Fully Disable Command Prompt

Archived from groups: microsoft.public.win2000.security (More info?)

Hi

We have a problem I hope someone can help us with.

In an OU group policy for a group of users we have
enabled the User Configuration-Admin Templates-System-
"Prevent access to the command prompt". We have also
added cmd.exe to the "Don't run specified windows
applications". However we have found that if a user runs
a .bat file with say, ipconfig as the text, Windows is
quite happy to allow the user to open the command prompt
window. From here, the user can view and delete files on
the hard drive.

If the user types cmd.exe from the command prompt, this
is in fact disallowed. How do we stop the user from
opening the command prompt.

Regards
P Basham
4 answers Last reply
More about fully disable command prompt
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    That is going to be difficult to do in W2K. If you use XP Pro you can use
    Software Restriction Policies to lock down a computer. One thing you could
    try is to remove the users group from ntfs permissions for every instance of
    cmd.exe and command.com on the computer. You will have to search the
    computer for those files as they may be located in more than one place such
    as in the dllcache folder or service pack files folder. Even so that will
    not stop a user from copying a cmd.exe from a floppy to their user profile
    to access if they are that determined. As far as users being able to delete
    files from the hard drive, you may have to review your ntfs permissions for
    the users. If they are local administrators or power users fro some reason
    that will be next to impossible to do. -- Steve


    "Pbas" <anonymous@discussions.microsoft.com> wrote in message
    news:3f0a01c4ac6f$3774df10$a501280a@phx.gbl...
    > Hi
    >
    > We have a problem I hope someone can help us with.
    >
    > In an OU group policy for a group of users we have
    > enabled the User Configuration-Admin Templates-System-
    > "Prevent access to the command prompt". We have also
    > added cmd.exe to the "Don't run specified windows
    > applications". However we have found that if a user runs
    > a .bat file with say, ipconfig as the text, Windows is
    > quite happy to allow the user to open the command prompt
    > window. From here, the user can view and delete files on
    > the hard drive.
    >
    > If the user types cmd.exe from the command prompt, this
    > is in fact disallowed. How do we stop the user from
    > opening the command prompt.
    >
    > Regards
    > P Basham
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    Steve

    Thanks for the reply.

    I suspected it was going to be difficult. We need to
    allow cmd.exe to run when a user logs on to allow scripts
    to run. I found if I disable the command prompt script
    processing in the "prevent access to the command prompt"
    policy discussed earlier, the user gets nothing but a
    blue desktop. Obviously this is not good.

    As for ntfs permissions, hows this for an odd one. I
    created a file, temp.txt on the root of C:\. Permissions,
    Everyone-Read, Dom Admins-Full control. Logged on as a
    user, ran a .bat script to open command prompt, and was
    able to delete the file. BTW, this action was performed
    over a terminal service session from a thin client.

    Now I'm very worried

    Regards
    P Basham
    >-----Original Message-----
    >That is going to be difficult to do in W2K. If you use
    XP Pro you can use
    >Software Restriction Policies to lock down a computer.
    One thing you could
    >try is to remove the users group from ntfs permissions
    for every instance of
    >cmd.exe and command.com on the computer. You will have
    to search the
    >computer for those files as they may be located in more
    than one place such
    >as in the dllcache folder or service pack files folder.
    Even so that will
    >not stop a user from copying a cmd.exe from a floppy to
    their user profile
    >to access if they are that determined. As far as users
    being able to delete
    >files from the hard drive, you may have to review your
    ntfs permissions for
    >the users. If they are local administrators or power
    users fro some reason
    >that will be next to impossible to do. -- Steve
    >
    >
    >"Pbas" <anonymous@discussions.microsoft.com> wrote in
    message
    >news:3f0a01c4ac6f$3774df10$a501280a@phx.gbl...
    >> Hi
    >>
    >> We have a problem I hope someone can help us with.
    >>
    >> In an OU group policy for a group of users we have
    >> enabled the User Configuration-Admin Templates-System-
    >> "Prevent access to the command prompt". We have also
    >> added cmd.exe to the "Don't run specified windows
    >> applications". However we have found that if a user
    runs
    >> a .bat file with say, ipconfig as the text, Windows is
    >> quite happy to allow the user to open the command
    prompt
    >> window. From here, the user can view and delete files
    on
    >> the hard drive.
    >>
    >> If the user types cmd.exe from the command prompt, this
    >> is in fact disallowed. How do we stop the user from
    >> opening the command prompt.
    >>
    >> Regards
    >> P Basham
    >
    >
    >.
    >
  3. Archived from groups: microsoft.public.win2000.security (More info?)

