Hi everyone, i am sure you have all seen what i am about to tell you but as there are so many senoir security guys i trust they can further explain why this works and how to prevent it..

1) open cmd.exe
2) type in "at (time) /interactive cmd.exe"
3) should be a time two or one minute ahead of the current time
4) at the specified time another box will popup ( SVCHOST will be in title bar)
5) once this has happened open up task manager and click on explorer.exe then end process
6) in the new cmd window type explorer.exe and you will now have system access.. ( It will not work on guest account but on power users etc)

Please correct me if i am wrong.. and i hope this is able to enlighten someone and i'll be watching for your replies(Thats to all the experts)

"SC" is the replacement for "at"

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\sc
DESCRIPTION:
        SC is a command line program used for communicating with the
        NT Service Controller and services.
USAGE:
        sc <server> [command] [service name] <option1> <option2>...

        The option <server> has the form "\\ServerName"
        Further help on commands can be obtained by typing: "sc [command]"
        Commands:
          query-----------Queries the status for a service, or
                          enumerates the status for types of services.
          queryex---------Queries the extended status for a service, or
                          enumerates the status for types of services.
          start-----------Starts a service.
          pause-----------Sends a PAUSE control request to a service.
          interrogate-----Sends an INTERROGATE control request to a service.
          continue--------Sends a CONTINUE control request to a service.
          stop------------Sends a STOP request to a service.
          config----------Changes the configuration of a service (persistant).
          description-----Changes the description of a service.
          failure---------Changes the actions taken by a service upon failure.
          qc--------------Queries the configuration information for a service.
          qdescription----Queries the description for a service.
          qfailure--------Queries the actions taken by a service upon failure.
          delete----------Deletes a service (from the registry).
          create----------Creates a service. (adds it to the registry).
          control---------Sends a control to a service.
          sdshow----------Displays a service's security descriptor.
          sdset-----------Sets a service's security descriptor.
          GetDisplayName--Gets the DisplayName for a service.
          GetKeyName------Gets the ServiceKeyName for a service.
          EnumDepend------Enumerates Service Dependencies.

        The following commands don't require a service name:
        sc <server> <command> <option>
          boot------------(ok | bad) Indicates whether the last boot should
                          be saved as the last-known-good boot configuration
          Lock------------Locks the Service Database
          QueryLock-------Queries the LockStatus for the SCManager Database
EXAMPLE:
        sc start MyService

yeah pretty sure it can.

i'll have to go dig thru my GCIH notes to totally remember the syntax its definitely more involved that the at command syntax.

but google says:
http://blogs.msdn.com/adioltean/archive/2004/11/29/271987.aspx
http://blogs.msdn.com/adioltean/articles/271063.aspx

Both SANS and NIST have good policy templates to start with. Have a llok through those and tweak them for your own needs:

http://www.sans.org/resources/policies/?ref=3731
http://csrc.nist.gov/