On Thu, 6 Dec 2001, Gary Stainburn wrote:
> It's been possible to work around almost all of these. For example, you can use NT's AT command to start up cmd.exe running as LocalSystem, which enables you to bypass all local machine access restrictions. They simply cause an irritating delay. Is this as seriously insecure as it sounds? Is it this simple to bypass all security features on NT? (This is a serious question - I've got no NT experience but may be having it forced on me soon)
You do need privileges to run the AT command in the first place, and you also need the Schedule service to be running (or have privileges to start the Schedule service). It's a way of elevating your privileges - if you end up trapped with a cut-down administrator-like account then you can quickly and easily grant yourself unrestricted access to the whole local machine. I have used this trick several times, particularly when Win2000 was playing up and refusing to believe that the local Administrator actually had full administrative rights.

One neat side-effect is that this method allows you to directly edit the SAM database. NT usually prevents even administrators from directly reading and writing the SAM database with tools such as Registry Editor, but if you grant yourself LocalSystem privileges then you can just fire up regedt32 and browse into the 'forbidden' HKLM\SECURITY tree.

In summary: it doesn't allow ordinary users to gain admin privileges but it does allow some restricted admin users to bypass their restrictions.

Michael
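The checks a defender would run for the elevation path described in this reply (the Schedule service as prerequisite, a SYSTEM-owned task that launches a shell, and who registered it), as an added PowerShell example that is not part of the original thread. It assumes a current Windows host with the ScheduledTasks module (Windows 8 / Server 2012 or later) and auditing of Security event 4698 enabled; the function and output field names are my own.

```powershell
# Added example, not from the thread: audit the AT/Schedule-service path
# from the defender's side. Run from an elevated PowerShell prompt.

function Get-ScheduleServiceState {
    # The Schedule (Task Scheduler) service is the prerequisite the reply
    # mentions: if it is stopped and the caller cannot start it, AT has
    # nothing to submit a job to. Report its status and start type.
    $svc = Get-Service -Name Schedule
    [pscustomobject]@{
        Name      = $svc.Name
        Status    = $svc.Status
        StartType = $svc.StartType
    }
}

function Get-SystemShellTask {
    # List scheduled tasks that run as the SYSTEM account and whose action
    # launches a command shell. Where at.exe still works, legacy AT jobs
    # appear as tasks named At1, At2, ... in the root folder and always run
    # as LocalSystem, so they match this filter (flagged by IsAtJob).
    Get-ScheduledTask | Where-Object {
        $_.Principal.UserId -match '^(SYSTEM|NT AUTHORITY\\SYSTEM|S-1-5-18)$' -and
        ($_.Actions | Where-Object { $_.Execute -match 'cmd(\.exe)?$|powershell' })
    } | ForEach-Object {
        [pscustomobject]@{
            TaskPath = $_.TaskPath
            TaskName = $_.TaskName
            RunAs    = $_.Principal.UserId
            Command  = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            IsAtJob  = $_.TaskName -match '^At\d+$'
        }
    }
}

function Get-RecentTaskCreation {
    param([int]$Hours = 24)
    # Security event 4698 ("A scheduled task was created") records which
    # account registered a task. It is only logged when "Audit Other Object
    # Access Events" is enabled. Property indices follow the documented
    # field order: 1 = SubjectUserName, 4 = TaskName.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4698
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            CreatedBy = $_.Properties[1].Value
            TaskName  = $_.Properties[4].Value
        }
    }
}

Get-ScheduleServiceState
Get-SystemShellTask   | Format-Table -AutoSize
Get-RecentTaskCreation | Format-Table -AutoSize
```

A task that runs as SYSTEM and starts cmd.exe is not by itself malicious (installers and management agents create such tasks), but one registered by a restricted administrative account, with no matching change ticket, is exactly the pattern this reply describes and is the row worth following up. The same 4698 feed is the place to alert if the organisation relies on cut-down admin accounts, since the reply's point is that the restriction is only as strong as the Schedule service's access control.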