● [转载] 来自国外的讨论（1）(转寄) - 荔园在线 | 深圳大学学生论坛,荔园晨风BBS,深大在线网站

荔园之美，在春之萌芽，在夏之绽放，在秋之收获，在冬之沉淀

发信人: jjksam (Linux,c/c++,java), 信区: Security
标  题: [转载] 来自国外的讨论（1）(转寄)
发信站: 荔园晨风BBS站 (Tue Nov 27 08:51:12 2001), 转信

【以下文字转载自 jjksam 的信箱】
【原文由 jjksam@smth.org 所发表】
发信人: lfan (豆豆), 信区: Security
标  题: 来自国外的讨论（1）
发信站: BBS 水木清华站 (Mon Nov 26 13:01:11 2001)

从今天开始，我将不定期的从国外的一些安全讨论列表上选取文章贴到这来

如果有时间的话偶就翻译一下，不过这一篇就算啦:)

限于个人水平，对选题和翻译可能都会有很多问题，也希望大家多多参与

                    Disable task manager

Hello all............

I administer a network with 200 users on it running win2k,
but I have this problem, there are a few very computer-security savvy
users on the network with an intent to make my life difficult

I currently use Radmin to remotely access different workstations etc...
on my network yet these guys always know when I'm watching because of
the jump of processor power the R_server.exe service uses when it is
active and I'm monitoring there activities.....they notice almost
instantly when I connect to their machine because of the info. task
manager provides.....my question is

Is there any way to disable them (specifically these users) from viewing
the task manager ?? in other words, stoping them from pressing CTRL +
ALT + DEL and clicking on Task manager?

If anyone knows how then I would also like to know if
there is any way these users can reverse it within there
simple 'USERS' privileges and access rights ?

Thanks in advance for any suggestions,

Laterz

Dan B.

－－－－－－－－－－－－－－－－－－－－－－－－－

You can take away their implied rights for the file taskmgr.exe and set
explicit NTFS file permissions at the file level which do not allow the
user to execute that file.

－－－－－－－－－－－－－－－－－－－－－－－－－

Go to start run and type in gpedit.msc and open the policy editor and turn
it on from there, then you can edit all that information as well as several
other functions.

－－－－－－－－－－－－－－－－－－－－－－－－－－－－

First of all, if these people are causing your problems, you should probably
just put an end to it, instead of attempting to spy on them. Usually in a
computerized environment, when one causes trouble one typically is breaking
some rules and someone will be in the position to end this officially.

Answering your question, the answer would be: "Uhm, not really no." Task
manager is just a win32 application and you can yourself start it from the
windows system32 directory. Even if you remove it and find some way to keep
it off the system, then still on www.sysinternals.com and many other sites
there are plenty of freeware task manager and process viewer utilities.

Maybe you should consider spying on them some other way? If you want to build
a case, you might just sniff and log network traffic and that way gather proof
of their misbehaviour.

If you insist on using this server, what you basically should do is hide the
process. You could for example consider renaming the executable. Sometimes
names like INDEXER.EXE, QoSvr.exe etc. do not arouse suspision with your
users. If you really want to spy on them. Most probably though by now they
also have remembered the other characteristics [process size etc.] of this
server, so this may not work. You can also really hide processes on windows.
Try searching for a utility to do that, and when you are at that, maybe check
out http://www.securityfocus.com/cgi-bin/tools.pl?platid=9&cat=10 for an
alternative to your spy-server. [speaking about QoS, you might also look for a
utility to limit processor use of the process (if possible)]

Oh, and finally if you are really desperate to find out what is going on, you
can always get yourself a pair of shoes with soft rubber soles...

Good luck,

  Pieter-Bas

－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－

Disabling Task Manager isn't the answer...there are
other tools they can easily download and use.

I'm not intimately familiar w/ the laws regarding
privacy in the UK, but in the US, if you want to
monitor your network, you need the inform the users of
such.  Since you are monitoring their individual
boxes, I assume that you have some sort of policy
statement informing the users of this action.  If that
is the case, then your policy should also state that
the users are not allowed to circumvent security
measures.  This would prevent them from doing things
like privilege escalation to get local Admin status,
disabling the process for remote admin connections,
etc.  The policy should also include statements
regarding what will happen if an employee violates the
policy, and then be signed by someone authorized to
enforce the policy.

It sounds as if you've got a people issue to deal
with, not a technology one.

--

※ 来源:·BBS 水木清华站 smth.org·[FROM: 166.111.136.114]
--
※ 转载:·荔园晨风BBS站 bbs.szu.edu.cn·[FROM: 192.168.0.146]

荔园在线首页友情链接：深圳大学深大招生荔园晨风BBS S-Term软件网络书店