Posts Tagged ‘windows tips’

Spawning A CMD Prompt From MS Word or Excel

October 15th, 2009

This is an old trick, but I still see a number of Administrators that think they have locked users out of the command prompt by simply removing the icon from the menu and disabling the Start–> Run option. In this post I’ll discuss how to create a command prompt with Visual Basic for Applications (VBA), as well as how to mitigate (although never completely eliminate) the risk of someone achieving access to the prompt.

Creating a command prompt with VBA

This technique will work with any application that supports VBA, but I’m specifically going to use Microsoft Word in my example. Here’s what you need to do:

  1. Launch Microsoft Word
  2. Press “ALT-F11” to launch the VBA editor
  3. Double click “ThisDocument” in the left pane
  4. When the editor window appears, type in the text shown in Figure #1
  5. Press the “F5” key
Figure 1: Our simple VB script

Figure 1: Our simple VB script

You should see a command prompt window appear in your task bar. Here’s a copy of the code you need in step 4 so you can copy/paste:

Sub GetCMD()

Shell “cmd.exe cmd.exe”

End Sub

How to prevent VBA from spawning a command prompt

Execution of the command prompt can be disabled with the Group Policy Editor tool. Here are the steps:

  1. Click Start –> Run
  2. Type in “gpedit.msc” (without the quotes)
  3. Click User Configuration –> Administrative Templates –> System
  4. Search down the list for “Prevent access to the command prompt” and double click it

You have two options available to you:

  • Enable/Disable access to the command prompt
  • Yes/No Disable command prompt scripting process

If you only disable the first option, direct access to cmd.exe is prevented but a smart user can still get to it via a batch file. To prevent script access, need to disable the second option as well. This prevents ALL scripting however and can play havoc in many environments. Also, both of these settings will apply to the Administrator account as well. This can make admin and troubleshooting far more difficult.

Even with both options disabled, a user can still get around these settings by using command.com instead of cmd.exe. To fix this, you need to restrict access to command.com via user permissions. If you are still running some old 16-bit apps, this fix will break them.

All of these steps do not completely solve the problem however. A user who knows what they are doing with debug can simply copy cmd.exe to another location and modify it so a prompt is achieved when using it to run a bogus command. So we also have to delete “debug.exe”.

Even then, a savvy programmer can create an executable to get around all of the above security checks. So we need to remove all ability to copy or write to the drive as well. Needless to say we have a pretty useless computer at that point.

Exec Summary

If someone smart has access to your system, it is doubtful you will be able to prevent him or her from getting to the command line. The Group Policy Editor can most certainly make it more difficult, but the tool simply reduces the risk of attack. You cannot completely eliminate the risk without severely hampering the system’s operation and usefulness.

No comments »

Posted in 4-notice, Windows Security

Tags:

Leveraging the Windows “runas” command

July 28th, 2009

Sometimes we can be our own worst enemy. I’ve written a bit about Malware and how infection rates are through the roof. If you look at the one thing you can do to make a Malware author’s life easier, its logon to your Windows system as an Administrator equivalent.

This problem was solved long ago on UNIX and Linux systems via tools like su and sudo. You used to have an excuse for running Admin equivalent on Windows. Microsoft made it extremely difficult to perform IT functions unless you were a high level account. This problem was resolved years ago with the runas command however, so its time we took control of this potential security hole.

Why is it important to use runas

When you are logged on as an Administrator equivalent, you have full god/goddess rights to the local system, and possibly the whole network. This means that your credentials are capable of doing anything. If a Malware author drops something nasty on your system, they have the same level of access that you do. Administrators used to mitigate this threat by being careful about what they clicked on. Today however Malware can come at you through trusted sites. By running with a lower level of permissions, you can help reduce the magnitude of a Malware attack.

What does runas do for me?

When you execute the runas command, only applications running beneath it have high level permissions. So for example let’s say we leverage runas to launch the User Manager. The User Manager application will have Administrator level privileges but the rest of our system environment will not. If User Manager is open when an attacker delivers nasty Malware via your browser, the Malware will be constrained to the level of access granted by your regular user account because the browser is still running with lower level permissions.

Using runas via the GUI

One of the simplest ways to leverage the runas command is via shortcuts. In my last post I gave a list of common Windows administrator tools. Simply create a shortcut on your desktop for each tool you need to use. When you need to run the tool, right click the icon and select “Run as…” from the pop up menu (it should be the second option). This will produce the window shown in Figure #1. Simply supply the credential for your high level account and the tool will launch as it normally does.

runas

Note that in Figure #1 I’m logging on as Administrator. In an ideal world, each admin will have a dedicated administrator account (like cbrenton-admin or similar). This will make it much easier to create a proper audit trail of changes.

