  1. #1
    Deny access to RDP & CMD

    Hi all,

    I have a small problem: kids are able to run .bat and .cmd files. One kid in particular has figured out how to run programs from them and is running mstsc (the RDP client) and trying to log on to the servers.

    I have the group policy setting set that should be denying access to the command prompt, which should also disable running of .bat and .cmd files according to the description, but it's not. I have also added mstsc to the "deny running of applications" list, which also isn't being applied.

    If I run a bat file as a kid and put the program to run as cmd.exe, then it pops up saying it is denied, so something is being applied somewhere.

    Basically, I don't want to be able to run any bat files, and I want to deny users from connecting to the terminal servers. I'm sure this can be done, but it's Monday after all....

    Any ideas?

  2. #2
    We had this last term. We found that students were creating bat files on the desktop and running them from there (writing the files as they go). We put a stop to it using GPO, adding the path %USERPROFILE%\Desktop.

  3. #3
    Put it in where in group policy?

  4. #4
    Not sure if this is what you want, but one way..

    You could also write a batch file to use 'xcacls' to set the permissions on 'cmd.exe' and 'mstsc.exe' to be admin only.

    Put xcacls in netlogon and run the batch file with a domain-based logon script (not a user one, as that has no admin rights).

    This will run for every machine every time it boots, but you can do some other tricks to speed that up if need be, i.e. creating an empty file to show it's already been done and checking for that file before running xcacls etc...

    I've had so many intermittent GP problems that I'd rather use scripts half the time. Might be me though, as I know my DNS is a bit inaccurate..

  5. #5
    Azhibberd
    Ye, you'd think blocking cmd would stop .bat files, wouldn't you :P but ye, not the case... Anyway, when I first joined the school I'm working for now, they didn't have any security really against students; they could run anything. So the first time I was able to sit down and sort the security, I went straight into the students' GPO:

    User Config\Windows Settings\Software Restrictions\

    Once in there, I decided to set the default security level to Disallowed (this stops anything running unless it's set as allowed in additional rules).

    Although if you want, you could keep it at the normal Unrestricted and just put in an additional rule to deny *.bat; that should do it. We decided just to go straight for "block everything by default" though, as kids will soon realise they could just use .vbs or make their own .exe's etc etc. Also, if you want to block them from running RDP, just put in an additional rule as well to deny C:\WINDOWS\system32\mstsc.exe.

    But anyway, if you do decide to disallow all by default, I recommend then putting the following in additional rules (we only added these because the students can't write to these areas):

    C:\program files\ - This allows all locally installed programs to run; only admins can write into this folder.
    \\DC-Names\netlogon\ - This allows the student logon scripts to run for things like adding printers and only allowing one logon.
    \\server-name\apps\ - We have some applications stored on a network share so they can easily be deployed; this allows the students to run these applications.
    C:\windows\ - Well, I don't think this needs explaining much.

    Think I've covered most of the useful things. Let me know if you have any problems; I'm more than willing to give any help.

    Aaron
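    An added example, not from this thread or any of its posters: a read-only PowerShell audit of the Software Restriction Policy that "User Config\Windows Settings\Software Restrictions" writes to the registry, so you can confirm on the test VM (post #6) that the default level, designated file types and path rules from post #5 actually arrived. It assumes a domain-joined client after gpupdate, with user policy under HKCU and computer policy under HKLM; the registry layout and level values are the documented SRP ones, the function and variable names are mine.

```powershell
# Added example: audit applied SRP settings. Read-only; changes nothing.
$SrpHives = @(
    'HKCU:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers',  # User Configuration
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'   # Computer Configuration
)
# Security levels as stored in DefaultLevel and as the subkey names that hold the rules
$SrpLevels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpPolicy {
    param([Parameter(Mandatory)][string]$Hive)
    if (-not (Test-Path $Hive)) {
        return [pscustomobject]@{ Hive = $Hive; Applied = $false }
    }
    $root = Get-ItemProperty -Path $Hive
    # Designated file types: path rules only cover extensions in this list,
    # so BAT, CMD and VBS must be present for the rules above to catch scripts.
    $types = @($root.ExecutableTypes)
    $default = if ($null -eq $root.DefaultLevel) { 'not set' } else { $SrpLevels[[int]$root.DefaultLevel] }
    # Additional rules live under <level>\Paths\{guid}, ItemData holding the path
    $rules = foreach ($lvlKey in Get-ChildItem -Path $Hive | Where-Object { $_.PSChildName -match '^\d+$' }) {
        $paths = Join-Path $lvlKey.PSPath 'Paths'
        if (Test-Path $paths) {
            foreach ($r in Get-ChildItem -Path $paths) {
                [pscustomobject]@{
                    Level = $SrpLevels[[int]$lvlKey.PSChildName]
                    Path  = (Get-ItemProperty -Path $r.PSPath).ItemData
                }
            }
        }
    }
    [pscustomobject]@{
        Hive            = $Hive
        Applied         = $true
        DefaultLevel    = $default
        # TransparentEnabled: 1 = all software except DLLs, 2 = all software including DLLs
        Enforcement     = $root.TransparentEnabled
        # PolicyScope: 0 = all users, 1 = all users except local administrators
        SkipsAdmins     = ($root.PolicyScope -eq 1)
        ScriptsDesigned = (($types -contains 'BAT') -and ($types -contains 'CMD') -and ($types -contains 'VBS'))
        PathRules       = @($rules)
    }
}

foreach ($h in $SrpHives) {
    $p = Get-SrpPolicy -Hive $h
    $p | Format-List Hive, Applied, DefaultLevel, Enforcement, SkipsAdmins, ScriptsDesigned
    $p.PathRules | Format-Table Level, Path -AutoSize
}
```

    If the HKCU hive reports Applied = False after a gpupdate /force, the user GPO is not reaching the account at all, which is the kind of symptom post #1 describes.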

  6. #6
    OK, the software restrictions look like they could be very useful. So I could just add a path rule in for the users' home folder and put P:\*.bat ???

    Would this stop bat files running from the P:\ drives?

    Obviously I'm gonna test this on a virtual PC first.

    Cheers

    Mike

  7. #7
    ChrisH
    Quote Originally Posted by mcloum:
    OK, the software restrictions look like they could be very useful. So I could just add a path rule in for the users' home folder and put P:\*.bat ???

    Would this stop bat files running from the P:\ drives?

    Obviously I'm gonna test this on a virtual PC first.

    Cheers

    Mike
    That would work. A better approach for file servers is to use R2, as this is a little more intuitive for you and you can set it up to email you when a violation occurs.

  8. #8
    SpuffMonkey
    Restriction policies don't affect command.com either, which was a problem for us, as several old programs used a call to it. In the end we had to stop the use of the old programs so that command.com could be got rid of.

  9. #9
    Azhibberd
    Ye, that should work, although it was a while ago, so give it a shot and make sure it also blocks the subdirectories. The only problem with doing it that way is any students with a USB stick will still be able to run it off their USB sticks, hence why we just block everything by default and have set allowed to what we want them to run. And ye, ChrisH has a point: if you use File Server Resource Manager with R2 it has some good file screening on it, although the main reason I wouldn't opt for it is, yet again, students can still use USB sticks to get around it.

    Aaron

  10. #10
    AngryITGuy
    Quote Originally Posted by mcloum:
    OK, the software restrictions look like they could be very useful. So I could just add a path rule in for the users' home folder and put P:\*.bat ???

    Would this stop bat files running from the P:\ drives?

    Obviously I'm gonna test this on a virtual PC first.

    Cheers

    Mike
    For advice on using software restriction policies, there is an excellent post here that you can follow. It will block all subfolders within the drive, not just the root directory.

    Used it myself to apply software restriction to both student home directories and USB drives too.

    If you want to restrict access from USB devices, I recommend using USBDLM alongside your software policies.
  12. #11
    ChrisH
    Quote Originally Posted by Azhibberd:
    although the main reason I wouldn't opt for it is, yet again, students can still use USB sticks to get around it

    Aaron
    You still have to use SRP for them. Just because you use file screening, it doesn't mean you can't use SRPs as well.
