
Securing batch files in startup scripts... (basic question)

Status: Not open for further replies.

1LUV1T (IS-IT--Management), Nov 6, 2006
This may be a very basic question, but I just want to confirm.
I have OUs that are linked to a logon script, i.e. NY > IT Dept, then in User Config > Windows Settings > Logon > MyScript.bat.

MyScript.bat is written in the following way:
net use x: \\server2\folder$ password /user:server2\userBob /PERSISTENT:YES

The problem is that if a user digs deep into a SYSVOL or netlogon folder they can find this batch file (depending upon where I place it). How do I restrict a user from opening the batch file? (I don't want them to see the userBob/password credentials because that user is an Administrator on server2.)

In security, do I just deny everybody except myself? Will the batch still execute when a user logs on to the domain?
 
I would use VBScript; then you can encrypt the file so no one can view it.
 
As supportahm1980 says, you could encrypt or compile VB files, but this app might be able to help you with your .bat files.

When you are the IT director, it's your job to make sure the IT works. If it does work they know already and if it doesn't, they don't want to hear your pathetic excuses.
 
Being that I am a scriptaholic, I would strongly urge you to abandon the old batch files and move to vbscript. Put the scripts in GPOs rather than in Netlogon and your users are highly unlikely to browse to them. There should be no reason to put the admin password in your script.

I have a very extensive FAQ you can use as a reference which includes plenty of code. faq329-5798

Regarding the advice given by supportahm1980, I want to clarify something as the advice is inaccurate.

Microsoft offers a Script Encoder. All it does is encode, not encrypt. An encoded file can easily be decoded, whereas an encrypted file should take several hundred years to crack. All that encoding does is prevent casual users from seeing the content of the file.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
Hey Mark, I am reading your FAQ now and am considering your advice. Are .vbs files placed in the same place as my batch files, i.e. in GPMC: User Config > Windows Settings > Logon?

Thanks again!
 
Try avoiding such use of administrator accounts!
Although this is NOT a good solution, you may put that batch file in a folder that is not readable by users (while making that file explicitly accessible).
 
AOConsulting, yes that is where to put them. The thing to keep in mind is to put your scripts into the GPO rather than navigate to a share for the scripts. That way the scripts are a few levels in and you can allow the DC to get to them.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
Ok, I apologize for not ending this thread, but I'm still searching for my answer :(

I have a shared drive (d:/) on server1. We have a second server that is the domain controller; let's call it server2 (win2003).
All users authenticate through server1 to log into Windows XP. When they log in, I'd like for them to be mapped to drive d:/ on server1. Share permissions for d:/ are set to Administrators (local/domain). The problem is, when mapping to d:/ you need to enter Administrator credentials.

My original question is how do I map drive d:/ to all the users in my domain with the Administrator credentials automatically? Batch files work but leave the username/password wide open for anyone to read. VBScript is a good solution, but [markdmac] I can't find what I need.
 
This is really an issue of setting up your shares and NTFS permissions properly.

Unless you have nothing but user data on the server D drive, I would advise creating a folder on that drive and share it.

If you are allowing users access to this drive/data then properly assign those rights using NTFS. This is what DavisNT was pointing out to you. If you assign rights to the users to the data then they should not be prompted for credentials. The prompt is only required because they don't have access.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
The prompt comes up because for whatever reason Windows forgets the credentials or something else. From a previous thread that you responded to, I changed the value of AutoDisconnect in the registry to FFFFFFFF, but I know I will have more issues of users calling the Help Desk because they cannot access the mapped shared *drive*.

I am sharing the entire D drive as "\\server1\d$" with Administrator credentials "admin\password". Again, I'd like to automate this process through Group Policy with a VBScript so the credentials are not easily exposed if a user snoops through his/her startup scripts.

Thanks and any advice is appreciated.
 
The D$ share is an administrative share. Don't give your users access to that. You can create a second share (hidden if you want) to that same drive. Call it DDRIVE$ if you want or something else. Assign the users rights to that new share and not the administrative share.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
Create a new share on the drive, set up NTFS permissions as you require, and set the share permissions to Domain Users: Full Control.

Good Luck,

Steve.

"They have the internet on computers now!" - Homer Simpson
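The fix Mark and Steve describe (a separate, non-administrative share with share and NTFS rights granted to the users, mapped under each user's own logon) means the logon script never needs an account or password at all. The following GPO user logon script is an added example written for this thread, not code posted by any participant or taken from Mark's FAQ; the server name server1, the hidden share name DDRIVE$ and the drive letter X: are assumptions, and the share and its permissions must already exist on server1.

```vbscript
' Added example (not from the thread): map a drive from a GPO user logon
' script using the logged-on user's own token. Compare the original batch
' line, which embedded an administrator name and password in SYSVOL:
'   net use x: \\server2\folder$ password /user:server2\userBob /PERSISTENT:YES
' Here no username/password arguments are passed, so there is nothing
' sensitive in the script for a browsing user to find.
Option Explicit

' Assumed values: a hidden, non-administrative share DDRIVE$ on server1
' (not the D$ administrative share), mapped as X:.
Const SHARE_PATH   = "\\server1\DDRIVE$"
Const DRIVE_LETTER = "X:"
Const EVENT_ERROR  = 1   ' WshShell.LogEvent type for an error entry

Dim objNetwork, objFSO, objShell
Set objNetwork = CreateObject("WScript.Network")
Set objFSO     = CreateObject("Scripting.FileSystemObject")
Set objShell   = CreateObject("WScript.Shell")

' A stale persistent mapping (for example one left behind by the old batch
' file's /PERSISTENT:YES) would make the new mapping fail, so clear it first.
If objFSO.DriveExists(DRIVE_LETTER) Then
    On Error Resume Next
    objNetwork.RemoveNetworkDrive DRIVE_LETTER, True, True   ' force, update profile
    Err.Clear
    On Error GoTo 0
End If

' Map the share non-persistently (bUpdateProfile = False); because the GPO
' runs this script at every logon, nothing needs to be saved in the profile.
On Error Resume Next
objNetwork.MapNetworkDrive DRIVE_LETTER, SHARE_PATH, False
If Err.Number <> 0 Then
    ' A failure here means this user lacks share or NTFS rights on DDRIVE$.
    ' That is the permission problem to fix on the server, not something to
    ' work around by putting an administrator account in the script.
    objShell.LogEvent EVENT_ERROR, "Logon script: could not map " & DRIVE_LETTER & _
        " to " & SHARE_PATH & " (error 0x" & Hex(Err.Number) & "): " & Err.Description
    Err.Clear
End If
On Error GoTo 0
```

Errors are written to the Application event log with LogEvent rather than shown with WScript.Echo, so a failed mapping does not pop up a dialog at logon but still leaves a record the Help Desk can check. Assign the script in GPMC under User Configuration > Windows Settings > Scripts (Logon) and store it inside the GPO, as Mark suggests, rather than in a browsable Netlogon share.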
 
Another way to do it is to use the utility cpau.exe. This product allows you to create encrypted files that can contain information about what to run, how to run it, and includes "runas". So, you could do a runas without being there to type in the password if you do not want. Even without runas, this will allow you to create a "job" file that you can use and its contents will be encrypted. The content can be anything you want, including bat or vbscript. If you are not a coder, I would highly suggest this utility. It is a jewel.

I hope this helps.
 