Changing Local Security Policy from the Command Line
A few days ago I was browsing the forum of group X and saw that someone had posted a puzzle. It went like this:

*********************************************************
Puzzle: Local Security Settings are configured so that nobody is allowed to log on locally.
The machine has the input-method (IME) vulnerability.
You have physical access to the computer, but the case cannot be opened and the CD-ROM and floppy drives cannot be used.
You do not know how many accounts are on the computer.
There is no primary domain controller on the LAN.
Requirement: obtain the highest privilege and log on to the computer locally.
**********************************************************

My first thought was to change the local security policy. Editing the registry directly was the obvious route, so I fired up regsnap to watch what a policy change touches, and the number of keys involved is far too large to edit by hand. The other route is secedit.exe, a tool that ships with Windows 2000 and lives in \winnt\system32. Type secedit at a command prompt and read its help; it is quite detailed:

secedit /export     [export security settings]
secedit /configure  [apply security settings]
.........

It has more modes than these, but only these two matter here.

Syntax:
secedit /export [/mergedPolicy] [/DB filename] [/CFG filename] [/areas area1 area2 ...] [/log logPath] [/verbose] [/quiet]
secedit /configure [/DB filename] [/CFG filename] [/overwrite] [/areas area1 area2 ...] [/log logPath] [/verbose] [/quiet]

First, the puzzle. It says the machine has the IME vulnerability, which makes this easy: that bug lets you launch a program from the logon screen, before anyone has logged on, and the program runs with system privileges, which is exactly what secedit /configure needs. Create a shortcut, open Properties -> Target, and enter:

c:\winnt\system32\secedit.exe /configure /DB c:\winnt\security\database\secedit.sdb /CFG "c:\winnt\security\templates\setup security.inf"

(the system directory is assumed to be on C:). Run the shortcut and the local security policy is back to the settings the system had when it was first installed, which include the default "Log on locally" assignments. That solves the puzzle.

Now look at what we actually did. secedit opens the local policy database named by /DB (secedit.sdb), imports the template named by /CFG into it, and then applies the resulting configuration to the system. setup security.inf is the template generated during installation; it records the default local security settings. The path "c:\winnt\security\templates\setup security.inf" is quoted because the file name contains a space. The /DB argument must not be left out, or the import fails. Two things worth knowing before you run /configure on a machine you care about: without /overwrite the template is merged into whatever the database already holds, and /overwrite replaces the database contents with the template instead; and you should /export the current settings first, so you have a template to put things back with.

To see what the database holds, type at a command prompt:

secedit /export /DB c:\winnt\security\database\secedit.sdb /CFG c:\temp\security.inf

Open security.inf and it looks like this:

[Version]
signature="$CHICAGO$"
Revision=1
[Profile Description]
Description=Default security settings for a freshly installed system
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
CrashOnAuditFull = 0
[Registry Values]
machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel=4,1
machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel=4,1
machine\system\currentcontrolset\services\netlogon\parameters\requirestrongkey=4,0
machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal=4,0
machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange=4,0
machine\system\currentcontrolset\services\lanmanworkstation\parameters\requiresecuritysignature=4,0
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature=4,1
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword=4,0
machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature=4,0
machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature=4,0
machine\system\currentcontrolset\services\lanmanserver\parameters\enableforcedlogoff=4,1
machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect=4,15
machine\system\currentcontrolset\control\session manager\protectionmode=4,1
machine\system\currentcontrolset\control\session manager\memory management\clearpagefileatshutdown=4,0
machine\system\currentcontrolset\control\print\providers\lanman print services\servers\addprinterdrivers=4,1
machine\system\currentcontrolset\control\lsa\restrictanonymous=4,0
machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,0
machine\system\currentcontrolset\control\lsa\fullprivilegeauditing=3,0
machine\system\currentcontrolset\control\lsa\crashonauditfail=4,0
machine\system\currentcontrolset\control\lsa\auditbaseobjects=4,0
machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon=4,0
machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext=1,
machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption=1,
machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername=4,0
machine\software\microsoft\windows\currentversion\policies\system\disablecad=4,1
machine\software\microsoft\windows nt\currentversion\winlogon\scremoveoption=1,0
machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning=4,14
machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount=1,10
machine\software\microsoft\windows nt\currentversion\winlogon\allocatefloppies=1,0
machine\software\microsoft\windows nt\currentversion\winlogon\allocatedasd=1,0
machine\software\microsoft\windows nt\currentversion\winlogon\allocatecdroms=1,0
machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\setcommand=4,0
machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\securitylevel=4,0
[Privilege Rights]
seassignprimarytokenprivilege =
seauditprivilege =
sebackupprivilege = *S-1-5-32-544,*S-1-5-32-551
sebatchlogonright = *S-1-5-21-1292428093-1563985344-1708537768-1002,*S-1-5-21-1292428093-1563985344-1708537768-1001
sechangenotifyprivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-1-0
secreatepagefileprivilege = *S-1-5-32-544
secreatepermanentprivilege =
secreatetokenprivilege =
sedebugprivilege = *S-1-5-32-544
sedenybatchlogonright =
sedenyinteractivelogonright =
sedenynetworklogonright =
sedenyservicelogonright =
seenabledelegationprivilege =
seincreasebasepriorityprivilege = *S-1-5-32-544
seincreasequotaprivilege = *S-1-5-32-544
seinteractivelogonright = *S-1-5-21-1292428093-1563985344-1708537768-1001,*S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-21-1292428093-1563985344-1708537768-501,*S-1-5-21-1292428093-1563985344-1708537768-1000,*S-1-5-32-545
seloaddriverprivilege = *S-1-5-32-544
selockmemoryprivilege =
semachineaccountprivilege =
senetworklogonright = *S-1-5-21-1292428093-1563985344-1708537768-1002,*S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-1-0,*S-1-5-21-1292428093-1563985344-1708537768-1001
seprofilesingleprocessprivilege = *S-1-5-32-544,*S-1-5-32-547
seremoteshutdownprivilege = *S-1-5-32-544
serestoreprivilege = *S-1-5-32-544,*S-1-5-32-551
sesecurityprivilege = *S-1-5-32-544
seservicelogonright =
seshutdownprivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547
sesyncagentprivilege =
sesystemenvironmentprivilege = *S-1-5-32-544
sesystemprofileprivilege = *S-1-5-32-544
sesystemtimeprivilege = *S-1-5-32-544,*S-1-5-32-547
setakeownershipprivilege = *S-1-5-32-544
setcbprivilege =
seundockprivilege = *S-1-5-32-544,*S-1-5-32-547,*S-1-5-32-545

This file records every setting under Local Security Settings. In [Registry Values] each entry is "key=type,data", where the type code is the registry value type (1 = REG_SZ, 3 = REG_BINARY, 4 = REG_DWORD), so restrictanonymous=4,0 is a DWORD of 0. The [Privilege Rights] section corresponds to User Rights Assignment under Local Policies; the entries that govern logon are:

sedenyinteractivelogonright   Deny log on locally
sedenynetworklogonright       Deny access to this computer from the network
sedenyservicelogonright       Deny log on as a service
sedenybatchlogonright         Deny log on as a batch job
seinteractivelogonright       Log on locally
senetworklogonright           Access this computer from the network
seservicelogonright           Log on as a service
sebatchlogonright             Log on as a batch job

The value after each name is the list of SIDs of the users or groups holding that right, separated by commas and each prefixed with *. The builtin SIDs are the same on every machine: S-1-5-32-544 is Administrators, S-1-5-32-551 Backup Operators, S-1-5-32-547 Power Users, S-1-5-32-545 Users, and S-1-1-0 Everyone. The S-1-5-21-... SIDs are specific to this computer; the one ending in -501 is the local Guest account, and RIDs from 1000 upward are accounts created after installation. To find a user's SID you can use getsid.exe from the Resource Kit. Note that a Deny right always takes precedence over the matching allow right: an account listed in both sedenyinteractivelogonright and seinteractivelogonright cannot log on locally. People have often obtained a user's password, tried to log on, and found that the account is not allowed interactive logon. This method can now be used to change the security policy; exactly what to change is outside the scope of this article.

My knowledge is limited, so that is all I have to say about configuring local policy through secedit.exe. I hope the experts will correct any errors or omissions.
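The deny-beats-allow rule and the *SID list format above are easy to get wrong when reading or hand-editing an exported template, so here is an added example (my own code, not part of the original article or of secedit) that parses the [Privilege Rights] section of a secedit export, works out the effective outcome of each logon right for one account, and serializes an edited table back into a template that secedit /configure can take. SAMPLE_INF is constructed from the listing above, trimmed, with the local account ...-1001 additionally placed in sedenynetworklogonright to show the precedence rule; the helper names (parse_privilege_rights, effective_logon, audit, grant, render_template) are mine. One caveat the code makes explicit: the template names groups, not members, so the caller has to supply the group SIDs the account belongs to.

```python
"""Audit and rewrite the [Privilege Rights] section of a secedit .inf export.

Added example, not code from the original article. SAMPLE_INF is constructed
from the article's listing; the S-1-5-21-...-1001 account is simply whatever
that machine had, and its entry in sedenynetworklogonright is added here to
demonstrate that a deny right overrides the matching allow right.
"""
import re
from typing import Dict, List, Set

# Builtin SIDs seen in the export; these values are fixed on every Windows installation.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-547": "Power Users",
    "S-1-5-32-551": "Backup Operators",
}

# allow right -> the deny right that overrides it (names lowercased, as secedit writes them)
LOGON_PAIRS = {
    "seinteractivelogonright": "sedenyinteractivelogonright",
    "senetworklogonright": "sedenynetworklogonright",
    "seservicelogonright": "sedenyservicelogonright",
    "sebatchlogonright": "sedenybatchlogonright",
}

USER = "S-1-5-21-1292428093-1563985344-1708537768-1001"  # local account from the article

# Constructed sample: the article's allow lists, plus USER in the network-deny right.
SAMPLE_INF = f"""\
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
sedenyinteractivelogonright =
sedenynetworklogonright = *{USER}
seinteractivelogonright = *{USER},*S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545
senetworklogonright = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-1-0,*{USER}
seservicelogonright =
"""


def parse_privilege_rights(inf_text: str) -> Dict[str, List[str]]:
    """Return {right: [principal, ...]} from [Privilege Rights], in file order.

    secedit prefixes SIDs with '*'; templates may also list bare account names.
    The '*' is stripped so callers can compare plain SIDs.
    """
    rights: Dict[str, List[str]] = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip().lower()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights


def effective_logon(rights: Dict[str, List[str]], held: Set[str], allow_right: str) -> str:
    """'deny', 'allow' or 'none' for an account whose own SID and group SIDs are in `held`.

    The template lists groups, not members, so the caller must pass the group
    SIDs (Everyone, Users, ...) itself. Any hit in the deny right wins outright.
    """
    deny_right = LOGON_PAIRS[allow_right]
    if held & set(rights.get(deny_right, [])):
        return "deny"
    if held & set(rights.get(allow_right, [])):
        return "allow"
    return "none"


def audit(inf_text: str, sid: str, groups: Set[str]) -> Dict[str, str]:
    """Effective outcome of every logon right in LOGON_PAIRS for one account."""
    rights = parse_privilege_rights(inf_text)
    held = {sid} | groups
    return {r: effective_logon(rights, held, r) for r in LOGON_PAIRS}


def grant(rights: Dict[str, List[str]], allow_right: str, sid: str) -> Dict[str, List[str]]:
    """Copy of `rights` with `sid` dropped from the deny right and present in the allow right."""
    out = {k: list(v) for k, v in rights.items()}
    deny_right = LOGON_PAIRS[allow_right]
    out[deny_right] = [p for p in out.get(deny_right, []) if p != sid]
    if sid not in out.setdefault(allow_right, []):
        out[allow_right].append(sid)
    return out


def render_template(rights: Dict[str, List[str]]) -> str:
    """Serialize back into a template for secedit /configure; SIDs get their '*' prefix again."""
    lines = ["[Version]", 'signature="$CHICAGO$"', "Revision=1", "[Privilege Rights]"]
    for name, principals in rights.items():
        marked = ["*" + p if p.upper().startswith("S-1-") else p for p in principals]
        lines.append(f"{name} = " + ",".join(marked))
    return "\n".join(lines) + "\n"


def name_of(sid: str) -> str:
    """Human-readable name for a builtin SID, or the SID itself."""
    return WELL_KNOWN.get(sid, sid)


if __name__ == "__main__":
    for right, outcome in audit(SAMPLE_INF, USER, {"S-1-1-0", "S-1-5-32-545"}).items():
        print(f"{right:28s} {outcome}")
    fixed = grant(parse_privilege_rights(SAMPLE_INF), "senetworklogonright", USER)
    print(render_template(fixed))
```

Run against the constructed sample, the audit reports interactive logon as "allow" and network logon as "deny" for ...-1001, even though that SID appears in senetworklogonright and is also a member of Everyone, which is listed there too. The output of render_template is a template you can pass to secedit /configure /DB ... /CFG edited.inf; it only contains [Privilege Rights], so the other areas of the database are left as they are.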