Block users running a batch file to run command.com?

**reggiep** · 1st August 2009, 01:06 PM

Forgive me if I sound ignorant here but I have just moved from CC3 to a vanilla Windows 2008 environment.
One thing that a friendly work experience guy has pointed out is that if he creates a batch file with command.com inside it he can run it and then have the command prompt.
Is file screening the way to go with this or is there a better solution?
I have read that with file screening the users could just rename the extension and then use it whenever!

**CyberNerd** · 1st August 2009, 01:23 PM

deny users access to command.com by setting the ntfs permissions

**maniac** · 1st August 2009, 01:47 PM

Software restriction policies is the way forward here, you can deny access to specific programs by using a hash of them (so even if they renamed it it still wouldn't run) as well as stopping batch files being run from their home areas by denying executables on anything except the C:\

There is also a GPO 'deny access to command prompt' which if set should stop it being run as well.

Mike.

**reggiep** · 1st August 2009, 03:44 PM

Cheers Guys, I'll take a look on Monday.

LinkBack

Thread Tools

Search Thread

Block users running a batch file to run command.com?

Thanks to CyberNerd from:

Thanks to maniac from:

Similar Threads

[Arch] Run a command on the host

Running commands on a batch of computers

run a batch file on logon with a CC3 Network

executing a random command in a batch file

Running batch files in vista

Thread Information

Users Browsing this Thread

Posting Permissions