Kids saving notepad files as command.bat

[Kyle]

On one of my visits to a year 8 class today the teacher pointed out a little problem that she was worried about,

The kids are opening notepad, typing command.com and then saving the file as a .bat file.

This worried me a little is there a way this can be stopped? The run command is removed in GP and i am sure that i read R2 can stop these files from being saved.

Suggestions please?

[CyberNerd]

remove the user read permission from command.com

[ChrisH]

R2 file screens would stop this kind of nonsense definately. I have re4cently implemented it and it works well.

[NetworkGeezer]

What you should be more worroed about is them being able to excute arbitrary batch scripts. They don't need to bother with command.com why not just use VBS. Get more done.

Use software restriction policy so that the only executables (exe, cmd or bat) are the ones you yourself have created or deployed.

[Kyle]

Use software restriction policy so that the only executables (exe, cmd or bat) are the ones you yourself have created or deployed.

How?

[Ric_]

@Kyle: If you search the forums there's been lots of stuff on software restriction policies. An easier way would be to use File Screening Filters on R2 - there's a pre-defined template for just this!

[plexer]

Kyle what os are the clients running?
Does setting prevent access to command line in gpo not prevent this?

Ben

[mrforgetful]

Sounds like the Prevent Access to Command line option isn't specified, just that Run is removed from the Start Menu.

Could be wrong - has been know

[sidewinder]

Sounds like the Prevent Access to Command line option isn't specified, just that Run is removed from the Start Menu.

Could be wrong - has been know

Nope, we're having this same problem and we've got that policy enabled

Does anyone know how to ban all .bat and .exe from a users documents with software restriction policies? Ive blocked command.com and cmd.exe but id like to block all batch files

Getting R2 sorted near christmas but would like to stop this now

[CyberNerd]

Does anyone know how to ban all .bat and .exe from a users documents with software restriction policies? Ive blocked command.com and cmd.exe but id like to block all batch files

We do this by whitelisting software that we want to run in Win 2000 GPO - user config - Admin templates - system - run only allowed windows applications. Then combining this with McAfee to ban users saving .exe .bat files.

Samba can do this natively.

[Alex]

Sounds like the Prevent Access to Command line option isn't specified, just that Run is removed from the Start Menu.

Could be wrong - has been know

Nope, we're having this same problem and we've got that policy enabled

Does anyone know how to ban all .bat and .exe from a users documents with software restriction policies? Ive blocked command.com and cmd.exe but id like to block all batch files

Getting R2 sorted near christmas but would like to stop this now

Presumably they can only save these files to their 'home' drives & public file areas?

In which case add a DENY permission under security (in advanced)for :

Traverse Folder / Execute

they then cannot execute any files stored in this location.


so right-click root of students home drives folder, properties / security / advanced. Add Students group with explicit DENY for Traverse / Execute.

repeat for any area where they can save files.

You can also explicitly dney them access to notepad as an executable within AD blocked exe files (forget where exactly),

the traverse folders / execute one is useful - stops alot of their nefarious type activities.

Only way round it is for them to find somewhere they can save to, that you havent applied that permission.

[Kyle]

Right, an update today.
The command prompt and run command are blocked in GPO, and the setting to stop command or bat files is enabled as well, they have even have all vbs log on scripts to keep this working. They have no access to the c:drive at all.

The kids have a mandatory roaming profile and they are saving this file to their desktops which found weird has they have no access to the c:drive. Roaming profiles are set not o be cached and do clear when they log off. BUT this is what i noticed, when the user logs on it creates a temp profile on the local computer. While they are logged on i checked the security permissions of the temp profile and they have full control, so this is why they can save temporarily to the c: drive in the documents and settings/desktop folder.

Should this happen? Should the temp profile have full control for the user.

Please help .....?

[ICTNUT]

@Kyle

While I do have a mandatory profile mine are not roaming and with a combination of desktop lockdowns via GPO they can NOT save or change anything on the desktop.

With regard to stopping file types in home directories I currently do not have R2 so the file screening is not an option but for the last 18 months I have been using a server product called SRM SpaceGuard via policies which can be setup for the students is filetype control simply specify the filetypes apply the policy and hey presto no more file saving.

You can get info from http://www.tools4ever.com/products/spaceguard/ and at a cost of £399 less educational discount (ask for or you won't get it) it was a no brainer for me.

[Kyle]

I do have a mandatory profile mine are not roaming

How do you set this up?

[john]

I can only guess that he has the profile stored on the local machine perhaps?? I always thought that mandatory profiles "roamed" as it were IE loading and unloading like a Roaming should do, hence why you can destroy your mandatory but when you log off it ignores your changes and deletes them, but I may be miss-understanding.