Logon script problem

  • Thread starter Thread starter Bruce
  • Start date Start date
B

Bruce

Hi, I was hoping some could help with a logon script problem.

We have recently upgraded our network from NT4 Server/Win95 to Win2000
Server and XP.

We have an antivirus suite installed on all the XP clients. They are
updated with the new virus definitions by running update.exe. This is
done when the user logs on (update.exe in the logon script). We
download the latest update.exe every night and put it on a share on
the server.

It worked on Win95 as it did not have any file/process security. But
with XP it no longer works because the login script is run with the
user's authority (which does not have permission to install
update.exe). My question is, is there a way to get it to work on XP?

I am thinking we could use the runas.exe command (or similar) in the
logon script to run update.exe as a user with the correct admin rights
(eg. a user in the domain admins group). But then we have the problem
that the user can read the logon script and find out the password for
that user. Maybe we could make the logon script executable but not
readable? I still feel this would be insecure.

What we need is a way to "SUID" the file like you can do on Unix, so
when the update.exe program is executed the process that is created
has the userid set to the owner of the file (which we can set to
administrator) rather than the user. Maybe there is a way to do that
in Windows 2000?

Any advice appreciated.

Thanks,

Bruce.
 
What AV package are you using??
Hi, I was hoping some could help with a logon script problem.

We have recently upgraded our network from NT4 Server/Win95 to Win2000
Server and XP.

We have an antivirus suite installed on all the XP clients. They are
updated with the new virus definitions by running update.exe. This is
done when the user logs on (update.exe in the logon script). We
download the latest update.exe every night and put it on a share on
the server.

It worked on Win95 as it did not have any file/process security. But
with XP it no longer works because the login script is run with the
user's authority (which does not have permission to install
update.exe). My question is, is there a way to get it to work on XP?

I am thinking we could use the runas.exe command (or similar) in the
logon script to run update.exe as a user with the correct admin rights
(eg. a user in the domain admins group). But then we have the problem
that the user can read the logon script and find out the password for
that user. Maybe we could make the logon script executable but not
readable? I still feel this would be insecure.

What we need is a way to "SUID" the file like you can do on Unix, so
when the update.exe program is executed the process that is created
has the userid set to the owner of the file (which we can set to
administrator) rather than the user. Maybe there is a way to do that
in Windows 2000?

Any advice appreciated.

Thanks,

Bruce.
 
Back
Top