oscarfg
asked on
Restricting AT from the command prompt
There is an interesting quirk in Windows that allows a user who has administrative rights to schedule a command prompt to start using the “at” command without requiring a username or password, unlike the task scheduler GUI. The problem with this is that the new command window runs as “system” and thus gives it system/administrative rights. Having a command window with admin rights is very hazardous and I would like to remove that risk.
The risk itself is not that great because:
1. The task scheduler requires user name and password for the process to run under so only the “at” command can be used and it’s not common knowledge (a quick Google search will tell you how though).
2. Admin rights are given to a small percentage of the employees within our organization, but enough to not be able to manually police them.
I would like to remove this risk anyways.
My question is how can I remove that functionality, or at least restrict it from the command prompt? I don’t want to get rid of the command prompt and policing individuals separately is not an option due to lack of resources. Any ideas would be great. Thanks.
Not foolproof, but you could (a) change permissions on the AT.exe file in the system32 folder so users can't access it and/or (b) disable the scheduler service.
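To see where a machine stands on the two measures suggested in the answer above, the following read-only audit is an added example, not part of the original thread. It assumes PowerShell 5 or later, that at.exe lives at `%SystemRoot%\System32\at.exe`, and that the scheduler service is registered under the name `Schedule`; the function name `Get-AtExposure` is hypothetical.

```powershell
# Audit only: reports current state and changes nothing.
# Get-AtExposure is a hypothetical helper name, not a built-in cmdlet.
function Get-AtExposure {
    param(
        # Assumed default location of at.exe
        [string]$AtPath = (Join-Path $env:SystemRoot 'System32\at.exe')
    )

    $execute = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
    $result = [ordered]@{
        AtPath            = $AtPath
        AtPresent         = Test-Path -LiteralPath $AtPath
        ExecuteGrantedTo  = @()
        ScheduleStatus    = $null
        ScheduleStartType = $null
    }

    if ($result.AtPresent) {
        # Measure (a): list every principal with an Allow entry that includes execute
        $acl = Get-Acl -LiteralPath $AtPath
        $result.ExecuteGrantedTo = @(
            $acl.Access |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    ($_.FileSystemRights -band $execute)
                } |
                ForEach-Object { $_.IdentityReference.Value }
        )
    }

    # Measure (b): is the scheduler service running, and how is it set to start?
    $svc = Get-Service -Name 'Schedule' -ErrorAction SilentlyContinue
    if ($svc) {
        $result.ScheduleStatus    = $svc.Status
        $result.ScheduleStartType = $svc.StartType
    }

    [pscustomobject]$result
}

Get-AtExposure | Format-List
```

Because the accounts in question hold administrative rights, they can take ownership of the file or re-enable the service, so periodic re-auditing is what makes either measure useful.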
ASKER
Can this be done through Active Directory, such as creating a policy that restricts the start of the scheduler?
Sorry I don't have a quick answer for that. Hopefully someone else reading this thread will.
The M$ KB article I linked to above takes care of 3rd-party apps using the M$ scheduler API as well as any built-in mechanisms.
-rich
ASKER
Sorry for the delay gents, was on a bit of a vacation.
Split the points because both posts help me further my answer.
Thanks.