Terminal Service and Cmd.exe BackDoor Security

Guest

My company is actually an Application Service Provider which enables our
clients to log on to our systems through Terminal Servers to access our
Application.
Unfortunately, our Application needs to have a 'File -> Open' function to
open some files for the Application.
Although we have used the GPO for Terminal Service to only allow the users
to access just the Application itself,
what I have found out is that, through this 'File -> Open' function, I can
easily navigate to 'Windows\System32' to activate the 'cmd.exe' command. From
here, I can then do whatever I want, especially when there is an Administrator
account (some users need that better authority to some service).
May I know if there is any way of blocking our users from navigating
to the 'cmd.exe' command or, simply put, blocking them from accessing the
'System32' commands?
 
Hopefully you do not have many users that are administrators on your
Terminal Services, and that issue should be looked at closer to find a way to
not have to do such. Keeping in mind that you cannot realistically restrict
anyone with administrator powers if they know how to use administrator
powers and want to, what you could do is either change NTFS permissions on
those binaries so that users that do not need access do not have permissions
to the file and/or use Software Restriction Policies to use path and/or hash
rules to restrict those binaries, which is the best way if the TS is Windows
2003. You can also use Group Policy to restrict access to command prompt and
registry editing if you look under user configuration/administrative
templates/system. The links below are on Software Restriction
Policies. --- Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
http://www.windowsecurity.com/articles/windows_2003_restriction_policies_security.html
 
Guess that really helps. Thank you Steven.
Will check through the GPO for the software restriction.
Just yet, this does not really disable Administrative users from altering
the NTFS permission. Do not know whether there is another way of doing so?
 
You cannot realistically expect to reliably restrict anybody that is a
local administrator. You can put roadblocks in their way with Group Policy
and such, but creative users may find a way around it if they are skilled and
determined. Having said that, very restrictive Software Restriction Policies
would be the best bet, along with restricted network access for file and
print sharing to the users you want to restrict. If a computer is booted
into Safe Mode then SRP will not apply to members of the local
administrators group if they would in regular startup mode via the
enforcement rule. If the user does not have physical access to the server
then they cannot boot into Safe Mode. Every effort should be made to not
make users local administrators, which may include running applications
certified by Microsoft for XP/2000/2003 or trying to get applications to
work without the user being local administrator, which may be possible by
configuring the folder and registry permissions for the application. --
Steve
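
An added audit example, not part of any post in this thread: a PowerShell check of the three controls discussed above (Software Restriction Policy default level and administrator scope, the Group Policy command prompt and registry editing settings, and the NTFS ACL on cmd.exe). It assumes PowerShell 3 or later is available on the Terminal Server and is run in the session of the account being checked; the variable and function names are illustrative.

```powershell
# Added example: report how cmd.exe is currently restricted on this server.
$srp    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$target = Join-Path $env:SystemRoot 'System32\cmd.exe'

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value is absent (policy not configured).
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Software Restriction Policy: default level and whether administrators are exempt.
$level = Get-RegValue $srp 'DefaultLevel'  # 0 = Disallowed, 0x40000 = Unrestricted
$scope = Get-RegValue $srp 'PolicyScope'   # 0 = all users, 1 = all except local admins

# Disallowed path rules live under ...\0\Paths\{GUID}, hash rules under ...\0\Hashes\{GUID}.
$pathRules = @(Get-ChildItem "$srp\0\Paths" -ErrorAction SilentlyContinue |
    ForEach-Object { Get-RegValue $_.PSPath 'ItemData' })
$hashRules = @(Get-ChildItem "$srp\0\Hashes" -ErrorAction SilentlyContinue).Count

# Per-user Group Policy settings (User Configuration/Administrative Templates/System).
$disableCmd = Get-RegValue 'HKCU:\Software\Policies\Microsoft\Windows\System' 'DisableCMD'
$disableReg = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' 'DisableRegistryTools'

# NTFS: identities with an Allow or Deny entry covering execute on cmd.exe.
$execute = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
$aces = (Get-Acl $target).Access | Where-Object { $_.FileSystemRights -band $execute }
$allow = @($aces | Where-Object { $_.AccessControlType -eq 'Allow' } |
    ForEach-Object { $_.IdentityReference.Value })
$deny = @($aces | Where-Object { $_.AccessControlType -eq 'Deny' } |
    ForEach-Object { $_.IdentityReference.Value })

[pscustomobject]@{
    SrpConfigured        = ($null -ne $level)
    SrpDefaultDisallowed = ($level -eq 0)
    SrpExemptsAdmins     = ($scope -eq 1)
    DisallowedPathRules  = $pathRules -join '; '
    DisallowedHashRules  = $hashRules
    CmdPromptPolicySet   = ($disableCmd -in 1, 2)
    RegistryToolsBlocked = ($null -ne $disableReg -and $disableReg -ne 0)
    ExecuteAllowedFor    = $allow -join '; '
    ExecuteDeniedFor     = $deny -join '; '
} | Format-List
```

If `SrpExemptsAdmins` is true, or the restricted users appear in `ExecuteAllowedFor` with no matching path or hash rule, the File -> Open route to cmd.exe described in the first post is still open for those accounts.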
 