Thursday, February 3, 2011

Vista cmd.exe fails to run if users and/or auditors group not present

Hi all,
In the current environment there exists a policy where files within %system32% are only allowed to be owned by System and Administrators. An issue has arisen where, after converting these permissions, cmd.exe is unable to execute. The addition of the user that is currently logged in resolves this; however, adding a group myGroup with the user contained fails. The command prompt informs me that I do not have the permissions, which seems odd. Am I missing a registry edit or is there something else that I should be looking for here?

  • Under Win7 (should be similar to Vista)

    Run gpedit.msc to start the Group Policy Editor

    Navigate to: User Config -> Admin Templates -> System

    Check the settings for: "Prevent access to the command prompt"

    Woot4Moo : it says that it is not configured
    jftuga : Did you try setting it to disabled?
    Woot4Moo : Setting it to disabled also fails, the only difference is now I am able to edit the object's properties outright instead of only being able to view them.
    From jftuga
  • First of all - I don't think it is the UAC. The UAC will only prevent you starting cmd.exe as admin. But please try executing cmd as admin. This should work.

    I would switch to another cmd:

    http://www.powercmd.com/

    And place it in %ProgramFiles%

    Adding a group to cmd.exe should work like adding a user. I don't think that a GPO fixes your issue. Only if you don't modify all files in %system32%.

    You've added a new group to cmd.exe - but why? You said that you just modified the owner - but by the way - there can only be one owner... I suppose that you modified the access rights to be only System and Administrators. Maybe your policy overwrites your changes?

    Another question is - does this make sense? Why would I try to tighten rights that are already safe? And why would I allow more rights to specific files without Admin rights?

    Edit: Access rights needed for cmd.exe

    • Administrators all rights
    • System all rights
    • YOURGROUP Read,Execute

    Works on my system...

    Edit2

    Please try to run cmd.exe and analyse what failed with Process Monitor:

    http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

    Woot4Moo : I cannot place outside programs to do the work of system files. Yes I modified the owner and reverted it back to its original owner. The only users with access on cmd.exe to begin with in my scenario are System and Administrators. It does not work when I run it as an admin, only if I am explicitly on the file when users and/or auditors is missing. I am not tightening the rights, I am loosening them. I need to add a specific user group to them that in this case is not users. Adding certain groups to the file is needed because of applications that reside on the box and certain users need
    Woot4Moo : these permissions
    Andreas Rehm : I've tried this on my system. It works fine - the only difference is your system32 lockdown. Do you really need it?
    Woot4Moo : I see your edit, who is the owner of this file in your scenario?
    Woot4Moo : Andreas yes this is utilizing NVD SRRs and following STIGs
    Andreas Rehm : TrustedInstaller is the owner - and I think it needs to be the owner. You should be aware that messing around with access rights could prevent Windows Updates from installing properly.
    Woot4Moo : Correct I am aware of this. I will try to use process monitor in hopes of digging deeper.
    Woot4Moo : I would upvote if I had the necessary rep :)
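
An added example, not part of the original thread: a PowerShell check that lists the owner and ACEs on cmd.exe and compares them with the SIDs in the current logon token, to see whether the group entry from the answer above is usable by the logged-in session. The group name `myGroup` is the placeholder from the question and the path is assumed to be `%SystemRoot%\System32\cmd.exe`; this is a comparison of ACEs with token SIDs, not a full access check.

```powershell
# Added example: compare the ACL on cmd.exe with the current logon token.
$path    = Join-Path $env:SystemRoot 'System32\cmd.exe'   # assumed location
$group   = 'myGroup'                                       # placeholder name from the question
$rx      = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$sidType = [System.Security.Principal.SecurityIdentifier]

$acl = Get-Acl -LiteralPath $path
Write-Output "Owner: $($acl.Owner)"

# SIDs the current session carries: the user plus its enabled groups.
# Membership granted after logon is not reflected until a new token is created.
$id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

# Is the group from the question present in this token?
try {
    $account  = New-Object System.Security.Principal.NTAccount($group)
    $groupSid = $account.Translate($sidType).Value
    Write-Output "$group ($groupSid) in token: $($tokenSids -contains $groupSid)"
} catch {
    Write-Output "$group could not be resolved to a SID"
}

# One row per ACE (explicit and inherited), keyed by SID.
# ACEs that use generic rights bits are shown but not mapped to Read & Execute.
$props = @(
    @{ n = 'Sid';      e = { $_.IdentityReference.Value } },
    @{ n = 'Type';     e = { $_.AccessControlType } },
    @{ n = 'Rights';   e = { $_.FileSystemRights } },
    @{ n = 'GrantsRX'; e = { (([int]$_.FileSystemRights) -band $rx) -eq $rx } },
    @{ n = 'InToken';  e = { $tokenSids -contains $_.IdentityReference.Value } }
)
$rows = $acl.GetAccessRules($true, $true, $sidType) | Select-Object -Property $props
$rows | Format-Table -AutoSize

# Allow ACEs that grant Read & Execute to a SID this session actually holds.
$usable = @($rows | Where-Object {
    "$($_.Type)" -eq 'Allow' -and $_.GrantsRX -and $_.InToken
})
Write-Output "Allow ACEs granting Read & Execute to this token: $($usable.Count)"
```

A count of zero while the group's ACE is listed with `GrantsRX` true and `InToken` false means the permission is on the file but the session's token does not carry that group.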
