Kids have been getting into a command prompt by running a batch file linking to command.com.
I've tried blocking command.com through group policy with no luck. Any ideas how I could do it?
Not a great deal of help, I know, but ours is blocked regardless of how you open it. It comes back with "CMD is restricted..." then exits. At least you know it is possible to block it, so keep looking.
You can alter the security for the file with group policy instead so students can't open it. I've not found that it's used for anything. The block on cmd unfortunately doesn't apply to command.com.
Sorry, my bad, I read that as cmd.
Have you set that option in Group Policy?
User Config > Admin Templates > System > Prevent Access to the Command Prompt
This works well, but doesn't stop them being run from USB sticks :?

I've always blocked access to this with NTFS file permissions on our terminal servers. What I've never really got to the bottom of is why I need to? What is it that's inherently insecure about Windows that requires us to block access to cmd? Surely the standard user permissions are secure on XP/2003? What's the worst that can happen? I'd like to understand the threat.
I think it's just one of those things that worries people. Realistically, if they can do it from a command prompt they can do it from (eg) a macro in Word.
Kids may try doing things like "del *.*" but if your permissions are OK then they won't cause much harm and if your permissions are not OK then a quick macro will cause the same destruction.
Indeed, but our kids are somehow sending messages to each other via a DOS window. I'm not sure how they're being carried, but the messenger service is disabled on ALL PCs via GP (which I thought is what the utility used to send messages). However, despite this they can still send and receive messages via the DOS box (there is a video on YouTube showing how it's done).

It's probably still a good idea to disable it, otherwise the kids might get funny ideas about how to be 'hackers' - this could lead to an interest in computing, and they may learn more useful skills. Ultimately our jobs could be at risk with a new influx of skilled workers into the IT workforce.
If it's being run from memory sticks you need a software restriction policy. Hash based would probably be the best option so it will still be effective if the file is renamed.
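Why a hash rule survives a rename, as an added example that is not part of the thread: a simplified Python model (not Windows' own rule engine) that checks the same files against a name-based and a hash-based deny list. The file names, sample bytes and the use of SHA-256 are assumptions made for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-ins for two builds of a command interpreter and one
# unrelated program. These are sample bytes, not real binaries.
SHELL_BUILD_A = b"MZ" + b"constructed interpreter, build A" * 16
SHELL_BUILD_B = b"MZ" + b"constructed interpreter, build B" * 16
UNRELATED = b"MZ" + b"constructed unrelated program" * 16


def sha256_of(path: Path) -> str:
    """Hash the file contents; the file name plays no part in the result."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def evaluate(folder: Path, blocked_names: set, blocked_hashes: set) -> dict:
    """Return {file name: (blocked by name rule, blocked by hash rule)}."""
    verdicts = {}
    for item in sorted(folder.iterdir()):
        by_name = item.name.lower() in blocked_names
        by_hash = sha256_of(item) in blocked_hashes
        verdicts[item.name] = (by_name, by_hash)
    return verdicts


def demo() -> dict:
    # The deny list holds one hash per build that should be refused.
    blocked_hashes = {
        hashlib.sha256(SHELL_BUILD_A).hexdigest(),
        hashlib.sha256(SHELL_BUILD_B).hexdigest(),
    }
    blocked_names = {"command.com", "cmd.exe"}
    with tempfile.TemporaryDirectory() as tmp:
        stick = Path(tmp)  # stands in for the memory stick
        (stick / "command.com").write_bytes(SHELL_BUILD_A)
        (stick / "homework.com").write_bytes(SHELL_BUILD_A)  # renamed copy
        (stick / "notes.exe").write_bytes(SHELL_BUILD_B)     # renamed copy
        (stick / "calc.exe").write_bytes(UNRELATED)
        return evaluate(stick, blocked_names, blocked_hashes)


if __name__ == "__main__":
    for name, (by_name, by_hash) in demo().items():
        print(f"{name:14} name rule: {by_name!s:5}  hash rule: {by_hash}")
```

The hash deny list carries one entry per build, since each build of the same tool has its own hash.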
I think you need to disable messenger and alerter services to stop messages being received. I think a computer will receive a message if the alerter service is running and there are lots of examples of how you do a bit of VB to send such messages.
If they're using a VB program then they'll be able to run it from almost anywhere; if they're using "net send" then you just need to set perms on net.exe and net1.exe so that normal users can't read/execute them.
The messenger service should be disabled already; it was changed to a default state of Disabled with Windows XP Service Pack 2.