?
Solved

Restricting AT from the command prompt

Posted on 2006-06-07
7
Medium Priority
?
365 Views
Last Modified: 2013-12-04
There is an interesting quirk in windows that allows a user who has administrative rights to schedule a command prompt to start using the “at” command without requiring a username or password, unlike the task scheduler GUI.  The problem with this is that the new command window runs as “system” and thus gives it system/administrative rights.  Having a command window with admin rights is very hazardous and I would like to remove that risk.  
The risk itself is not that great because:
     1.      The task scheduler requires user name and password for the process to run under so only the “at” command can be used and it’s not common knowledge (a quick google search will tell you how though).  
     2.      Admin rights are given to a small percentage of the employees within our organization, but enough to not be able to manually police them.
I would like to remove this risk anyways.  
My question is how can I remove that functionality, or at least restrict it from the command prompt?  I don’t want to get rid of the command prompt and policing individuals separately is not an option due to lack of resources.  Any ideas would be great.  Thanks.
0
Comment
Question by:oscarfg
  • 2
  • 2
  • 2
  • +1
7 Comments
 
LVL 32

Expert Comment

by:r-k
ID: 16855800
Not foolproof, but you could (a) change permissions on the AT.exe file in the system32 folder so users can't access it and/or (b) disable the scheduler service.
0
 

Author Comment

by:oscarfg
ID: 16855953
Can this be done through Active Directory, such as creating a policy that restricts the start of the scheduler?  
0
 
LVL 32

Expert Comment

by:r-k
ID: 16856601
Sorry I don't have a quick answer for that. Hopefully someone else reading this thread will.
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
LVL 38

Accepted Solution

by:
Rich Rumble earned 600 total points
ID: 16863699
http://support.microsoft.com/?kbid=310208   http://www.google.com/search?hl=en&lr=&q=site%3Amicrosoft.com+scheduled+task+%22group+policy%22&btnG=Search
As you've indicated, AT.exe and other Task Schedules need admin rights. There are several ways to schedule a task, the AT.exe, schtasks.exe, and 3rd party apps... there is also the wizard in the control panel. You can remove the AT.exe and others or change the perm's, but the GP above will likely suit your needs and can be set to a group or indiviuals.
-rich
0
 
LVL 13

Assisted Solution

by:hstiles
hstiles earned 400 total points
ID: 16884052
You could also create a software restriction policy using Group Policy editor and deny access to at.exe.  However, this also isn;t foolproof.  Someone could introduce a renamed copy of at.exe to a machine and use that.

The best approach would therefore be a mixture of disabling the task scheduler service unless explicitly required, restricting users ability to create or modify scheduled tasks and preventing access to at.exe
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 16886679
The M$ KB article I linked to above takes care of 3rd parties apps to use the M$ scheduler API as well as any built-in mechanisims.
-rich
0
 

Author Comment

by:oscarfg
ID: 17131963
sorry for the delay gents, was on a bit of a vacation.
Split the points because both posts help me further my answer.  
Thanks.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
Planning to migrate your EDB file(s) to a new or an existing Outlook PST file? This video will guide you how to convert EDB file(s) to PST. Besides this, it also describes, how one can easily search any item(s) from multiple folders or mailboxes…
SQL Database Recovery Software repairs the MDF & NDF Files, corrupted due to hardware related issues or software related errors. Provides preview of recovered database objects and allows saving in either MSSQL, CSV, HTML or XLS format. Ensures recov…
Suggested Courses

621 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question