My security tip for the evening (morning): Create a program called Program.exe and place it in the root of your C: drive. This program should take its command-line arguments and the name of the logged-in user, and write this info to the event log. Then if it is running under an interactive account, it should display this information in a dialog. The file should be ACLed so only Administrators can change it. In JScript, the core code is as easy as:
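    import System
    import System.Diagnostics
    import System.Security.Principal

    // Full command line this process was started with
    var args : String[] = Environment.GetCommandLineArgs()
    var command : String = args.join(" ")
    var e : EventLog = new EventLog("Application")
    e.Source = "Insecure CreateProcess call"
    // Account the misdirected process ended up running as
    var name : String = WindowsIdentity.GetCurrent().Name
    e.WriteEntry(command + "\r\n\r\nRunning as: " + name)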
What's the purpose of this file? Well, anytime you run some software that has an insecure CreateProcess call (page 677), you will get notified and can send a bug report to the vendor.
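
Why C:\Program.exe catches these calls, as an added example (not code from the original post): when CreateProcess is given an unquoted command line and no application name, it is documented to try each whitespace-delimited prefix as the module name, appending .exe where no extension is present. The C sketch below is a simplified model of that order, run over constructed command lines; the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CAND 16
#define PATH_LEN 260

/* Does the last path component of s already carry an extension? */
static int has_extension(const char *s) {
    const char *slash = strrchr(s, '\\');
    return strchr(slash ? slash + 1 : s, '.') != NULL;
}

/* Store one candidate, appending ".exe" when no extension is present. */
static int add(char out[][PATH_LEN], int n, const char *s, size_t len) {
    if (n >= MAX_CAND || len == 0 || len + 5 > PATH_LEN) return n;
    memcpy(out[n], s, len);
    out[n][len] = '\0';
    if (!has_extension(out[n])) strcat(out[n], ".exe");
    return n + 1;
}

/* Simplified model (assumption: lpApplicationName == NULL): module names
   tried, in order, for a given command line. Returns the candidate count. */
int candidates(const char *cmd, char out[][PATH_LEN]) {
    int n = 0;
    size_t i, len = strlen(cmd);
    if (cmd[0] == '"') {                 /* quoted: exactly one module name */
        const char *end = strchr(cmd + 1, '"');
        return add(out, n, cmd + 1, end ? (size_t)(end - cmd - 1) : len - 1);
    }
    for (i = 0; i < len; i++)            /* unquoted: each blank is a guess */
        if (cmd[i] == ' ' || cmd[i] == '\t') n = add(out, n, cmd, i);
    return add(out, n, cmd, len);
}

int main(void) {
    /* Constructed sample command lines, not taken from any real product. */
    const char *samples[] = {
        "C:\\Program Files\\Example App\\update.exe /silent",
        "\"C:\\Program Files\\Example App\\update.exe\" /silent",
    };
    char out[MAX_CAND][PATH_LEN];
    for (int s = 0; s < 2; s++) {
        int n = candidates(samples[s], out);
        printf("%s\n", samples[s]);
        for (int k = 0; k < n; k++) printf("  try %d: %s\n", k + 1, out[k]);
    }
    return 0;
}
```

The unquoted sample lists C:\Program.exe as its first candidate, which is the file the tip plants; the quoted sample yields only the intended path.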