Q182367: Possible to Circumvent ZAK Using Explorer.exe as Embedded Object
Article: Q182367
Product(s): Microsoft Windows NT
Version(s): WinNT:4.0
Operating System(s):
Keyword(s):
Last Modified: 05-FEB-1999
-------------------------------------------------------------------------------
The information in this article applies to:
- Microsoft Zero Administration Kit for Windows NT Workstation 4.0
-------------------------------------------------------------------------------
SYMPTOMS
========
After you install Windows NT using the Zero Administration Kit (ZAK) with a
desktop setup that does not permit users to launch Windows NT Explorer, you can
still gain access to Windows NT Explorer when in a Microsoft Office application.
This is achieved by inserting an object into the document and typing in the path
and file name from the import box.
CAUSE
=====
The Explorer.exe file has Read & Execute (RX) special permissions, which
enable the folder to be opened from within the application. The file is first
read before it can be run. These permissions are set during the ZAK install when
Acls.cmd is run.
RESOLUTION
==========
To resolve this issue, remove the Read (R) special permission from the Everyone
Group. If the file cannot be read, it cannot be run. However, you must retain
the Execute (X) special permission so that Explorer remains as the active
desktop. Use one of the following methods.
Method One
----------
1. Start Explorer and locate Explorer.exe in the %SystemRoot% folder.
2. Right-click the executable file and select Properties.
3. Select the Security tab from the Properties window and click the Permissions
button.
4. Double-click the Everyone Group and view the Special Access dialog box.
5. Remove (clear) the Read(R) attribute and confirm the changes.
Method Two
----------
Edit Acls.cmd and change the following line from:
cacls.exe explorer.exe /t /e /g everyone:r
to:
xcacls.exe explorer.exe /t /e /p everyone:x
where:
xcacls is used because special permissions are being set
/p is used to replace existing permission
x is used to grant execute permission
NOTE: xcacls is a resource kit utility and should be accessible through the path
or referenced explicitly.
For additional information, please see the following article(s) in the Microsoft
Knowledge Base:
ARTICLE-ID: Q170400
TITLE : Unauthorized Program Can Be Installed and Run on ZAK Workstation
STATUS
======
Microsoft has confirmed this to be a problem in Windows NT version 4.0. We are
researching this problem and will post new information here in the Microsoft
Knowledge Base as it becomes available.
Additional query words: Office Word Excel
======================================================================
Keywords :
Technology : kbWinNTWsearch kbAudDeveloper kbZAWNTW400
Version : WinNT:4.0
Issue type : kbbug
Solution Type : kbpending
=============================================================================
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
Copyright Microsoft Corporation 1986-2002.