Hide files in NETLOGON but still allow execution

Status
Not open for further replies.

aker

Programmer
Mar 27, 2002
52
US
Hi. Server: Windows NT 4.0 SP6a. Clients: Windows 3.11/9x.

In the NETLOGON directory (%WINDIR%\System32\Repl\Import\Scripts) I have some basic but necessary logon batch files which, for example, set DOS environment variables.

Anybody can simply enter \\SERVER_NAME\NETLOGON more-or-less anywhere and be faced with all the files in the directory. As I have a personal batch per user, it is an easy way (for hackers) to see a list of users in the domain. From here they can open the batch files in NotePad and read all the information contained within.

I have experimented with Special File Access and Special Directory Access and Share Permissions but have had no luck in stopping access to execute but not list.

Thanks in advance.
 
System Policy Editor...




and dozens more... see your favorite search engine for more...

I definitely recommend the O'Reilly book

JTB
Solutions Architect
MCSE-NT4, MCP+I, MCP-W2K, CCNA, CCDA,
CTE, MCIWD, i-Net+, Network+
(MCSA, MCSE-W2K, MCIWA, SCSA, SCNA in progress)
 
jtb- thanks for the suggestion. I am familiar with the system policy editor, but can't find anything about not letting people see files in a shared (read only) directory.
Maybe you could be a tad more specific.
Regards.
 
When you say hackers, do you think of someone inside the company or outside? Because if it is someone outside, you could give permission to Authenticated Users or Domain Users\Administrator and that will take care of most of the problems (also, it is always good to have a firewall). If inside, then I would try:

Give permissions to each file for only that user and the Administrators.
Gladys Rodriguez
GlobalStrata Solutions
 
globalstrata- my question was a general 'how do you' with the intention of hiding files from users but still letting their machines run the specified files. I don't even want the designated user to see his/her logon script, let alone anybody else see a list of the users in the domain.
With regards to hacking, it was both internal and external. I don't trust users or firewalls and am not sure to what extent an external hacker can access the server once he/she gets through the firewall. For example, will he/she be able to see/access the shared directories, or is that only possible on LANs?
Regards.
 
Go to Winnt\system32\repl\import\; this is where you should find your login script. Right click the batch file or script and give it "read only, archive and hidden" permission. This stops users from browsing network neighborhood to find the login script. Depending if you are running it in the foreground or background will determine if your users see the command prompt window with the script running.
 
In regards to external hackers, you can set permissions (either share and/or NTFS) to allow only "Authenticated Users" to access the directory. That way you'd need to log on before you can actually look in the directory.

As for hiding the files, I don't think it's possible. As captnstiles suggests, you can turn on the "hidden" attribute, but anyone who has set their PC to "Show all files/folders" will display those hidden files anyway.

MCSE NT4/W2K
 
System Policy Editor clues...

1. Make hidden files invisible to normal users...

2. Don't let them change it...

3. Make NETLOGON contents hidden...

4. Make security policy that states penalties for circumventing, bypassing, reengineering, or otherwise tampering with the system policies a capital offense, i.e., punishable with death of some privilege...

5. If you know who the culprits are already, suggest to them that use of the organization's computers is not a God-given right and they are in danger of losing access...

JTB
Solutions Architect
MCSE-NT4, MCP+I, MCP-W2K, CCNA, CCDA,
CTE, MCIWD, i-Net+, Network+
(MCSA, MCSE-W2K, MCIWA, SCSA, SCNA in progress)
 