RE: Is it possible to prevent any .exe file from getting executed?

Alberto,

What you describe in your post is more on the order of an
intrusion-prevention component than an authorization mechanism. As I’m sure
you already know, Windows itself doesn’t provide anything close to that
level of protection. On the contrary, Microsoft’s fascination with
“[Hyper]Active Everything” tends to make executing arbitrary code a little
bit too easy (in my opinion).

-Art Baker

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Moreira, Alberto
Sent: Friday, August 09, 2002 12:18 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Is it possible to prevent any .exe file from getting executed?

What I may need is to make sure that some .exe files don’t get executed,
even by accident. For example, I may not want to execute any .exe files that
come attached to an email; I may want to prevent anyone from outside my
machine from launching cmd.exe; I may want to make sure no rogue process can
fork out the execution of an executable file; and so on. In a nutshell: I may
not know the name of the file in advance, just the circumstances under which
the file was launched. In fact, I may not even care which file we’re talking
about; for example, it’s ok if I run cmd.exe from my keyboard, but it’s not
necessarily ok if someone else manages to run it from somewhere else in the
network.

What’s needed is an authorization mechanism that is attached to contexts,
not to specific files or pathnames. “No running certain .exe files from the
network, please”. “No executing anything from inside an unzip operation”.
“No executing certain files from inside .bat files”. “No running executables
by double-clicking on some website links”.

And so on, user- or admin-selectable. Can Windows do that?

Alberto.
