Is there any reason not to have the Run command available to users?

We have an environment that is very locked down. We are considering putting the Run command back into the users' Start bar for ease of IT use. Can anyone think of any possible exploit/security reason not to do this? Other than minimizing the potential of a user messing around with the Run commands.
CCB-Tech Asked:

pdantro Commented:
You could keep the Run command out and just navigate manually to the command window. Or always use the Task Manager, do File > New Task, and work from there.
CanusRufus Commented:
The only exception I can think of is that the MRU will keep the last 26 entries. May want to clean that upon reboot if you do not want users seeing where IT is going...
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Paul MacDonald, Director, Information Systems Commented:
As [pdantro] notes, there are alternatives.  That said, you should be able to set it up so IT users have the Run command while everyone else does not.
CCB-Tech Author Commented:
@ pdantro -

Oh I know, that's what we do now. After all, everyone's commands are run in the security context of the user. I was just asked if there is any good reason not to enable the Run box. I.e., we are sacrificing convenience and speed, but what are we gaining by leaving it off?

@ CanusRufus

That's a good point! Any idea how to do that via GPO?

@ paulmacd

That's exactly what I told my boss, but his question was what is gained by not enabling it.
CanusRufus Commented:
I have yet to see a group policy article on this; however, I do not control that part of the environment that I am in. Our network does not clear this list, although this has been brought up in meetings before.
You could perform a logon script type scenario and see if that helps.
----
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
-----
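
The logon-script idea above, expanded into PowerShell as an added example (not code from any poster in this thread): it lists the per-user Run history in most-recent-first order and then removes the values, which has the same effect as the `reg delete ... /va /f` line. The function names `Get-RunMruEntry` and `Clear-RunMru` are hypothetical.

```powershell
# Added example, not from the thread. Function names are hypothetical.
$RunMruKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

function Get-RunMruEntry {
    # Returns the Run dialog history for the current user, most recent first.
    param([string]$Path = $RunMruKey)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $props = Get-ItemProperty -LiteralPath $Path
    # MRUList is a string of value names (a-z) ordered newest to oldest.
    $rank = 0
    foreach ($name in ([string]$props.MRUList).ToCharArray()) {
        $data = $props."$name"
        if ($null -eq $data) { continue }   # letter listed but value missing
        $rank++
        [pscustomobject]@{
            Rank    = $rank
            Value   = "$name"
            Command = $data -replace '\\1$', ''   # stored data ends in "\1"
        }
    }
}

function Clear-RunMru {
    # Deletes every value under the key but keeps the key itself.
    param([string]$Path = $RunMruKey)
    if (-not (Test-Path -LiteralPath $Path)) { return 0 }
    $names = @((Get-Item -LiteralPath $Path).Property)
    foreach ($n in $names) {
        Remove-ItemProperty -LiteralPath $Path -Name $n
    }
    return $names.Count
}

# Logon-script usage: show what was stored, then clear it.
Get-RunMruEntry | Format-Table -AutoSize
$removed = Clear-RunMru
Write-Output "Removed $removed RunMRU value(s) for $env:USERNAME"
```

Because the key lives under HKEY_CURRENT_USER, the script has to run in each user's own logon context rather than as a machine startup script.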
CanusRufus Commented:
PaulMacd:
The Run statement for IT users becomes an issue if you're in a networked environment that supports a remote management solution. ex: Windows remote assistance and/or VLC
Paul MacDonald, Director, Information Systems Commented:
"...what is gained by not enabling it."
A little bit of security, but how much depends a lot on what sort of authority users have over their own systems.  If you otherwise trust your users, there's probably no harm.  Anyone who's going to do something sneaky from the command line is probably going to know how to do it some other way.
Arman Khodabande, IT Manager and Consultant Commented:
If you have limited user accounts, then you don't have to be afraid, because they have limited access to system commands.
However you can add some limitations and open Run for them.
For example our university used to leave Run open but applied below restrictions:

1) Set permissions for all drives on the systems except the last drive for the users to save their data. (write denied)
2) Disable Task manager via GPO
3) Disable Display properties via GPO
4) Disable Regedit/Regedt32/gpedit via GPO
5) Disable Creating shortcuts via right click menu (New>Shortcut)
6) Disable Navigation from Addressbar.
7) Setting a password more than 25 characters(!) for administrator (This makes brute force impossible)

However this is very bad and inconvenient, but you can take some of them only!
CCB-Tech Author Commented:
Thanks! We enabled it as our environment is very locked down. So no real gain by blocking it.