+ Post New Thread
Results 1 to 13 of 13
Windows Thread, Blocking Command.com in Technical; Kids have been getting into a command prompt by running a batch file linking to command.com, I`ve tried blocking command.com ...
  1. #1
    Jamie_a's Avatar
    Join Date
    Dec 2006
    Location
    Sheffield
    Posts
    82
    Thank Post
    9
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Blocking Command.com

    Kids have been getting into a command prompt by running a batch file linking to command.com,

    I`ve tried blocking command.com through group policy with no luck, any ideas how I could do it.

  2. #2


    Join Date
    Oct 2006
    Posts
    3,411
    Thank Post
    184
    Thanked 356 Times in 285 Posts
    Rep Power
    148

    Re: Blocking Command.com

    Not a great deal of help i know but ours is blocked regardless of how you open it. It comes back with "CMD is restricted..." then exits. Atleast you know it is possible to block it, so keep looking

  3. #3
    DMcCoy's Avatar
    Join Date
    Oct 2005
    Location
    Isle of Wight
    Posts
    3,427
    Thank Post
    10
    Thanked 488 Times in 428 Posts
    Rep Power
    111

    Re: Blocking Command.com

    You can alter the security for the file with group policy instead so students can't open it. I've not found that its used for anything. The block on cmd unfortunatly doesn't apply to command.com.

  4. #4


    Join Date
    Oct 2006
    Posts
    3,411
    Thank Post
    184
    Thanked 356 Times in 285 Posts
    Rep Power
    148

    Re: Blocking Command.com

    Sorry my bad, i read that as cmd

  5. #5
    mrforgetful's Avatar
    Join Date
    May 2006
    Posts
    1,637
    Thank Post
    7
    Thanked 15 Times in 15 Posts
    Rep Power
    22

    Re: Blocking Command.com

    Have you set that option in Group Policy?

    User Config > Admin Templates > System > Prevent Access to the Command Prompt

  6. #6
    Oops_my_bad's Avatar
    Join Date
    Jan 2007
    Location
    Man chest hair
    Posts
    1,738
    Thank Post
    438
    Thanked 53 Times in 50 Posts
    Rep Power
    30

    Re: Blocking Command.com

    Quote Originally Posted by mrforgetful
    Have you set that option in Group Policy?

    User Config > Admin Templates > System > Prevent Access to the Command Prompt
    This works well, but doesn't stop them being run from USB sticks :?

  7. #7


    Join Date
    Jan 2006
    Posts
    8,202
    Thank Post
    442
    Thanked 1,032 Times in 812 Posts
    Rep Power
    339

    Re: Blocking Command.com

    I've always blocked access to this with NTFS file permissions on our terminal servers. What I've never really got to the bottom of is why I need to? What is it thats inherently insecure about windows that requires us to block access to cmd? surely the standard user permissions are secure on xp/2003 ? Whats the worst that can happen, I'd like to understand the threat.

  8. #8

    Join Date
    Aug 2005
    Location
    London
    Posts
    3,154
    Thank Post
    114
    Thanked 527 Times in 450 Posts
    Blog Entries
    2
    Rep Power
    123

    Re: Blocking Command.com

    I think it's just one of those things that worries people. Realistically, if they can do it from a command prompt they can do it from (eg) a macro in Word.

    Kids may try doing things like "del *.*" but if your permissions are OK then they won't cause much harm and if your permissions are not OK then a quick macro will cause the same destruction.

  9. #9
    Oops_my_bad's Avatar
    Join Date
    Jan 2007
    Location
    Man chest hair
    Posts
    1,738
    Thank Post
    438
    Thanked 53 Times in 50 Posts
    Rep Power
    30

    Re: Blocking Command.com

    Indeed, but our kids are somehow sending messages to each other via dos window. I'm not sure how they're being carried but the messenger service is disabled on ALL pc's via GP (which I thought is what the utility used to send messages) however despite this they can still send and receive messages via the dos box (there is a video on youtube showing how it's done).

  10. #10


    Join Date
    Jan 2006
    Posts
    8,202
    Thank Post
    442
    Thanked 1,032 Times in 812 Posts
    Rep Power
    339

    Re: Blocking Command.com

    It's probably still a good idea to disable it, otherwise the kids might get funny ideas about how to be 'hackers' - this could lead to an interest in computing, and they may learn more useful skills. Ultimately our jobs could be at risk with a new influx of skilled workers into the IT workforce.

  11. #11
    mrforgetful's Avatar
    Join Date
    May 2006
    Posts
    1,637
    Thank Post
    7
    Thanked 15 Times in 15 Posts
    Rep Power
    22

    Re: Blocking Command.com

    If it's being run from memory sticks you need a software restriction policy. Hash based would probably be the best option so it will still be effective if the file is renamed.

  12. #12

    Join Date
    Aug 2005
    Location
    London
    Posts
    3,154
    Thank Post
    114
    Thanked 527 Times in 450 Posts
    Blog Entries
    2
    Rep Power
    123

    Re: Blocking Command.com

    Quote Originally Posted by TeddyKGB
    Indeed, but our kids are somehow sending messages to each other via dos window. I'm not sure how they're being carried but the messenger service is disabled on ALL pc's via GP (which I thought is what the utility used to send messages) however despite this they can still send and receive messages via the dos box (there is a video on youtube showing how it's done).
    I think you need to disable messenger and alerter services to stop messages being received. I think a computer will receive a message if the alerter service is running and there are lots of examples of how you do a bit of VB to send such messages.

    If they're using a VB program then they'll be able to run it from almost anywhere; if they're using "net send" then you just need to set perms on net.exe and net1.exe so that normal users can't read/execute them.

  13. #13
    mrforgetful's Avatar
    Join Date
    May 2006
    Posts
    1,637
    Thank Post
    7
    Thanked 15 Times in 15 Posts
    Rep Power
    22

    Re: Blocking Command.com

    The messenger service should be disabled already, it was changed to that a default state of Disabled with Windows XP Service Pack 2.

SHARE:
+ Post New Thread

Similar Threads

  1. Command to lookup public IP
    By thegrassisgreener in forum Windows
    Replies: 5
    Last Post: 4th December 2007, 01:31 PM
  2. Command Line ISO Creator
    By russdev in forum Windows
    Replies: 1
    Last Post: 27th September 2007, 08:04 PM
  3. Running Win Updates as command?
    By donkeykong in forum How do you do....it?
    Replies: 2
    Last Post: 21st June 2007, 11:42 AM
  4. how to disable command.com ?
    By pinemarten in forum How do you do....it?
    Replies: 17
    Last Post: 15th May 2007, 11:24 PM
  5. Command LIne
    By wesleyw in forum Windows
    Replies: 4
    Last Post: 12th October 2006, 11:10 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •