Shadid February 2016

How to make a logon script secure in Windows

I have a logon batch script that runs a .reg file for all users when they log in. Here's my script:

@echo running
REGEDIT.EXE /S "C:\user_files\user.reg"

Now my concern is that the batch file itself is located in

C:\Windows\System32\GroupPolicy\User\Scripts

Every user has access to this directory, so anyone can change the batch file, which may cause a security threat. Is there a way to make it more secure? Or can I do something similar with PowerShell scripting so there's no batch file? If someone could point me in the right direction, that would be very helpful.

Answers


Marcus Müller February 2016

Your script needs to be readable by your users, but you can take away their rights to modify it -- that's a typical file system feature that every Windows since NT has (aside from Windows 9x, of course).

Hence, simply remove the write privileges from the user group in which your users are, and you're fine.
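
One way to check and apply the advice in the answer above, as an added example that is not part of the original question or answer. It also audits the .reg file the script imports, since anyone who can edit that file controls what gets imported. The function names, the list of trusted principals and the choice of read-and-execute for Users are assumptions.

```powershell
# Added example (not from the original post). Paths are the two named in the question.
$targets = 'C:\Windows\System32\GroupPolicy\User\Scripts', 'C:\user_files\user.reg'

# Assumption: only these principals may modify the files.
$trustedSids = @(
    'S-1-5-18',       # SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that allow changing, replacing or re-permissioning a file. Modify and
# FullControl are not listed by name because they also contain read bits.
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Raw GENERIC_WRITE / GENERIC_ALL bits, which inherit-only ACEs may carry.
$writeMask = [int]$rights -bor 0x40000000 -bor 0x10000000

function Get-WritableAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Ask for SIDs rather than names so the check works on non-English Windows.
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $trustedSids -notcontains $_.IdentityReference.Value -and
            ([int]$_.FileSystemRights -band $writeMask) -ne 0
        } |
        Select-Object @{ n = 'Path'; e = { $Path } }, IdentityReference, FileSystemRights, IsInherited
}

function Set-UsersReadOnly {
    # Run elevated. Removes inherited ACEs, then grants SYSTEM and Administrators
    # full control and Users (S-1-5-32-545) read and execute only.
    param([Parameter(Mandatory)][string]$Folder)
    icacls $Folder /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-32-545:(OI)(CI)RX'
    # Reset children so they carry only the ACEs inherited from the folder.
    icacls (Join-Path $Folder '*') /reset /T
}

# 1. Report: every row is a non-trusted principal that can tamper with a target.
$targets | ForEach-Object { Get-WritableAce -Path $_ } | Format-Table -AutoSize

# 2. Fix the folder holding the .reg file, then re-run the report and review what is left.
# Set-UsersReadOnly -Folder 'C:\user_files'
```

The owner of a file can normally rewrite its ACL regardless of the entries listed, so also check `(Get-Acl <path>).Owner` for each target.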

Post Status

Asked in February 2016
Viewed 1,222 times
Voted 12
Answered 1 times
