Cannot log on locally to the system: the Telnet solution - vulnerability warning - the black bar safety net

ID MYHACK58:62200713684
Type myhack58
Reporter Anonymous
Modified 2007-01-10T00:00:00


In a Windows 2000 environment, a Group Policy that denies local logon has long been a headache. This article describes a way to recover after every user has been denied the right to log on locally.

In Windows 2000, if a user's “log on locally” right is revoked, the system prompts “The local policy of this system does not permit you to log on interactively” when that user tries to log on at the console, and the logon fails. Normally the administrator fixes this in Group Policy, either by removing the user from the “Deny logon locally” list or by adding the user to the “Log on locally” list. But if, through an operational mistake or for some other reason, the “log on locally” right has been denied to all users (typically the Users group on a standalone machine, or the Domain Users group in a domain), things get a bit more troublesome. It looks like a knot that cannot be untied: to remove the Group Policy setting that denies local logon, you must log on locally as an administrator; to log on locally as an administrator, you must first remove the setting that denies local logon.

In fact, things are not as bad as they seem. After consulting the relevant material and testing, I found that with the help of the network this knot can be untied. Because domain security policy and local security policy store their data differently, the two cases are described separately below.

Solution when a domain policy denies local logon

The Security Settings portion of a domain policy is stored in a security template named GptTmpl.inf. This is a text file kept in the domain controller's SYSVOL physical directory, which on the DC is normally c:\winnt\sysvol\sysvol and is exposed as the SYSVOL share. When nobody can log on locally, the most direct way to lift the local-logon restriction for all users is to edit that text file directly.

The specific operation is as follows:

  • From another computer (Windows 9x/2000/XP), connect to the DC's SYSVOL share with a domain administrator account and locate the text file GptTmpl.inf under \\<DC name>\sysvol\<Domain name>\Policies\<Policy GUID>\MACHINE\Microsoft\Windows NT\SecEdit. Here <DC name> is the name of the domain controller holding the Group Policy, <Domain name> is your domain name, and <Policy GUID> is the GUID of the Group Policy object you want to edit, which looks like {31B2F340-016D-11D2-945F-05C04FB98439}.

  • Open GptTmpl.inf in Notepad and find the SeDenyInteractiveLogonRight keyword in the [Privilege Rights] section. Its value is the list of SIDs of the users or groups that are denied local logon. Remove those SIDs so that the value of SeDenyInteractiveLogonRight is empty, then save the file back to its original location.

  • Open the GPT.INI file located at \\<DC name>\sysvol\<Domain name>\Policies\<Policy GUID>\ in Notepad and raise the value of the Version keyword in the [General] section, typically by adding 1000. This is the version number of the Group Policy object we just modified; raising it ensures our change is replicated to the other DCs. Save the file back to its original location.

  • Once domain policy refreshes, the problem is resolved.

  • Log on locally to the DC and set the relevant domain policy items properly again.

Solution when the local security policy denies local logon

Windows 2000 does not support remote management of the Security Settings portion of local computer policy (see the Group Policy white paper), and local security policy settings are stored in a binary security database, secedit.sdb, whose internal structure we have no way of knowing. So directly editing secedit.sdb, the way we edited the template in the first part, is not an option; we have to take a roundabout route, “saving the nation by a curve”, as it were.

The specific operation is as follows:

  • Assume the failed computer's IP address is “”. From another computer (Windows 9x/2000/XP), use the telnet command with an administrator account to connect to the failed computer. (If the Telnet service on the failed computer is not started, it can be started over the network with the Services MMC snap-in; the details are not covered here.)

  • Over Telnet, run net share tmp$=d:\tmp on the failed computer to publish its d:\tmp directory as the hidden share tmp$. The default share permission is Everyone: Full Control, so pay particular attention to network security at this point. You can of course share a different directory instead.

  • Over Telnet, run secedit /export /CFG d:\tmp\sec.inf on the failed computer to export its local security policy configuration to the security template file d:\tmp\sec.inf, which is a text file.

  • Connect to the tmp$ share on the failed computer and open sec.inf from the shared folder in Notepad. Find the SeDenyInteractiveLogonRight keyword in the [Privilege Rights] section; its value is the list of SIDs of the users or groups denied local logon. Remove those SIDs so the value is empty, or set it to some other, separate value. Save the file back to its original location.

  • Over Telnet, run secedit /configure /db c:\secedit.sdb /CFG d:\tmp\sec.inf on the failed computer to reconfigure its local security policy using the new security template and security database.

  • Over Telnet, run secedit /refreshpolicy machine_policy /enforce on the failed computer to force it to refresh its policy settings. The problem is now resolved.

  • After logging on locally to the formerly failed computer, delete the tmp$ share we created and set the relevant local security policy items properly again.
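As an added example (not part of the original article) covering the template edit in both procedures above and the GPT.INI version bump from the domain case: a small Python script that parses a secedit-style template, empties SeDenyInteractiveLogonRight in [Privilege Rights] while leaving every other line untouched, and raises Version= in GPT.INI. The sample template and GPT.INI contents are constructed; the BOM/ANSI handling and the split of Version into a computer half (low 16 bits) and a user half (high 16 bits) are properties of the file formats that the article itself does not mention.

```python
import re

DENY_KEY = "SeDenyInteractiveLogonRight"

# Constructed sample of a secedit template (GptTmpl.inf / exported sec.inf).
SAMPLE_INF = "\r\n".join([
    "[Unicode]", "Unicode=yes",
    "[Privilege Rights]",
    "SeInteractiveLogonRight = *S-1-5-32-544",
    "SeDenyInteractiveLogonRight = *S-1-5-32-545,*S-1-5-11",
    "[Version]", 'signature="$CHICAGO$"', "Revision=1",
]) + "\r\n"
SAMPLE_GPT_INI = "[General]\r\nVersion=65539\r\n"  # constructed

def decode_template(raw: bytes) -> str:
    """secedit writes templates as UTF-16LE with a BOM; older ones are ANSI."""
    return raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("cp1252")

def clear_deny_logon(inf_text: str):
    """Empty SeDenyInteractiveLogonRight inside [Privilege Rights] only.
    Returns (new_text, removed_sids); every other line is kept verbatim."""
    out, removed, in_priv = [], [], False
    for line in inf_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_priv = s.lower() == "[privilege rights]"
        elif in_priv and s.lower().startswith(DENY_KEY.lower()):
            key, _, value = line.partition("=")
            removed = [v.strip() for v in value.split(",") if v.strip()]
            line = key.rstrip() + " = "  # keep the key, drop every SID
        out.append(line)
    return "\r\n".join(out) + "\r\n", removed

def bump_gpt_version(ini_text: str, by: int = 1000):
    """Raise Version= in GPT.INI so the edited GPO replicates to other DCs.
    Low 16 bits = computer-policy version, high 16 = user version; refuse
    an increment that would spill into the user half."""
    m = re.search(r"(?im)^(Version\s*=\s*)(\d+)\s*$", ini_text)
    if not m:
        raise ValueError("no Version= line in GPT.INI")
    old = int(m.group(2))
    if (old & 0xFFFF) + by > 0xFFFF:
        raise ValueError("computer version would overflow into the user version")
    return ini_text[:m.start(2)] + str(old + by) + ini_text[m.end(2):], old + by

if __name__ == "__main__":
    raw = b"\xff\xfe" + SAMPLE_INF.encode("utf-16-le")  # as secedit would write it
    text, gone = clear_deny_logon(decode_template(raw))
    print("removed:", gone)
    print(bump_gpt_version(SAMPLE_GPT_INI)[0])
```

Write the result back with the same encoding the file had (UTF-16LE with BOM for a secedit-generated template), or secedit may fail to parse it.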

The Secedit introduction

Secedit.exe is a powerful command-line tool bundled with Windows 2000 for automating security configuration tasks. With it we can analyze system security, configure system security, refresh security settings, export security settings, and validate a security configuration file. For its exact usage, run “secedit /?” and consult its help.

Added note

Both methods above presuppose that the restricted user, such as an administrator, has not also been denied logon from the network. If your policy also denies network logon, the failed computer becomes a real “loner”, and the problem is far more troublesome to solve, but even then the knot is not impossible to untie.