Deny access to RDP & CMD
I have a small problem: kids are able to run .bat and .cmd files. One kid in particular has figured out how to run programs from them and is running mstsc (the RDP client) and trying to log on to the servers.
I have the Group Policy setting set that should be denying access to the command prompt, which should also disable the running of bat and cmd files according to the description, but it's not. I have also added mstsc to the "deny running of applications" list, which also isn't being applied.
If I run a bat file as a kid and put the program to run as cmd.exe, then it pops up saying it is denied, so something is being applied somewhere.
Basically I don't want them to be able to run any bat files, and I want to deny users from connecting to the terminal servers. I'm sure this can be done, but it's Monday after all....
We had this last term. We found that students were creating bat files on the desktop and running them from there (writing the files as they go). We put a stop to it using a GPO, adding the path %USERPROFILE%\Desktop.
Put it in where in Group Policy?
Not sure if this is what you want, but one way..
You could also write a batch file that uses 'xcacls' to set the permissions on 'cmd.exe' and 'mstsc.exe' to be admin only.
Put xcacls in netlogon and run the batch file from a domain-based (computer) logon script, not a user one, as users don't have admin rights.
This will run on every machine every time it boots, but you can do some other tricks to speed that up if need be, i.e. creating an empty file to show it's already been done and checking for that file before running xcacls, etc...
I've had so many intermittent GP problems that I'd rather use scripts half the time. Might be me though, as I know my DNS is a bit inaccurate..
Yeah, you'd think blocking cmd would stop .bat files, wouldn't you :P but that's not the case... Anyway, when I first joined the school I'm working for now, they didn't have any real security against students; they could run anything. So the first time I was able to sit down and sort out the security, I went straight into the students' GPO:
User Config\Windows Settings\Software Restrictions\
Once in there, I decided to set the default security level to Disallowed (this stops anything running unless it's set as allowed in Additional Rules).
Although, if you want, you could keep it at the normal Unrestricted and just put in an additional rule to deny *.bat; that should do it. We decided to go straight for blocking everything by default, though, as kids will soon realise they could just use .vbs or make their own .exe's etc. Also, if you want to block them from running RDP, just put in an additional rule as well to deny C:\WINDOWS\system32\mstsc.exe.
But anyway, if you do decide to disallow all by default, I recommend then putting in the following additional rules (we only added these because students can't write to these areas):
C:\program files\ - This allows all locally installed programs to run; only admins can write into this folder.
\\DC-Names\netlogon\ - This allows the student logon scripts to run, for things like adding printers and allowing only one logon.
\\server-name\apps\ - We have some applications stored on a network share so they can easily be deployed; this allows the students to run those applications.
C:\windows\ - Well, I don't think this needs explaining much.
Think I've covered most of the useful things. Let me know if you have any problems; I'm more than willing to give any help.
OK, the software restrictions look like they could be very useful. So I could just add a path rule in for the users' home folder and put P:\*.bat ???
Would this stop bat files running from the P:\ drives?
Obviously I'm gonna test this on a virtual PC first. :D
That would work. A better approach for file servers is to use R2, as this is a little more intuitive for you and you can set it up to email you when a violation occurs.
Originally Posted by mcloum
Restriction policies don't affect command.com either, which was a problem for us, as several old programs used a call to it. In the end we had to stop the use of the old programs so that command.com could be got rid of.
Yeah, that should work, although it was a while ago, so give it a shot and make sure it also blocks the subdirectories. The only problem with doing it that way is that any students with a USB stick will still be able to run it off their USB sticks, hence why we just block everything by default and have set allowed to what we want them to run. And yeah, ChrisH has a point: if you use File Server Resource Manager with R2 it has some good file screening on it, although the main reason I wouldn't opt for it is, yet again, that students can still use USB sticks to get around it.
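A way to check the two questions raised above (whether a P:\*.bat rule reaches subfolders, and whether the mstsc.exe deny wins over the C:\windows allow) on a test VM, as an added PowerShell example that is not from this thread or any product: it reads the SRP path rules Group Policy writes to the registry and reports which rule wins for a given file. It assumes the rules sit under User Configuration (HKCU), models path rules only, and uses longest match as a stand-in for SRP's most-specific-rule precedence.

```powershell
# Added example, not from the thread: audit the SRP path rules Group Policy has written to the
# registry and predict which rule wins for a given file. Assumptions: rules were set under User
# Configuration (HKCU), HKLM is read too, only path rules are modelled (hash, certificate and
# zone rules ignored), and "longest path wins" approximates SRP's most-specific-rule precedence.

$SaferRoot = 'SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$LevelName = @{ 0 = 'Disallowed'; 4096 = 'BasicUser'; 262144 = 'Unrestricted' }

function Get-SrpPathRules {
    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($level in $LevelName.Keys) {
            # Each rule is a GUID-named subkey whose ItemData value holds the path.
            $key = "${hive}:\$SaferRoot\$level\Paths"
            if (-not (Test-Path -Path $key)) { continue }
            foreach ($sub in Get-ChildItem -Path $key) {
                $data = (Get-ItemProperty -Path $sub.PSPath).ItemData
                if ($data) {
                    [pscustomobject]@{
                        Hive  = $hive
                        Level = $LevelName[$level]
                        Path  = [Environment]::ExpandEnvironmentVariables($data)
                    }
                }
            }
        }
    }
}

function ConvertTo-SrpRegex([string]$rulePath) {
    $pattern = [regex]::Escape($rulePath.TrimEnd('\'))
    # SRP wildcards: * matches within one path component, ? matches a single character.
    $pattern = $pattern -replace '\\\*', '[^\\]*' -replace '\\\?', '.'
    # A rule without wildcards covers the object itself and everything beneath it, which is
    # why C:\Windows covers mstsc.exe but P:\*.bat does not reach P:\subfolder\x.bat.
    if ($rulePath -notmatch '[*?]') { $pattern += '(\\.*)?' }
    return "^$pattern$"
}

function Test-SrpPath([string]$file) {
    $hits   = Get-SrpPathRules | Where-Object { $file -match (ConvertTo-SrpRegex $_.Path) }
    $winner = $hits | Sort-Object -Property { $_.Path.Length } -Descending | Select-Object -First 1
    if ($winner) { return "$file -> $($winner.Level) by rule '$($winner.Path)'" }
    $root    = if (Test-Path "HKCU:\$SaferRoot") { "HKCU:\$SaferRoot" } else { "HKLM:\$SaferRoot" }
    $default = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).DefaultLevel
    $name    = if ($null -ne $default) { $LevelName[[int]$default] } else { 'no SRP policy found' }
    return "$file -> default level: $name (no path rule matched)"
}

# The cases discussed in the thread: the mstsc deny inside C:\Windows, and .bat files under P:\.
'C:\Windows\System32\mstsc.exe', 'P:\run.bat', 'P:\homework\run.bat' | ForEach-Object { Test-SrpPath $_ }
```

Run it as the student account after a gpupdate so the HKCU rules it reads are the ones that actually apply; a P:\ subfolder result of "default level" rather than a matching rule is the subdirectory gap the thread warns about.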
For advice on using software restriction policies, there is an excellent post here that you can follow. It will block all subfolders within the drive, not just the root directory.
Originally Posted by mcloum
Used it myself to apply software restriction to both student home directories and USB drives too.
If you want to restrict access from USB devices, I recommend using USBDLM alongside your software policies.
You still have to use SRP for them. Just because you use file screening, it doesn't mean you can't use SRPs as well.