It does not even have to be a logon script. I remember years ago someone
put a trojan on one of our Pr1mes. It was a simple game, unless you
ran it from a privileged account. All was well until the operators ran
it at 2am from an operator's account. It removed all the ACLs from the
file system. Very nice. Took days to sort....

I guess the answer is simple. Don't log on locally using your admin
account. Use the normal best practice to log on with a non-priv account,
then use "runas" to do anything you need with privs. Only problem I have
with this is you can't get an explorer window like this and I hate
setting ACLs from the command line...

>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>Sent: 18 May 2006 01:22
>To: [email protected]
>Subject: Re: [ActiveDir] OT: Overriding local computer logon scripts - anyway to do it?
>
>Wasn't one of the infamous Dr. J stories about how they had attempted
>to gain access to one of the msn servers by having a booby trap script
>like that.  If a person had logged in with certain creds it was indeed
>set to fire off a script?
>
>Pen test proof of concept story?
>
>joe wrote:


