Is there any reason not to have the Run command available to users?

Posted on 2011-10-03
Last Modified: 2012-05-12
We have an environment that is very locked down. We are considering putting the Run command back into the users' Start bar for ease of IT use. Can anyone think of any possible exploit/security reason not to do this? Other than minimizing the potential of a user messing around with the Run commands.
Question by:CCB-Tech
    LVL 1

    Assisted Solution

    You could keep the run command out and just navigate manually to the command window. Or always use the task manager and do file new task and work from there.
    LVL 6

    Accepted Solution

    The only exception I can think of is that the MRU will keep the last 26 entries. May want to clean that upon reboot if you do not want users seeing where IT is going...
    LVL 33

    Expert Comment

    As [pdantro] notes, there are alternatives.  That said, you should be able to set it up so IT users have the Run command while everyone else does not.

    Author Comment

    @ pdantro -

    Oh I know, that's what we do now. After all, everyone's commands are run in the security context of the user. I was just asked if there is any good reason not to enable the run box. IE, we are sacrificing convenience and speed, but what are we gaining by leaving it off?

    @ CanusRufus

    That's a good point! Any idea how to do that via GPO?

    @ paulmacd

    That's exactly what I told my boss, but his question was what is gained by not enabling it.
    LVL 6

    Expert Comment

    I have yet to see a group policy article on this; however, I do not control that part of the environment that I am in. Our network does not clear this list although this has been brought up in meetings before.
    You could perform a logon script type scenario and see if that helps.
    reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
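
A PowerShell form of the logon-script idea in the comment above, as an added example that is not part of the original thread. The function name `Clear-RunMru` is hypothetical; the script assumes it runs in the user's own logon context (for instance as a logon script assigned through Group Policy), tolerates a missing key, and reports only how many entries were removed, never their contents.

```powershell
# Added example (not from the thread): clear the Run dialog history for the
# current user at logon. Clear-RunMru is a hypothetical name.
$RunMruPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

function Clear-RunMru {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Path = $RunMruPath
    )

    # The key is only created once the user has typed something into Run,
    # so a missing key simply means there is nothing to clear.
    if (-not (Test-Path -LiteralPath $Path)) {
        return 0
    }

    # Enumerate the named values (a, b, c, ... and MRUList) on the key itself.
    # The unnamed (Default) value is skipped; it holds no history.
    $key   = Get-Item -LiteralPath $Path
    $names = @($key.GetValueNames() | Where-Object { $_ -ne '' })

    $removed = 0
    foreach ($name in $names) {
        # -WhatIf on the function call previews the deletions without making them.
        if ($PSCmdlet.ShouldProcess("$Path\$name", 'Remove registry value')) {
            Remove-ItemProperty -LiteralPath $Path -Name $name -ErrorAction Stop
            $removed++
        }
    }
    return $removed
}

# Run at logon; output the count only, so the log does not itself become
# a record of what was typed into the Run box.
$count = Clear-RunMru
Write-Output "RunMRU: removed $count value(s) for $env:USERNAME"
```

Calling `Clear-RunMru -WhatIf` on a test account lists what would be deleted without changing the registry.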
    LVL 6

    Expert Comment

    The Run statement for IT users becomes an issue if you're in a networked environment that supports a remote management solution, e.g. Windows Remote Assistance and/or VLC.
    LVL 33

    Assisted Solution

    "...what is gained by not enabling it."
    A little bit of security, but how much depends a lot on what sort of authority users have over their own systems.  If you otherwise trust your users, there's probably no harm.  Anyone who's going to do something sneaky from the command line is probably going to know how to do it some other way.
    LVL 10

    Assisted Solution

    by:Arman Khodabande
    If you have limited user accounts, then you don't have to be afraid, because they have limited access to system commands.
    However you can add some limitations and open Run for them.
    For example our university used to leave Run open but applied the restrictions below:

    1) Set permissions for all drives on the systems except the last drive for the users to save their data. (write denied)
    2) Disable Task manager via GPO
    3) Disable Display properties via GPO
    4) Disable Regedit/Regedt32/gpedit via GPO
    5) Disable Creating shortcuts via right click menu (New>Shortcut)
    6) Disable Navigation from Addressbar.
    7) Setting a password of more than 25 characters(!) for administrator (This makes brute force impossible)

    However this is very bad and inconvenient, but you can take some of them only!

    Author Closing Comment

    Thanks! We enabled it as our environment is very locked down. So no real gain by blocking it.
