The autorun.inf stuff (see the first two posts) got me thinking about what other uses inifilemapping might have. It turns out that a mapping can point at either the HKLM\Software part of the registry (the SYS: prefix) or the HKCU part (the USR: prefix). There are some details on a Microsoft page here.
The school I work at uses some software called SIMS .net. This software connects to a SQL database back end. The connection information (SQL server name, method of authentication, etc.) is stored in a file called connect.ini on the hard drive of each PC. Alternatively, the local connect.ini can redirect to another connect.ini on a server, so the administrator can update the settings for everyone by changing one file.
The problem with this is that if you want a particular group of network users to use an alternative back-end database for testing, or a specific user to use a different authentication method (typing in a username and password rather than being logged on automatically with their Windows credentials), you have to either manually update the connect.ini on each machine they are going to use, or give them a logon script that overwrites the connect.ini on the machine with the settings you want. You then have to give all your other users a logon script that resets it to the normal one.
It occurred to me that connect.ini could be mapped using inifilemapping, which would make it possible to configure the settings that normally live in connect.ini with a user-based GPO.
Connect.ini files contain one section called [SIMSConnection], so if you make this per-computer registry change...
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Connect.ini]
"SIMSConnection"="USR:CapitaSIMSConnection"
...then you are telling Windows that whenever it needs to see what settings are held in the [SIMSConnection] part of connect.ini then it should instead look in:
HKEY_CURRENT_USER\CapitaSIMSConnection
So you can then make this per-user registry change:
REGEDIT4
[HKEY_CURRENT_USER\CapitaSIMSConnection]
; "=-" deletes the value, so no Redirect to another connect.ini is in force for this user
"Redirect"=-
"ServerName"="mi1"
"DatabaseName"="SIMS"
"ServerType"="SIMSSQL"
"ConnectionType"="TrustedAuto"
Here is a group policy administrative template (.adm file) for the computer-based registry settings. Just save it and load it into the Group Policy Object Editor as an administrative template.
CLASS MACHINE
CATEGORY !!CustomIniFileMapping
POLICY !!ConnectIni
KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Connect.ini"
EXPLAIN !!ConnectIni_Explain
VALUENAME "SIMSConnection"
VALUEON "USR:CapitaSIMSConnection"
VALUEOFF DELETE
END POLICY
POLICY !!DisableAutorunInf
KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
EXPLAIN !!DisableAutorunInf_Explain
VALUENAME ""
VALUEON "@SYS:DoesNotExist"
VALUEOFF DELETE
END POLICY
END CATEGORY
[strings]
CustomIniFileMapping="Custom Ini File Mapping"
ConnectIni="Map connect.ini"
ConnectIni_Explain="Maps SIMSConnection section of connect.ini to HKCU\CapitaSIMSConnection"
DisableAutorunInf="Map autorun.inf"
DisableAutorunInf_Explain="Maps autorun.inf to DoesNotExist"
And here is an adm file for the user settings. You could create different policies for different users to allow them to connect to different servers or have different authentication types.
CLASS USER
CATEGORY !!STP
CATEGORY !!UserMappedIniFile
POLICY !!ConnectIni
KEYNAME "CapitaSIMSConnection"
EXPLAIN !!ConnectIni_Explain
PART !!ConnectIni_ServerName EDITTEXT
VALUENAME ServerName
DEFAULT "mi1"
REQUIRED
END PART
PART !!ConnectIni_DatabaseName EDITTEXT
VALUENAME DatabaseName
DEFAULT "SIMS"
REQUIRED
END PART
PART !!ConnectIni_ServerType EDITTEXT
VALUENAME ServerType
DEFAULT "SIMSSQL"
REQUIRED
END PART
PART !!ConnectIni_ConnectionType DROPDOWNLIST
VALUENAME ConnectionType
ITEMLIST
NAME "Automatic" VALUE "TrustedAuto" DEFAULT
NAME "Choose" VALUE "Trusted"
NAME "No domain authentication" VALUE DELETE
END ITEMLIST
REQUIRED
END PART
END POLICY
END CATEGORY ;; UserMappedIniFile
END CATEGORY ;; STP
[strings]
STP="STP"
UserMappedIniFile="User mapped ini files"
ConnectIni="Connect.ini (SIMS)"
ConnectIni_Explain="Values for connect.ini"
ConnectIni_ServerName="SIMS Server name"
ConnectIni_DatabaseName="Name of SIMS database"
ConnectIni_ServerType="Server type"
ConnectIni_ConnectionType="Login/connection method"
At some point I might write a tutorial on creating ADM files if I can't find a good one to link to.
Tuesday, 15 April 2008
Monday, 14 April 2008
Disabling autorun.inf - an adm file for group policy
I decided to implement the autorun.inf inifilemapping using a GPO.
Here is the adm file I made:
CLASS MACHINE
CATEGORY !!CustomIniFileMapping
POLICY !!DisableAutorunInf
KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
EXPLAIN !!DisableAutorunInf_Explain
VALUENAME ""
VALUEON "@SYS:DisableAutoRun"
VALUEOFF DELETE
END POLICY
END CATEGORY
[strings]
CustomIniFileMapping="Custom Ini File Mapping"
DisableAutorunInf="Map autorun.inf"
DisableAutorunInf_Explain="Maps autorun.inf to DisableAutoRun"
Don't forget to go to View > Filtering in the Group Policy Object Editor and untick "Only show policy settings that can be fully managed", or you won't see the policy. It is hidden by default because the value lives outside the Policies keys, so the editor classes it as a preference: it tattoos the registry and is not removed when the GPO stops applying. If you later want it gone, set the policy to Disabled (VALUEOFF DELETE removes the value) rather than just unlinking the GPO.
Saturday, 12 April 2008
Protect Windows boxes by disabling autorun.inf
I discovered recently that you can protect yourself from security risks spread via USB sticks by preventing windows from reading autorun.inf files. Where I work this is a significant problem.
You use something called inifilemapping to make Windows look in the registry for the contents of autorun.inf rather than in the file itself. If you point it at a part of the registry that does not exist, Windows treats every autorun.inf as empty.
Here is a reg file for it:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DisableAutoRun"
- SYS: means look under HKLM\Software
- DisableAutoRun is the key Windows then looks for, i.e. HKLM\Software\DisableAutoRun
- The @ before SYS: tells Windows not to fall back to the real autorun.inf when it finds no data in HKLM\Software\DisableAutoRun
So when Windows sees an autorun.inf it looks in HKEY_LOCAL_MACHINE\Software\DisableAutoRun for the file's contents, finds no such key, and so does nothing. Setting the key's default value (the @= line) rather than a named section maps every section of the file, and because the mapping is keyed on the file name alone it applies to an autorun.inf on any drive or share. It works because Explorer reads autorun.inf through the profile API that honours these mappings; anything that opens the file directly would still see its contents.
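Both tricks on this page (the connect.ini section mapped to HKCU in the top post, and autorun.inf mapped to a key that does not exist here) rely on the same behaviour: programs read .ini files through the profile API (GetPrivateProfileString and friends), and that API consults IniFileMapping before it touches the file. The script below is an added example, not code from these posts or from SIMS, that exercises both mappings against a scratch file and reports what the API actually returns. The file name inimaptest.ini, its [Demo] section and ServerName key, and the IniMapDemo registry paths are invented for the demo. Run it from an elevated PowerShell, since the mapping key is under HKLM; it removes everything it created when it finishes.

```powershell
# Added example, not from the original posts: apply an IniFileMapping entry to a scratch
# .ini file and read the file back through GetPrivateProfileString, the API Explorer
# uses for autorun.inf. The scratch file name, its [Demo] section and ServerName key,
# and the IniMapDemo registry paths are invented for this demo (not in the original).
# Needs an elevated prompt because the mapping key lives under HKLM.

$MapRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping'
$IniName = 'inimaptest.ini'
$IniPath = Join-Path $env:TEMP $IniName
$MapKey  = Join-Path $MapRoot $IniName
$UserKey = 'HKCU:\IniMapDemo\Demo'

# Read one value through the profile API in a freshly started powershell.exe. A process
# builds its mapping table from the registry when kernel32 initialises and keeps it, so
# reading from this process would report the mapping that existed when it started.
function Read-IniValue([string]$Path, [string]$Section, [string]$Key) {
    $child = @"
`$sig = '[DllImport("kernel32.dll", CharSet=CharSet.Unicode)] public static extern uint GetPrivateProfileString(string s, string k, string d, System.Text.StringBuilder r, uint n, string f);'
`$api = Add-Type -MemberDefinition `$sig -Name Profile -Namespace IniMapDemo -PassThru
`$buf = New-Object System.Text.StringBuilder 1024
[void]`$api::GetPrivateProfileString('$Section', '$Key', '<not found>', `$buf, `$buf.Capacity, '$Path')
`$buf.ToString()
"@
    # -EncodedCommand avoids any mangling of the embedded quotes on the command line.
    $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($child))
    return (& powershell.exe -NoProfile -NonInteractive -EncodedCommand $encoded | Select-Object -Last 1)
}

# Replace the mapping key for the scratch file with exactly the values given
# (value name -> data; use '(default)' for the key's default value, as the autorun.inf
# .reg file does). An empty table removes the mapping entirely.
function Set-IniMapping([hashtable]$Values) {
    if (Test-Path $MapKey) { Remove-Item $MapKey -Recurse -Force }
    if ($Values.Count -eq 0) { return }
    $null = New-Item $MapKey -Force
    foreach ($name in $Values.Keys) {
        Set-ItemProperty -Path $MapKey -Name $name -Value $Values[$name]
    }
}

try {
    # Constructed sample .ini file: the value on disk is what a mapping hides or overrides.
    Set-Content -Path $IniPath -Value "[Demo]`r`nServerName=from-file" -Encoding Ascii

    # 1. No mapping: the API reads the file itself.
    Set-IniMapping @{}
    'no mapping        : ' + (Read-IniValue $IniPath 'Demo' 'ServerName')

    # 2. The autorun.inf trick: the default value sends every section to a key that does
    #    not exist, and the @ prefix stops the fallback to the file, so the file reads as empty.
    Set-IniMapping @{ '(default)' = '@SYS:IniMapDemo\DoesNotExist' }
    'mapped to nothing : ' + (Read-IniValue $IniPath 'Demo' 'ServerName')

    # 3. The connect.ini trick: the [Demo] section is served from HKCU, so a per-user
    #    registry value (which a user GPO can set) overrides whatever is on disk.
    Set-IniMapping @{ 'Demo' = 'USR:IniMapDemo\Demo' }
    $null = New-Item $UserKey -Force
    Set-ItemProperty -Path $UserKey -Name 'ServerName' -Value 'from-registry'
    'mapped to HKCU    : ' + (Read-IniValue $IniPath 'Demo' 'ServerName')
}
finally {
    # Leave nothing behind: the mapping, the per-user key and the scratch file all go.
    Set-IniMapping @{}
    if (Test-Path 'HKCU:\IniMapDemo') { Remove-Item 'HKCU:\IniMapDemo' -Recurse -Force }
    Remove-Item $IniPath -ErrorAction SilentlyContinue
}
```

The three lines should show from-file, then the <not found> default, then from-registry: the file has not changed between reads, only the mapping. Each read is done in a new process on purpose, because a process reads IniFileMapping once when kernel32 initialises and does not see changes made afterwards; this is also why the real autorun.inf mapping only takes effect for Explorer once it has been restarted (or after a logoff or reboot), so check it from a fresh process rather than assuming the .reg import alone did the job.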