> I just tested this on NT4 SP4 and this is real! Policies are, for the
> most part, obsolete....

I'm not sure what the reference to policies being obsolete is supposed to mean. They could be bypassed, but there are ways to prevent this.

1. Remove any file named explorer.exe, taskmgr.exe, etc... during a login script. Since login scripts still process prior to loading the desktop (or any of the renamed executables), it's possible to eliminate any trojans that might be present.

2. Place a copy of the "official" files (explorer, etc...) into the user's home directory and then ACL them for Administrators' modification only, thereby preventing this from being an issue in many profiled environments.

3. I haven't tried this, but it should be possible to prevent, by policy, execution of the given executables from the user's home directory (while still permitting them to be run from %systemroot%). Their desktop will hang, I would assume, as a result of them placing an excluded filename in their home directory.

Note these are only workarounds, and may not work if the user has access to the user's home directory (%systemroot% if no directory specified) in situations where ACLs can be usurped (e.g. a user is a Local Administrator and can boot to the machine, rather than the domain).

Clearly there's a large and real issue here, but just as clearly, Policies aren't, for the most part, obsolete.

You may also prefer to use CMD.EXE instead of COMMAND.COM to test this, just to be safe and ensure you'll be able to recover.

On a funny note, I followed the original poster's suggestion of renaming calc.exe as explorer.exe and rebooted...;-]...needless to say there was a momentary look of shock on my face as I tried to remember what to do to get the real explorer back on my desktop...;-]

(In case you find yourself in this situation, CTRL-ALT-DEL, Task Manager, File, Run, %systemroot%\explorer.exe restores your desktop.)

Cheers,
Russ - NTBugtraq Editor
http://ntbugtraq.ntadvice.com/archives
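The following is an added example, not a script from Russ's post or from NTBugtraq: a logon-script rendering of workarounds 1 and 2 above, written in PowerShell for a current Windows host (NT4 login scripts were batch files, so this is a modern restatement of the same idea). It assumes the user's home directory is %USERPROFILE% and the authoritative binaries live in %SystemRoot%; the protected-name list and the log path are placeholders to adjust. It goes one step beyond the post by hashing each hit against the %SystemRoot% copy, so that an admin-planted official copy (workaround 2) is told apart from a renamed executable (workaround 1) instead of deleting every file with a matching name.

```powershell
# Added example (not from the original post). Assumed: user home = $env:USERPROFILE,
# authoritative binaries in $env:SystemRoot; $ShadowNames and $LogFile are placeholders.
$ShadowNames = @('explorer.exe', 'taskmgr.exe')                 # names from the post; extend as needed
$LogFile     = Join-Path $env:TEMP 'shadow-binary-sweep.log'    # placeholder log location

function Find-ShadowedSystemBinaries {
    # Report every file under the home directory whose name matches a protected
    # binary, and whether its SHA-256 equals the copy in %SystemRoot%.
    param(
        [string]   $UserHome   = $env:USERPROFILE,
        [string]   $SystemRoot = $env:SystemRoot,
        [string[]] $Names      = $ShadowNames
    )
    foreach ($name in $Names) {
        $official = Join-Path $SystemRoot $name
        if (-not (Test-Path -LiteralPath $official)) { continue }
        $officialHash = (Get-FileHash -LiteralPath $official -Algorithm SHA256).Hash

        Get-ChildItem -LiteralPath $UserHome -Filter $name -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                [pscustomobject]@{
                    Name            = $name
                    Path            = $_.FullName
                    MatchesOfficial = ($hash -eq $officialHash)
                }
            }
    }
}

function Remove-ShadowedSystemBinaries {
    # Workaround 1: log, and optionally delete, copies that do not match the official binary.
    param([switch] $Remove)   # report-only unless -Remove is given
    foreach ($hit in (Find-ShadowedSystemBinaries | Where-Object { -not $_.MatchesOfficial })) {
        $line = '{0} shadow copy of {1} at {2}' -f (Get-Date -Format s), $hit.Name, $hit.Path
        Add-Content -LiteralPath $LogFile -Value $line
        if ($Remove) { Remove-Item -LiteralPath $hit.Path -Force }
    }
}

function Install-ProtectedCopy {
    # Workaround 2: place the official binary in the home directory and ACL it so only
    # Administrators and SYSTEM can modify it; ordinary users get read/execute only.
    param(
        [string] $Name,
        [string] $UserHome   = $env:USERPROFILE,
        [string] $SystemRoot = $env:SystemRoot
    )
    $source = Join-Path $SystemRoot $Name
    $target = Join-Path $UserHome $Name
    Copy-Item -LiteralPath $source -Destination $target -Force

    $acl = Get-Acl -LiteralPath $target
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting the home directory's permissive ACL
    foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
    }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Users', 'ReadAndExecute', 'Allow')))
    Set-Acl -LiteralPath $target -AclObject $acl
}

# Logon-script entry point: sweep first (report-only here; add -Remove to delete),
# then plant protected copies of each name in the home directory.
Remove-ShadowedSystemBinaries
foreach ($n in $ShadowNames) { Install-ProtectedCopy -Name $n }
```

Install-ProtectedCopy should run under an administrative context (a startup script or a management tool), not in the user's own logon session: a file's owner can rewrite its ACL, so a copy the user creates in their own home directory is not protected from them. That is the same limitation the post notes for users who hold local administrative rights.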
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:51:45 PDT