Skip to main content

How to prevent a user from using the sticky key command from exposing the command prompt without logging in.

First off, several things would have to fail before this vulnerability is exposed. The organization in question would not be following the Defense-in-Depth concept that we discussed listed below. In particular, the first level “Policies, Procedures, & Awareness” would not be followed.



In order to be able to change the Sethc.exe file, the user would have to both take ownership and give themselves rights to this application. A standard user account cannot do this. If the users are given local admin rights, this vulnerability could be exploited. By copying the CMD.EXE application and remaining it to Sethc.exe, a command prompt could be brought up under the system context without a user logging in.

For your IT Staff, a rogue member could easily exploit this vulnerability. To prevent this from happening, execute the procedure on this link to remove the user’s ability to use a command prompt. The key to this is the Software Restriction Policy. Since it is created using a hash, changing the name and location of the CMD.EXE file will still not allow the user to run it. Be careful not to apply this policy to those who actually need to use a command prompt. You may want to keep this policy on the client machines to help prevent standard users from working outside their job descriptions. Also, on the servers but for only the IT staff who do not need to use a command prompt.



Reference:
http://aplawson.wordpress.com/2009/04/22/pentest-sticky-keys-sethcexe-vulnerability-in-2003-xp-vista/

Comments

Popular posts from this blog

Adding a Comment to a GPO with PowerShell

As I'm writing this article, I'm also writing a customization for a PowerShell course I'm teaching next week in Phoenix.  This customization deals with Group Policy and PowerShell.  For those of you who attend my classes may already know this, but I sit their and try to ask the questions to myself that others may ask as I present the material.  I finished up my customization a few hours ago and then I realized that I did not add in how to put a comment on a GPO.  This is a feature that many Group Policy Administrators may not be aware of. This past summer I attended a presentation at TechEd on Group Policy.  One organization in the crowd had over 5,000 Group Policies.  In an environment like that, the comment section can be priceless.  I always like to write in the comment section why I created the policy so I know its purpose next week after I've completed 50 other tasks and can't remember what I did 5 minutes ago. In the Group Policy module for PowerShell V3, th

Return duplicate values from a collection with PowerShell

If you have a collection of objects and you want to remove any duplicate items, it is fairly simple. # Create a collection with duplicate values $Set1 = 1 , 1 , 2 , 2 , 3 , 4 , 5 , 6 , 7 , 1 , 2   # Remove the duplicate values. $Set1 | Select-Object -Unique 1 2 3 4 5 6 7 What if you want only the duplicate values and nothing else? # Create a collection with duplicate values $Set1 = 1 , 1 , 2 , 2 , 3 , 4 , 5 , 6 , 7 , 1 , 2   #Create a second collection with duplicate values removed. $Set2 = $Set1 | Select-Object -Unique   # Return only the duplicate values. ( Compare-Object -ReferenceObject $Set2 -DifferenceObject $Set1 ) . InputObject | Select-Object – Unique 1 2 This works with objects as well as numbers.  The first command creates a collection with 2 duplicates of both 1 and 2.   The second command creates another collection with the duplicates filtered out.  The Compare-Object cmdlet will first find items that are diffe

How to list all the AD LDS instances on a server

AD LDS allows you to provide directory services to applications that are free of the confines of Active Directory.  To list all the AD LDS instances on a server, follow this procedure: Log into the server in question Open a command prompt. Type dsdbutil and press Enter Type List Instances and press Enter . You will receive a list of the instance name, both the LDAP and SSL port numbers, the location of the database, and its status.