[36180] in bugtraq
Re: First vulnerabilities in the SP2 - XP ?...
daemon@ATHENA.MIT.EDU (Robert Decker)
Fri Aug 20 00:47:47 2004
Message-ID: <41242541.4030006@esbsystems.com>
Date: Wed, 18 Aug 2004 23:57:53 -0400
From: Robert Decker <rdecker@esbsystems.com>
MIME-Version: 1.0
Cc: bugtraq@securityfocus.com
In-Reply-To: <20040816135814.18677.qmail@www.securityfocus.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
As a work around to the issue - although not to easy to configure for
the home user,
I would think if you have users who are ignorant, gullable, or just
plain stupid - a windows sysadmin might consider a GPO in AD with one or
more of the following policies:
User Configuration --> Administrative Templates --> System --> Prevent
Access to Command Prompt
User Configuration --> Administrative Templates --> System --> Run Only
Allowed Windows Applications
User Configuration --> Administrative Templates --> System --> Don't
Run Specified Windows Applications
Another huge advantage would be the proper implementation of the
following in an AD GPO:
Configure some Software Restriction Policies in User Configuration -->
Windows Settings --> Security Settings --> Software Restrictions
and if possible, couple it with certificates. (although, i'm not too
familiar with this one)
Computer Configuration --> Windows Settings --> Security Settings -->
Local Policies --> Security Options --> System settings: Use
Certificate Rules on Windows Executables for Software Restriction Policies
