We have our Windows 2003 servers fairly locked down by NTFS, and when a user
browses the Internet they are logged in as an ordinary user with minimal
access to the file system. So imagine my horror to see that a virus was
able to change every single file and folder on the file system to be
read-only and hidden, apparently using the attributes for files that are
affected by the ATTRIB command-line command.

Is the ability to use ATTRIB controlled by NTFS permissions? Or is this
the Write Attributes permission in NTFS? Unfortunately we probably did
enable that because it was generating too many false positive audit
attrib -h -r *.* /s /d
apparently does NOT affect all folders under the current folder. Is there
a command that can be used that would change every file and folder from the
current location and down all subtrees?

Is there any utility that would restore any critical system files and
folders to their original attributes?