Disabling Execute access in Documents and Settings?

  • Thread starter Thread starter Gordon Fecyk
  • Start date Start date
G

Gordon Fecyk

Someone showed me a neat trick thattakes advantage of a recent IE6
cross-site scripting vulnerability. The trick successfully copied an
executable to %userprofile%\Start Menu\Programs\Startup.

Neat little trick, though the executable's still bound by the permissions of
the user logged on. But the area is writable and executable to the user in
question.

The obvious before-the-fact fixes include:

* System or Group Policy defining which executables may be run
* Disable scripting for the My Computer zone and stick to the "Classic"
Explorer Shell (Registry setting, either Policy or Default Profile)
* Disable personal program groups / Start Menu items (but does nothing if
script can write to HKEY_CURRENT_USER)

But nothing stops a user from manually downloading some executable and
running it from their desktop, My Documents, Home directory, etc.

It occurred to me that denying Execute permissions, for files only, for
non-Administrators within Documents and Settings would catch a lot more than
just scripting vulnerabilities, and still let folks use web content in
folders and run local HTML pages with scripts. For example, denying execute
permissions in %temp% would stop viruses in ZIP files.

By default, a user has Full Control over their own folder in Documents and
Settings. Is there a way to change this default?
 
I like the idea about disabling execute for files only in a user profile and may be
helpful in locking down a computer to unauthorized application use as many users do
that in their profile if their computer is configured to only allow them to write to
their profile by modifying ntfs permissions for everyone/users for the root/drive
folder.

Windows XP Pro of course uses Software Restriction Policies to control what can and
can not be executed on a computer by a user. I don't know of any way to change the
default profile permissions assigned to a user when their profile is created, though
a startup script using fileacl may be able to configure to your needs as it seems to
have the ability to configure special permissions and it is an official MS support
tool now. I really like the fact that it has an inherit and protect switch that makes
some advanced folder configuration possible. --- Steve

http://membres.lycos.fr/jfb/gb/gbtools/fileacl.htm
http://www.microsoft.com/downloads/...ea-34f0-4e6d-9a72-004d35de4e64&displaylang=en
 
http://membres.lycos.fr/jfb/gb/gbto...ea-34f0-4e6d-9a72-004d35de4e64&displaylang=en

So I could do something like this in a login script perhaps:

@echo off
fileacl %userprofile% [options]
(and perhaps for good measure if home's mapped to a server share)
fileacl %homedrive%%homepath% [options]
(rest of script)

This should even work for a user who hasn't logged on to a given station
before, because the profile's copied first before the login script's
executed.
 
Back
Top