Can't prevent BAT/CMD file termination by users

  • To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
  • Subject: Can't prevent BAT/CMD file termination by users
  • From: Tim Chilton <Tim_ChiltonSFI.CO.UK>
  • Date: Fri, 27 Mar 1998 15:48:35 +0000
  • Reply-To: Tim Chilton <Tim_ChiltonSFI.CO.UK>
  • Sender: Windows NT BugTraq Mailing List <NTBUGTRAQLISTSERV.NTBUGTRAQ.COM>

I've just found an interesting hole in security with .BAT and .CMD files.
It seems that the BREAK command is no longer supported under NT, hence
Ctrl+C will always abort a script file. Couple this with the fact that the
logon script is a plain batch file and you have a weak link when logging
onto NT, since the users can abort any configuration you are attempting to
enforce on them.

I use a logon script written mainly in KIX to ensure that people get a
consistent environment and can only access machines which are correctly
configured for their needs, e.g. only allowing English people on to English
NT and Japanese people on Japanese NT machines, plus preventing interactive
logon for accounts, like Backup, etc.

Obviously using a logon script with a forced logoff for invalid
configurations is a lot easier to implement than setting the "logon
locally" privilege for each machine, but it's all a bit futile if the user
can simply hit Ctrl+C to bypass it.

If you want to check this out,  BREAK /? returns
       Sets or Clears Extended CTRL+C checking on DOS system
       This is present for Compatibility with DOS systems. It has no effect
 under Windows NT.

I've tried this both on NT3.51, SP5 and NT4 SP3 using both .BAT and .CMD
files.

Tim
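
The post contrasts a logon script the user can interrupt with the per-machine "logon locally" right, which the operating system enforces itself. The following is an added example, not part of the original post: it audits a user-rights export, as written by `secedit /export /cfg <file> /areas USER_RIGHTS` on current Windows versions, for accounts that must not log on interactively. The account names and the sample export are constructed for illustration.

```python
import configparser

# Constructed sample of a `secedit /export /areas USER_RIGHTS` file (not from the post).
# Real exports are UTF-16 encoded; read them with open(path, encoding="utf-16").
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,svc_backup
SeDenyInteractiveLogonRight = Guest,svc_scan
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_rights(export_text):
    """Return {right name: set of lower-cased principals} from the export text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the original case of the right names
    cp.read_string(export_text)
    rights = {}
    if cp.has_section("Privilege Rights"):
        for name, value in cp.items("Privilege Rights"):
            rights[name] = {p.strip().lower() for p in value.split(",") if p.strip()}
    return rights

def audit_interactive_logon(export_text, restricted_accounts):
    """Classify each account that should never get an interactive session."""
    rights = parse_rights(export_text)
    allow = rights.get("SeInteractiveLogonRight", set())        # "log on locally"
    deny = rights.get("SeDenyInteractiveLogonRight", set())     # "deny log on locally"
    report = {}
    for account in restricted_accounts:
        key = account.lower()
        if key in deny:
            report[account] = "denied"      # enforced by the OS, no script involved
        elif key in allow:
            report[account] = "allowed"     # explicitly granted: needs fixing
        else:
            report[account] = "unresolved"  # may still be allowed through a group SID
    return report

if __name__ == "__main__":
    # Hypothetical service accounts that should not log on at the console.
    accounts = ["svc_backup", "svc_scan", "svc_print"]
    for name, status in audit_interactive_logon(SAMPLE_EXPORT, accounts).items():
        print(f"{name}: {status}")
```

An "unresolved" result means the account is not named directly in either right; its group memberships still have to be checked against the SIDs in `SeInteractiveLogonRight`.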