In the current environment there exists a policy where files within %system32% are only allowed to be owned by System and Administrators. An issue has arisen where, after converting these permissions, cmd.exe is unable to execute. The addition of the user that is currently logged in resolves this; however, adding a group myGroup with the user contained fails. The command prompt informs me that I do not have the permissions, which seems odd. Am I missing a registry edit or is there something else that I should be looking for here?

Woot4Moo
  • What a silly idea – Izzy Aug 25 '10 at 19:19
  • @Izzy thanks but it's necessary – Woot4Moo Aug 25 '10 at 19:23
  • To prevent what exactly? – Izzy Aug 25 '10 at 19:54
  • @Izzy to prevent members of the Users group from utilizing certain files, for instance cmd and netstat. This is in a non-AD environment and users that need these are placed in a custom group. – Woot4Moo Aug 25 '10 at 19:58
  • What does the restriction on file "ownership" have to do with execution rights? That doesn't make sense. – Grizly Sep 02 '10 at 06:11
  • @Grizly I was adding all the pieces of the puzzle instead of leaving anything up to guesswork – Woot4Moo Sep 02 '10 at 17:28
  • Hmm, on my Vista box, the owner of that folder is "TrustedInstaller", Admin groups have Full, and users have Read & Execute. Could you post the details of that "Policy". Have you run RegMon while testing? http://blogs.technet.com/b/markrussinovich/archive/2005/12/12/circumventing-group-policy-as-a-limited-user.aspx – Grizly Sep 03 '10 at 00:01
  • Correct, TrustedInstaller is the owner; my post has made it so that I must remove the Users group from that file. I will look into RegMon – Woot4Moo Sep 03 '10 at 11:40

2 Answers


Under Win7 (should be similar to Vista)

Run gpedit.msc to start the Group Policy Editor

Navigate to: User Config -> Admin Templates -> System

Check the settings for: "Prevent access to the command prompt"

jftuga

First of all - I don't think it is the UAC. The UAC will only prevent you starting cmd.exe as admin. But please try executing cmd as admin. This should work.

I would switch to another cmd:

http://www.powercmd.com/

And place it in %ProgramFiles%

Adding a group to cmd.exe should work like adding a user. I don't think that a GPO fixes your issue. Only if you don't modify all files in %system32%.

You've added a new group to cmd.exe - but why? You said that you just modified the owner - but by the way - there can only be one owner... I suppose that you modified the access rights to be only System and Administrators. Maybe your policy overwrites your changes?

Another question is - does this make sense? Why would I try to tighten rights that are already safe? And why would I allow more rights to specific files without Admin rights?

Edit: Access rights needed for cmd.exe

  • Administrators all rights
  • System all rights
  • YOURGROUP Read,Execute

Works on my system...

Edit2

Please try to run cmd.exe and analyse what failed with Process Monitor:

http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

Andreas Rehm
  • I cannot place outside programs to do the work of system files. Yes I modified the owner and reverted it back to its original owner. The only users with access on cmd.exe to begin with in my scenario are System and Administrators. It does not work when I run it as an admin, only if I am explicitly on the file when users and/or auditors is missing. I am not tightening the rights, I am loosening them. I need to add a specific user group to them that in this case is not users. Adding certain groups to the file is needed because of applications that reside on the box and certain users need – Woot4Moo Aug 27 '10 at 21:13
  • these permissions – Woot4Moo Aug 27 '10 at 21:14
  • I've tried this on my system. It works fine - the only difference is your system32 lockdown. Do you really need it? – Andreas Rehm Aug 27 '10 at 21:26
  • I see your edit, who is the owner of this file in your scenario? – Woot4Moo Aug 27 '10 at 21:27
  • Andreas yes this is utilizing NVD SRRs and following STIGs – Woot4Moo Aug 27 '10 at 21:28
  • TrustedInstaller is the owner - and I think it needs to be the owner. You should be aware that messing around with access rights could prevent Windows Updates from installing properly. – Andreas Rehm Aug 27 '10 at 21:29
  • Correct, I am aware of this. I will try to use process monitor in hopes of digging deeper. – Woot4Moo Aug 27 '10 at 21:34
  • I would upvote if I had the necessary rep :) – Woot4Moo Aug 27 '10 at 21:35
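
An added example, not part of the original thread: a read-only PowerShell check for the situation discussed above, where a user entry on cmd.exe works but a group entry does not. It lists the file's ACL and tests whether the group's SID is actually in the current logon token; the name `myGroup` comes from the question, and treating it as a local group on this machine is an assumption.

```powershell
# Added example: diagnose why a group ACE on cmd.exe does not take effect.
# Read-only; it changes no permissions. 'myGroup' is the name used in the question.
param(
    [string]$Path  = "$env:SystemRoot\System32\cmd.exe",
    [string]$Group = "$env:COMPUTERNAME\myGroup"   # assumption: local group, non-AD machine
)

$acl = Get-Acl -LiteralPath $Path
"Owner: $($acl.Owner)"

# Resolve the group name to a SID so comparisons do not depend on name formatting.
$groupSid = ([System.Security.Principal.NTAccount]$Group).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Explicit and inherited ACEs, with every identity returned as a SID.
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$rules | Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize

$rx = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$allow = $rules | Where-Object {
    $_.IdentityReference.Value -eq $groupSid -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $rx) -eq $rx
}
$deny = $rules | Where-Object {
    $_.IdentityReference.Value -eq $groupSid -and $_.AccessControlType -eq 'Deny'
}

# Enabled group SIDs in the current logon token. Membership added after logon
# is not in the token until the user logs off and on again, and deny-only
# groups (such as Administrators in a non-elevated UAC token) are not listed.
$tokenSids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
    ForEach-Object { $_.Value }
$inToken = $tokenSids -contains $groupSid

"Allow Read & Execute ACE for ${Group}: $([bool]$allow)"
"Deny ACE for ${Group}:                 $([bool]$deny)"
"Group SID in current token:           $inToken"
```

If the allow entry is present but the group SID is not in the token, the ACL is not the problem: the session was started before the user was added to the group.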