Disabling command prompt
i need to disable use of command prompt from my school computers. i have made it so that the students can't get to the command prompt on the computer…. but when they use a note pad, or a batch file going via command.com they gain access to the whole system. i can't figure out how to prevent that, maybe one of you could help me out?
k figured out the right patch :D
instead edit
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun
this is a command that automatically runs whenever command is booted. so put 'exit' in there, and cmd will exit itself whenever booted even through batch.
im pretty sure this is what theyve done at my school :)
DigitalFire wrote: k figured out the right patch :D
instead edit
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun
this is a command that automatically runs whenever command is booted. so put 'exit' in there, and cmd will exit itself whenever booted even through batch.
im pretty sure this is what theyve done at my school :)
Hm…couldn't you use command /p to get past this?
DigitalFire wrote: gives people a
The command prompt has been disabled by your administrator.
Press any key to continue …
message when they boot cmd
they did that at my school and the way i found to get past it was you just type all the commands into notepad put a pause at the end and save as a .bat then it does all the commands pauses at the end then once you get past the pause it chucks you off.
if your the network admin my advice to you is get friendly with those who are good at computers as if you piss them off they will try probably and succeed at making your job very difficult. (it happened at my school and the network was brought down for a couple of days for "maintenance)
in our middle school they didn't try to befriend the people who were "better" with computers, i wasn't even allowed in the stlp group because the teachers said that she didn't trust me with the computer unsupervised after school. oddly enough, "someone" got into their repair file and took their SAM file. at the high school though they did let the hackers into stlp. and now their network hasn't crashed in 3 years.:D
koolkeith12345 wrote: they did that at my school and the way i found to get past it was you just type all the commands into notepad put a pause at the end and save as a .bat then it does all the commands pauses at the end then once you get past the pause it chucks you off.
doesnt work for me :(
exploit.bat:
cd \
dir
pause
result:
The command prompt has been disabled by your administrator.
Press any key to continue . . .
and anyways, the registry edit for this didnt work for all users on the computer anyways (didnt exist in hkey_users or hkey_localmachine only on current user). my second patch i would trust much more than the first to protect my own network, although i would do both anyways :happy:
and @mcfarlanet true, but for some that takes out the fun :D
as i am going to be a junior next year i have spent countless hours creating batch files and trying to somehow get into the damn win32 folder but all have failed due to: Novell
Even when i did manage to open command prompt after a few seconds the program would recognize it as a process and quickly run a script to disable my method used. I really don't understand why Microsoft didn't for see CMD as being a problem for schools and just have a simple option to disable CMD for non administrators.
sparrow wrote: If your using a Windows domain, you get set group policy to disable all use of the command prompt for specific OUs.
I'm not sure specific permissions are the way to go here. You need a little practice in there before you go f*cking with that and messing it up to the point of disaster.
& lol @ DJDotti's reply. :happy:
nights_shadow wrote: I'm not sure specific permissions are the way to go here. You need a little practice in there before you go f*cking with that and messing it up to the point of disaster.
& lol @ DJDotti's reply. :happy:
Specific permissions is a viable option, however, as long as it's done correctly. You can organize the permission types into separate GPOs, and then layer the GPOs onto different OUs of users. I currently do that, and I've found it much easier than just creating multiple different GPOs that all block "most" things. Makes the GPOs easier to maintain, too.
You could also try the registry hack I saw above, where it adds "exit" to the end of the commands but, instead of "exit", you could try "break", which would cancel the current command before it executes. To get around that, though, they could probably just pad their batch file with some trailing BS commands.
So… maybe you could try using GPO to disable viewing and accessing the C drive. Then, just change the permissions on the Desktop and My Documents (and all subfolders) to read-only. That might help to mitigate the problem since, if they can't save the batch file, they can't run it.
[edit]nested quotes problem[/edit]
Zephyr_Pure wrote:
Specific permissions is a viable option, however, as long as it's done correctly. You can organize the permission types into separate GPOs, and then layer the GPOs onto different OUs of users. I currently do that, and I've found it much easier than just creating multiple different GPOs that all block "most" things. Makes the GPOs easier to maintain, too.
You could also try the registry hack I saw above, where it adds "exit" to the end of the commands but, instead of "exit", you could try "break", which would cancel the current command before it executes. To get around that, though, they could probably just pad their batch file with some trailing BS commands.
So… maybe you could try using GPO to disable viewing and accessing the C drive. Then, just change the permissions on the Desktop and My Documents (and all subfolders) to read-only. That might help to mitigate the problem since, if they can't save the batch file, they can't run it.
I think going in there is a great choice. Probably the best to use on a Windows OS. But, i've seen many a strange thing when new people start messing with objects and containers…
nights_shadow wrote: But, i've seen many a strange thing when new people start messing with objects and containers…
Agreed… it's not recommended to try to apply experimental settings in a production environment. Rather, I would create the layered GPOs, create separate OUs to mimic the type of structure that your domain needs, and use test accounts in each OU on a test machine to ensure that the effects are what you are looking to attain.
Zephyr_Pure wrote: Agreed… it's not recommended to try to apply experimental settings in a production environment. Rather, I would create the layered GPOs, create separate OUs to mimic the type of structure that your domain needs, and use test accounts in each OU on a test machine to ensure that the effects are what you are looking to attain.
Couldn't of said it better myself. This is definately the way to go if you want to put the time into it (not insinuating that it takes a lot of time).