How to RENAME file in C:\WinNT\System32\.... when not administrator logged in?

We've learned of a DLL, not critical to Windows (used by some obscure redirector for WinSock that we
know we do not require at our institution), that needs to be renamed so it cannot be used.   The file sits in
a subdirectory of C:\WinNT\System32\...     and is thus protected from prying non-Administrative user hands.

Unfortunately we have 700+ workstations deployed statewide and it's not practical to log into every one of
them remotely as Administrator to rename this file.  We need to have the actual user of the workstation,
who is VERY SELDOM granted administrative rights, run something that will rename that file.  Note an administrative user HAS been defined for each workstation (although there are a finite, but non-trivial, collection of names/password pairs for this user, depending on the make/model/phase of moon).

The workstations in question are Win2K, but they're not connected to an AD type hub yet.  Instead, it's an old NT-style domain.  So the suddenly discovered Run-As service was just as quickly discarded.

Are there any tools available for Win2K that could do this?  
Asked by jlw011597
 
Wouter BoevinkMasterCommented:
I believe in the nt resource kit there is something like su.exe for running commands as super user. It's almost the same as the run-as service.
 
jlw011597Author Commented:
Well, we HAVE access to a WinNT Resource Kit, just not at the moment.  While we try to find the right locksmith to get us access to it, tell me more about this SU.EXE
program...  Is it something that would run on a Win2K box without our having to put it there, such that we could run it from, say, a Netware login script as the user makes a
network connection?
 
Wouter BoevinkMasterCommented:
http://www.swynk.com/trent/Articles/SUReadme.asp

Extract from the above page

The above privileges are no longer required when using SU. In order to support this, the user
must install a new service based component used by SU. The service component is encapsulated in
the executable suss.exe, and this is installed by issuing the following command line at a Windows NT
command prompt (cmd.exe):
suss.exe -install

I don't think this is a solution.

Are you running netware?
jlw011597Author Commented:
Not without having somebody do an ADMINistrative login already, and if that happens
then we could delete the file ourselves during that procedure.  

Yes, running NW.  No, don't have ZENWorks.  Wish we'd taken the time years ago to
do so, it would solve oh-so-many problems.
 
SysExpertCommented:
I would use the elevated privileges option.
This may be usable as is, or you might need to create a small install package that does nothing but delete the file.

I hope this helps !
--------------------------------------------------------


Allow users to always install with System privileges. Administrator priv

 Windows 2000 has an Always install with elevated privileges Group Policy, that directs Windows Installer to always use System permissions when installing a program.

 I quote the Resource Kit:

 This policy extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned
 to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add/Remove Programs
 in Control Panel. This policy lets users install programs which require access to directories that the user might not have permission to
 view or change, including directories on highly restricted computers.

 Skilled users can take advantage of the permissions this entry grants to change their permissions and gain permanent access to
 restricted files and folders. Note that the User Configuration version of this entry is not guaranteed to be secure.

 This policy can be implemented at Computer Configuration\Administrative Templates\Windows Components\Windows
 Installer or User Configuration\Administrative Templates\Windows Components\Windows Installer.

 When enabled, Windows Installer defaults to using System privileges for the affected users' or computers' install.

 When I enabled the policy in Computer Configuration, it did an Add Value name AlwaysInstallElevated, as a
 REG_DWORD data type, and set the data value to 1, at the following keys:

 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer

 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows\Installer

 HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows\Installer
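The Resource Kit text quoted above warns that this policy lets skilled users gain permanent access to restricted files. The following is an added example, not code from the thread or from any of its participants: a PowerShell audit that reports whether "Always install with elevated privileges" is effective on the local host, plus a remediation function. It assumes a modern Windows host with PowerShell (which did not exist on Win2K); the registry locations are the documented policy values. Windows Installer honours the policy only when both the machine-side and the user-side value are 1, and the effective user-side key is HKCU\Software\Policies\Microsoft\Windows\Installer; the "Group Policy Objects\LocalMachine" keys listed in the comment are the local GPO's own storage, not what msiexec reads.

```powershell
# Added example (not from the original thread): audit and remediate the
# AlwaysInstallElevated policy. When BOTH the machine and the user value are 1,
# any user can run an .msi whose custom actions execute as LocalSystem, which is
# the privilege-escalation hole the Resource Kit warns about.

$script:InstallerPolicyPaths = @{
    Machine = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    User    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
}

function Get-AlwaysInstallElevatedState {
    [CmdletBinding()]
    param()

    $state = [ordered]@{}
    foreach ($scope in @('Machine', 'User')) {
        $path  = $script:InstallerPolicyPaths[$scope]
        $value = $null
        if (Test-Path -LiteralPath $path) {
            # Missing value -> $null, which compares as "not 1" below.
            $value = (Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue).AlwaysInstallElevated
        }
        $state[$scope] = ($value -eq 1)
    }

    [pscustomobject]@{
        MachineEnabled = $state['Machine']
        UserEnabled    = $state['User']
        # msiexec only elevates when both halves are set.
        Exploitable    = ($state['Machine'] -and $state['User'])
    }
}

function Disable-AlwaysInstallElevated {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    foreach ($scope in @('Machine', 'User')) {
        $path = $script:InstallerPolicyPaths[$scope]
        if (-not (Test-Path -LiteralPath $path)) { continue }
        if ($PSCmdlet.ShouldProcess($path, 'Set AlwaysInstallElevated = 0')) {
            Set-ItemProperty -LiteralPath $path -Name 'AlwaysInstallElevated' -Value 0 -Type DWord
        }
    }
}

# Usage:
#   Get-AlwaysInstallElevatedState
#   Disable-AlwaysInstallElevated -WhatIf   # dry run, then without -WhatIf
```

If the value is delivered by a domain Group Policy, a local registry edit is undone at the next policy refresh; the fix then belongs in the GPO (Computer Configuration and User Configuration, Windows Components\Windows Installer), and the audit above is what you run afterwards to confirm the host no longer reports Exploitable = True.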
 
jlw011597Author Commented:
SysExpert:

If the WinNT domain that these Win2K workstations are beholden to doesn't already
allow this policy, can it be made without needing to physically visit each Win2K box
to grant/install this?

If we have to visit every box anyway, it defeats the purpose, we could do the rename
ourselves manually.  

If it requires Win2K server for the Win2K workstations to be beholden to, that ain't gonna happen in the timeframe before we'd be visiting every workstation physically
anyway (3-4 months total).

Need something we can effect this on from the WinNT domain controller (?) or from
a Netware Login Script (which of course runs under the unprivileged user's ID).
 
jhanceCommented:
Unfortunately, anything you do presents a security risk.

You can deploy some application via the server logon script but it needs to use some form of LogonUser or otherwise gain access to administrator level privileges.  The only way to do that is to supply the username/password to the LogonUser call and that means either giving the user the admin pw or embedding it into the logon script application.  Either is risky.

The best solution would be a service that you could connect to from the server and effect changes to the system remotely.  Too bad this wasn't considered up front in the network design stage.  Perhaps now would be a good time to consider implementing such a scheme since it likely that a similar problem may come up again.

I guess if this were my problem, I'd write an application that does what you want and logs in using LogonUser to a privileged account.
 
jlw011597Author Commented:
Agreed, too bad it wasn't considered in advance.  That's what we get having the
workstation folks being Windows-centric and supported by one organization, while the file/print services being Netware and supported by a different organization.  Me, I'm
in the NW camp, and am frustrated that I've never been allowed to try to resolve their
problem using the NW tools that would do it.  They're frustrated by the logistics of having 21 campuses state-wide with NO knowledgeable personnel on site there, and a 3-month deployment window once a year when they can arrange the road trips necessary to get their deployments done.  They lock an image down, ship it to the hardware vendor, vendor drop-ships hardware state-wide, they drive around for 3 months and install it, then use Proxy software to fix one machine at a time for the next 9 months until they do it all again.

What is LogonUser?  A standalone program, or a system service to call from a
program written for Win2K?  I'm a programmer as well as a network admin, but I don't program in Windows environments -- OpenVMS is where I do my coding.
 
 
jhanceCommented:
There are several Windows API calls which permit a "logon" or its equivalent from an application.  LogonUser() coupled with CreateProcessAsUser() can get you a process running as a privileged user.  But you may have some issues with how things are currently setup.

What security context does the NW logon script run in?

What about remote access via administrative shares on the workstations?

How do you deploy new software?  Is that method an option?

 
jlw011597Author Commented:
Security Context of the NW login is of course the context of the user logging in.  So
unless that user is Administrator (which requires us to visit or proxy one-by-one to
each workstation) the NW login script will not have sufficient rights to delete or rename
the file.

Remote Access via administrative shares on the workstation?  When I last looked at
these workstations, they had deliberately disabled administrative shares.  At least
it looked that way...   I'll ask the folks who own the boxes.

They deploy new software by visiting each workstation once a year with a CD
containing a new image, or in many cases by having the hardware vendor place
their image on the machine and having it drop shipped to the remote site.  This is
done when the machine onsite already is being aged out.  Said machine usually
goes to an underling whose own machine is passed down another level and finally
salvaged out.  Old machines being passed down are reimaged from CD while new
machines imaged at the factory are installed, both by the roving technician teams which visit each of the 21 campuses once a year.  In fact that method is somewhat
of an option, since the new images have a newer version of the NW client that does
not have this problem DLL, but that deployment takes 3-4 months, and we need to
get this DLL renamed faster than that, hence our search for ideas here.
 
GUEENCommented:
Have you considered unregistering the .dll prior to attempting to delete it?
REGSVR32 /U your.DLL
then rename it from a dos window?
 
jlw011597Author Commented:
shekerra:

No, we haven't, and here's why:

We need something that can be run non-interactively from, preferably, a NW login script or, perhaps, from a .BAT file that's ALREADY being run from the Startup group in
Windows.   And it's got to be able to be run from any user context.  Something that's interactive or requires an Administrator login is going to require a hands-on or, possibly, a proxy visit to each and every workstation, and that takes more time than we
can tolerate.

Your suggestion certainly doesn't sound like something that could be done by a
non-Administrator.
 
Asta CuCommented:
jlw is awaiting Expert feedback here.
Asta
 
GUEENCommented:
I'm still not clear on this particular .dll file
What is it used for and why is it there (from an old image?)
 
jlw011597Author Commented:
The particular DLL is part of an obsoleted Netware Client.  It lived in C:\WINNT\SYSTEM32\NETWARE\ and, as such, was well protected from users'
meddling hands.

It's used by the Netware Client for redirecting of WINSOCK calls to an NDS server (normally
bounces right back, since the service being requested seldom exists there).  Under certain
circumstances [still waiting for an explanation of these], this DLL decides that it will NOT bounce
back to its caller, and instead sits in a tight loop pounding at all available NDS servers requesting
data which does not exist there, and won't take any of the responses (No such data here, bozo)
for veracity, just asking again.  Floods the network with irrelevant tripe in the process.

Yes, it's from an old image, but because of deployment choices made by the owners of the
boxes, upgrading that image requires physically visiting the machines with somebody knowledgeable of the procedures AND the authentications of a Win2K administrator.  State-wide.
Long and time-consuming, hence our desire to find some way to effect a non-interactive backdoor way to disable the .DLL until such time as the scheduled re-imaging could take place.
 
SysExpertCommented:
Because of the way win2k protects "critical" Dlls, this is going to be a real problem.
You would need to rename it both in the Main directory and in the DLL cache.

In addition, yes you should be able to deploy  elevated privileges remotely, as shown in my previous comment.

I hope this helps !
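The comment above makes the practical point that a DLL covered by Windows File Protection has a second copy in the dllcache directory from which the original is silently restored, so both copies have to go. The following is an added example, not code from the thread or any of its participants, that locates both copies and renames them in one reversible step. It assumes a modern Windows host with PowerShell and administrative rights (the thread's actual problem, doing this as an unprivileged user, is not solved by it); the thread names only the directory C:\WINNT\SYSTEM32\NETWARE\, so the file name in the usage line is a placeholder. Whether this particular third-party DLL is on the WFP list is not established anywhere in the thread; the first function simply reports whether a dllcache copy exists.

```powershell
# Added example (not from the original thread): find every copy of a DLL that
# Windows File Protection could restore from, then rename all of them so the
# DLL can no longer be loaded by its file name. Run elevated.

function Get-DllCopies {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $name     = Split-Path -Leaf $Path
    $dllcache = Join-Path (Join-Path $env:SystemRoot 'System32') 'dllcache'

    # The original location plus the WFP restore source. dllcache is flat, so the
    # cached copy (if any) is looked up by file name only.
    foreach ($candidate in @($Path, (Join-Path $dllcache $name))) {
        [pscustomobject]@{
            Path   = $candidate
            Exists = (Test-Path -LiteralPath $candidate -PathType Leaf)
        }
    }
}

function Rename-DllCopies {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Suffix = '.disabled'
    )

    $renamed = @()
    foreach ($copy in Get-DllCopies -Path $Path) {
        if (-not $copy.Exists) { continue }
        $newName = (Split-Path -Leaf $copy.Path) + $Suffix
        if ($PSCmdlet.ShouldProcess($copy.Path, "Rename to $newName")) {
            # Rename rather than delete: it is reversible, and on NTFS a DLL that is
            # currently mapped into a process can be renamed even though it cannot
            # be deleted or overwritten until every process releases it.
            Rename-Item -LiteralPath $copy.Path -NewName $newName -ErrorAction Stop
            $renamed += (Join-Path (Split-Path -Parent $copy.Path) $newName)
        }
    }
    $renamed
}

# Usage (placeholder file name; the thread does not give the DLL's name):
#   Get-DllCopies    -Path "$env:SystemRoot\System32\NETWARE\example.dll"
#   Rename-DllCopies -Path "$env:SystemRoot\System32\NETWARE\example.dll" -WhatIf
#   Rename-DllCopies -Path "$env:SystemRoot\System32\NETWARE\example.dll"
```

Run the -WhatIf form first to see exactly which paths would change. If the DLL is on the WFP list, renaming the System32 copy alone triggers a restore from dllcache within seconds, which is why both copies are handled in the same call; if only the first path reports Exists = True, WFP is not holding a spare and the single rename is enough.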
 
jlw011597Author Commented:
I'm going to accept this answer because, simply, we haven't been able to verify it but it seems to be referenced as the final response we've received.

At this point the issue is no longer an issue so I'm trying to
close off anything I've got pending escrow points for.

Sorry we can't validate/verify this answer locally.  We'll come back to it eventually when the powers-that-be decide it's
critical enough to have to have been done yesterday, again.