Using runas from the command line

Along with the GUI interface, you can leverage runas from the command line as well. The simplest solution is to place a command prompt shortcut on your desktop and launch it as specified above. If you already have a command prompt session going, you can leverage the runas command directly. The syntax is:

runas /user:<high level account name> <command we wish to run>

If we wish to generate a new command prompt with high permissions, we can do that too. The syntax is:

runas /user:<high level account name> c:\windows\system32\cmd.exe

This will produce output similar to Figure #2. Note that we have simply leveraged runas to spawn a new command prompt session. Now anything run within this new command prompt will be executed with higher permissions.

runas-command-line

Exec Summary

Today there is no excuse for logging into Windows as an administrator equivalent. By leveraging the runas command along with some shortcuts, IT folks can still get the job done while refraining from being their own worst enemy.

No comments »

Posted in 3-err, Windows Security

Tags:

Helpful Shortcuts For The Windows IP Geek

July 25th, 2009

Many of us do testing with our Windows systems which inevitably require us to change firewall settings and IP info. While Windows has given us a pretty GUI for performing these tasks, it can be cumbersome to navigate the menu options. In this post I’ll show you how creating a few icons can help you take better control of this problem.

Dealing with the Windows firewall

One of the common tasks I need to perform is disabling and enabling the Windows firewall. I sometimes need to shut it off for testing, but of course want it turned back on again if I’m connected to a potentially hostile network. This introduces the additional problem that I can never remember if I had it turned on or off the last time the system was booted.

Disabling the Windows firewall

Open up a text editor and create a file named disable-firewall.bat. Type the following line into the file:

netsh firewall set opmode disable

Now save the file and create a desktop shortcut that points to it. Whenever you double click the icon, the Windows firewall will shut down.

Enabling the Windows firewall

Open up a text editor and create a file named enable-firewall.bat. The file will contain only a single line:

netsh firewall set opmode enable

Now save the file and create a desktop shortcut that points to it. Whenever you double click the icon, the Windows firewall will turn on.

Checking the Windows firewall status

Open up a text editor and create a file named fw-status.bat. Type the following three lines into the file:

netsh firewall show state
pause
exit

Now save the file and create two shortcuts pointing to it. One on the desktop and one in your startup group. When your system first boots up, a command prompt will open showing the current state of the Windows firewall. It will then pause on the screen until you press a key. Anytime you need to check the current status, simply double click the shortcut you placed on the desktop.

Dealing with IP settings

If every network used DHCP, dealing with IP would be much easier. When we work in a lab however, we typically have to manually configure IP for communications. Obviously we can use the GUI for this, but its easy to streamline the process with a couple of shortcuts.

Manually setting a wired IP address

For the purpose of this exercise I’ll assume the IP address you want to assign is 192.168.1.10. Change this IP address as needed.
Open up a text editor and create a file named 192-168-1-10.bat. The file will contain only a single line:

netsh interface ip set address local static 192.168.1.10 255.255.255.0

Now save the file and create a desktop shortcut that points to it. When ever you double click the icon, the IP address on your wired interface will be changed.

Adding a default gateway

If there is a default gateway you need to specify, we can do that as well. Assuming the gateway is at 192.168.1.1, we would change the above command to read:

netsh interface ip set address local static 192.168.1.10 255.255.255.0 192.168.1.1 1

Specifying a DNS server

If you need to specify DNS servers, we’ll need to add a few extra lines to the batch file. Let’s build on the last example and assume we have two DNS servers, one at 10.1.1.1 and another at 172.30.1.10. In this case our batch file would contain the following:

netsh interface ip set address local static 192.168.1.10 255.255.255.0 192.168.1.1 1
netsh interface ip set dns local static 10.1.1.1
netsh interface ip set dns local static 172.30.1.10

Reverting back to DHCP

Open up a text editor and create a file named reset-dhcp.bat. The file will contain only a single line:

netsh interface ip set address local dhcp

Now save the file and create a desktop shortcut that points to it. When ever you double click the icon, Windows will look to a local DHCP server for the IP info it will use.

What if I use multiple IP addresses?

The above example works great provided you consistently use the same IP address. What if you need a bit more flexibility to change it on the fly? Luckily we can handle that problem through the use of variables.

Open up a text editor and create a file named varip.bat. The file will contain only a single line:

netsh interface ip set address local static %1 255.255.255.0

Now save the file to a directory in your path statement. The Windows directory itself is usually a good last ditch option. If you don’t know which directories are in your path, simply open a command prompt and type the command “path”. This will produce a semi-colon ( ; ) separated list of all directories in your path. This tip will not work if the file is not saved to a directory in your path statement.
Whenever you need to set your IP address simply click Start–> Run and type in:

varip 192.168.50.25

or what ever IP address you wish to use. If you commonly need to change the subnet mask, change the command to read:

netsh interface ip set address local static %1 %2
Now when you click Start–> Run you would type:

varip 192.168.50.25 255.255.255.128

or whatever IP address/subnet mask combination you wish to use.

Exec Summary

While the Windows GUI is relatively easy to navigate, it can be cumbersome for common tasks like changing IP address or firewall settings. This can easily be rectified by creating a few batch files and placing shortcuts to them on the desktop.

1 comment »

Posted in 4-notice, Windows Security

Tags: