andyward007
asked on
Disable access to command.com
I work in a school and I am trying to disable access to command.com using Windows Server 2003 with XP clients. I can disable access to cmd but can’t seem to find a way to disable access to command. I have been working on this issue for quite some time but cannot find an answer. I am thinking about deleting the file but am not sure of the outcome. Even if I did delete the file, a user could possibly run it from a floppy. Has anyone else encountered this problem and if so how did they solve it? Any ideas?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
That was just what I was looking for. Thanks.
The answers are great, but IMHO you need more security measures than just disabling command.com
Shhhhhhh... The students have to have SOME secrets! :-)
ASKER
Thanks to Dave8555. I have blocked command.com via hash.
AllocationError - Thanks for your comment but I have tried renaming command.com and as I have blocked the hash, it still cannot run. We unfortunately run some 16 bit apps so blocking these is not an option.
IMHO - Thanks for the concern. I have used GPOs to configure the security settings and lockdown but have not played with Software Restriction Policies before. I assumed, incorrectly, that software restriction policies prevented all software running except that if it has been given a valid certificate or has been specified as allowed.
JRS_50 - I am sure the students have plenty of secrets and some of which i'm sure I don't want to know :)
Thanks alot for everyones feedback.
AllocationError - Thanks for your comment but I have tried renaming command.com and as I have blocked the hash, it still cannot run. We unfortunately run some 16 bit apps so blocking these is not an option.
IMHO - Thanks for the concern. I have used GPOs to configure the security settings and lockdown but have not played with Software Restriction Policies before. I assumed, incorrectly, that software restriction policies prevented all software running except that if it has been given a valid certificate or has been specified as allowed.
JRS_50 - I am sure the students have plenty of secrets and some of which i'm sure I don't want to know :)
Thanks alot for everyones feedback.
ASKER
Sorry wpadron - IMHO stuck in my mind
ASKER
Time to leave work.
User Configuration\Administrati
Prevent access to 16-bit applications -> Enabled
Relogon with the user, and you will see, command.com cannot be started.