[gptalk] Re: Can't block command.com?

  • From: Omar Droubi <omar@xxxxxxxxxxxxxxxxxxxxx>
  • To: "gptalk@xxxxxxxxxxxxx" <gptalk@xxxxxxxxxxxxx>
  • Date: Mon, 17 Nov 2008 08:58:50 -0800

Don't forget: command.com and cmd.exe are completely different executables, so 
you need to catch them both if you specify the names, and maybe the block on the 
command prompt is only catching one?

Also, if you use software restriction policy hash rules (which can work very 
well), you will need to add in each version of the file. For example: cmd.exe 
from XP SP2 is different than cmd.exe from Vista or Server 2003/2008, so get one 
copy of each file when you are defining the executables; it's quite easy.

Locking down apps is always tough; are you doing it for stability or security?

Omar Droubi
omar@xxxxxxxxxxxxxxxxxxxxx
650-726-0300
________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of 
Darren Mar-Elia [darren@xxxxxxxxxx]
Sent: Monday, November 17, 2008 08:34 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Can't block command.com?

James-
I would try using a Software Restriction Policy hash rule to block this exe. 
Using that Admin. Templates policy below is going to be incomplete, because it 
only blocks certain types of entries into command.com.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of James F. Prudente
Sent: Monday, November 17, 2008 7:52 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Can't block command.com?

Hi All,

Command.com is blocked via “Don’t run specified Windows applications,” and sure 
enough that works properly if a user tries to run the file directly. However, 
if they put command.com in a batch file, and then run that batch file, they can 
get to a command prompt. “Prevent access to the command prompt” is enabled, and 
as best I can tell, I’ve got things locked down as far as possible. Is there 
something I’m missing? There are a lot of sites out there that seem to indicate 
it’s not possible to block this. Seems odd though.

Thanks,
James

James F. Prudente
Network & Systems Coordinator
Islip Public Schools
215 Main Street
Islip, NY 11751
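
The collection step Omar describes above (one copy of each file version before defining hash rules), as an added example that is not part of the original thread: it hashes every gathered copy of cmd.exe and command.com and lists the distinct files, each of which needs its own hash rule. The folder layout and file contents are constructed stand-ins, SHA-256 is used here only to tell builds apart (the policy editor computes its own hash when you browse to a file), and Get-FileHash assumes PowerShell 4 or later.

```powershell
# Added example: find the distinct builds of cmd.exe / command.com among collected copies.
# Assumption: copies were gathered by hand into one folder per OS build (names are constructed).
$root = (New-Item -ItemType Directory -Path (Join-Path ([IO.Path]::GetTempPath()) ("srp-" + [guid]::NewGuid()))).FullName
$samples = @{
    'XP-SP2\cmd.exe'     = 'constructed stand-in: cmd.exe build A'
    'Vista\cmd.exe'      = 'constructed stand-in: cmd.exe build B'
    'Server2003\cmd.exe' = 'constructed stand-in: cmd.exe build C'
    'Copy2\cmd.exe'      = 'constructed stand-in: cmd.exe build B'   # deliberate duplicate, to show de-duplication
    'XP-SP2\command.com' = 'constructed stand-in: command.com build A'
}
foreach ($rel in $samples.Keys) {
    $path = Join-Path $root $rel
    New-Item -ItemType Directory -Path (Split-Path $path) -Force | Out-Null
    Set-Content -Path $path -Value $samples[$rel] -Encoding Ascii
}

# Both interpreters are inventoried: they are different executables and need separate rules.
$targets = 'cmd.exe', 'command.com'
$rules = Get-ChildItem -Path $root -Recurse -File |
    Where-Object { $targets -contains $_.Name.ToLowerInvariant() } |
    ForEach-Object {
        [pscustomobject]@{
            Name   = $_.Name.ToLowerInvariant()
            Size   = $_.Length
            SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Source = $_.FullName.Substring($root.Length + 1)
        }
    } |
    Group-Object Name, SHA256 |      # identical bytes collapse into one entry
    ForEach-Object {
        [pscustomobject]@{
            Name    = $_.Group[0].Name
            Size    = $_.Group[0].Size
            SHA256  = $_.Group[0].SHA256
            Sources = ($_.Group.Source -join '; ')
        }
    }

$rules | Sort-Object Name, SHA256 | Format-Table -AutoSize -Wrap
"{0} distinct files -> {0} hash rules needed" -f @($rules).Count
Remove-Item -Path $root -Recurse -Force
```

Point $root at the real folder of collected copies and drop the stand-in creation and cleanup lines to use it on actual files.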
