documents, Home directory, etc.
It occurred to me that denying Execute permissions, for files only, for
non-Administrators within Documents and Settings would catch a lot more than
just scripting vulnerabilities, and still let folks use web content in
folders and run local HTML pages with scripts. For example, denying execute
permissions in %temp% would stop viruses in ZIP files.
By default, a user has Full Control over their own folder in Documents and
Settings. Is there a way to change this default?
--
PGP key (0x0AFA039E): <http://www.pan-am.ca/consulting@pan-am.ca.asc>
What's a PGP Key? See <http://www.pan-am.ca/free.html>
GOD BLESS AMER, er, THE INTERNET. <http://vmyths.com/rant.cfm?id=401&page=4>
Facebook
Twitter
Instagram