+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 30
Windows 7 Thread, Pupils able to open CMD as an administrator in Technical; Hi, got a bit of a pickle and I'm lost. Kids are able to right-click on cmd.exe and simply "run ...
  1. #1
    this_is_gav's Avatar
    Join Date
    May 2009
    Location
    Shilbottle, Northumberland
    Posts
    43
    Thank Post
    19
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Exclamation Pupils able to open CMD as an administrator

    Hi, got a bit of a pickle and I'm lost.

    Kids are able to right-click on cmd.exe and simply "run as administrator". No box for entering credentials, it just opens an elevated command prompt, allowing them run things such as shutdown.exe (which of course does allow them to remotely shutdown other computers).

    Obviously this is an issue, and I'd assumed I'd accidently given them an admin role or something, but nope - things such as Device Manager gives the message that kids are "standard users" and won't be able to make changes.

    Have I missed something obvious (it is that sort of day)?

    Help would be very much appreciated!
    Last edited by this_is_gav; 26th February 2014 at 04:30 PM.

  2. #2

    Join Date
    Sep 2013
    Location
    Wyoming
    Posts
    32
    Thank Post
    2
    Thanked 5 Times in 4 Posts
    Rep Power
    2
    Is UAC turned off? If you so that might be part of the issue.

  3. #3
    fairm010's Avatar
    Join Date
    Jun 2010
    Location
    C:/Windows/System32/
    Posts
    1,175
    Thank Post
    47
    Thanked 152 Times in 133 Posts
    Rep Power
    46
    How do the kids have access to the cmd shortcut? Are they searching in the start menu?

  4. #4

    Join Date
    Apr 2010
    Posts
    2,038
    Thank Post
    83
    Thanked 187 Times in 154 Posts
    Rep Power
    83
    I remove cmd for the pupils using gpo.

  5. #5
    this_is_gav's Avatar
    Join Date
    May 2009
    Location
    Shilbottle, Northumberland
    Posts
    43
    Thank Post
    19
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Deepening the plot, I'm trying another laptop (from an identical W7 image) with a cloned user account and while it allows me to run the command prompted elevated (I say that, but there's nothing indicating it is actually elevated - Win8 tells you prompts are elevated, not sure about 7), it gives me "access denied" when running the shutdown GUI.



    Quote Originally Posted by amckinley View Post
    Is UAC turned off? If you so that might be part of the issue.
    Yes, UAC is turned off. I wouldn't have thought it would allow some admin aspects to run while others are blocked though?



    Quote Originally Posted by fairm010 View Post
    How do the kids have access to the cmd shortcut? Are they searching in the start menu?
    Yes, though I've never blocked access to the Windows folder, so they could just launch it from there too. We've never had issues like these before (to be fair, the kid in question wasn't being malicious and showed his teacher and myself while having a bit of a chuckle), so I've never had the need to lock computers down excessively... but then they've never been able to open a program as an administrator either... :\
    Last edited by this_is_gav; 26th February 2014 at 04:49 PM.

  6. #6
    zag
    zag is offline
    zag's Avatar
    Join Date
    Mar 2007
    Posts
    3,765
    Thank Post
    898
    Thanked 417 Times in 350 Posts
    Blog Entries
    12
    Rep Power
    87
    Use group policy to deny running a command prompt.

  7. #7

    mac_shinobi's Avatar
    Join Date
    Aug 2005
    Posts
    9,762
    Thank Post
    3,271
    Thanked 1,053 Times in 974 Posts
    Rep Power
    365
    Quote Originally Posted by zag View Post
    Use group policy to deny running a command prompt.
    And script files ie vbs / bat / powershell etc ?

  8. #8


    Join Date
    Feb 2007
    Location
    51.403651, -0.515458
    Posts
    8,897
    Thank Post
    226
    Thanked 2,674 Times in 1,971 Posts
    Rep Power
    786
    Do you have this GPO enabled (along with the one for RegEdit)?

    gpsearch.azurewebsites.net/#4755

  9. #9

    mac_shinobi's Avatar
    Join Date
    Aug 2005
    Posts
    9,762
    Thank Post
    3,271
    Thanked 1,053 Times in 974 Posts
    Rep Power
    365
    Quote Originally Posted by Arthur View Post
    Do you have this GPO enabled (along with the one for RegEdit)?

    gpsearch.azurewebsites.net/#4755
    That's a good point as it says in the comments if you use bat files for logon or log off scripts etc then don't disable bat file scripts otherwise they won't work ( obviously )

  10. #10
    free780's Avatar
    Join Date
    Sep 2012
    Posts
    976
    Thank Post
    42
    Thanked 82 Times in 78 Posts
    Rep Power
    21
    Move your scripts to gpp. If students are in the local users group and the uac policy which fails silenlty for requests for elevation for standard users should be enabled. This prevents elevated command prompts. Any logon scripts should run in the user context. If you do need to run elevated scripts use startup scripts which run as the system account which does not require elevation.
    Last edited by free780; 26th February 2014 at 06:12 PM.

