The only way to make that work would be to have a signature for all
programs users are allowed to execute; that way, even if the user changes
the name of the program he/she wants to execute, the signature still
wouldn't match. I'm not sure that this can be set up without using third
party software, however I could be wrong.
o.f
Topi Ylinen wrote:
>>Is it possible to set up a policy on Win2000 Active Directory
>>whereby you can
>>use wildcards to deny users access to running certain
>>programs, for example
>>blocking users running setup*.*
>>
>>
>
>Even if this were possible, I'm not sure you want to go this way.
>Let's say I'm an Evil Guy trying to install a backdoor/privilege escalation
>tool. Imaginary command prompt session follows (command prompt not really
>needed since you could perform the same actions in Windows as well; I'm
>using it here to illustrate a point).
>
>(me tries to run an evil setup.exe)
>C:\>setup
>Access denied.
>(oooh, now what?)
>C:\>ren setup.exe utterlyharmlessprogram.exe
>C:\>utterlyharmlessprogram
>(here we go...)
>
>You don't want to block files based on what they are *called* (file
>extensions being the possible exception) but rather based on what they
>*are* or what they *do*.
>
>--
>T.
>
>---------------------------------------------------------------------------
>---------------------------------------------------------------------------
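The point both posters make, as an added example that is not part of the thread: a wildcard rule such as `setup*.*` only ever sees the file name, so renaming the file walks straight past it, whereas a content-based check (here a SHA-256 allowlist standing in for the "signature for all programs users are allowed to execute") gives the same verdict under any name. All file names, patterns and file contents below are constructed for the demonstration; `DENY_PATTERNS`, `blocked_by_name`, `allowed_by_hash` and `demo` are hypothetical helpers, not a Windows policy API.

```python
"""Added example (not from the thread): name-based deny patterns versus a
content-hash allowlist. Every name, pattern and file body here is constructed
for the demo."""
import fnmatch
import hashlib
import os
import tempfile

# Hypothetical deny rule in the spirit of the question: block setup*.*
DENY_PATTERNS = ["setup*.*"]


def blocked_by_name(filename: str, patterns=DENY_PATTERNS) -> bool:
    """Name-based rule: case-insensitive glob match, which is all a wildcard
    policy could do. Nothing about the file's contents is inspected."""
    name = filename.lower()
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns)


def file_digest(path: str) -> str:
    """SHA-256 of the file contents; the digest does not depend on the name."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def allowed_by_hash(path: str, allowlist: set) -> bool:
    """Allowlist rule: the file may run only if its digest was approved."""
    return file_digest(path) in allowlist


def demo() -> dict:
    """Replays the quoted command-prompt session on constructed files and
    returns each verdict so the outcomes can be checked."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        # An administrator-approved program; its digest goes on the allowlist.
        approved = os.path.join(d, "approvedtool.exe")
        with open(approved, "wb") as f:
            f.write(b"MZ constructed approved program\n")
        allowlist = {file_digest(approved)}

        # An unapproved installer with the name the wildcard rule targets.
        evil = os.path.join(d, "setup.exe")
        with open(evil, "wb") as f:
            f.write(b"MZ constructed unapproved installer\n")

        # 1. The wildcard rule catches the original name ...
        results["setup_blocked_by_name"] = blocked_by_name("setup.exe")
        # 2. ... but not the renamed copy (the 'ren' step in the quoted session).
        renamed = os.path.join(d, "utterlyharmlessprogram.exe")
        os.rename(evil, renamed)
        results["renamed_blocked_by_name"] = blocked_by_name(os.path.basename(renamed))
        # 3. The digest is unchanged by the rename, so the allowlist still rejects it ...
        results["renamed_allowed_by_hash"] = allowed_by_hash(renamed, allowlist)
        # 4. ... while the approved program keeps working under any name, even one
        #    the wildcard rule would wrongly block (a false positive of name matching).
        moved = os.path.join(d, "setup_approved.exe")
        os.rename(approved, moved)
        results["approved_allowed_by_hash"] = allowed_by_hash(moved, allowlist)
        results["approved_blocked_by_name"] = blocked_by_name(os.path.basename(moved))
    return results


if __name__ == "__main__":
    for check, verdict in demo().items():
        print(f"{check}: {verdict}")
```

The trade-off the hash approach carries is operational rather than technical: every patched build of an approved program has a new digest, so the allowlist has to be maintained alongside software updates, which is the main reason such schemes tend to be paired with publisher-signature rules rather than raw hashes.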
---------------------------------------------------------------------------
---------------------------------------------------------------------------