Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > NTBugtraq> 1998

Re: Can't prevent BAT/CMD file termination by users

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Can't prevent BAT/CMD file termination by users

To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
Subject: Re: Can't prevent BAT/CMD file termination by users
From: "Andrew S. Baker" <ABakerthebeast.com>
Date: Fri, 27 Mar 1998 11:38:02 -0500
In-Reply-To: <19980327111752.14d841c9.inthebeast.com>
Reply-To: "Andrew S. Baker" <ABakerthebeast.com>
Sender: Windows NT BugTraq Mailing List <NTBUGTRAQLISTSERV.NTBUGTRAQ.COM>

If you use the BREAK OFF command in Kixtart, this will disable CTRL-C and
CTRL-BREAK processing for Kixtart and any batch file that is called during
the scripts execution (including the parent batch file).


================================
 Andrew S. Baker
 Network Administrator
 mailto:ABakerthebeast.com

 CastleNet, LLC
 http://www.thebeast.com
================================

"If it's worth doing at all, it's worth doing right."



> -----Original Message-----
> From: Windows NT BugTraq Mailing List
> [mailto:NTBUGTRAQLISTSERV.NTBUGTRAQ.COM]On Behalf Of Tim Chilton
> Sent: Friday, March 27, 1998 10:49 AM
> To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
> Subject: Can't prevent BAT/CMD file termination by users
>
>
> I've just found an interesting hole in security with .BAT and .CMD files,
> it seems that the BREAK command is no longer supported under NT, hence
> Ctrl+C will always abort a script file, couple this with the fact that the
> logon script is a plain batch file and you have a weak link when logging
> onto NT since the uses can abort any configuration you are attempting to
> enforce on them.
>
> I use a logon script written in mainly in KIX to ensure that people get a
> consistent environmet and can only access machines which are correctly
> configured for their needs, eg  only allowing English people on to English
> NT and Japanese people on Japanese NT machines, plus preventing
> interactive
> logon for accounts, like Backup, etc.
>
> Obviously using a logon scripts with a forced logoff for invalid
> configurations are a lot easier to implement than setting the "logon
> locally" privelege for each machine, but it's all a bit futile if the user
> can simply hit Ctrl+C to bypass it.
>
> If you want to check this out,  BREAK /? returns
>        Sets or Clears Extended CTRL+C checking on DOS system
>        This is present for Compatibility with DOS systems. It has
> no effect
>  under Windows NT.
>
> I've tried this both on NT3.51, SP5 and NT4 SP3 using both .BAT and .CMD
> files.
>
> Tim
>

Prev by Date: Can't prevent BAT/CMD file termination by users
Next by Date: What does "map" mean in this context?
Prev by thread: Can't prevent BAT/CMD file termination by users
Next by thread: What does "map" mean in this context?
Index(es):
- Date
- Thread