How do you do....it? Thread: how to disable command.com ? (in Technical)
-
23rd February 2007, 03:58 PM #1 how to disable command.com ?
any idea how to do this?
have disabled cmd.exe via gpo , but command.com still runs (as one little chappy gleefully pointed out to me today)
if I delete it from hd's , I guess they can still run it from a pendrive - so any suggestions welcome.
(w2k server, XPSP1 wkstns)
-
-
23rd February 2007, 04:13 PM #2 Re: how to disable command.com ?
change the NTFS permissions
-
-
23rd February 2007, 04:14 PM #3 Re: how to disable command.com ?
..and set command.com as a denied app in GPO
-
-
23rd February 2007, 04:16 PM #4 Re: how to disable command.com ?
I set it as a denied app in gpo, but it's not a windows app so still runs
-
-
23rd February 2007, 04:28 PM #5 Re: how to disable command.com ?
We've done this a while ago, I'll see if I can dig the notes out for it.
-
-
23rd February 2007, 04:38 PM #6 Re: how to disable command.com ?
just change its file security settings in the relevant section of the computer gpo.
-
-
23rd February 2007, 04:44 PM #7 Re: how to disable command.com ?
Or you could just rename it - problem is - we found - quite a few old educational type programs won't run without it - Estarters for example and some of the installer programs - so make sure you test it out thoroughly.
-
-
23rd February 2007, 08:19 PM #8 Re: how to disable command.com ?
thanks for replies - but command.com is a 50k app which can be run from any location, so setting permissions etc on the hd copy doesn't stop 'em bringing it in.
what can they do with it anyway? (apart from annoying me by mentioning it!)
-
-
24th February 2007, 02:10 AM #9 Re: how to disable command.com ?
look at post below as it wouldn't let me delete this one
-
-
24th February 2007, 02:14 AM #10 Re: how to disable command.com ?
I think I found what you need
The following table lists the Group Policy Machine settings and associated registry keys for application compatibility. These settings are found in these locations:
• Group Policy Location: MACHINE\Administrative Templates\Windows Components\Application Compatibility
• Registry Location: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows
Group Policy Settings for Application Compatibility (Machine)
Setting: Description
Turn Off Application Compatibility Engine: Controls the state of the application compatibility engine in the system.
Turn Off Program Compatibility Wizard: Controls the state of the Program Compatibility Wizard. When enabled, this setting disables the start page of the wizard in Help and Support, and in the Start menu.
Remove Program Compatibility Property Page: Controls the visibility of the Program Compatibility property page shell extension.
Turn On Application Help Log Events: Blocks known incompatible applications and displays a dialog to the end-user regarding the problem.
Prevent access to 16-bit applications: Specifies whether to prevent the MS-DOS subsystem (ntvdm.exe) from running on this computer. This setting affects the launching of 16-bit applications in the operating system.
http://technet2.microsoft.com/Window....mspx?mfr=true
It's near the bottom of the page and it shows you where it is in GPO
-
-
26th February 2007, 09:15 AM #11 Re: how to disable command.com ?
Thanks , gecko - only problem is we're still on W2k server and that setting isn't there 
[edited]
sorted it - I added this to logon script instead 
CACLS %SystemRoot%\System32\ntvdm.exe /E /D Student
[edited]
-
-
26th February 2007, 12:35 PM #12 Re: how to disable command.com ?
does this work?
Within MMC Group Policy, Click on user configuration, Next click on Administrative Templates, Then click on System. Within system you'll see "Disable the command prompt". Enable that policy.
-
-
26th February 2007, 02:29 PM #13 Re: how to disable command.com ?

Originally Posted by pinemarten:
Thanks , gecko - only problem is we're still on W2k server and that setting isn't there
[edited]
sorted it - I added this to logon script instead
CACLS %SystemRoot%\System32\ntvdm.exe /E /D Student
[edited]
did that work and it stopped them from running command.com / cmd etc ?
-
-
26th February 2007, 03:12 PM #14 Re: how to disable command.com ?
@Browolf;
Within MMC Group Policy, Click on user configuration, Next click on Administrative Templates, Then click on System. Within system you'll see "Disable the command prompt". Enable that policy.
yeah, did that, only works for cmd.exe
@gecko;
yes, it seems to have worked ok (ntvdm.exe controls the 16 bit processes so denying access stops it running for the denied group.)
I wondered if it might stop the logon.bat from running , but seems ok - I am monitoring the system for any other undesirable effects , but none so far....
-
-
10th May 2007, 08:53 AM #15 Re: how to disable command.com ?
Sorry to pick this thread up again but we recently had this problem not with users running on the PC but on pendrives, solved the problem this way:
Within our Student GPO: User Config -> Windows Settings -> Security Settings ->Software restriction Policies -> Additional Rules
Path rule
A path rule identifies programs by their file path. For example, if you have a computer that has a Disallowed default policy, you can still grant unrestricted access to a specific folder for each user. Some common paths for this type of rule would be %userprofile%, %windir%, %appdata%, %programfiles%, and %temp%.
Since these rules are specified by path, if a program is moved, then the path rule will no longer apply.
AND
Hash rule
A hash is a series of bytes with a fixed length that uniquely identifies a program or file. The hash is computed by a hash algorithm. Software restriction policies can identify files by their hash, using both the SHA-1 (Secure Hash Algorithm) and the MD5 hash algorithm.
For example, you can create a hash rule and set the security level to Disallow to prevent users from running a certain file. A file can be renamed or moved to another folder and still result in the same hash. However, any tampering with the file will change its hash value and allow it to bypass restrictions.
Software restriction policies will only recognize hashes that have been calculated using software restriction policies.
with both of these in place even if the file is on the USB it is still stopped from running.
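The path-rule and hash-rule behaviour quoted in the post above, as an added example (not part of the original thread and not Windows' own code): a simplified Python model of rule evaluation, run on constructed file contents and paths. The precedence used here (hash rule, then most specific path rule, then the default level) and every name in the block are assumptions of this sketch.

```python
import hashlib
import ntpath

# Simplified model (assumption, for illustration only): a matching hash rule
# wins, then the most specific matching path rule, then the default level.

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def _norm(path: str) -> str:
    # Windows paths are case-insensitive; strip a trailing backslash too.
    return ntpath.normcase(ntpath.normpath(path)).rstrip("\\")

def evaluate(policy: dict, path: str, content: bytes) -> str:
    """Return 'Disallowed' or 'Unrestricted' for one launch attempt."""
    level = policy["hash_rules"].get(sha1_hex(content))
    if level:
        return level
    target, best = _norm(path), None
    for rule_path, rule_level in policy["path_rules"].items():
        prefix = _norm(rule_path)
        if target == prefix or target.startswith(prefix + "\\"):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, rule_level)
    return best[1] if best else policy["default"]

# Constructed stand-ins for file contents (not real binaries).
ORIGINAL = b"constructed stand-in for the blocked program"
MODIFIED = ORIGINAL + b"\x00"          # same program, one byte different

BLOCKED_PATH = r"C:\WINDOWS\system32\command.com"

# Path rule only: stops the copy on disk, nothing else.
path_only = {"default": "Unrestricted", "hash_rules": {},
             "path_rules": {BLOCKED_PATH: "Disallowed"}}

# Path rule AND hash rule, as in the post: also stops a moved or renamed copy.
deny_list = {"default": "Unrestricted",
             "path_rules": {BLOCKED_PATH: "Disallowed"},
             "hash_rules": {sha1_hex(ORIGINAL): "Disallowed"}}

# Default level Disallowed with trusted folders allowed: anything launched
# from outside those folders is stopped whatever its hash is.
allow_list = {"default": "Disallowed",
              "path_rules": {r"C:\WINDOWS": "Unrestricted",
                             r"C:\Program Files": "Unrestricted"},
              "hash_rules": {sha1_hex(ORIGINAL): "Disallowed"}}
```

Calling `evaluate(deny_list, r"E:\renamed.com", ORIGINAL)` returns `Disallowed`, while the same call with `MODIFIED` returns `Unrestricted`; under `allow_list` both return `Disallowed`, which is why a Disallowed default level holds up better than a list of blocked hashes.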