  11. #11
    MordyT's Avatar
    Join Date
    Sep 2012
    Location
    In a computer
    Posts
    464
    Thank Post
    44
    Thanked 73 Times in 68 Posts
    Rep Power
    19
    Easy way to tell if cmd is elevated... Look at the starting path. If system32, elevated. If users home folder, not elevated.

  12. 3 Thanks to MordyT:

    Garacesh (27th February 2014), hallb15 (27th February 2014), zag (27th February 2014)

  13. #12


    Join Date
    Jan 2012
    Posts
    2,615
    Thank Post
    934
    Thanked 350 Times in 266 Posts
    Rep Power
    212
    Immediately, if they're heading to C:\Windows\, I can't honestly see why students need to be able to navigate the C:\ drive at all, I'd recommend making it not show up in Computer and stop them navigating through it in an explorer window. (Can be done by policy)
    To stop it showing up in the start menu, I'd say provide redirected start menus and disable start menu search bar. (Can also be done by policy)
    And definitely, definitely turn UAC back on. (Can probably be done by policy, but not certain on this one)

    Make sure your pupils aren't set to be local administrators on the machine (at one school I went to, everyone, from teachers, office staff, and even key stage 1 and 2 pupil accounts were local admins! shudder) and deny them the ability to browse to network paths to ensure they can't head to the command line of another PC.

    Also make sure any restrictions to cmd.exe are also applied to COMMAND.COM, too.

  14. #13
    this_is_gav's Avatar
    Join Date
    May 2009
    Location
    Shilbottle, Northumberland
    Posts
    43
    Thank Post
    19
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Well... it turns out the pupil in question was able to shut down his own laptop (not a shock), but not other laptops (as I said, it was denying me trying to shut down others when logging on as a dummy user).

    Normally I'd thoroughly test something, but yesterday was rather fraught for several reasons, this landed on me in the last lesson, and by the time I came to test, the pupil had left for the day, so I couldn't log in as him (I could have changed his password of course, though that would have been a touch drastic considering I had theoretically identical dummy users I could use). Obviously with such an issue I wanted it sorted before the start of play today, as if a vulnerability had existed, it may have spread like wildfire through the school and caused chaos.

    Will probably look into enabling UAC through GPO (if you can) if it gives users more feedback on why something is denied. I'm slightly surprised it doesn't fall back to the XP method if UAC is disabled though. Does 7 still ask for admin privileges if you "run as administrator" with UAC disabled?

    Anyway, that's a relief. Today is a better day!

    Thanks again guys.
    Last edited by this_is_gav; 27th February 2014 at 09:14 AM.

  15. #14


    Join Date
    Jan 2012
    Posts
    2,615
    Thank Post
    934
    Thanked 350 Times in 266 Posts
    Rep Power
    212
    Still shouldn't have access to it anyway :P But at least the damage is limited!

    Also to add to my suggestion, stop any programs running from AppData or temp locations (such as if cmd was ran from inside a zip file, or WORD document)
    Last edited by Garacesh; 27th February 2014 at 09:14 AM.

  16. #15
    this_is_gav's Avatar
    Join Date
    May 2009
    Location
    Shilbottle, Northumberland
    Posts
    43
    Thank Post
    19
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Quote Originally Posted by Garacesh View Post
    Still shouldn't have access to it anyway :P But at least the damage is limited!

    Also to add to my suggestion, stop any programs running from AppData or temp locations (such as if cmd was ran from inside a zip file, or WORD document)
    Hi Garacesh, I've edited my post since you replied. Do you know if disabling UAC allow programs to run elevated without entering credentials?

    When I'm setting up a computer for someone outside of school, I'd always enable UAC, but we had lots of problems with UAC on Vista in school, so I've always disabled it for network computers.

SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. Replies: 3
    Last Post: 11th January 2011, 10:37 PM
  2. [MS Office - 2007] Office 2007 / 2010 able to open OPenOffice docs
    By RabbieBurns in forum Office Software
    Replies: 7
    Last Post: 29th January 2010, 09:34 AM
  3. Problem trying to open graphics on an Open Office odt file
    By speckytecky in forum Office Software
    Replies: 2
    Last Post: 15th May 2009, 08:50 PM
  4. pupils able to access c drive via word 2000 web toolbar
    By projector1 in forum Office Software
    Replies: 22
    Last Post: 8th December 2005, 08:44 PM
  5. Replies: 9
    Last Post: 8th November 2005, 09:45 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •