Restricting AT from the command prompt
Posted on 2006-06-07
There is an interesting quirk in Windows that allows a user who has administrative rights to schedule a command prompt to start using the “at” command without requiring a username or password, unlike the task scheduler GUI. The problem with this is that the new command window runs as “system” and thus gives it system/administrative rights. Having a command window with admin rights is very hazardous, and I would like to remove that risk.
The risk itself is not that great because:
1. The task scheduler requires a user name and password for the process to run under, so only the “at” command can be used, and it’s not common knowledge (a quick Google search will tell you how, though).
2. Admin rights are given to a small percentage of the employees within our organization, but enough to not be able to manually police them.
I would like to remove this risk anyway.
My question is: how can I remove that functionality, or at least restrict it from the command prompt? I don’t want to get rid of the command prompt, and policing individuals separately is not an option due to lack of resources. Any ideas would be great. Thanks.