How do I run login scripts and not allow batch files or command line being run?

Students are creating a text document from the desktop, putting command.com in the first line of the file and saving the file as a batch file with a .bat extension. Then they're running it and getting to teacher files. I'm running a Windows Server 2003 Domain with XP clients. I need to 1) stop students from running the command line, 2) stop the command line from running when a batch file is started, 3) map shared printers for the students, and 4) map 1 shared network drive. Here's what I've done (with a lot of help from searching the knowledgebase at this site).

1) Under studentusers OU - I enabled "Prevent access to the command prompt" under User Config --> Administrative Templates --> System. The toggle for "Disable the command prompt processing also?" I have set to "Yes".

This fixes the problem with the command prompt AND the batch file on the desktop. The command prompt cannot be run either way. This takes care of the first 2 problems I'm having. But by not allowing a batch file to run I had no printers or shared drives being mapped for the students to use, because I was using a batch file with net use to map the drives. So....

2) Under studentcomputers OU I went to Computer Configuration --> Windows Settings --> Scripts --> Startup. I added 2 scripts, 1 that maps network printers once a user logs in, and another one that maps one shared network drive. I then went into the properties of the individual user and deleted the logon_script on the "User Profile" page. This forces the 2 scripts to run at logon under computer config and should set everything up for the user - my problem is that it is not.

The printers show up, but if a teacher needed access to her printer, the teacher printers won't show up. Following is a vbscript that works for adding the student printers.

Script 1

' VBScript.
Option Explicit
Dim net
Set net = CreateObject("WScript.Network")

' Connect the three student printer shares for the logged-on user.
net.AddWindowsPrinterConnection "\\CCHSFP1\MCIBM1130"
net.AddWindowsPrinterConnection "\\CCHSFP1\LABHPLJ4200"
net.AddWindowsPrinterConnection "\\CCHSFP1\LABCOLOR"

' Set default printer based on first 3 letters of computer name
Select Case Left(net.ComputerName, 3)

  Case "LAB"
    net.SetDefaultPrinter "\\CCHSFP1\LABHPLJ4200"

  Case "MED"
    net.SetDefaultPrinter "\\CCHSFP1\MCIBM1130"

End Select

Script 2 - net use command I use for adding the drives in a batch file.
net use s: \\cchsfp1\shared

I also need this to work or switch it to a vbscript so it works when a student logs on. Teachers will log onto the same machine and their drives and printers need to be completely different.
jim34Asked:
DonNetwork AdministratorCommented:
I would then use software restriction policies
 
How To Use Software Restriction Policies in Windows Server 2003
jim34Author Commented:
I moved the 2 VBScripts (1 adding the printers and 1 for adding the networked share drive) from the computer config side to the user config side under User Config --> Windows Settings --> Scripts --> Logon, and it works fine.

VBScripts don't need command.exe to execute. It's only startup scripts using the command line that I blocked under computer config. So... I'm good.

Thanks
oBdACommented:
You actually have another problem that is only partially covered up by blocking the command shell. If your students can access the teacher files by using the command shell, then your NTFS security is incorrect. You should not block how they accessed it - you should block access as such. With missing NTFS permissions, there are more ways than just the command shell to access files they shouldn't have access to.

And you need to differentiate between logon scripts and startup scripts. Logon scripts are run during user logon, in the user's security context. Startup scripts are run during the computer's boot, and will be executed in the local system's security context.
Anything user related (mapped drives, network printers, access to HKCU, ...) has to be done in logon scripts, not in startup scripts.
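The following is an added example, not code from the question or from any of the answers above. It puts the asker's "Script 2" (the net use line) and the logon-script point from the comment above into one user logon script assigned under User Config --> Windows Settings --> Scripts --> Logon: it maps the S: drive with WScript.Network instead of a batch file (so it runs in the user's context and never launches cmd.exe), and picks teacher or student printers by group membership so that both kinds of user can share the same machine. The domain group name "Teachers" and the printer share \\CCHSFP1\TEACHERPRINTER are assumptions for illustration and do not appear in the thread; the student printer names are the ones from Script 1.

```vbscript
' Added example (not from the original question or answers).
' User logon script: maps the shared drive and connects printers per user.
' Runs in the logged-on user's security context; needs no cmd.exe, so the
' "Prevent access to the command prompt" policy does not interfere with it.
' ASSUMED (not from the thread): group "Teachers", share \\CCHSFP1\TEACHERPRINTER.
Option Explicit

Const DRIVE_LETTER  = "S:"
Const DRIVE_SHARE   = "\\CCHSFP1\shared"
Const TEACHER_GROUP = "Teachers"                  ' assumed group name
Const TEACHER_PRN   = "\\CCHSFP1\TEACHERPRINTER"  ' assumed placeholder share

Dim net
Set net = CreateObject("WScript.Network")

' True if the logged-on user is a direct member of the named domain group.
' ADSystemInfo returns the user's DN; IADsUser.Groups lists direct groups only,
' so nested membership is not detected (keep teachers in the group directly).
Function IsMemberOf(groupCN)
    Dim sysInfo, user, grp
    IsMemberOf = False
    Set sysInfo = CreateObject("ADSystemInfo")
    Set user = GetObject("LDAP://" & sysInfo.UserName)
    For Each grp In user.Groups
        If LCase(grp.Get("cn")) = LCase(groupCN) Then IsMemberOf = True
    Next
End Function

' Map a drive letter to a share, first dropping any stale mapping of that
' letter (a leftover from a previous user on the same machine, for example).
Sub MapDrive(letter, share)
    Dim drives, i
    Set drives = net.EnumNetworkDrives
    ' EnumNetworkDrives returns pairs: local name, remote name, local name, ...
    For i = 0 To drives.Count - 1 Step 2
        If UCase(drives.Item(i)) = UCase(letter) Then
            net.RemoveNetworkDrive letter, True, False
        End If
    Next
    net.MapNetworkDrive letter, share
End Sub

' Replaces "net use s: \\cchsfp1\shared" from the batch file.
MapDrive DRIVE_LETTER, DRIVE_SHARE

If IsMemberOf(TEACHER_GROUP) Then
    ' Teachers: connect and default to the staff printer only.
    net.AddWindowsPrinterConnection TEACHER_PRN
    net.SetDefaultPrinter TEACHER_PRN
Else
    ' Students: the printers from Script 1, default chosen by the room prefix
    ' of the computer name, as in the original script.
    net.AddWindowsPrinterConnection "\\CCHSFP1\MCIBM1130"
    net.AddWindowsPrinterConnection "\\CCHSFP1\LABHPLJ4200"
    net.AddWindowsPrinterConnection "\\CCHSFP1\LABCOLOR"
    Select Case UCase(Left(net.ComputerName, 3))
        Case "LAB": net.SetDefaultPrinter "\\CCHSFP1\LABHPLJ4200"
        Case "MED": net.SetDefaultPrinter "\\CCHSFP1\MCIBM1130"
    End Select
End If
```

Because the script runs as the user, the share and printer ACLs still decide what each person can actually reach; the script only decides what gets connected. If teacher drives should also differ, add a second MapDrive call inside the teacher branch, and keep teacher shares protected by NTFS permissions rather than by the script, since a user who is denied on the share gets nothing useful out of a mapping either way.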
jim34Author Commented:
I should have said teacher folders instead of files. No students have gotten inside the teacher folders, I just want to secure the teacher files every way I can. The harder it is for them to get there the more secure everything is, I figure. Only the domain user, administrator group, Creator Owner group, and system group have any access at all to files inside that folder.
oBdACommented:
That sounds okay then. Assuming that these folders are on a server (running W2k3 SP1 or later) somewhere, you can activate Access Based Enumeration (http://www.microsoft.com/Downloads/details.aspx?FamilyID=04a563d9-78d9-4342-a485-b030ac442084&displaylang=en) for the share; this will hide folders that they don't have access for.
Note that the ABE download above only installs the management tools (a new tab in the share properties in Explorer and abecmd.exe, plus some documentation), the ABE functionality itself is included in W2k3 since SP1.
jim34Author Commented:
This says the supported OS is Windows Server 2003 Service Pack 1, but I have Service Pack 2. Will this still work for me? I know your comment says SP1 or later. I just wanted to double-check. Will this stop students seeing the folders even in a command line interface?
oBdACommented:
Yes, that will work on SP2 as well.
It will completely block enumeration of files and folders on a network drive (not for local drives, though!) for which the user does not have permissions (that is, any file/folder for which the user would get an "Access denied" should he try to open it).
jim34Author Commented:
I used Software Restriction Policies. The only thing that bugs me about it is I used a path restriction for getting to cmd.exe. Well, by default, the students can access the file on that path and copy and paste it to another location - thus defeating the software restriction policy. I do have to deny the student group any rights to that file so they can't copy/move it, before the software restriction works.

I also used the shared folder enumeration.

I'm much more secure than last week. Thanks