Solved

How to hide the command prompt and RDP from accessories on a Windows 7 through AppLocker

Posted on 2014-01-04
Medium Priority
758 Views
Last Modified: 2014-01-19
Hi

I want to hide the command prompt and RDP from accessories on a Windows 7 laptop.
Is it possible to achieve this through AppLocker? Any other method will be great too.

Please post a tutorial.

Thanks
Question by:lianne143
10 Comments
 
LVL 17

Expert Comment

by:lruiz52
ID: 39755802
You can do it through group policy.
0
 

Author Comment

by:lianne143
ID: 39755914
This laptop will be a standalone not on the domain.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 39755920
Hi. AppLocker comes with the Enterprise or Ultimate editions of Win7. Other editions can use NTFS permissions. The executables are cmd.exe and mstsc.exe.
0

 

Author Comment

by:lianne143
ID: 39755936
Do you mean denying NTFS permissions for users for the below?

C:\Windows\System32\mstsc.exe
C:\Windows\System32\cmd.exe
0
 
LVL 56

Expert Comment

by:McKnife
ID: 39755942
Right. But don't use deny; simply remove the permissions for "unwanted" users.
0
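The remove-instead-of-deny approach from the comment above, as an added example that is not part of the original thread. A Deny entry for Users would also catch administrators, because their logon token carries the Users group as well; removing the Users entry leaves them unaffected. It assumes the default Windows 7 ACLs (owner TrustedInstaller, an explicit read/execute entry for Users), and `C:\AclBackup` is a hypothetical backup folder.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
$usersSid  = '*S-1-5-32-545'     # BUILTIN\Users, given by SID so the UI language does not matter
$backupDir = 'C:\AclBackup'      # hypothetical location for the saved ACLs
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# The two executables named in the thread, plus their 32-bit copies on 64-bit Windows.
$targets = foreach ($dir in 'System32', 'SysWOW64') {
    foreach ($exe in 'cmd.exe', 'mstsc.exe') {
        $candidate = Join-Path $env:SystemRoot "$dir\$exe"
        if (Test-Path $candidate) { $candidate }
    }
}

foreach ($file in $targets) {
    $tag = ($file -replace '[:\\]', '_')

    # Keep a copy of the current ACL; it can be put back with
    #   icacls <containing folder> /restore <saved file>
    icacls $file /save (Join-Path $backupDir "$tag.acl") | Out-Null

    # System files are owned by TrustedInstaller, so the DACL cannot be edited
    # until the Administrators group owns the file.
    takeown /F $file /A | Out-Null

    # Remove the granted entry for Users instead of adding a Deny entry.
    icacls $file /remove:g $usersSid | Out-Null

    # Show the resulting ACL for review.
    icacls $file
}
```

Servicing operations that replace these files may put the original ACLs back, so re-check them after updates.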
 

Author Comment

by:lianne143
ID: 39755985
Finally

We do have Microsoft EES and I have licenses for Enterprise and Ultimate editions as well.
If I install these versions on the laptops, will I be able to remove CMD prompt and RDP from accessories through AppLocker?
Please post any tutorials on how to do this, if possible.

Thanks for your help
0
 
LVL 59

Accepted Solution

by:Cliff Galiher
Cliff Galiher earned 1000 total points
ID: 39756058
Applocker does not remove or hide applications or shortcuts. It will prevent an application from running with an error.

If you want to "hide" these things, you will need to create a new default profile for new users, and edit the existing profiles of users that have already been on the machine.

Users could still launch applications if they found another way to reach them. Software restriction policies can help with that (neater than AppLocker in this instance, in my opinion).

You'll likely need to combine the two methods above to really accomplish what you want.

---

Of course, this is where I will also point out that blocking the command line and RD seems like it is attacking a symptom instead of fixing an issue. If NTFS permissions are set properly, who cares if a user can launch the command line? It can't get anywhere or do anything they can't do via Windows Explorer. Two interfaces to the same data and programs.

Similarly, if you lock down your network and firewalls, who cares if users start the remote desktop program. They can't GO anywhere with it.

I am of the mind that if a workstation really needs to be locked down, default profiles and restriction policies aren't enough (public kiosks, for example) and a customized install image should be used. And in all other instances, following best practices in file and network permissions addresses those problems more neatly.

Hope that helps.
0
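What blocking these two executables with AppLocker looks like in practice, as an added example that is not part of the original answer. The policy is constructed here: the three allow rules mirror the scope of AppLocker's default rules, the deny rules also cover the SysWOW64 copies (which goes beyond the two paths named in the thread), and `kiosk` is a hypothetical standard user account.

```powershell
# Added example (constructed policy, not from the thread). Run elevated on
# Windows 7 Enterprise/Ultimate; 'kiosk' is a hypothetical standard account.
Import-Module AppLocker

function New-PathRule($Name, $Sid, $Action, $Path) {
    # One FilePathRule element with a fresh GUID as its Id.
    $id = [guid]::NewGuid()
    "<FilePathRule Id=`"$id`" Name=`"$Name`" Description=`"`" " +
    "UserOrGroupSid=`"$Sid`" Action=`"$Action`"><Conditions>" +
    "<FilePathCondition Path=`"$Path`" /></Conditions></FilePathRule>"
}

# Once the Exe collection holds any rule, files with no Allow rule are blocked,
# so these three allows (same scope as AppLocker's default rules) come first.
$rules = @(
    (New-PathRule 'Allow Program Files' 'S-1-1-0' 'Allow' '%PROGRAMFILES%\*'),
    (New-PathRule 'Allow Windows folder' 'S-1-1-0' 'Allow' '%WINDIR%\*'),
    (New-PathRule 'Allow all for Administrators' 'S-1-5-32-544' 'Allow' '*')
)

# Deny wins over Allow. S-1-5-32-545 is BUILTIN\Users, which an administrator's
# logon also carries; use a narrower group SID to exempt administrators.
$blocked = '%SYSTEM32%\cmd.exe', '%SYSTEM32%\mstsc.exe',
           '%WINDIR%\SysWOW64\cmd.exe', '%WINDIR%\SysWOW64\mstsc.exe'
foreach ($path in $blocked) {
    $rules += New-PathRule "Deny $path" 'S-1-5-32-545' 'Deny' $path
}

$xml = '<AppLockerPolicy Version="1"><RuleCollection Type="Exe" ' +
       'EnforcementMode="Enabled">' + ($rules -join '') +
       '</RuleCollection></AppLockerPolicy>'
$policyFile = Join-Path $env:TEMP 'deny-cmd-mstsc.xml'
([xml]$xml).Save($policyFile)      # the cast fails if the XML is malformed

# Dry run: check the PolicyDecision column before anything is enforced.
$probe = 'cmd.exe', 'mstsc.exe', 'notepad.exe' |
    ForEach-Object { Join-Path $env:SystemRoot "System32\$_" }
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $probe -User 'kiosk' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Enforce: this replaces the local AppLocker policy (add -Merge to keep
# existing rules), and rules only apply while Application Identity runs.
Set-AppLockerPolicy -XmlPolicy $policyFile
Set-Service AppIDSvc -StartupType Automatic
Start-Service AppIDSvc
```

The Start menu shortcuts stay visible with this policy; launching them produces the block message the answer describes. Path rules match by location, so a copy of either executable placed elsewhere is stopped only because standard users have no Allow rule outside the Windows and Program Files folders.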
 
LVL 56

Assisted Solution

by:McKnife
McKnife earned 1000 total points
ID: 39756117
> Software restriction policies can help with that (neater than AppLocker in this instance, in my opinion
Um... what are you talking about? AppLocker is neater in every respect and is kind of the successor to software restriction policies. Apart from that, SRPs can be circumvented more easily than AppLocker as they run in the user space.

@lianne: I would not switch editions to prevent those two things from running. Much effort and with NTFS you have the same result. Applocker is better than NTFS because of the whitelisting option, but here, you want blacklisting.
0
 
LVL 59

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 1000 total points
ID: 39756221
"Um... what are you talking about?"

No need to be condescending; I will not get drawn into a debate over a purely subjective opinion. I will, however, explain my position.

Win7 allows multiple local policies, and it is not uncommon to see that feature used with non-domain-joined machines where control is desired. The desire to use AppLocker also clearly indicates that level of control IS desired.

AppLocker's merging logic is powerful, but complex, when multiple policies are involved. SRP is far more mundane in comparison.

Therefore, it is a valid opinion to believe that SRP is more elegant in some deployments.

You don't have to AGREE with that opinion. But you don't have to be a ...well...I've explained my position.
0
 
LVL 56

Assisted Solution

by:McKnife
McKnife earned 1000 total points
ID: 39758027
Dear cgaliher, it was not meant to be condescending or anything. I am sorry if I made that impression. I was simply interested in what you could mean because I administer both and so far, I could not agree, quite the opposite even.
Thanks for telling me, maybe I will come across these merging scenarios some day.
0
