Prevent a user from running cmd.exe

Hi everyone

This is the setup - a stand alone PC connected to ADSL via a router. The OS
is XP Pro SP2 and there's a floppy, CD/DVD as well as a number of 2.0 USB
ports.

I'd like to prevent Limited users from being able to run cmd.exe. I know
that I can remove <Run> from the Start menu and I can set permissions of
cmd.exe to prevent Limited users running it. I also know about a registry
tweak (RestrictRun or DisallowRun) to prevent a particular program being run,
but what if a user has a copy of cmd.exe on a floppy etc.? Users need access
to a floppy or USB port, so disabling these isn't an option. Even if I did
disable the floppy/CD/USB, a user could e-mail a copy of cmd.exe to himself
and may, even, rename it. I suspect that would get around the DisallowRun or
RestrictRun registry setting.

Does anyone have any suggestions about this? I just wonder if cmd.exe
accesses some other file, such as a .dll, the permissions of which could be
modified? I'm thinking aloud and don't know if that would be an option.

Thanks in advance.
 
Thank you Wes.

I've been doing some investigating and stumbled across the setting in the
Policy Editor but it applies to all users. I don't know how bespoke Policies
can be made. Ideally, I'd want the setting to apply only to Limited users.
I guess that I could disable it and then, if I need access, go into GPE,
re-enable it, do what I need to do with cmd.exe and then disable it again,
but this seems very fiddly. Do you know if I can create a Policy to do
exactly as I want?

Thanks once again for your time.
 
You could use
HKEY_USERS\SID#\Software\Policies\Microsoft\Windows\System
instead of
HKCU\Software\Policies\Microsoft\Windows\System
where SID# is the SID for whatever limited user(s).

That way the policy would apply only to whatever SID #s.

I do not know how to create a Policy to do exactly as you want. Someone
more versed in Group Policy might.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User
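
The per-user approach described in the reply above, as an added example that is not part of the original thread. It assumes the setting in question is the "Prevent access to the command prompt" policy, whose registry value is DisableCMD (the thread does not name the value), and `limiteduser` is a placeholder account name.

```powershell
# Added example: apply the command-prompt policy to ONE account by writing
# under HKEY_USERS\<SID> instead of HKCU. Run from an administrator account.
# 'limiteduser' is a placeholder; DisableCMD is assumed to be the value meant.
param([string]$UserName = 'limiteduser')

# Translate the account name to its SID.
$account = New-Object System.Security.Principal.NTAccount($UserName)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

$loadedHere = $false
if (-not (Test-Path "Registry::HKEY_USERS\$sid")) {
    # A user's hive is mounted under HKEY_USERS only while that user is
    # logged on. Otherwise load NTUSER.DAT from the recorded profile path.
    $profileKey = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\' +
                  "Windows NT\CurrentVersion\ProfileList\$sid"
    $profilePath = (Get-ItemProperty $profileKey).ProfileImagePath
    & reg.exe load "HKU\$sid" (Join-Path $profilePath 'NTUSER.DAT') | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not load the hive for $UserName" }
    $loadedHere = $true
}

$policyKey = "Registry::HKEY_USERS\$sid\Software\Policies\Microsoft\Windows\System"
if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}

# DisableCMD = 1: block cmd.exe and batch files
# DisableCMD = 2: block cmd.exe but still allow batch files to run
Set-ItemProperty -Path $policyKey -Name DisableCMD -Value 2 -Type DWord

# Read the value back so the result is visible to the administrator.
(Get-ItemProperty $policyKey).DisableCMD

if ($loadedHere) {
    # Release registry handles held by this session before unloading.
    [gc]::Collect()
    & reg.exe unload "HKU\$sid" | Out-Null
}
```

The value is read by cmd.exe itself at start-up, so it does not affect command.com or other interpreters.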

 
Hi Wes

That's great - thank you.

I've been doing some further investigating and have found command.com on the
system, as well as cmd.exe. I realise that they're similar and had hoped
that the Policy would prevent command.com from working but it doesn't.

I'll post a similar question in the Group Policy newsgroup to see if anyone
has any further comments. If so, I'll post back here for everyone's benefit.
Please don't let this stop folks responding here though if anyone knows how
to disable command.com!
 
Actually, even with cmd.exe disabled it can still be run by using
command.com by someone who knows their way around.

[[COMMAND.COM is a 16-bit DOS application which is used for older DOS
compatibility and actually runs inside the NTVDM (NT Virtual DOS Machine)
due to its 16-bit nature.]]

Any command typed into command.com is actually executed by cmd.exe.

What is the difference between cmd.exe and command.com?
http://www.windowsitpro.com/Article/ArticleID/13578/13578.html?Ad=1

COMMAND.COM vs. CMD.EXE:
http://www.computerhope.com/issues/ch000395.htm

CMD.EXE or COMMAND.COM
http://www.acky.net/tips/windows/windows/wt054.sht

See...
CMD.EXE and COMMAND.COM
here....
The Windows NT Command Shell
[[The difference between CMD.EXE and COMMAND.COM is explained.]]
http://www.microsoft.com/technet/archive/winntas/deploy/shellscr.mspx

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
Why not just apply NTFS security so that only the Administrators group
can access both files, and then don't make the users part of that group?
 
I thought of applying NTFS security, but what if a user had a copy of cmd.exe
or command.com on a floppy, USB memory stick or e-mailed a copy to himself?
Would that prevent these "imported" files being run?
 
If you've got Physical security issues, well, that's another problem to
address. You can disable the floppy, disable USB/Firewire ports, etc...
Most computer users don't need them at work.

As for email - assuming you have your own email server, just delete any
attachment you don't want to allow at the SMTP server before the users
get them - most good firewalls do this. You can stop them from accessing
web mail by not allowing web access except to white-listed or other
approved sites.

Nothing will stop someone with physical access if they can reach the
hardware inside the case.
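
The concern raised repeatedly in this thread is that a restriction keyed on the file name or location does not cover a renamed copy brought in on removable media or by e-mail. The following audit script is an added example, not part of the original thread, that finds such copies by content hash instead of by name. The scan root `E:\` is a placeholder, and a copy taken from a different Windows build or service pack has a different hash and will not match.

```powershell
# Added example: locate copies of the system command interpreters by content,
# regardless of what they have been renamed to. 'E:\' is a placeholder root.
param([string]$ScanRoot = 'E:\')

function Get-Sha256([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        [System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', ''
    }
    finally { $stream.Close() }
}

# Reference hashes and sizes taken from this machine's own System32 copies.
$knownHash = @{}
$knownSize = @{}
foreach ($name in 'cmd.exe', 'command.com') {
    $ref = Join-Path $env:SystemRoot "System32\$name"
    if (Test-Path $ref) {
        $knownHash[(Get-Sha256 $ref)] = $name
        $knownSize[(Get-Item $ref).Length] = $true
    }
}

Get-ChildItem -Path $ScanRoot -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $knownSize.ContainsKey($_.Length) } |
    ForEach-Object {
        # Only files with a matching size are hashed, which keeps the scan fast.
        try { $hash = Get-Sha256 $_.FullName } catch { return }
        if ($knownHash.ContainsKey($hash)) {
            New-Object PSObject -Property @{
                Path              = $_.FullName
                MatchesSystemFile = $knownHash[$hash]
            }
        }
    }
```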
 