Use Restricted Groups
GPO (File permissions and path)
http://support.microsoft.com/kb/967715
You can use the subinacl command to check the svchost key.
You can use the Windows 2000 Resource Kit cusrmgr tool to change the local
administrator password.

Z

Edward Ziots
Network Engineer
Lifespan Organization
MCSE, MCSA, MCP+I, ME, CCA, Security+, Network+
[email protected]
Phone:401-639-3505
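An added example, not Edward's code or anything else from this thread, for anyone who cannot push a Restricted Groups GPO straight away: a script that audits a list of machines for "Domain Users" in the local Administrators group and for the Autorun policy value that KB967715 documents, and that can also rotate the built-in local Administrator password (the job cusrmgr does). It changes nothing unless -Remediate is given. The host names and domain NetBIOS name are placeholders; it assumes the targets accept the WinNT ADSI provider and have the Remote Registry service running.

```powershell
# Added example, not code from the thread. Audits (and, with -Remediate, fixes)
# three of the items discussed above across many machines without visiting each.
# Assumptions: run as a domain admin; targets accept the WinNT ADSI provider and
# the Remote Registry service; host and domain names are placeholders.
param(
    [string[]] $Computers             = @('WS-EXAMPLE-01', 'WS-EXAMPLE-02'), # placeholders
    [string]   $DomainNetBios         = 'EXAMPLE',                           # placeholder
    [string]   $NewLocalAdminPassword = '',      # leave empty to skip the password change
    [switch]   $Remediate                        # audit only unless set
)

# Autorun policy value documented in KB967715: 0xFF disables Autorun on all drive types.
$AutorunKey   = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$AutorunValue = 'NoDriveTypeAutoRun'
$AutorunWant  = 0xFF

foreach ($c in $Computers) {
    try {
        # 1. Is "Domain Users" a member of the local Administrators group?
        $group   = [ADSI]"WinNT://$c/Administrators,group"
        $members = @($group.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        })
        $target = "WinNT://$DomainNetBios/Domain Users"
        if ($members -contains $target) {
            Write-Output "$c : 'Domain Users' is in local Administrators"
            if ($Remediate) {
                $group.Remove($target)   # IADsGroup.Remove takes the member's ADsPath
                Write-Output "$c : removed 'Domain Users' from local Administrators"
            }
        }

        # 2. Is Autorun disabled for every drive type?
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $c)
        $key  = $hklm.OpenSubKey($AutorunKey, $Remediate.IsPresent)
        $cur  = if ($key) { $key.GetValue($AutorunValue) } else { $null }
        if ($cur -ne $AutorunWant) {
            Write-Output ("{0} : {1} is '{2}', expected 0x{3:X}" -f $c, $AutorunValue, $cur, $AutorunWant)
            if ($Remediate) {
                if (-not $key) { $key = $hklm.CreateSubKey($AutorunKey) }
                $key.SetValue($AutorunValue, $AutorunWant, 'DWord')
                Write-Output "$c : set $AutorunValue to 0xFF"
            }
        }
        if ($key) { $key.Close() }
        $hklm.Close()

        # 3. Rotate the built-in local Administrator password (what cusrmgr does)
        if ($Remediate -and $NewLocalAdminPassword) {
            $admin = [ADSI]"WinNT://$c/Administrator,user"
            $admin.SetPassword($NewLocalAdminPassword)
            $admin.SetInfo()
            Write-Output "$c : local Administrator password changed"
        }
    }
    catch {
        # Report unreachable or failing hosts instead of skipping them silently
        Write-Warning "$c : $($_.Exception.Message)"
    }
}
```

Run it once without -Remediate and read the report before changing anything. Two caveats: KB967715 also describes the update that must be installed before NoDriveTypeAutoRun is honoured reliably on older systems, so the registry value alone is not the whole fix; and setting one Administrator password on every machine means a single compromised host gives up all of them, so rotate to per-machine passwords where you can.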
-----Original Message-----
From: Paul Everett [mailto:[email protected]] 
Sent: Monday, March 23, 2009 9:04 AM
To: NT System Admin Issues
Subject: RE: April 1st Conflicker Version C to erupt

Okay, I'm concerned about this, but need more direction than what has
been posted so far.
We've been running BGinfo here in our login script for years and we've
been putting "domain users" into their local admin group to keep it from
erroring.  We've recently started just giving full access to the bginfo
file, but still have a couple hundred machines with "domain users" in
the local admin group.  
1.      Is there a way (script or GP) to take "domain users" out of the
local admin group?
2.      How can I give users full access to the bginfo file without
visiting every machine?
3.      Where in GP do I disable Autorun?
4.      How do I do the INI redirection trick?
5.      How can I make sure the svchost key has read-only rights for
everyone?  Could this adversely affect some applications?
6.      Is there a way to change the local admin password via script or
GP?

Thanks,
Paul


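An added example, not code from Paul or anyone else on the thread, that speaks to questions 2 and 5 from the defender's side: rather than granting or removing rights, it reports which identities can already modify the BGInfo executable and the svchost registry key on the machine it runs on. It changes nothing, so it can sit in a login or startup script; the BGInfo path is a placeholder.

```powershell
# Added example, not code from the thread. Reports which identities can modify
# the two objects behind questions 2 and 5 (the BGInfo executable and the
# svchost registry key). It changes nothing. The BGInfo path is a placeholder.
param(
    [string] $BgInfoPath = 'C:\Tools\Bginfo.exe'   # placeholder location
)
$SvchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'

function Get-WriteCapableIdentities {
    param([string] $Path, [int] $WriteMask)
    # Inherited ACEs may carry GENERIC_WRITE or GENERIC_ALL rather than specific bits
    $genericWrite = 0x40000000 -bor 0x10000000
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # File and registry rules expose their rights under different property names
        if ($ace -is [System.Security.AccessControl.FileSystemAccessRule]) {
            $rights = [int]$ace.FileSystemRights
        } else {
            $rights = [int]$ace.RegistryRights
        }
        if ((($rights -band $WriteMask) -ne 0) -or (($rights -band $genericWrite) -ne 0)) {
            New-Object PSObject -Property @{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $rights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Bits that let a principal change the object: any write on a file, SetValue or
# CreateSubKey on a key. Modify, FullControl and WriteKey all include these bits.
$fileWrite = [int][System.Security.AccessControl.FileSystemRights]'Write'
$regWrite  = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey'

$findings = @()
if (Test-Path -Path $BgInfoPath) {
    $findings += @(Get-WriteCapableIdentities -Path $BgInfoPath -WriteMask $fileWrite)
} else {
    Write-Warning "$BgInfoPath not found"
}
$findings += @(Get-WriteCapableIdentities -Path $SvchostKey -WriteMask $regWrite)

# Anything beyond SYSTEM and Administrators in this list deserves a second look
$findings | Format-Table Path, Identity, Rights, Inherited -AutoSize
```

"Full access for everyone" on the BGInfo file shows up here as a finding on purpose: write access to a binary that every login script runs lets one user, or malware running as that user, replace it for the whole fleet. The svchost key is listed for the same reason the thread raises it: anything that can write there can register itself under a service host.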
-----Original Message-----
From: Ben Scott [mailto:[email protected]] 
Sent: Friday, March 20, 2009 5:11 PM
To: NT System Admin Issues
Subject: Re: April 1st Conflicker Version C to erupt

On Fri, Mar 20, 2009 at 4:54 PM, Ziots, Edward <[email protected]>
wrote:
> Just as a follow-up, the following KB article fixed that issue. What I
> am still concerned about: even though these systems were patched about
> 2-3 months ago with MS08-067, they still got somewhat infected...

  As mentioned, Conficker has multiple methods of propagation.  The
MS08-067 Server RPC vulnerability is only half the problem.  The other
common vector is removable media, such as USB flash drives.  Combined
with Autorun, all you have to do is insert the media, and Windows will
automatically run Conficker for you.  Even with Autorun completely
disabled, the user can still find the Trojan horse executable on the
media and double-click to run it manually.

  If you're running with unprivileged users, it can still set itself
up in the user's profile.  It shouldn't (*shouldn't*) be able to
disable anti-virus or compromise the local system, but it can run
within the privileges of the user.  It can scan for hosts still
vulnerable to MS08-067.  It can scan for network shares, and try to
copy itself to them.  It can try to brute force passwords to propagate
to more hosts.  That last is presumably what leads to the account
lockouts others have described.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
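An added example, not Ben's code or anything from the thread, for the last point above: the account lockouts that password guessing produces can be traced back to the machine doing the guessing. The script groups lockout events by caller computer and reports only callers that locked out several distinct accounts, which separates a spreading host from a user mistyping their own password. The sample events are constructed; Read-LockoutEvents shows the live query and assumes the standard English message text of Security events 644 (Windows 2000/2003) and 4740 (Windows Server 2008).

```powershell
# Added example, not code from the thread. Groups account-lockout events by the
# machine that caused them so that one host guessing passwords across many
# accounts stands out. Sample events are constructed; Read-LockoutEvents assumes
# the English message text of Security events 644 and 4740.
function Get-LockoutSources {
    param([object[]] $Events, [int] $Threshold = 3)
    # One row per caller computer that locked out at least $Threshold distinct accounts
    $Events |
        Group-Object -Property CallerComputer |
        ForEach-Object {
            $accounts = @($_.Group | ForEach-Object { $_.Account } | Sort-Object -Unique)
            if ($accounts.Count -ge $Threshold) {
                New-Object PSObject -Property @{
                    CallerComputer = $_.Name
                    Lockouts       = $_.Count
                    Accounts       = ($accounts -join ', ')
                }
            }
        }
}

function Read-LockoutEvents {
    # Pull lockout events from a domain controller's Security log into the shape
    # Get-LockoutSources expects (Account, CallerComputer, Time)
    param([string] $DomainController = '.', [int] $Newest = 5000)
    Get-EventLog -LogName Security -ComputerName $DomainController -InstanceId 644, 4740 -Newest $Newest |
        ForEach-Object {
            $m = $_.Message
            # 644 uses "Target Account Name"; 4740 lists the account under "Account That Was Locked Out"
            $acct   = [regex]::Match($m, '(?s)(?:Target Account Name|Account That Was Locked Out:.*?Account Name):\s*(\S+)').Groups[1].Value
            $caller = [regex]::Match($m, 'Caller (?:Machine|Computer) Name:\s*(\S+)').Groups[1].Value
            New-Object PSObject -Property @{ Account = $acct; CallerComputer = $caller; Time = $_.TimeGenerated }
        }
}

# Constructed sample: one host locking out four different accounts within a few
# minutes, and another host where a single user locked out only their own account
$sample = @(
    @{ Account = 'alice'; CallerComputer = 'WS-EXAMPLE-17'; Time = '2009-03-23 09:01' },
    @{ Account = 'bob';   CallerComputer = 'WS-EXAMPLE-17'; Time = '2009-03-23 09:02' },
    @{ Account = 'carol'; CallerComputer = 'WS-EXAMPLE-17'; Time = '2009-03-23 09:02' },
    @{ Account = 'dave';  CallerComputer = 'WS-EXAMPLE-17'; Time = '2009-03-23 09:03' },
    @{ Account = 'alice'; CallerComputer = 'WS-EXAMPLE-02'; Time = '2009-03-23 09:05' },
    @{ Account = 'alice'; CallerComputer = 'WS-EXAMPLE-02'; Time = '2009-03-23 09:06' }
) | ForEach-Object { New-Object PSObject -Property $_ }

# Report callers that locked out three or more distinct accounts
Get-LockoutSources -Events $sample -Threshold 3 | Format-Table CallerComputer, Lockouts, Accounts -AutoSize
```

Against a live log, replace the sample with the output of Read-LockoutEvents run against each domain controller, since lockouts are recorded on the DC that processed the failed logons. The threshold counts distinct accounts rather than raw events, which is what separates a host trying many accounts from a user locking out one account repeatedly.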
