Immunity to PSTOOLS

Hey there,

I'm sure everyone is familiar with PsTools. Well, at my workplace all our computers are connected through a LAN, obviously, firewalls are not in use internally, and there is no port security.

Some co-workers like to mess around and shut down/log off/kill processes on other co-workers' computers without their knowledge. I was wondering, aside from unplugging my Ethernet cable, are there any other ways to make myself immune to these foolish pranks? Currently I have a script running over and over spamming shutdown -a, but that only works sometimes. It does not prevent someone from using pskill on cmd.exe and then proceeding with the shutdown.

Are there any specific ports that PsTools uses that I can add to the firewall settings, since I now know how to enable it?

Please help! I will really appreciate it!
You need to install a software-based firewall, as Windows XP is not capable of doing such kinds of activities. The free software-based firewalls are ZoneAlarm, Comodo, WatchGuard, etc. Using such a firewall you can protect against such kinds of unwanted activities.
steve07x (Author) commented:
Well, since I can't do that, are there any cmd commands to abort logoff/lock?
Lee W, MVP (Technology and Business Process Advisor) commented:
The only one you MAY be able to abort is the shutdown - using shutdown - see shutdown -?

As for stopping people... It sounds like security is not at all a concern in your company.  Users should not have rights PERIOD to do that.  Is everyone a domain admin?  Or is the domain users group in the local admin group of the machine?  NEITHER should be the case, but they should only be able to log you out or shut you down IF they are.  I would change that... but if they insist on allowing everyone everything... it may take a massive virus infection and a smart IT person to realize how it could have been prevented before these things change.
steve07x (Author) commented:
It is almost what you described. Security is not a concern; everyone is a domain admin and local admin. At the moment I have a batch file that I run to prevent the shutdown, but it does not stop logoffs, shutdowns or process kills.

:start
rem abort any pending shutdown, then jump back to the label and repeat
shutdown -a
goto start
Lee W, MVP (Technology and Business Process Advisor) commented:
As I stated
> it may take a massive virus infection and a smart IT person to realize
> how it could have been prevented before these things change.

Security isn't just about data theft.

If you can't make changes to your system's settings, then you're at the mercy of your co-workers.

You can always be working on something very important when they log you off and lose all that work... then tell your boss how they just caused you to lose hours worth of work.

steve07x (Author) commented:
I like the second option better! ^^
Hi, one way to stop them from running the tools appears to be to create a dummy file within the %systemroot% directory with no read or write access, as described here.
steve07x (Author) commented:
Can you please explain your answer? I still don't understand xD!
The following is taken directly from here

Basically, the programs are run by copying to your admin share, which is admin$, and then running. If you create a dummy file with the name of the file that gets copied over, and set it so that it can only be written by your account and you have ownership over it, I believe it should stop the tools from working. The other option is, if you do not share stuff across the network or use network shares, you could turn off "File and Printer Sharing".

admin$ links to %systemroot%, which generally is c:\windows. The link I posted in the last comment says that the shutdown file is %systemroot%\PSSDNSVC.EXE.

In the first link I gave you they mention file image redirection, but unfortunately I do not know anything about this.

How Do the Tools Work?
The tools all generally work in the same manner. On the host system, you launch the desired PsTool. Though many can be run locally, you'll find that these tools typically provide their utmost utility when run against a remote system or several systems at once. (PsExec is a specific exception that comes to mind, as you will see in my example below.) Using the command-line argument you provide, the utility copies itself to the remote system's administrative share, which is the same as %SystemRoot% (Windows directory) on the remote system.
Once copied into the remote directory, the application launches itself and installs a Windows service. This Windows service performs the task you requested, using the credentials you provided at launch time. If an end-user UI on the client system is required by the specific tool, this service then launches an additional binary in the user's context. (Remember that services can't throw direct interactive UIs.) The service communicates any necessary information back to the console that launched it. And finally, the service uninstalls itself.
As you can see, the tools are powerful and self-contained. Though they involve multiple binaries and multiple processes, you as a user don't have to worry about it; you simply run the desired tool and it works.
In order to use the tools, you must have the following prerequisites: either Windows NT®, Windows 2000, Windows XP, or Windows Server® 2003 (x86 or x64 versions of Windows are supported, but Itanium versions are not); the default administrative network share enabled on the remote system you are running the tools on (admin$); and the ports for File and Printer Sharing opened on the remote system (whether you are using Windows Firewall, Internet Connection Firewall, or another firewall product).

This may not work, but it would be worth a try.
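A PowerShell script, added here as an example and not code from the thread or from Sysinternals, that carries out the placeholder-file idea in the answer above: it pre-creates the named file in %SystemRoot% (the admin$ share) and replaces its ACL so only the current account can write or delete it, then reports who can still write to it. PSSDNSVC.EXE is the name given above; PSEXESVC.EXE is assumed here as the corresponding service file that PsExec drops.

```powershell
# Added example (not from the thread): occupy the file names the PsTools service
# binaries are copied to under admin$ (= %SystemRoot%) so the remote copy cannot
# overwrite them. PSSDNSVC.EXE is from the thread; PSEXESVC.EXE is assumed.
# Run from an elevated PowerShell prompt on the machine you want to protect.
$names = @('PSSDNSVC.EXE', 'PSEXESVC.EXE')
$me    = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

function Protect-Placeholder([string]$Path, [string]$Owner) {
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -Path $Path -ItemType File -Force | Out-Null   # zero-byte dummy file
    }
    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting the Windows directory's ACEs and drop the explicit ones, so the
    # only rule left is a FullControl grant for our own account.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    $allow = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Owner, 'FullControl', 'Allow'
    $acl.AddAccessRule($allow)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-Placeholder([string]$Path) {
    # List every Allow ACE that still carries a write right. Anything besides our own
    # account means the copy made under the prankster's credentials could still succeed.
    $acl = Get-Acl -LiteralPath $Path
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write)
    } | Select-Object IdentityReference, FileSystemRights
}

foreach ($n in $names) {
    $p = Join-Path $env:SystemRoot $n
    Protect-Placeholder -Path $p -Owner $me
    "$p is writable by:"
    Test-Placeholder -Path $p | Format-Table -AutoSize
}
# Caveat: anyone who is a local administrator (everyone, in this thread) can take
# ownership of the file and reset this ACL, so this only breaks the tools' default
# behaviour. The durable fix is removing those admin rights, as Lee W said above.
```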