    If you need to run logon scripts your options to limit cmd.exe are limited
    as you mentioned. The ntfs permissions problem is perplexing. I would check
    the permissions and ownership to that file before you delete it to see if
    they are what you expected. Keep in mind that when you are setting ntfs
    permissions always check advanced permissions also to make sure that users
    or groups are not listed in there that you do not want to have permissions.
    The other issue if the creator owner is present the creator owner of a file
    folder will have those permissions applied to them. Enabling of first object
    access and then auditing permissions to a file or folder can help track down
    how file and folders are being accessed. I don't recommend leaving auditing
    of object access enabled all the time though because it can fill up the
    security log quickly. --- Steve


    "P Basham" <anonymous@discussions.microsoft.com> wrote in message
    news:2ad801c4ad42$0a5eac80$a601280a@phx.gbl...
    > Steve
    >
    > Thanks for the reply.
    >
    > I suspected it was going to be difficult. We need to
    > allow cmd.exe to run when a user logs on to allow scripts
    > to run. I found if I disable the command prompt script
    > processing in the "prevent access to the command prompt"
    > policy discussed earlier, the user gets nothing but a
    > blue desktop. Obviously this is not good.
    >
    > As for ntfs permissions, hows this for an odd one. I
    > created a file, temp.txt on the root of C:\. Permissions,
    > Everyone-Read, Dom Admins-Full control. Logged on as a
    > user, ran a .bat script to open command prompt, and was
    > able to delete the file. BTW, this action was performed
    > over a terminal service session from a thin client.
    >
    > Now I'm very worried
    >
    > Regards
    > P Basham
    >>-----Original Message-----
    >>That is going to be difficult to do in W2K. If you use
    > XP Pro you can use
    >>Software Restriction Policies to lock down a computer.
    > One thing you could
    >>try is to remove the users group from ntfs permissions
    > for every instance of
    >>cmd.exe and command.com on the computer. You will have
    > to search the
    >>computer for those files as they may be located in more
    > than one place such
    >>as in the dllcache folder or service pack files folder.
    > Even so that will
    >>not stop a user from copying a cmd.exe from a floppy to
    > their user profile
    >>to access if they are that determined. As far as users
    > being able to delete
    >>files from the hard drive, you may have to review your
    > ntfs permissions for
    >>the users. If they are local administrators or power
    > users fro some reason
    >>that will be next to impossible to do. -- Steve
    >>
    >>
    >>"Pbas" <anonymous@discussions.microsoft.com> wrote in
    > message
    >>news:3f0a01c4ac6f$3774df10$a501280a@phx.gbl...
    >>> Hi
    >>>
    >>> We have a problem I hope someone can help us with.
    >>>
    >>> In an OU group policy for a group of users we have
    >>> enabled the User Configuration-Admin Templates-System-
    >>> "Prevent access to the command prompt". We have also
    >>> added cmd.exe to the "Don't run specified windows
    >>> applications". However we have found that if a user
    > runs
    >>> a .bat file with say, ipconfig as the text, Windows is
    >>> quite happy to allow the user to open the command
    > prompt
    >>> window. From here, the user can view and delete files
    > on
    >>> the hard drive.
    >>>
    >>> If the user types cmd.exe from the command prompt, this
    >>> is in fact disallowed. How do we stop the user from
    >>> opening the command prompt.
    >>>
    >>> Regards
    >>> P Basham
    >>
    >>
    >>.
    >>
  4. Archived from groups: microsoft.public.win2000.security (More info?)

