Immunity to PSTOOLS

Hey there,

I'm sure everyone is familiar with PsTools. Well, at my workplace all our comps are connected through a LAN, obviously, firewalls are not in use internally, and there is no port security.

Some co-workers like to mess around and shut down/log off/kill processes on other co-workers' computers without their knowledge. I was wondering, aside from unplugging my ethernet cable... are there any other ways to make myself immune to these foolish pranks? Currently I have a script running over and over spamming shutdown -a, but that only works sometimes. It does not prevent someone from using pskill on cmd.exe and then proceeding with the shutdown.

Are there any specific ports that PsTools use that I can add to the firewall settings, since I now know how to enable it?

Please help! I will really appreciate it!
steve07x Asked:
Lee W, MVP, Technology and Business Process Advisor, Commented:
As I stated
> it may take a massive virus infection and a smart IT person to realize
> how it could have been prevented before these things change.

Security isn't just about data theft.

If you can't make changes to your system's settings, then you're at the mercy of your co-workers.

You can always be working on something very important when they log you off and lose all that work... then tell your boss how they just caused you to lose hours worth of work.
shaileshtaral Commented:
You need to install a software-based firewall, as Windows XP is not capable of doing such kinds of activities. The free software-based firewalls are ZoneAlarm, Comodo, WatchGuard, etc. Using this firewall you can protect against such kinds of unwanted activities.
steve07x (Author) Commented:
Well, since I can't do that, are there any cmd commands to abort logoff/lock?
Lee W, MVP, Technology and Business Process Advisor, Commented:
The only one you MAY be able to abort is the shutdown, using shutdown; see shutdown -?

As for stopping people... It sounds like security is not at all a concern in your company. Users should not have rights PERIOD to do that. Is everyone a domain admin? Or is the domain users group in the local admin group of the machine? NEITHER should be the case, but they should only be able to log you out or shut you down IF they are. I would change that... but if they insist on allowing everyone everything... it may take a massive virus infection and a smart IT person to realize how it could have been prevented before these things change.
steve07x (Author) Commented:
It is almost what you described. Security is not a concern; everyone is a domain admin and local admin. At the moment, I have a batch file that I run to prevent the shutdown, but... it does not stop logoff, shutdowns, or process kills.

@echo off
rem Re-issue the abort in a tight loop so any pending shutdown is cancelled; Ctrl+C to stop
:start
shutdown -a
goto start
steve07x (Author) Commented:
I like the second option better! ^^
Onity Commented:
Hi, one way to stop them from running the tools appears to be to create a dummy file within the %systemroot% directory with no read or write access, as described here: http://forum.sysinternals.com/topic16586.html
steve07x (Author) Commented:
Can you please explain your answer? I still don't understand xD!
Onity Commented:
The following is taken directly from here: http://technet.microsoft.com/en-gb/magazine/2007.03.desktopfiles.aspx

Basically the programs are run by copying to your admin share, which is admin$, and then running. If you create a dummy file with the name of the file that gets copied over and set it so that it can only be written by your account, and you have ownership over it, I believe it should stop the tools from working. The other option is, if you do not share stuff across the network or use network shares, you could turn off "file and printer sharing".

admin$ links to %systemroot%, which generally is c:\windows. The link I posted in the last comment says that the shutdown file is %systemroot%\PSSDNSVC.EXE

In the first link I gave you they talk about file image redirect, but I do not know anything about this unfortunately.

How Do the Tools Work?
The tools all generally work in the same manner. On the host system, you launch the desired PsTool. Though many can be run locally, you'll find that these tools typically provide their utmost utility when run against a remote system or several systems at once. (PsExec is a specific exception that comes to mind, as you will see in my example below.) Using the command-line argument you provide, the utility copies itself to the remote system's administrative share, which is the same as %SystemRoot% (Windows directory) on the remote system.
Once copied into the remote directory, the application launches itself and installs a Windows service. This Windows service performs the task you requested, using the credentials you provided at launch time. If an end-user UI on the client system is required by the specific tool, this service then launches an additional binary in the user's context. (Remember that services can't throw direct interactive UIs.) The service communicates any necessary information back to the console that launched it. And finally, the service uninstalls itself.
As you can see, the tools are powerful and self-contained. Though they involve multiple binaries and multiple processes, you as a user don't have to worry about it; you simply run the desired tool and it works.
In order to use the tools, you must have the following prerequisites: either Windows NT®, Windows 2000, Windows XP, or Windows Server® 2003 (x86 or x64 versions of Windows are supported, but Itanium versions are not); the default administrative network share enabled on the remote system you are running the tools on (admin$); and the ports for File and Printer Sharing opened on the remote system (whether you are using Windows Firewall, Internet Connection Firewall, or another firewall product).


This may not work, but it would be worth a try.
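An added audit script, not code from this thread or from Sysinternals, that checks one workstation against the three prerequisites the TechNet excerpt lists (the admin$ share, File and Printer Sharing open in Windows Firewall, and who sits in the local Administrators group, which is Lee W's point) and reports whether Onity's placeholder file is in place and who can write to it. It assumes Windows PowerShell 3 or later run elevated (Get-NetFirewallRule needs Windows 8 / Server 2012 or newer), and uses PSSDNSVC.EXE only because that is the file name the thread cites.

```powershell
# Added example (not from the thread): audit the conditions PsTools-style remote
# execution relies on, plus the placeholder-file mitigation discussed above.
# Assumes Windows PowerShell 3+, elevated; PSSDNSVC.EXE is the name the thread cites.

$findings = @()

# 1. Default administrative share: the tools copy their service binary here.
$share = Get-CimInstance -ClassName Win32_Share -Filter 'Name="ADMIN$"'
if ($share) { $findings += "ADMIN$ share is present, mapped to $($share.Path)" }
else        { $findings += "ADMIN$ share is not present" }

# 2. Local Administrators group: parse 'net localgroup' so this works on old builds too.
$members = net localgroup Administrators |
    Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command completed)' }
$findings += "Local Administrators: $($members -join ', ')"
# Domain Users or Everyone in this group is the situation Lee W describes.
$broad = $members | Where-Object { $_ -match '\\Domain Users$' -or $_ -eq 'Everyone' }
if ($broad) { $findings += "WARNING: broad group(s) in local Administrators: $($broad -join ', ')" }

# 3. Inbound File and Printer Sharing rules (the SMB access the tools need) enabled in the firewall.
$fps = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
$findings += "Enabled inbound File and Printer Sharing rules: $(@($fps).Count)"

# 4. Onity's mitigation: a file already named like the service binary in %SystemRoot%,
#    owned by you and not writable by others, so the remote copy fails.
$dummy = Join-Path $env:SystemRoot 'PSSDNSVC.EXE'
if (Test-Path $dummy) {
    $acl = Get-Acl $dummy
    $writers = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.FileSystemRights -match 'Write|Modify|FullControl' } |
        ForEach-Object { $_.IdentityReference.Value }
    $findings += "Placeholder $dummy exists; owner $($acl.Owner); write allowed for: $($writers -join ', ')"
} else {
    $findings += "No placeholder at $dummy"
}

$findings | ForEach-Object { Write-Output $_ }
```

Anyone who is already a local administrator can take ownership of the placeholder and remove it, so the file is only a speed bump; the group-membership line is the finding that actually matters.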