I have found that users can compromise various Windows versions by accessing commands that can be used to turn off and/or run programs that an administrator does not want executed. Therefore, I will provide details on how to block access to these programs before they can be used to compromise Windows security.
- cmd.exe – The DOS prompt that can be used to run batch files as well as various Windows commands through the command line. This should be blocked to prevent users from running commands that can compromise Windows security.
- taskmgr.exe – Pressing CTRL-ALT-DEL brings up the option to end running tasks in Task Manager. Blocking this file means users cannot open the Task Manager window at all. Unfortunately, Task Manager is often used as a last-resort way to shut down a computer, so blocking it may not be a good option.
- regedit.exe – This should be blocked by Windows by default. In any case, blocking it will prevent a user from wreaking havoc in the Windows Registry if Windows has not already blocked it.
- msconfig.exe – As an added security measure, blocking users from changing what does and does not run during Windows start-up is highly recommended.
All of these programs can be found in the Windows directory. In some cases, multiple copies can be found in the system, system32 and sysWOW64 folders.
In order to block these files from being accessed, you will have to:
- Take ownership of these files by right-clicking on each file and clicking on the Properties menu item. A properties box with several tabs will open.
NOTE: When Windows is installed for the first time, the owner of these files is set to TrustedInstaller. Unfortunately, TrustedInstaller is Windows itself. Therefore, Windows is the only account that can add, delete or modify any of these files.
It would be nice to add yourself, as well as other trusted individuals, to a group that can make system-wide changes, but there are serious security consequences in doing so. In any case, for those wanting to try to add themselves to the TrustedInstaller group, http://social.technet.microsoft.com/Forums/en/w7itprosecurity/thread/babe4ace-36cc-4d13-8826-c0070045e46a may help.
- Click on the Security tab.
- Click on the Advanced button.
- Click on the Owner tab.
- Click on the Edit… button.
- Change the owner from TrustedInstaller to you by clicking on your name so that it is highlighted. Then click the Apply button.
- Click the OK button to close the window. Click OK until you are back at the Security tab from the earlier step.
- Click Edit…, select Users in the list so that it is highlighted, and click the Remove button.
- Click Add… and type your name under "Enter the object names to select". Click Check Names to verify that your name has been found; if it was, it is replaced by the name of the computer followed by your name.
- Click OK when you are satisfied.
- Your name will be on the list with a set of default allows.
- Click OK until all the windows have been closed.
- Test that you can run the command while all other users, new and old, cannot access the file. If the above steps have been done correctly, only you will be able to run the file.
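The same procedure, scripted with takeown and icacls from an elevated PowerShell session so it can be applied to every copy of each binary at once. This is an added example, not part of the original post; it assumes you are a local administrator, and the $Targets list and $BackupDir path are placeholders to adjust.

```powershell
# Added example (not from the original post): take ownership of the listed
# binaries, drop the Users entry and grant only the current account read+execute,
# mirroring the manual steps above. Assumes an elevated session on a local admin
# account; $Targets and $BackupDir are placeholders.
$Targets   = 'cmd.exe', 'taskmgr.exe', 'regedit.exe', 'msconfig.exe'
$Folders   = "$env:WINDIR", "$env:WINDIR\System32", "$env:WINDIR\SysWOW64"
$BackupDir = 'C:\AclBackup'               # placeholder: where original DACLs are saved
$Me        = "$env:USERDOMAIN\$env:USERNAME"

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($name in $Targets) {
    foreach ($dir in $Folders) {
        $path = Join-Path $dir $name
        if (-not (Test-Path -LiteralPath $path)) { continue }   # no copy in this folder

        # 1. Save the current DACL first so the change can be undone later with
        #    "icacls <folder> /restore <aclfile>" if a logon script or installer
        #    turns out to need cmd.exe in the user's context.
        $aclFile = Join-Path $BackupDir ("{0}.{1}.acl" -f $name, ($dir -replace '[:\\]', '_'))
        icacls $path /save $aclFile | Out-Null

        # 2. Take ownership away from TrustedInstaller (the Owner tab steps above).
        takeown /F $path | Out-Null

        # 3. Remove the Users group's entry and grant yourself read+execute only.
        #    SYSTEM, Administrators and TrustedInstaller entries are left untouched
        #    so Windows itself can still service the file.
        icacls $path /remove:g 'Users' /grant "${Me}:(RX)" | Out-Null

        # 4. Verify: no access entry for Users may remain on the file.
        $left = (Get-Acl -LiteralPath $path).Access |
                Where-Object { $_.IdentityReference -like '*\Users' }
        if ($left) { Write-Warning "$path still grants access to Users" }
        else       { Write-Host "$path : Users removed, $Me granted RX" }
    }
}
```

Windows Update can replace these binaries with new versions carrying the default permissions, so re-run the verification step after updates.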
The above steps can be used to block access to specific files. Fortunately, for most, if not all, files outside the Windows directory the owner does not have to be changed, since you are the one who installed the program.
With Windows Professional and above, these steps are simplified. For users of Windows editions below Professional, taking the long way around may be the only option.