Access Denied--Keeping Users from Running Unauthorized Commands

I thought I had adequately locked down workstations to keep users from accessing the command prompt and running arbitrary commands. However, some determined users have found a way to open a command prompt. I've removed the Run command from the Start menu, deleted the command-prompt shortcut, and disabled the New Task command in Task Manager. How else can users open a command prompt or run commands?

In environments with an unruly yet savvy user base, such as colleges, you might want to lock down desktops so that users can't get into the system and cause problems, such as running unauthorized commands. Users might employ several methods to get access to a command prompt. First, however, let me explain how to configure what you've implemented so far.

Open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, then open the Properties dialog box for the domain root. Select the Group Policy tab and edit the Default Domain Policy Group Policy Object (GPO). Changes you make here will affect all users in your domain. To limit the policies to a subset of users, define your policies in a GPO linked to the appropriate organizational unit (OU). In the GPO, maneuver to \user configuration\administrative templates\start menu and taskbar, then enable the Remove Run menu from Start Menu policy. Enabling this policy also removes the New Task command from Task Manager, and users won't be able to display the Run dialog box by pressing the Windows logo key and the R key at the same time. Although you can delete the command prompt from the Start Menu in roundabout ways, you might want to use the policy I introduce below.

One way users can still access a command prompt after the above changes is by opening Windows Explorer and double-clicking cmd.exe in the %systemroot%\system32 folder. Or, if Microsoft Office is installed, users can open the command prompt from the Microsoft Office Shortcut Bar. However, you can use a little-known policy called Disable the command prompt that resides in the dark recesses of GPOs—in \user configuration\administrative templates\system. If you enable this policy, the command-prompt program (cmd.exe) will simply display the message that Figure 3 shows, regardless of how users try to open the program. Some especially crafty users might think of writing a batch file that contains the commands they originally intended to type at the command line, then simply running the batch file. You can also stop cmd.exe from running batch and command files by setting the Disable the command prompt script processing also? policy to Yes. However, note that this option will interfere with any .bat or .cmd files you've configured as logon, logoff, startup, or shutdown scripts.
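To verify on a workstation that both policies actually arrived, here is an added PowerShell audit script (my own example, not part of the column). It reads the per-user registry values the two GPO settings write: Remove Run menu from Start Menu sets NoRun under the Explorer policies key, and Disable the command prompt sets DisableCMD under the System policies key, where 1 means cmd.exe and .bat/.cmd script processing are both blocked and 2 means only the interactive prompt is blocked. The function name and the LogonScriptsAffected field are my own.

```powershell
# Added audit script, not from the original column. Reads the user-hive values that
# the "Remove Run menu from Start Menu" (NoRun) and "Disable the command prompt"
# (DisableCMD) policies set, and reports what state the machine is actually in.
function Get-CommandPromptLockdown {
    [CmdletBinding()]
    param(
        # Policy locations in the current user's hive (HKCU).
        [string]$ExplorerPolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        [string]$SystemPolicyKey   = 'HKCU:\Software\Policies\Microsoft\Windows\System'
    )

    # Helper: read a DWORD value, returning $null when the key or value is absent.
    function Read-PolicyDword([string]$Key, [string]$Name) {
        if (-not (Test-Path -LiteralPath $Key)) { return $null }
        $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        return [int]$item.$Name
    }

    $noRun      = Read-PolicyDword $ExplorerPolicyKey 'NoRun'
    $disableCmd = Read-PolicyDword $SystemPolicyKey   'DisableCMD'

    # DisableCMD: 1 = prompt and script processing disabled; 2 = prompt disabled,
    # scripts still run; absent/other = policy not configured.
    $cmdState = switch ($disableCmd) {
        1       { 'Disabled, script processing also disabled' }
        2       { 'Disabled, script processing still allowed' }
        default { 'Not configured (cmd.exe usable)' }
    }

    [pscustomobject]@{
        RunMenuRemoved       = ($noRun -eq 1)
        CommandPromptPolicy  = $cmdState
        # As the column notes, blocking script processing also breaks .bat/.cmd
        # logon, logoff, startup and shutdown scripts, so flag that state for review.
        LogonScriptsAffected = ($disableCmd -eq 1)
    }
}

Get-CommandPromptLockdown | Format-List
```

Run it in the context of the user whose lockdown you want to check; a result of LogonScriptsAffected = True is the cue to move any .bat or .cmd logon scripts to another mechanism before rolling the setting out broadly.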
