blueplastic
asked on
How do I fully block the command prompt including .bat files in Windows XP machines on domain?
Here is a question that I've been scratching my head on for the desktop/domain rights experts here. This is urgent, so I really appreciate quick answers!
In a Windows 2003 domain with Windows XP computers, how does an administrator effectively block the command prompt? Even though it is blocked by Group Policy, users can still access it from command.com, loadfix.com, or by creating a .bat text file with the word command in it.
If there is no way to block access to the files mentioned above, are there ways to block execution of specific commands such as net, netsh, etc. in the command prompt?
ASKER
KCTS, your solution is not valid, because I have already used Group Policy to restrict command prompt usage, and as I explained in my question, it is not enough to fully block it.
glen_1984 and jazzllllove,
The following registry key does not exist on my Windows XP SP2 computer:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
The "System" folder after Windows does not exist. Under Windows, I only see "Current Version" and under Current Version are two folders: "Internet Settings" and "Trusted Sites Settings".
Also, please check out this TechNet article:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/93465.mspx?mfr=true
According to the article, the DisableCMD key "stores the setting of the Disable the command prompt Group Policy. Group Policy adds this entry to the registry when you enable the policy. If you disable the policy or set it to Not configured, Group Policy deletes this entry from the registry."
So, using the DisableCMD key is not a valid solution, because even if the CMD prompt is disabled this way, a user can still create a text file with just the word command and then save that file as file.bat and launch it. This would launch a command prompt for the user. A user can still also use loadfix.com or command.com to get to the cmd prompt.
Thanks for your response... very satisfactory for me... I'll reinvestigate the issue...
ASKER
By the way, I exported my full registry to a text file and the only location where DisableCMD is mentioned is here:
Key Name: HKEY_USERS\S-1-5-21-1242909238-215958010-794563710-237575\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{12CBB7A1-75A0-4B19-8770-EDCDD0F24C17}User\Software\Policies\Microsoft\Windows\System
Class Name: <NO CLASS>
Last Write Time: 11/3/2008 - 7:13 PM
Value 0
Name: DisableCMD
Type: REG_DWORD
Data: 0x1
ASKER
jazzllllove and everyone else, I do really appreciate your responses and help and am bumping up the point value of this question from 300 to 400.
Thanks so much guys!
Have you tried denying use of those files with ACLs? Deny normal users access to those files: cmd.exe, command.com, etc.
ASKER
Glenn_1984,
What does #302 in the first link you sent me do?
Here is the reg key that site wants me to run to block cmd line:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.cmd]
@="cmdfile"
[HKEY_CLASSES_ROOT\.cmd\PersistentHandler]
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"
ASKER
Okay, thanks for everybody's help. Software Restriction Policies with hash rules against command.com and cmd.exe seem to have effectively blocked the command prompt.
After you create a hash rule for command.com and cmd.exe in the C:\windows\system32 directory and activate the rule, if a user tries to run command.com, a Windows popup error will show: "Windows cannot open this program because it has been prevented by a software restriction policy."
Also, after the command.com hash rule is activated, if a user tries to create a txt file with the word command in it and renames the file to something.bat, when the user tries to run this file, the following error will show up in the cmd prompt and it will quickly disappear: "The system cannot execute the specified program."
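An added example, not from the thread or from Microsoft's documentation: a PowerShell audit that reads the SRP hash rules the asker ended up using and checks whether cmd.exe and command.com on disk still match a Disallowed rule, since a hotfix that replaces either binary changes its hash and silently defeats the rule. It assumes the standard Safer\CodeIdentifiers registry layout (machine and user hives) and should be run elevated on the workstation being checked.

```powershell
# Added example, not from the thread: audit SRP hash rules and confirm the stored
# hashes still match cmd.exe / command.com on disk. A hash rule stops matching the
# moment an update replaces the binary, so this is the check to schedule after patching.
$Targets = @("$env:SystemRoot\System32\cmd.exe", "$env:SystemRoot\System32\command.com")
# SRP security levels as stored in the level subkey name
$LevelNames = @{ 0 = 'Disallowed'; 0x20000 = 'BasicUser'; 0x40000 = 'Unrestricted' }

function Get-FileHashHex {
    param([string]$Path, [string]$Algorithm)
    # Digest as lowercase hex, the same form the rule's ItemData blob is rendered in below
    $algo = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($Path)
    try { ($algo.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Dispose() }
}

function Get-SaferHashRules {
    # SRP can be applied per machine (HKLM) or per user (HKCU); hash rules live under
    # ...\Safer\CodeIdentifiers\<level>\Hashes\{GUID}
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $base = "$hive\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
        foreach ($levelKey in Get-ChildItem $base -ErrorAction SilentlyContinue) {
            if ($levelKey.PSChildName -notmatch '^\d+$') { continue }
            $level = [int]$levelKey.PSChildName
            foreach ($rule in Get-ChildItem "$($levelKey.PSPath)\Hashes" -ErrorAction SilentlyContinue) {
                $p = Get-ItemProperty $rule.PSPath
                # HashAlg is a CryptoAPI ALG_ID: 0x8003 = MD5 (what XP writes), 0x800C = SHA-256
                $algName = switch ($p.HashAlg) { 0x8003 { 'MD5' } 0x800C { 'SHA256' } default { "ALG_$($p.HashAlg)" } }
                [pscustomobject]@{
                    Hive = $hive; Level = $LevelNames[$level]; Algorithm = $algName
                    Hash = ($p.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
                    Name = $p.FriendlyName
                }
            }
        }
    }
}

# Only Disallowed rules block execution; report each target against them
$rules = @(Get-SaferHashRules | Where-Object { $_.Level -eq 'Disallowed' })
foreach ($file in $Targets) {
    if (-not (Test-Path $file)) { Write-Output "$file : not present on this system"; continue }
    $match = @($rules | Where-Object { $_.Algorithm -in 'MD5', 'SHA256' } |
               Where-Object { (Get-FileHashHex -Path $file -Algorithm $_.Algorithm) -eq $_.Hash })
    if ($match.Count -gt 0) { Write-Output "$file : blocked by Disallowed hash rule '$($match[0].Name)' ($($match[0].Hive))" }
    else { Write-Output "$file : NO matching Disallowed hash rule - rule missing or stale after an update" }
}
```

A path rule or an ACL deny on the two files does not have this staleness problem, which is why the ACL suggestion above is worth pairing with the hash rules.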
User Configuration->Administrat
You can also use software restriction policies http://support.microsoft.com/kb/324036