Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

How to disable batch file execution?

Posted on 2010-11-13
13
Medium Priority
?
4,190 Views
Last Modified: 2013-12-04
I have a Windows Server 2008. How do I disable users ability to execute batch files?
0
Comment
Question by:deming
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 3
  • +3
13 Comments
 
LVL 66

Expert Comment

by:johnb6767
ID: 34128999
Change the file association for .bat/.cmd to notepad....

Add it to a Machine Startup Script....
reg add "HKEY_CLASSES_ROOT\batfile\shell\open\command" /ve /d "c:\windows\system32\notepad.exe %1" /f
reg add "HKEY_CLASSES_ROOT\batfile\shell\runas\command" /ve /d "c:\windows\system32\notepad.exe %1" /f
reg add "HKEY_CLASSES_ROOT\batfile\shell\runasuser\command" /ve /d "c:\windows\system32\notepad.exe %1" /f

reg add "HKEY_CLASSES_ROOT\cmdfile\shell\open\command" /ve /d "c:\windows\system32\notepad.exe %1" /f
reg add "HKEY_CLASSES_ROOT\cmdfile\shell\runas\command" /ve /d "c:\windows\system32\notepad.exe %1" /f
reg add "HKEY_CLASSES_ROOT\cmdfile\shell\runasuser\command" /ve /d "c:\windows\system32\notepad.exe %1" /f

Open in new window

0
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 34129009
Did you test that on the command line?

Because on the command line, I would expect you'll need to alter your system wide environment variables so that PATHEXT no longer lists .BAT or .CMD.
0
 

Author Comment

by:deming
ID: 34129027
Is there a Group Policy I could change to prevent batch/command files?
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 34129040
Out of curiousity... WHY are you doing this?  It doesn't make much sense to me.  Batch files are important network administration tools and can make things easier for users... Perhaps there's a better way of accomplishing your end goal, if you can define what, exactly, the end goal of disabling batch scripts is.

(And I know of no group policy to disable batch files... never looked into it... )
0
 

Author Comment

by:deming
ID: 34129077
My server has a security app running which I do not want shut down. Users are downloading batch files via FTP to the server and then executing these batch files which then are trying to kill my security app.

So I am trying to shut down FTP access (in another question) and shut down the ability to execute batch files.  
0
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 34129084
A batch file is just commands... In my opinion, you are focusing on the wrong thing.

Who are these users?  Why are your own users attacking you?  Or do you mean hackers are hacking your system?

Your USERS should not have the right to terminate the process stop the service.  Then the batch file becomes irrelevant.  Why do you give your users admin rights?  Take those away and the batch file won't matter.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 34129099
I tested launching a .bat file, and it opened it notepad......

I do agree with leew though, it is not the right way to prevent what you are trying to do..... Does anwer the actual question though...

:)
0
 

Author Comment

by:deming
ID: 34129159
I am looking at worst case and thinking ahead. They are my users (standard rights) but they may have bad intentions at some point. One user pointed out that he could download batch files via FTP and execute them and thought I should close that hole.

So I am working on disabling FTP access. But I also wanted to prevent execution of batch files in case some gets one onto the computer.

0
 
LVL 66

Expert Comment

by:johnb6767
ID: 34129170
And leew, you were correct, the cmd line still ran the batch files......

Standard users shouldnt be able to close processes running on a server though.....
0
 
LVL 80

Expert Comment

by:arnold
ID: 34129305
Limit the users on the server (limited/restricted user) and maintain the system with the most current updates.

You can as others mentioned define a rule for IE not to download items.

that match a certain patern i.e. no vbs, bat, exe, etc.  if you have a firewall/porxy, you can define the rule on those There would be a load impact for URL rejection on the firewall/router..
0
 
LVL 5

Expert Comment

by:balmasri
ID: 34130626
-Using Group policy , disable *.bat [ Enable GPO>User configuration>Administrative Templates>System >Don't run specified Windows applications >*.bat

OR
- GPO>User configuration>Administrative Templates>System >Prevent access to the command prompt
0
 
LVL 5

Accepted Solution

by:
xylog earned 2000 total points
ID: 34139158
GPO should work, but failing that you can also adjust ntfs ACL's on cmd.exe to deny a particular user group or only allow administrators.
0

Featured Post

Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
Suggested Courses

597 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question