Tosca Posted April 21, 2006 Hi everyone. Here's the situation: a stand-alone laptop (connected to ADSL via a router) with XP Pro SP2, CD/DVD and floppy attached, along with 2 USB 2.0 ports. I would like to restrict users from accessing the command screen. I know that I can take <Run> from the Start menu and I can set the permissions of cmd.exe so that only Administrators can use it, but what if someone had a copy of cmd.exe on a floppy, CD or USB memory stick? Users need access to USB or floppy so disabling these (along with the CD) is not an option. Basically, I'd like to prevent limited users from running cmd.exe, *whatever the source* of the file (i.e. they could e-mail a copy to themselves). Can this be done? A lot of harm (and prying) can be done from the command screen and I'd like to prevent it. The situation is a stand-alone at present, but I may increase the number of PCs to a small home network behind the router or a hub. I doubt that I'd get to the state of a large network with a server, MS Server 2003 etc. Thank you for your time. Link to comment https://www.neowin.net/forum/topic/454369-prevent-users-from-using-cmdexe/
arma Posted April 21, 2006 Something like this? http://www.beyondlogic.org/solutions/trust...rust-no-exe.htm Also there is a registry hack here which might do the same job. There's also further information here.
Tosca Posted April 21, 2006 (Author) Thank you. I'd prefer to avoid using third-party software and like the idea of altering the registry, but I think that these registry settings affect all users. If there was some way of limiting access to only some users, that would be ideal.
John Posted April 21, 2006 You can set permissions on cmd.exe itself (Y)
Tosca Posted April 21, 2006 (Author) John said: You can set permissions on cmd.exe itself (Y) Yes, but that wouldn't stop a Limited user having a copy on a floppy or USB memory stick, or e-mailing another copy of cmd.exe to himself, would it? I've been thinking about the earlier option of using a registry tweak, for instance DisallowRun or RestrictRun. If a user had another copy of cmd.exe (as above) and renamed it, I suspect that neither of these registry tweaks would prevent it from running. I just wonder if cmd.exe accesses some other file(s) (such as a .dll) and, if so, would altering the permission of that file help in any way? I'm thinking aloud now.
betasp Posted April 21, 2006 Set up a Group Policy http://www.windowsdevcenter.com/pub/a/wind...acks_runas.html http://www.jsifaq.com/SUBH/tip3600/rh3699.htm
MPH Posted April 21, 2006 This can be done through Group Policy. Click Start, then click Run and type "gpedit.msc" without quotes to launch Group Policy. Click System under Administrative Templates in User Configuration on the left pane and select "Prevent access to the command prompt" in the main window. Click on "Enabled", then click OK and close Group Policy. EDIT: betasp was faster than me.
Tosca Posted April 21, 2006 (Author) Thanks to both of you. It works fine: bringing up the command screen gives a warning that the Administrator has disabled it (whether I'm logged in with Limited or Administrative privileges). However, is it possible to still allow someone with Administrative privileges access to it? I guess that I could go back into GPE, reset it, do what I have to with cmd.exe and then disable it again, but that seems a bit fiddly. I'm not sure just how bespoke Policies can be and how I'd set it exactly as I'd need.
arma Posted April 21, 2006 Personally I would just disable cmd full stop on the machine and use an alternative command line processor which isn't subject to such restrictions; however, that won't stop your errant users accessing a similar utility. It might just delay them slightly if they're not so technical.
Japlabot Posted April 21, 2006 There is nothing malicious that can be done with Command Prompt anyway (to effect change beyond the scope of the user account), if they are in the 'Users' group (Limited User account).
MPH Posted April 21, 2006 Tosca said: Thanks to both of you. It works fine, bringing up the command screen and it gives a warning that the Administrator has disabled it (whether I'm logged in with Limited or Administrative privileges). However, is it possible to still allow someone with Administrative privileges access to it? I guess that I could go back into GPE, reset it, do what I have to with cmd.exe and then disable it again but that seems a bit fiddly. I'm not sure just how bespoke Policies can be and how I'd set it exactly as I'd need. With the modification I suggested to you, all users including those with administrative privileges can't use CMD.EXE, with the exception of Administrator. If you want to use CMD.EXE and have modified Group Policy as I suggested, open the Start menu, click "All Programs", navigate to "Command Prompt", then right click it and select "Run as..." from the context menu. A new window will open. From here you can run CMD as Administrator, providing you know the password.
Tosca Posted April 21, 2006 (Author) That's great. In a way, I'm a little surprised that a Policy can't be set to do what I want. I was under the impression that the Group Policy Editor could be very flexible in creating Policies to fit with required circumstances. The suggestion that you've made regarding running it as Administrator works well. I just came across command.com on my PC, which works similarly to cmd. I've not tried it yet, but I *hope* that the setting in Group Policy will disable this too. If not, I dare say that I'll be back asking if that can be disabled!
Tosca Posted April 22, 2006 (Author) Bah - setting the Policy doesn't disable command.com! Is there any way of disabling an "imported" copy, whether by floppy, e-mail etc.?
mujjuman Posted April 23, 2006 Use the Policy Editor if you have XP Pro, or the Fortres 101 software.
Tosca Posted April 23, 2006 (Author) Thank you. I prefer to avoid third-party software. I understand that bespoke policies can be set, but I don't know how. It's a very powerful utility so, rather than floundering, can you give me a nudge in the right direction about setting a policy specifically to prevent command.com from running?
mujjuman Posted April 23, 2006 I have no idea because I haven't made a new policy myself...
Tosca Posted April 23, 2006 (Author) I've done some googling and have come across Software Restriction Policy (SRP). There are several ways to implement this - one uses the MD5 hash of the file. I think this should allow me to authorise only an Admin user to run command.com. I don't think there's any way to prevent a "foreign" copy of command.com or some other command.com-like utility being run. I suppose the other way around is to set SRP, based upon the MD5 hash, of those files to which I wish to grant a Limited user access. Everything else would be set to Deny for this group. I anticipate that this would prevent their using external applications, running batch files etc. I'm thinking aloud here so will have to try it to see how it works.
John Posted April 24, 2006 You really don't want people running a command window, huh? ;) Consider the implications of restricting ALL programs except the ones you specify... A command prompt itself isn't that dangerous. The only thing you can do with it is launch other programs, and you're better off restricting those programs instead of the command prompt.
majortom1981 Posted April 24, 2006 You can do a lot of damage with cmd.exe. A lot of things that are restricted in the Windows GUI are not using cmd.exe. I use software restriction policies on my network at work. I don't go as far as using hashes, I just block the exe. I use it to block chat and p2p programs. I say try it, it's great.
John Posted April 24, 2006 Yes, but you're doing it differently from what he's suggesting. You block certain programs and allow everything else not specified. He's talking about blocking everything by default and specifying programs to allow. That list would fill up rather quickly.
mujjuman Posted April 24, 2006 ^ If you are going to do that, be sure that you set the program that you are using to be able to run... I did that once back in the day using Windows 98SE's "system policy editor"... it was VERY powerful and I forgot to set it to run "poledit.exe", which was the name of that program... and then I couldn't run that program anymore in order to change settings, so I was stuck, lol.
Tosca Posted April 24, 2006 (Author) majortom1981 said: You can do a lot of damage with cmd.exe. ... I dont go as bad as using hashes but I just block the exe. I use it to block chat and p2p programs. I know that command.com and cmd.exe aren't identical, but I want to be able to block both. I'm not keen on users, for instance, accessing any network commands. I've not looked at simply blocking the .exe as you suggest. How exactly do you go about blocking chat and p2p programs? mujjuman said: ^ if you are going to do that, besure that you set the program that you are using to be able to run... i did that once back in the day using Windows 98SE's "system policy editor" ... it was VERY powerful and i forgot to set it to run "poledit.exe" which was the name of that program... and then i couldnt run that program anymore in order to change settings, so i was stuck, lol. <LOL> I'd already thought about that - I'd be sure to leave myself a backdoor to apps such as gpedit.msc, regedit, cmd.exe, command.com etc.
mujjuman Posted April 25, 2006 Is this for a school or something? Because if it is, then it's pretty easy MOST of the time to find loopholes... I know because I was one of those kids :p
c.grz Posted April 25, 2006 All you need to do is rename it to something like cmd1.exe and then you can run it as cmd1. Don't know if Group Policy/Permissions will prevent that.
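To make the trade-offs discussed in this thread concrete (majortom1981's path-based blocking of an exe, Tosca's idea of SRP rules keyed on the MD5 hash, and c.grz's point about a renamed copy), here is an added Python model of how a Software Restriction Policy evaluates hash and path rules against a file. It is example code written for this page, not Windows' own implementation and not anything posted in the thread. The "binaries" are constructed byte strings standing in for cmd.exe, command.com and notepad.exe, and the rule handling (hash rules checked before path rules, the most specific matching path winning, an optional exemption for local administrators, and a default level of Unrestricted or Disallowed) follows SRP's documented behaviour in simplified form.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed stand-ins for executable contents (not real binaries).
CMD_EXE_BYTES = b"MZ\x90\x00 constructed stand-in for cmd.exe"
COMMAND_COM_BYTES = b"MZ\x90\x00 constructed stand-in for command.com"
NOTEPAD_BYTES = b"MZ\x90\x00 constructed stand-in for notepad.exe"


def md5_hex(data: bytes) -> str:
    """MD5 as SRP hash rules of that era used it: to identify a file's contents."""
    return hashlib.md5(data).hexdigest()


@dataclass
class HashRule:
    md5: str
    level: str  # "Disallowed" or "Unrestricted"


@dataclass
class PathRule:
    path: str   # file or folder path, matched case-insensitively as a prefix
    level: str


@dataclass
class Policy:
    default_level: str = "Unrestricted"  # "Disallowed" turns the policy into an allowlist
    hash_rules: List[HashRule] = field(default_factory=list)
    path_rules: List[PathRule] = field(default_factory=list)
    exempt_local_admins: bool = True     # SRP enforcement option "all users except local administrators"


def evaluate(policy: Policy, path: str, data: bytes, is_local_admin: bool = False) -> str:
    """Return the security level SRP would apply to running `data` from `path`."""
    if is_local_admin and policy.exempt_local_admins:
        return "Unrestricted"
    # Hash rules take precedence over path rules: the file is identified by content,
    # so copying it to removable media or renaming it does not change the outcome.
    digest = md5_hex(data)
    for rule in policy.hash_rules:
        if rule.md5 == digest:
            return rule.level
    # Path rules: the longest (most specific) matching prefix wins.
    norm = path.lower()
    best: Optional[PathRule] = None
    for rule in policy.path_rules:
        prefix = rule.path.lower()
        if norm.startswith(prefix) and (best is None or len(prefix) > len(best.path)):
            best = rule
    return best.level if best else policy.default_level


def demo() -> Dict[str, str]:
    """Walk through the three approaches raised in the thread."""
    results = {}

    # 1. Block cmd.exe by path only ("just block the exe").
    by_path = Policy(path_rules=[PathRule(r"C:\Windows\System32\cmd.exe", "Disallowed")])
    results["path_rule_original"] = evaluate(by_path, r"C:\Windows\System32\cmd.exe", CMD_EXE_BYTES)
    # A byte-identical copy renamed to cmd1.exe on a USB stick is not covered by the path.
    results["path_rule_renamed_copy"] = evaluate(by_path, r"E:\cmd1.exe", CMD_EXE_BYTES)

    # 2. Block cmd.exe by hash: renaming or copying does not alter the digest...
    by_hash = Policy(hash_rules=[HashRule(md5_hex(CMD_EXE_BYTES), "Disallowed")])
    results["hash_rule_renamed_copy"] = evaluate(by_hash, r"E:\cmd1.exe", CMD_EXE_BYTES)
    # ...but a different binary with the same purpose (command.com) has a different hash,
    # and every patched version of cmd.exe would need its own rule as well.
    results["hash_rule_command_com"] = evaluate(by_hash, r"E:\command.com", COMMAND_COM_BYTES)

    # 3. Default Disallowed with an allowlist of approved hashes; admins exempt.
    allowlist = Policy(
        default_level="Disallowed",
        hash_rules=[HashRule(md5_hex(NOTEPAD_BYTES), "Unrestricted")],
    )
    results["allowlist_notepad"] = evaluate(allowlist, r"C:\Windows\notepad.exe", NOTEPAD_BYTES)
    results["allowlist_command_com"] = evaluate(allowlist, r"E:\command.com", COMMAND_COM_BYTES)
    results["allowlist_admin_cmd"] = evaluate(
        allowlist, r"C:\Windows\System32\cmd.exe", CMD_EXE_BYTES, is_local_admin=True
    )
    return results


if __name__ == "__main__":
    for name, level in demo().items():
        print(f"{name:26s} -> {level}")
```

Scenario 1 shows why a path rule alone does not answer the original question: the renamed copy on E: is outside the rule. Scenario 2 shows that a hash rule survives renaming and copying but only ever covers one exact set of bytes, so command.com and any future patched cmd.exe need rules of their own. Scenario 3 is the default-deny allowlist Tosca proposed, which is the only variant here that stops a "foreign" command processor, at the cost John describes: every program a Limited user legitimately runs must be hashed and listed, and the administrator exemption is what keeps gpedit.msc and cmd.exe reachable for the person maintaining the policy.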
The Lege Posted April 25, 2006 mujjuman said: is this for a school or something? becuase if it is, then its pretty easy MOST of the time to find loopholes... i know because i was one of those kids :p Lol, the admin at our school tried to ban that but everyone still knows how to use it :laugh: :laugh: