+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 30
Windows 7 Thread, Pupils able to open CMD as an administrator in Technical; Hi, got a bit of a pickle and I'm lost. Kids are able to right-click on cmd.exe and simply "run ...
  1. #1
    this_is_gav's Avatar
    Join Date
    May 2009
    Location
    Shilbottle, Northumberland
    Posts
    43
    Thank Post
    19
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Exclamation Pupils able to open CMD as an administrator

    Hi, got a bit of a pickle and I'm lost.

    Kids are able to right-click on cmd.exe and simply "run as administrator". No box for entering credentials, it just opens an elevated command prompt, allowing them run things such as shutdown.exe (which of course does allow them to remotely shutdown other computers).

    Obviously this is an issue, and I'd assumed I'd accidently given them an admin role or something, but nope - things such as Device Manager gives the message that kids are "standard users" and won't be able to make changes.

    Have I missed something obvious (it is that sort of day)?

    Help would be very much appreciated!
    Last edited by this_is_gav; 26th February 2014 at 05:30 PM.

  2. #2

    Join Date
    Sep 2013
    Location
    Wyoming
    Posts
    32
    Thank Post
    2
    Thanked 5 Times in 4 Posts
    Rep Power
    3
    Is UAC turned off? If you so that might be part of the issue.

  3. #3
    fairm010's Avatar
    Join Date
    Jun 2010
    Location
    C:/Windows/System32/
    Posts
    1,314
    Thank Post
    53
    Thanked 172 Times in 152 Posts
    Rep Power
    50
    How do the kids have access to the cmd shortcut? Are they searching in the start menu?

  4. #4

    Join Date
    Apr 2010
    Posts
    2,104
    Thank Post
    95
    Thanked 189 Times in 156 Posts
    Rep Power
    84
    I remove cmd for the pupils using gpo.

  5. #5
    this_is_gav's Avatar
    Join Date
    May 2009
    Location
    Shilbottle, Northumberland
    Posts
    43
    Thank Post
    19
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Deepening the plot, I'm trying another laptop (from an identical W7 image) with a cloned user account and while it allows me to run the command prompted elevated (I say that, but there's nothing indicating it is actually elevated - Win8 tells you prompts are elevated, not sure about 7), it gives me "access denied" when running the shutdown GUI.



    Quote Originally Posted by amckinley View Post
    Is UAC turned off? If you so that might be part of the issue.
    Yes, UAC is turned off. I wouldn't have thought it would allow some admin aspects to run while others are blocked though?



    Quote Originally Posted by fairm010 View Post
    How do the kids have access to the cmd shortcut? Are they searching in the start menu?
    Yes, though I've never blocked access to the Windows folder, so they could just launch it from there too. We've never had issues like these before (to be fair, the kid in question wasn't being malicious and showed his teacher and myself while having a bit of a chuckle), so I've never had the need to lock computers down excessively... but then they've never been able to open a program as an administrator either... :\
    Last edited by this_is_gav; 26th February 2014 at 05:49 PM.

  6. #6
    zag
    zag is offline
    zag's Avatar
    Join Date
    Mar 2007
    Posts
    3,909
    Thank Post
    954
    Thanked 451 Times in 380 Posts
    Blog Entries
    12
    Rep Power
    93
    Use group policy to deny running a command prompt.

  7. #7

    mac_shinobi's Avatar
    Join Date
    Aug 2005
    Posts
    9,932
    Thank Post
    3,464
    Thanked 1,090 Times in 1,005 Posts
    Rep Power
    371
    Quote Originally Posted by zag View Post
    Use group policy to deny running a command prompt.
    And script files ie vbs / bat / powershell etc ?

  8. #8


    Join Date
    Feb 2007
    Location
    51.403651, -0.515458
    Posts
    9,469
    Thank Post
    245
    Thanked 2,834 Times in 2,093 Posts
    Rep Power
    816
    Do you have this GPO enabled (along with the one for RegEdit)?

    gpsearch.azurewebsites.net/#4755

  9. #9

    mac_shinobi's Avatar
    Join Date
    Aug 2005
    Posts
    9,932
    Thank Post
    3,464
    Thanked 1,090 Times in 1,005 Posts
    Rep Power
    371
    Quote Originally Posted by Arthur View Post
    Do you have this GPO enabled (along with the one for RegEdit)?

    gpsearch.azurewebsites.net/#4755
    That's a good point as it says in the comments if you use bat files for logon or log off scripts etc then don't disable bat file scripts otherwise they won't work ( obviously )

  10. #10
    free780's Avatar
    Join Date
    Sep 2012
    Posts
    1,068
    Thank Post
    45
    Thanked 86 Times in 81 Posts
    Rep Power
    23
    Move your scripts to gpp. If students are in the local users group and the uac policy which fails silenlty for requests for elevation for standard users should be enabled. This prevents elevated command prompts. Any logon scripts should run in the user context. If you do need to run elevated scripts use startup scripts which run as the system account which does not require elevation.
    Last edited by free780; 26th February 2014 at 07:12 PM.

