+ Post New Thread
Results 1 to 10 of 10
Windows Thread, Kids bypassing dos restrictions in Technical; Kids have just discovered that they can write an msdos batch file containing just "command" to bypass the GPO restrictions ...
  1. #1
    mrbios's Avatar
    Join Date
    Jun 2007
    Location
    Stroud, Gloucestershire
    Posts
    2,479
    Thank Post
    351
    Thanked 260 Times in 213 Posts
    Rep Power
    99

    Kids bypassing dos restrictions

    Kids have just discovered that they can write an msdos batch file containing just "command" to bypass the GPO restrictions on command prompt, does anyone know of a way (without disabling script access) that we can lock this down?

    It's so simple so im sure someone has delt with it before

  2. #2

    matt40k's Avatar
    Join Date
    Jun 2008
    Location
    Ipswich
    Posts
    4,406
    Thank Post
    368
    Thanked 639 Times in 521 Posts
    Rep Power
    158
    Disable command prompt
    Disable .bat (file storage)
    Software security policy - stop executable from running outside of C:\, then hide access to C: to the end user.

  3. #3
    mrbios's Avatar
    Join Date
    Jun 2007
    Location
    Stroud, Gloucestershire
    Posts
    2,479
    Thank Post
    351
    Thanked 260 Times in 213 Posts
    Rep Power
    99
    Quote Originally Posted by matt40k View Post
    Disable command prompt
    Disable .bat (file storage)
    Software security policy - stop executable from running outside of C:\, then hide access to C: to the end user.
    1. done already
    2. Set but doesn't appear to be taking effect properly, will look into that
    3. done already

  4. #4
    Oops_my_bad's Avatar
    Join Date
    Jan 2007
    Location
    Man chest hair
    Posts
    1,738
    Thank Post
    438
    Thanked 53 Times in 50 Posts
    Rep Power
    30
    Quote Originally Posted by matt40k View Post
    Software security policy - stop executable from running outside of C:\, then hide access to C: to the end user.
    Can I ask how you do this?

  5. #5

    Join Date
    May 2007
    Location
    Hull, UK
    Posts
    256
    Thank Post
    6
    Thanked 13 Times in 13 Posts
    Rep Power
    17
    Quote Originally Posted by matt40k View Post
    Disable .bat (file storage)
    Software security policy - stop executable from running outside of C:\, then hide access to C: to the end user.

    Ditto, would also like to know how to disable saving bat files and other file types for that matter.

  6. #6
    DSapseid's Avatar
    Join Date
    Feb 2007
    Location
    West Sussex
    Posts
    1,152
    Thank Post
    130
    Thanked 54 Times in 47 Posts
    Rep Power
    38
    If you use 2003 R2 its got it builtin file screens to stop saving certain file types.

  7. #7

    Join Date
    Sep 2006
    Posts
    19
    Thank Post
    5
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Hi as a follow up to this we use a program on our file server called Spaceguard that does folder restrictions by extension and also sets folder size limits from what i can remember it was quite reasonably priced very simple to setup and does what it says on the tin we got it from PNL tools just google them


    Embazzy

  8. #8

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    15,936
    Thank Post
    886
    Thanked 1,692 Times in 1,471 Posts
    Blog Entries
    12
    Rep Power
    446
    Quote Originally Posted by Embazzy View Post
    Hi as a follow up to this we use a program on our file server called Spaceguard that does folder restrictions by extension and also sets folder size limits from what i can remember it was quite reasonably priced very simple to setup and does what it says on the tin we got it from PNL tools just google them


    Embazzy
    You can do that with GPO.

    I would block all .bat .cmd files apart from the path of your scripts.

  9. #9


    Join Date
    Jan 2006
    Posts
    8,202
    Thank Post
    442
    Thanked 1,032 Times in 812 Posts
    Rep Power
    339
    Kids have just discovered that they can write an msdos batch file containing just "command" to bypass the GPO restrictions on command prompt, does anyone know of a way (without disabling script access) that we can lock this down?
    it may also help to remove user execute permissions from command.com

  10. #10

    Ric_'s Avatar
    Join Date
    Jun 2005
    Location
    London
    Posts
    7,593
    Thank Post
    109
    Thanked 764 Times in 595 Posts
    Rep Power
    181
    Of course, thinking about it logically, can the little darlings do anything particularly bad when they get to the command prompt?

    Make sure your file permissions are set right and that you have relevant GPOs to prevent access to anywhere that they shouldn't be.

    It isn't just .bat files that will allow the command prompt to run. You also need to include .cmd, .vbs, .js and quite a few more. R2 file screens has a list of script types built in by default.

SHARE:
+ Post New Thread

Similar Threads

  1. Pupils bypassing proxy...
    By indie in forum Windows
    Replies: 15
    Last Post: 23rd December 2008, 01:01 PM
  2. DOS USB Driver
    By robontheroad in forum Hardware
    Replies: 6
    Last Post: 15th March 2008, 08:48 AM
  3. Students Bypassing GPO
    By Richie1972 in forum Wireless Networks
    Replies: 10
    Last Post: 21st February 2008, 06:35 PM
  4. Bypassing BIOS passwords
    By indie in forum Hardware
    Replies: 6
    Last Post: 10th July 2006, 01:09 PM
  5. ARP overwritten DOS
    By CyberNerd in forum Wireless Networks
    Replies: 1
    Last Post: 24th May 2006, 12:10 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •