Solved

Is there any reason not to have the Run command available to users?

Posted on 2011-10-03
Last Modified: 2012-05-12
We have an environment that is very locked down. We are considering putting the Run command back into the users' Start bar for ease of IT use. Can anyone think of any possible exploit/security reason not to do this? Other than minimizing the potential of a user messing around with the Run commands.
Question by:CCB-Tech
9 Comments
 
LVL 1

Assisted Solution

by:pdantro
pdantro earned 124 total points
ID: 36904212
You could keep the run command out and just navigate manually to the command window. Or always use the task manager and do file new task and work from there.
0
 
LVL 6

Accepted Solution

by:CanusRufus
CanusRufus earned 124 total points
ID: 36904222
The only exception I can think of is that the MRU will keep the last 26 entries. May want to clean that upon reboot if you do not want users seeing where IT is going...
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 36904228
As [pdantro] notes, there are alternatives.  That said, you should be able to set it up so IT users have the Run command while everyone else does not.
0

 

Author Comment

by:CCB-Tech
ID: 36904234
@ pdantro -

Oh I know, that's what we do now. After all, everyone's commands are run in the security context of the user. I was just asked if there is any good reason not to enable the run box. IE, we are sacrificing convenience and speed, but what are we gaining by leaving it off?

@ CanusRufus

That's a good point! Any idea how to do that via GPO?

@ paulmacd

That's exactly what I told my boss, but his question was what is gained by not enabling it.
0
 
LVL 6

Expert Comment

by:CanusRufus
ID: 36904297
I have yet to see a group policy article on this however I do not control that part of the environment that I am in. Our network does not clear this list although this has been brought up in meetings before.
You could perform a logon script type scenario and see if that helps.
----
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
-----
0
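A PowerShell form of the logon-script idea in the comment above, added here as an example and not posted by any participant in the thread. It lists the Run dialog history before deleting every value under the RunMRU key, the same effect as `reg delete ... /va /f`, and handles the case where the key does not exist yet. The function names `Get-RunMruEntry` and `Clear-RunMru` are hypothetical, and the script assumes it runs in the logged-on user's context, since the key lives under HKCU.

```powershell
# Added example: per-user logon script that reports and clears the Run dialog history.
# Function names are illustrative; the registry path is the one quoted in the thread.
$RunMruPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

function Get-RunMruEntry {
    param([string]$Path = $RunMruPath)
    # The key is absent until the Run dialog has been used at least once.
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $key   = Get-Item -LiteralPath $Path
    # MRUList is a string of slot letters, most recently used first.
    $order = [string]$key.GetValue('MRUList', '')
    foreach ($name in $key.GetValueNames()) {
        if ($name -eq 'MRUList' -or $name -eq '') { continue }
        $raw = [string]$key.GetValue($name)
        [pscustomobject]@{
            Slot    = $name
            Rank    = $order.IndexOf($name, [StringComparison]::Ordinal)  # 0 = newest, -1 = unlisted
            Command = $raw -replace '\\1$', ''   # stored entries carry a trailing "\1"
        }
    }
}

function Clear-RunMru {
    param([string]$Path = $RunMruPath)
    if (-not (Test-Path -LiteralPath $Path)) { return 0 }
    $key   = Get-Item -LiteralPath $Path
    $names = @($key.GetValueNames() | Where-Object { $_ -ne '' })
    foreach ($name in $names) {
        # Remove values only and leave the key in place, like "reg delete /va".
        Remove-ItemProperty -LiteralPath $Path -Name $name -ErrorAction Stop
    }
    return $names.Count
}

# Logon-script usage: show what was recorded, then clear it.
Get-RunMruEntry | Sort-Object Rank | Format-Table -AutoSize
"Removed $(Clear-RunMru) RunMRU value(s)"
```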
 
LVL 6

Expert Comment

by:CanusRufus
ID: 36904311
PaulMacd:
The run statement for IT users becomes an issue if you're in a networked environment that supports a remote management solution. ex: Windows remote assistance and/or VLC
0
 
LVL 34

Assisted Solution

by:Paul MacDonald
Paul MacDonald earned 124 total points
ID: 36904350
"...what is gained by not enabling it."
A little bit of security, but how much depends a lot on what sort of authority users have over their own systems.  If you otherwise trust your users, there's probably no harm.  Anyone who's going to do something sneaky from the command line is probably going to know how to do it some other way.
0
 
LVL 10

Assisted Solution

by:Arman Khodabande
Arman Khodabande earned 128 total points
ID: 36904586
If you have limited user accounts, then you don't have to be afraid, because they have limited access to system commands.
However you can add some limitations and open Run for them.
For example our university used to leave Run open but applied below restrictions:

1) Set permissions for all drives on the systems except the last drive for the users to save their data. (write denied)
2) Disable Task manager via GPO
3) Disable Display properties via GPO
4) Disable Regedit/Regedt32/gpedit via GPO
5) Disable Creating shortcuts via right click menu (New>Shortcut)
6) Disable Navigation from Addressbar.
7) Setting a password more than 25 characters(!) for administrator (This makes brute force impossible)

However this is very bad and inconvenient, but you can take some of them only!
0
 

Author Closing Comment

by:CCB-Tech
ID: 36980587
Thanks! We enabled it as our environment is very locked down. So no real gain by blocking it.
0


Question has a verified solution.