    Steve

    Thanks again for the input. I think I will set up a test
    server/client to see how much damage a user can do using
    the command prompt. I see what you are saying about
    logging, however I would like to stop users making my
    life a misery, not just see which user has:-)

    If I make any significant progress, I will post in this
    site. Once again, many thanks.

    Regards
    P Basham
    >-----Original Message-----
    >If you need to run logon scripts your options to limit
    cmd.exe are limited
    >as you mentioned. The ntfs permissions problem is
    perplexing. I would check
    >the permissions and ownership to that file before you
    delete it to see if
    >they are what you expected. Keep in mind that when you
    are setting ntfs
    >permissions always check advanced permissions also to
    make sure that users
    >or groups are not listed in there that you do not want
    to have permissions.
    >The other issue if the creator owner is present the
    creator owner of a file
    >folder will have those permissions applied to them.
    Enabling of first object
    >access and then auditing permissions to a file or folder
    can help track down
    >how file and folders are being accessed. I don't
    recommend leaving auditing
    >of object access enabled all the time though because it
    can fill up the
    >security log quickly. --- Steve
    >
    >
    >"P Basham" <anonymous@discussions.microsoft.com> wrote
    in message
    >news:2ad801c4ad42$0a5eac80$a601280a@phx.gbl...
    >> Steve
    >>
    >> Thanks for the reply.
    >>
    >> I suspected it was going to be difficult. We need to
    >> allow cmd.exe to run when a user logs on to allow
    scripts
    >> to run. I found if I disable the command prompt script
    >> processing in the "prevent access to the command
    prompt"
    >> policy discussed earlier, the user gets nothing but a
    >> blue desktop. Obviously this is not good.
    >>
    >> As for ntfs permissions, hows this for an odd one. I
    >> created a file, temp.txt on the root of C:\.
    Permissions,
    >> Everyone-Read, Dom Admins-Full control. Logged on as a
    >> user, ran a .bat script to open command prompt, and was
    >> able to delete the file. BTW, this action was performed
    >> over a terminal service session from a thin client.
    >>
    >> Now I'm very worried
    >>
    >> Regards
    >> P Basham
    >>>-----Original Message-----
    >>>That is going to be difficult to do in W2K. If you use
    >> XP Pro you can use
    >>>Software Restriction Policies to lock down a computer.
    >> One thing you could
    >>>try is to remove the users group from ntfs permissions
    >> for every instance of
    >>>cmd.exe and command.com on the computer. You will have
    >> to search the
    >>>computer for those files as they may be located in more
    >> than one place such
    >>>as in the dllcache folder or service pack files folder.
    >> Even so that will
    >>>not stop a user from copying a cmd.exe from a floppy
    to
    >> their user profile
    >>>to access if they are that determined. As far as users
    >> being able to delete
    >>>files from the hard drive, you may have to review your
    >> ntfs permissions for
    >>>the users. If they are local administrators or power
    >> users fro some reason
    >>>that will be next to impossible to do. -- Steve
    >>>
    >>>
    >>>"Pbas" <anonymous@discussions.microsoft.com> wrote in
    >> message
    >>>news:3f0a01c4ac6f$3774df10$a501280a@phx.gbl...
    >>>> Hi
    >>>>
    >>>> We have a problem I hope someone can help us with.
    >>>>
    >>>> In an OU group policy for a group of users we have
    >>>> enabled the User Configuration-Admin Templates-
    System-
    >>>> "Prevent access to the command prompt". We have also
    >>>> added cmd.exe to the "Don't run specified windows
    >>>> applications". However we have found that if a user
    >> runs
    >>>> a .bat file with say, ipconfig as the text, Windows
    is
    >>>> quite happy to allow the user to open the command
    >> prompt
    >>>> window. From here, the user can view and delete files
    >> on
    >>>> the hard drive.
    >>>>
    >>>> If the user types cmd.exe from the command prompt,
    this
    >>>> is in fact disallowed. How do we stop the user from
    >>>> opening the command prompt.
    >>>>
    >>>> Regards
    >>>> P Basham
    >>>
    >>>
    >>>.
    >>>
    >
    >
    >.
    >
Ask a new question

Read More

Command Prompt Windows