andyward007
asked on
Disable access to command.com
I work in a school and I am trying to disable access to command.com using Windows Server 2003 with XP clients. I can disable access to cmd but can’t seem to find a way to disable access to command. I have been working on this issue for quite some time but cannot find an answer. I am thinking about deleting the file but am not sure of the outcome. Even if I did delete the file, a user could possibly run it from a floppy. Has anyone else encountered this problem and if so how did they solve it? Any ideas?
ASKER CERTIFIED SOLUTION
ASKER
That was just what I was looking for. Thanks.
The answers are great, but IMHO you need more security measures than just disabling command.com
Shhhhhhh... The students have to have SOME secrets! :-)
ASKER
Thanks to Dave8555. I have blocked command.com via hash.
AllocationError - Thanks for your comment, but I have tried renaming command.com and, as I have blocked the hash, it still cannot run. We unfortunately run some 16-bit apps, so blocking these is not an option.
IMHO - Thanks for the concern. I have used GPOs to configure the security settings and lockdown but have not played with Software Restriction Policies before. I assumed, incorrectly, that software restriction policies prevented all software from running unless it has been given a valid certificate or has been specified as allowed.
JRS_50 - I am sure the students have plenty of secrets, some of which I'm sure I don't want to know :)
Thanks a lot for everyone's feedback.
ASKER
Sorry wpadron - IMHO stuck in my mind
ASKER
Time to leave work.
User Configuration\Administrati
Prevent access to 16-bit applications -> Enabled
Log on again as the user, and you will see that command.com cannot be started.