Windows 7 Thread: Pupils able to open CMD as an administrator (in Technical)
  1. #16


    Quote Originally Posted by this_is_gav View Post
    When I'm setting up a computer for someone outside of school, I'd always enable UAC, but we had lots of problems with UAC on Vista in school, so I've always disabled it for network computers.
    Huh. Y'know, good question. I honestly couldn't tell you - going to have to look into that one!
    According to this page, having UAC disabled automatically grants elevated permissions to any program that requests them - however it doesn't mention if the account doesn't have admin privileges anyway. Going to jump on a test account and test this out.
    So I'd definitely recommend UAC enabled - besides, having a UAC prompt pop up tells you it's a permissions error. Having nothing at all is just confusing. Having it allow elevated privileges without authentication is just daft.
    UAC was terrible in Vista but I've never had issue with it on Win7.
    Last edited by Garacesh; 27th February 2014 at 09:27 AM.

  2. Thanks to Garacesh from:

    this_is_gav (27th February 2014)

  3. #17

    Michael's Avatar
    This is easy to resolve -

    User Config > Policies > Admin Templates > System - Prevent access to the command prompt - Enabled, then specify No for script processing.

    Whilst you're at it do the same for Prevent access to registry editing tools as well.

  4. #18


    Tested it with a machine that's off the domain:
    With UAC enabled a 'Standard User' (as per Windows 7 default) is given a UAC prompt when trying to run C:\Windows\System32\cmd.exe as an administrator (right click menu) but can launch it normally, too.
    With UAC disabled, no UAC prompt is shown when selecting run as administrator, but the command line still launches. 'net stop spooler' returns Error 5: Access is denied. Command line can still be run 'normally' by double-clicking it too.

    With that, I am assuming if UAC is disabled, the program is still launched with their current privileges. Still, I'd say turn it on anyway.

  5. Thanks to Garacesh from:

    this_is_gav (27th February 2014)

  6. #19

    Michael's Avatar
    These are the results from my tests -

    Pupil user with a shortcut to cmd.exe in their home area running Windows 7 x86 with UAC disabled.

    Simply double clicking it displays the command window with the message "The command prompt has been disabled by your administrator" Press any key to continue and it disappears.

    I then right clicked the shortcut and selected Run as administrator. Again the same message as above appears. UAC makes absolutely no difference, it's all to do with the correct policies applied in this context.

  7. #20


    That's why I did it on a non-domain test machine - we can assume that @this_is_gav doesn't have the right policies in place (no offence intended) as they can already get to a command prompt, administrative or not.

  8. #21
    this_is_gav's Avatar
    I don't mind kids having access to the command prompt - indeed, in one sense I prefer it, as I can go into a class and just run gpupdate quickly if needs be (we had the "wait for network on boot" (or setting to that effect) disabled, so sometimes it took 2 reboots for computer settings to take effect). So long as they have no control they shouldn't have, I don't mind leaving the command prompt available, but I'll disable it for now, see if there's any ill-effects and see if I can enable UAC through Group Policy.

  9. #22
    cromertech's Avatar
    I agree with others on here. No access to command prompt for standard users, however I have a loophole here that I can exploit if necessary to troubleshoot.

    There are some advanced security options you can set for this as well. It means that you can have UAC enabled for student accounts but in effect disabled for your use if you find it a little annoying. In group policy under Security Settings/Security Options at the bottom are some UAC options.

    The interesting ones here are about Admin Approval Mode, so you can prevent the consent box from appearing and just elevate anyway. You can also deny standard users from receiving any prompts and automatically deny requests; however, I have found this can be a little restrictive if you need an elevated cmd to troubleshoot a problem.
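
    An added example (not part of any post in this thread): a read-only PowerShell check of the settings discussed so far, namely the "Prevent access to the command prompt" and "Prevent access to registry editing tools" policies from post #17 and the UAC Security Options from post #22. The registry value names are the standard ones that back these policies, not something quoted in the thread; run it in a test pupil session so the per-user values are the pupil's.

```powershell
# Added example: read-only audit of the policies discussed in this thread.
function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the value is absent, i.e. the policy is Not Configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$machine = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$user    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$cmdKey  = 'HKCU:\Software\Policies\Microsoft\Windows\System'

$disableCmd = Get-PolicyValue $cmdKey  'DisableCMD'
$disableReg = Get-PolicyValue $user    'DisableRegistryTools'
$enableLua  = Get-PolicyValue $machine 'EnableLUA'
$promptUser = Get-PolicyValue $machine 'ConsentPromptBehaviorUser'
$promptAdm  = Get-PolicyValue $machine 'ConsentPromptBehaviorAdmin'

# True only when the current token carries an enabled Administrators SID.
# With UAC on, a non-elevated member of Administrators still reports False.
$principal = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
$adminToken = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

$findings = @()
if ($disableCmd -eq 1)     { $findings += 'cmd.exe blocked; batch scripts blocked too' }
elseif ($disableCmd -eq 2) { $findings += 'cmd.exe blocked; batch scripts still run' }
else                       { $findings += 'WARN: cmd.exe is not blocked for this user' }

if ($disableReg -ge 1) { $findings += 'Registry editing tools blocked' }
else                   { $findings += 'WARN: regedit is not blocked for this user' }

if ($enableLua -eq 0)  { $findings += 'WARN: UAC (Admin Approval Mode) is disabled' }
else                   { $findings += 'UAC is enabled' }

if ($promptUser -eq 0) { $findings += 'Standard users: elevation requests auto-denied' }
else                   { $findings += 'Standard users: prompted for admin credentials' }

if ($promptAdm -eq 0)  { $findings += 'WARN: administrators elevate without any prompt' }

if ($adminToken) { $findings += 'WARN: this session already holds administrator rights' }

$findings
```

    A `WARN` on the last line while logged in as a pupil means the account is effectively a local administrator in that session, which is the situation post #25 suspects.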

  10. #23
    MordyT's Avatar
    Quote Originally Posted by Garacesh View Post
    Immediately, if they're heading to C:\Windows\, I can't honestly see why students need to be able to navigate the C:\ drive at all, I'd recommend making it not show up in Computer and stop them navigating through it in an explorer window. (Can be done by policy)
    If you think you have the hard drive blocked fully, try this....

    Make a shortcut to c:\windows\system32\cmd.exe. If, while making the shortcut, you get an error, try again (hit okay in the error and then hit next again).

    Or, make a shortcut to \\localhost\c$
    Suddenly the high HDD got a lot harder to block

  11. #24


    Quote Originally Posted by MordyT View Post
    Or, make a shortcut to \\localhost\c$
    Suddenly the high HDD got a lot harder to block
    Quote Originally Posted by Garacesh View Post
    and deny them the ability to browse to network paths
    We do it here, they can't browse anywhere that starts with '\\' or by IP Address (even if they can connect to it anyway, for example, they can't browse to \\printserver\ even though they can print to printers on \\printserver\)

  12. #25

    Quote Originally Posted by this_is_gav View Post
    Well... it turns out the pupil in question was able to shut down his own laptop (not a shock), but not other laptops (as I said, it was denying me trying to shut down others when logging on as a dummy user).

    Normally I'd thoroughly test something, but yesterday was rather fraught for several reasons, this landed on me in the last lesson, and by the time I came to test, the pupil had left for the day, so I couldn't log in as him (I could have changed his password of course, though that would have been a touch drastic considering I had theoretically identical dummy users I could use). Obviously with such an issue I wanted it sorted before the start of play today, as if a vulnerability had existed, it may have spread like wildfire through the school and caused chaos.

    Will probably look into enabling UAC through GPO (if you can) if it gives users more feedback on why something is denied. I'm slightly surprised it doesn't fall back to the XP method if UAC is disabled though. Does 7 still ask for admin privileges if you "run as administrator" with UAC disabled?

    Anyway, that's a relief. Today is a better day!

    Thanks again guys.
    Sounds to me as though he's in the local 'Administrators' group on the laptop and you have UAC disabled.

  13. #26
    kevin_lane's Avatar
    Yeah, sounds like you have some weird setup, as we have UAC turned off and a bunch of policies set in place, and they have mandatory profiles too. We also have it set so that every time a computer boots up and logs off, delprof2 is run and all profiles get deleted.

    I don't see the point in giving them access to cmd. OK, maybe useful to you, but if they know what they are doing and the students are clever enough they could do damage, e.g. the first point of attack is to gather data about the network, and that can be done with cmd: using a net view command will give you a list of computers on the network. I know these are just kids, but you should still be savvy and not leave holes open.

    Also, as long as your students are just domain users then there's not a lot they can do. I would create a test OU and practice how to use GP and secure the systems.

    And as for UAC, well, nice feature but it can be overkill, especially if you need a driver installing.

  14. #27
    MordyT's Avatar
    Quote Originally Posted by Garacesh View Post
    We do it here, they can't browse anywhere that starts with '\\' or by IP Address (even if they can connect to it anyway, for example, they can't browse to \\printserver\ even though they can print to printers on \\printserver\)
    That's why I said make a shortcut... Not browse with explorer.

    Right click, new shortcut...

  15. #28
    free780's Avatar
    UAC is fine. If you want to update a driver, use SCCM or a script as SYSTEM.

  16. #29
    this_is_gav's Avatar
    Quote Originally Posted by psydii View Post
    Sounds to me as though he's in the local 'Administrators' group on the laptop and you have UAC disabled.
    No, first thing I checked was the local admin group (obviously have staff as local admins, but students only on netbooks they took home years ago).

  17. #30


    Quote Originally Posted by MordyT View Post
    That's why I said make a shortcut... Not browse with explorer.

    Right click, new shortcut...
    Yeah, I saw that - but denying them the ability to browse to any '\\' location stops that working because the shortcut points to a network path.
    Or so I thought... Testing it just to be sure shows me that isn't the case.

    Thank you for bringing that to my attention. I'll explore further into this and see what 'damage' I can do on my test account.

    Edit: If you navigate to the command prompt it declares it has been disabled by the administrator. So that's good.
    Last edited by Garacesh; 28th February 2014 at 11:53 AM.
