P Taylor
Editing the registry is not dangerous if you know what you are doing.


inifilemapping - Capita SIMS .net connect.ini
2008-04-15

The autorun.inf stuff (see first two posts) got me thinking about what other uses inifilemapping might have. It turns out that you can map to either the HKLM\Software or HKCU part of the registry. There are some details on a Microsoft page here: http://www.microsoft.com/technet/archive/ntwrkstn/reskit/26_ini.mspx?mfr=true

The school I work at uses some software called SIMS .net. This software connects to a SQL database backend. The connection information (SQL server name, method of authentication etc.) is stored in a file called connect.ini on the hard drive of each PC. Alternatively, the local connect.ini can redirect to another connect.ini file located on a server, so that the administrator can update the settings for everyone by changing one file.

The problem with this is that if you want a particular group of network users to use an alternative backend database for testing purposes, or if you want a specific user to use a different authentication method (type in a username and password rather than be automatically logged on with Windows credentials), then you have to either manually update the connect.ini on the machine they are going to use, or set them up with a login script which overwrites the connect.ini on that machine with the settings you want. You then have to give all your other users a login script to reset the alternative connect.ini to the normal one.

It occurred to me that connect.ini could be mapped using inifilemapping, which would make it possible to configure the settings that would normally be in connect.ini with a user-based GPO.

[Screenshot: policy.png]

Connect.ini files contain one section called [SIMSConnection], so if you make this per-computer registry change...

```
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Connect.ini]
"SIMSConnection"="USR:CapitaSIMSConnection"
```

...then you are telling Windows that whenever it needs to see what settings are held in the [SIMSConnection] part of connect.ini, it should instead look in:

HKEY_CURRENT_USER\CapitaSIMSConnection

So you can then make this per-user registry change:

```
REGEDIT4

[HKEY_CURRENT_USER\CapitaSIMSConnection]
"Redirect"=-
"ServerName"="mi1"
"DatabaseName"="SIMS"
"ServerType"="SIMSSQL"
"ConnectionType"="TrustedAuto"
```

Here is a group policy administrative template (.adm file) for the computer-based registry settings. Just save it and load it into the group policy editor as an administrative template.

```
CLASS MACHINE
CATEGORY !!CustomIniFileMapping

POLICY !!ConnectIni
KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Connect.ini"
EXPLAIN !!ConnectIni_Explain
VALUENAME "SIMSConnection"
VALUEON "USR:CapitaSIMSConnection"
VALUEOFF DELETE
END POLICY

POLICY !!DisableAutorunInf
KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
EXPLAIN !!DisableAutorunInf_Explain
VALUENAME ""
VALUEON "@SYS:DoesNotExist"
VALUEOFF DELETE
END POLICY

END CATEGORY

[strings]
CustomIniFileMapping="Custom Ini File Mapping"
ConnectIni="Map connect.ini"
ConnectIni_Explain="Maps SIMSConnection section of connect.ini to HKCU\CapitaSIMSConnection"
DisableAutorunInf="Map autorun.inf"
DisableAutorunInf_Explain="Maps autorun.inf to DoesNotExist"
```

And here is an adm file for the user settings. You could create different policies for different users to allow them to connect to different servers or have different authentication types.

```
CLASS USER
CATEGORY !!STP
CATEGORY !!UserMappedIniFile

POLICY !!ConnectIni
KEYNAME "CapitaSIMSConnection"
EXPLAIN !!ConnectIni_Explain

PART !!ConnectIni_ServerName EDITTEXT
VALUENAME ServerName
DEFAULT "mi1"
REQUIRED
END PART

PART !!ConnectIni_DatabaseName EDITTEXT
VALUENAME DatabaseName
DEFAULT "SIMS"
REQUIRED
END PART

PART !!ConnectIni_ServerType EDITTEXT
VALUENAME ServerType
DEFAULT "SIMSSQL"
REQUIRED
END PART

PART !!ConnectIni_ConnectionType DROPDOWNLIST
VALUENAME ConnectionType
ITEMLIST
NAME "Automatic" VALUE "TrustedAuto" DEFAULT
NAME "Choose" VALUE "Trusted"
NAME "No domain authentication" VALUE DELETE
END ITEMLIST
REQUIRED
END PART

END POLICY

END CATEGORY ;; UserMappedIniFile
END CATEGORY ;; STP (every CATEGORY needs a matching END CATEGORY)

[strings]
STP="STP" ;; display name for the parent category referenced as !!STP above
UserMappedIniFile="User mapped ini files"
ConnectIni="Connect.ini (SIMS)"
ConnectIni_Explain="Values for connect.ini"
ConnectIni_ServerName="SIMS Server name"
ConnectIni_DatabaseName="Name of SIMS database"
ConnectIni_ServerType="Server type"
ConnectIni_ConnectionType="Login/connection method"
```

At some point I might write a tutorial on creating ADM files if I can't find a good one to link to.


Disabling autorun.inf - an adm file for group policy
2008-04-14

I decided to implement the autorun.inf inifilemapping using a GPO.

Here is the adm file I made:

```
CLASS MACHINE

CATEGORY !!CustomIniFileMapping

POLICY !!DisableAutorunInf
KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
EXPLAIN !!DisableAutorunInf_Explain
VALUENAME ""
VALUEON "@SYS:DisableAutoRun"
VALUEOFF DELETE
END POLICY

END CATEGORY

[strings]
CustomIniFileMapping="Custom Ini File Mapping"
DisableAutorunInf="Map autorun.inf"
DisableAutorunInf_Explain="Maps autorun.inf to DisableAutoRun"
```

Don't forget to go to View > Filtering and turn off "Only show policy settings that can be fully managed" in the group policy object editor, or you won't see the policy.


Protect Windows boxes by disabling autorun.inf
2008-04-12

I discovered recently (http://www.google.co.uk/search?hl=en&q=IniFileMapping%5CAutorun.inf&meta=) that you can protect yourself from security risks spread via USB sticks by preventing Windows from reading autorun.inf files. Where I work this is a significant problem.

You use something called inifilemapping to make Windows look in the registry for the contents of autorun.inf, rather than in the file itself. If you tell it to look in a non-existent part of the registry then Windows just thinks that all autorun.inf files are empty.

Here is a reg file for it:

```
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DisableAutoRun"
```

- SYS means look under HKLM\Software
- DisableAutoRun tells Windows to look for a registry key called DisableAutoRun
- The @ before SYS tells Windows not to resort back to the real autorun.inf when it finds no data in HKLM\Software\DisableAutoRun

So when Windows sees an autorun.inf it will look in HKEY_LOCAL_MACHINE\Software\DisableAutoRun to try to find the contents of the autorun.inf, and won't find the DisableAutoRun key, so nothing will happen.
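As an added example (not code from the posts, from Capita or from Microsoft), the Python below models the IniFileMapping lookup rules that all three posts rely on: the USR:/SYS: prefixes, the @ flag, and the fall-back to the .ini file on disk when that flag is absent. It also carries the check a defender would want for the autorun.inf mapping: that @ is present and that the target key holds no data, since anything stored there would be served as the autorun.inf contents. A dict stands in for the registry; the connect.ini and autorun.inf texts are constructed samples, and the value names are the ones the posts use.

```python
import configparser

# Added example (not from the original posts): a dict stands in for the
# registry, so the IniFileMapping lookup rules can be exercised anywhere.
HIVE_PREFIX = {"USR:": "HKEY_CURRENT_USER\\",
               "SYS:": "HKEY_LOCAL_MACHINE\\SOFTWARE\\"}

def parse_mapping(mapping):
    """Split an IniFileMapping value into (flags, full registry key path).
    '@' = never fall back to the .ini file; '!' and '#' are the other
    documented flags (write-through, seed from file) and are only parsed."""
    flags = set()
    while mapping and mapping[0] in "@!#":
        flags.add(mapping[0])
        mapping = mapping[1:]
    for prefix, root in HIVE_PREFIX.items():
        if mapping.upper().startswith(prefix):
            return flags, root + mapping[len(prefix):]
    raise ValueError(f"unsupported mapping target: {mapping!r}")

def read_ini_key(registry, mapping, ini_text, section, key):
    """Value an application gets when it asks for [section] key. registry is
    {key_path: {value_name: data}}; mapping is the IniFileMapping string for
    this section, or None when the section is not mapped at all."""
    ini = configparser.ConfigParser(interpolation=None)
    ini.optionxform = str                 # keep key names case-sensitive
    ini.read_string(ini_text)
    if mapping is None:
        return ini.get(section, key, fallback=None)
    flags, reg_key = parse_mapping(mapping)
    hit = registry.get(reg_key, {}).get(key)
    if hit is not None or "@" in flags:   # '@': registry is final, even if empty
        return hit
    return ini.get(section, key, fallback=None)   # no '@': file is consulted

def autorun_mapping_blocks_file(registry, mapping):
    """Check for the autorun.inf mitigation: '@' must be present and the target
    key must hold no data, otherwise that data is served as autorun.inf."""
    flags, reg_key = parse_mapping(mapping)
    return "@" in flags and not registry.get(reg_key)

# Constructed sample inputs for illustration only.
CONNECT_INI = ("[SIMSConnection]\n"
               "Redirect=\\\\fileserver\\sims\\connect.ini\n"
               "ServerName=oldserver\n")
AUTORUN_INF = "[autorun]\nopen=example.exe\n"
REGISTRY = {"HKEY_CURRENT_USER\\CapitaSIMSConnection":
            {"ServerName": "mi1", "DatabaseName": "SIMS"}}
```

Note the Redirect case: because the connect.ini mapping in the first post has no @ prefix, a key missing from HKCU\CapitaSIMSConnection is still read from the connect.ini on disk, which is exactly what the @ in the autorun.inf mapping prevents.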