.BAT files in XP

[joeb]

We have a Windows 2003 server and XP clients and are using policies t
lock down the users, but today found out even though we are blockin
access to the command prompt so the users have no access to it, the
still are able to make a batch file with all the commands they like
run it!! therefore allowing them to run any dos command they like!

Any ideas for banning the use of .bat files with Policies or anythin
else in XP?

Many thanks

Jo

 

[cquirke (MVP Win9x)]

We have a Windows 2003 server and XP clients and are using policies to
lock down the users, but today found out even though we are blocking
access to the command prompt so the users have no access to it, they
still are able to make a batch file with all the commands they like a
run it!! therefore allowing them to run any dos command they like!

It's worse, because XP's command interpreters will run code within
files, irrespective of the .ext, e.g...

Copy Notepad.exe Notbad.txt
Notbad.txt
Rem Above line runs the "text" file as code

....which makes type-aware management tricky.

Any ideas for banning the use of .bat files with Policies or anything
else in XP?

I'd think along the lines of:
- removing CMD.EXE and COMMAND.COM
- blocking use of the above
- mangling the .BAT -> batfile file association

Expect SFP to interfere with deleting CMD.EXE and COMMAND.COM, which
is why some sort of permissions blocking may be cleaner.

-------------- ---- --- -- - - - -

"I think it's time we took our
friendship to the next level"
'What, gender roles and abuse?'