  11. #11
    MordyT's Avatar
    Join Date
    Sep 2012
    Location
    In a computer
    Posts
    506
    Thank Post
    44
    Thanked 74 Times in 69 Posts
    Rep Power
    22
    Easy way to tell if cmd is elevated... Look at the starting path. If system32, elevated. If users home folder, not elevated.

  12. 3 Thanks to MordyT:

    Garacesh (27th February 2014), hallb15 (27th February 2014), zag (27th February 2014)

  13. #12


    Join Date
    Jan 2012
    Posts
    3,005
    Thank Post
    1,131
    Thanked 451 Times in 329 Posts
    Rep Power
    230
    Immediately, if they're heading to C:\Windows\, I can't honestly see why students need to be able to navigate the C:\ drive at all, I'd recommend making it not show up in Computer and stop them navigating through it in an explorer window. (Can be done by policy)
    To stop it showing up in the start menu, I'd say provide redirected start menus and disable start menu search bar. (Can also be done by policy)
    And definitely, definitely turn UAC back on. (Can probably be done by policy, but not certain on this one)

    Make sure your pupils aren't set to be local administrators on the machine (at one school I went to, everyone, from teachers, office staff, and even key stage 1 and 2 pupil accounts were local admins! shudder) and deny them the ability to browse to network paths to ensure they can't head to the command line of another PC.

    Also make sure any restrictions to cmd.exe are also applied to COMMAND.COM, too.

  14. #13
    this_is_gav's Avatar
    Join Date
    May 2009
    Location
    Shilbottle, Northumberland
    Posts
    43
    Thank Post
    19
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Well... it turns out the pupil in question was able to shut down his own laptop (not a shock), but not other laptops (as I said, it was denying me trying to shut down others when logging on as a dummy user).

    Normally I'd thoroughly test something, but yesterday was rather fraught for several reasons, this landed on me in the last lesson, and by the time I came to test, the pupil had left for the day, so I couldn't log in as him (I could have changed his password of course, though that would have been a touch drastic considering I had theoretically identical dummy users I could use). Obviously with such an issue I wanted it sorted before the start of play today, as if a vulnerability had existed, it may have spread like wildfire through the school and caused chaos.

    Will probably look into enabling UAC through GPO (if you can) if it gives users more feedback on why something is denied. I'm slightly surprised it doesn't fall back to the XP method if UAC is disabled though. Does 7 still ask for admin privileges if you "run as administrator" with UAC disabled?

    Anyway, that's a relief. Today is a better day!

    Thanks again guys.
    Last edited by this_is_gav; 27th February 2014 at 10:14 AM.

  15. #14


    Join Date
    Jan 2012
    Posts
    3,005
    Thank Post
    1,131
    Thanked 451 Times in 329 Posts
    Rep Power
    230
    Still shouldn't have access to it anyway :P But at least the damage is limited!

    Also to add to my suggestion, stop any programs running from AppData or temp locations (such as if cmd was ran from inside a zip file, or WORD document)
    Last edited by Garacesh; 27th February 2014 at 10:14 AM.

  16. #15
    this_is_gav's Avatar
    Join Date
    May 2009
    Location
    Shilbottle, Northumberland
    Posts
    43
    Thank Post
    19
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Quote Originally Posted by Garacesh View Post
    Still shouldn't have access to it anyway :P But at least the damage is limited!

    Also to add to my suggestion, stop any programs running from AppData or temp locations (such as if cmd was ran from inside a zip file, or WORD document)
    Hi Garacesh, I've edited my post since you replied. Do you know if disabling UAC allow programs to run elevated without entering credentials?

    When I'm setting up a computer for someone outside of school, I'd always enable UAC, but we had lots of problems with UAC on Vista in school, so I've always disabled it for network computers.



SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. Replies: 3
    Last Post: 11th January 2011, 11:37 PM
  2. [MS Office - 2007] Office 2007 / 2010 able to open OPenOffice docs
    By RabbieBurns in forum Office Software
    Replies: 7
    Last Post: 29th January 2010, 10:34 AM
  3. Problem trying to open graphics on an Open Office odt file
    By speckytecky in forum Office Software
    Replies: 2
    Last Post: 15th May 2009, 09:50 PM
  4. pupils able to access c drive via word 2000 web toolbar
    By projector1 in forum Office Software
    Replies: 22
    Last Post: 8th December 2005, 09:44 PM
  5. Replies: 9
    Last Post: 8th November 2005, 10:45 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •