Windows Thread, How to stop kids running bat files when logon script is bat? in Technical; one of our kids has found the old trick of saving shutdown -i into a bat file and then browsing ...
  1. #1


    How to stop kids running bat files when logon script is bat?

    One of our kids has found the old trick of saving shutdown -i into a bat file and then browsing the network.

    Our logon script is a bat file, so if I put a blanket ban on bat files then the drives don't map to the PCs. There's a restriction on them installing and running executables anyway, but the bat file is obviously dangerous as they could potentially shut down the systems...

  2. #2
    bondbill2k2's Avatar
    Put a ban in their homepaths and anywhere they are able to save to using software path restrictions (one per location; GPOs: User Config > Policies > Windows Settings > Security Settings > Software Restriction Policies). Then add all the file types you wish to ban in Designated File Types.

    I'd also use resource manager on your server to prevent .bat files from being saved and alert you of those trying to do so, and ban .bat files on your web filter. Stopped the problems we were having.
    Last edited by bondbill2k2; 19th March 2012 at 11:45 AM.

  3. Thanks to bondbill2k2 from:

    speckytecky (19th March 2012)

  4. #3

    Michael's Avatar
    User Config > Policies > Admin Templates > System - Prevent access to the command prompt - Enabled

    On this policy, specify No to - Disable the command prompt script processing also?

  5. Thanks to Michael from:

    speckytecky (19th March 2012)

  6. #4
    mrbios's Avatar
    User Config > Policies > Windows Settings > Security Settings > software restriction policies

    Edit the designated file types to include .bat .cmd and so on

    Then go to Additional Rules and add in the location of the users' home paths and any other location the kids can save files to where you wouldn't want them running batch files from, e.g. H:\

    Job done

  7. Thanks to mrbios from:

    speckytecky (19th March 2012)

  8. #5
    chazzy2501's Avatar
    You could also set up mapped drives using GPP. It's very easy.

  9. Thanks to chazzy2501 from:

    speckytecky (19th March 2012)

  10. #6

    3s-gtech's Avatar
    Then map network drives using Group Policy Preferences, so you don't need the logon script to do it (if you have the necessary extensions and server management to do this, so XP onwards and Windows Server 2008 onwards).

  11. #7
    bondbill2k2's Avatar
    I know it's easy to set up mapped drives. We currently still use a logon script; would mapping improve logon times?

  12. #8

    3s-gtech's Avatar
    I never noticed much difference between the two, but it certainly shouldn't increase. Tend to find that these scripts run fast anyway as it's pretty simple.

  13. #9
    IrritableTech's Avatar
    What are they running in their bat files?

    If your network has the correct file permissions, this shouldn't really be a problem, should it? With everyone banging on about coding in the classroom, if they can do no damage, why stop them coding a script? It's how I learnt when I was at school!

  14. #10


    Originally posted by IrritableTech:
        What are they running in their bat files?

        If your network has the correct file permissions, this shouldn't really be a problem, should it? With everyone banging on about coding in the classroom, if they can do no damage, why stop them coding a script? It's how I learnt when I was at school!

    I'm with you on this. Having just installed a Python interpreter on all student workstations, I'm waiting to see what's the worst that can happen.

  15. Thanks to CyberNerd from:

    IrritableTech (19th March 2012)

  16. #11

    Ok, let me explain more clearly; there may be a couple of misunderstandings.

    The students log on with a logon script that redirects to a bat file which refers to Desktop Authority, which is where we have mappings of printers, folder shares, shortcuts etc. So when the bat file is not allowed to run by GPO (which is the first thing I put into place when I realised they could run the bat files, which they're running from memory sticks or saving in Notepad and running), the students' drives are not mapped, and DA is unable to run its scripts. It's a shoddy setup, I know, but rather than having to redesign all our logon scripts and permissions, and domain policy, how can I stop the users actually executing their own bat files?

    They're running things like shutdown /i and browsing, so they can see the network, and there were a couple just identifying the primary server. They can't do that much with them, I know, but when the kids bring up a list of networked computers and say 'look miss, I can hack into the network', then you have a bunch of teachers running round worrying about their security to the senior leadership team saying that the pupils are able to hack the network. It's just less hassle if they can't have access to this at all. They don't have permissions to access the drives of these machines, but can actually run the shutdown, so therefore can cause trouble by shutting down machines at the very least...

  17. #12

    Michael gave you the answer, above. Follow his instructions to restrict their access to the command shell, then you won't get the problems you're getting. Your login scripts will still run.

  18. #13

    With this GPO implemented on the pupil users OU I can still save a bat file to the desktop and run it as a pupil - I tried this before I posted my thread, and have just tried it again to make sure I wasn't being stupid...

  19. #14

    Apologies, after a gpupdate /force the GPO did kick in. But when logging on as a user with this implemented, the DA Script logon window that normally pops up when applying DA scripts now reads 'The command prompt has been disabled by your administrator', and as I stated in the first post, wouldn't map any drives or printers which are allocated through DA's logon bat file.

  20. #15
    mrbios's Avatar
    Originally posted by Lora:
        Apologies, after a gpupdate /force the GPO did kick in. But when logging on as a user with this implemented, the DA Script logon window that normally pops up when applying DA scripts now reads 'The command prompt has been disabled by your administrator', and as I stated in the first post, wouldn't map any drives or printers which are allocated through DA's logon bat file.

    Go back to my previous post and do that instead. Software restriction policies is exactly what you want.
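
Added example (not part of any post in this thread): a PowerShell read-back of where the two settings discussed above land in the registry, so that in a pupil session after gpupdate /force you can see which one is actually in effect. The function names are made up for this example; it assumes the standard policy registry locations and PowerShell 3.0 or later.

```powershell
# Added example: run as the pupil test account after "gpupdate /force".
# Get-CmdPolicy and Get-SrpRules are hypothetical helper names, not built-in cmdlets.

function Get-CmdPolicy {
    # "Prevent access to the command prompt" is stored as DisableCMD:
    #   1 = prompt disabled and script processing disabled as well
    #   2 = prompt disabled, batch files still processed
    $key = 'HKCU:\Software\Policies\Microsoft\Windows\System'
    $v = (Get-ItemProperty -Path $key -Name DisableCMD -ErrorAction SilentlyContinue).DisableCMD
    switch ($v) {
        1       { 'cmd.exe blocked, batch files blocked (a .bat logon script will fail)' }
        2       { 'cmd.exe blocked, batch files still processed' }
        default { 'policy not set for this user' }
    }
}

function Get-SrpRules {
    # Software Restriction Policies live under Safer\CodeIdentifiers
    # (HKCU for User Config, HKLM for Computer Config).
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $root = "$hive\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
        if (-not (Test-Path $root)) { continue }
        $cfg = Get-ItemProperty -Path $root
        # DefaultLevel: 262144 = Unrestricted, 0 = Disallowed.
        # ExecutableTypes is the Designated File Types list.
        [pscustomobject]@{ Hive = $hive; Kind = 'Config'; Level = $cfg.DefaultLevel
                           Value = ($cfg.ExecutableTypes -join ',') }
        # Subkey 0 holds Disallowed rules, 262144 holds Unrestricted rules.
        foreach ($level in '0', '262144') {
            Get-ChildItem -Path "$root\$level\Paths" -ErrorAction SilentlyContinue |
                ForEach-Object {
                    [pscustomobject]@{ Hive = $hive; Kind = 'PathRule'; Level = $level
                                       Value = (Get-ItemProperty -Path $_.PSPath).ItemData }
                }
        }
    }
}

$rules = @(Get-SrpRules)
$types = (($rules | Where-Object Kind -eq 'Config').Value) -join ','
if ($types -notmatch '(^|,)BAT(,|$)') {
    Write-Warning 'BAT is not in Designated File Types (or no SRP policy has applied yet)'
}
$rules | Where-Object Kind -eq 'PathRule' | Format-Table Hive, Level, Value -AutoSize
Get-CmdPolicy
```

A Disallowed (level 0) path rule should be listed for each pupil-writable location such as H:\, and none should cover the share the logon script runs from.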
