> Is is possible to setup a policy on Win2000 Active Directory
> whereby you can
> use wildcards to deny users access to running certain
> programs, for example
> blocking userss running setup*.*
Even if this were possible, I'm not sure want you want to go this way.
Let's say I'm an Evil Guy trying to install a backdoor/privilege escalation
tool. Imaginary command prompt session follows (commmand prompt not really
needed since you could perform the same actions in Windows as well; I'm
using it here to illustrate a point).
(me tries to run an evil setup.exe)
C:\>setup
Access denied.
(oooh, now what?)
C:\>ren setup.exe utterlyharmlessprogram.exe
C:\>utterlyharmlessprogram
(here we go...)
You don't want to block files based on what they are *called* (file
extensions being the possible exception) but rather based on what they
*are* or what they *do*.
> whereby you can
> use wildcards to deny users access to running certain
> programs, for example
> blocking userss running setup*.*
Even if this were possible, I'm not sure want you want to go this way.
Let's say I'm an Evil Guy trying to install a backdoor/privilege escalation
tool. Imaginary command prompt session follows (commmand prompt not really
needed since you could perform the same actions in Windows as well; I'm
using it here to illustrate a point).
(me tries to run an evil setup.exe)
C:\>setup
Access denied.
(oooh, now what?)
C:\>ren setup.exe utterlyharmlessprogram.exe
C:\>utterlyharmlessprogram
(here we go...)
You don't want to block files based on what they are *called* (file
extensions being the possible exception) but rather based on what they
*are* or what they *do*.
--
T.
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
[ reply ]