[THIN] Re: Darn Command Prompt - was Re: Restrict Drive Acces s
- From: Euan Cooper <Euan.Cooper@xxxxxxxxxxxx>
- To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
- Date: Thu, 26 Feb 2004 12:07:48 +1300
Linden,
I am using customised Policy templates - I started with std templates and
modified them to suit our requirements. The one containing the setting for
disabling command prompt is a modification of the std winnt.adm - the actual
key that the .pol file sets appears to be the same one you are setting
(HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD) though my
template says the value for disabling access is 1 not 2 as shown in the
section from the adm file shown below
POLICY "Disable the command prompt"
KEYNAME "Software\Policies\Microsoft\Windows\System"
PART "Disable the command prompt script
processing also?" DROPDOWNLIST
NOSORT
VALUENAME "DisableCMD"
ITEMLIST
NAME "Yes"
VALUE NUMERIC 1
NAME "No"
VALUE NUMERIC 2 DEFAULT
END ITEMLIST
END PART
END POLICY
Looking at the above it appears that it referring disabling the command
prompt script for processing - to confuse things everyone seems to be set to
2 yet it does work (except for the issues that were raised yesterday with
NT4 CMD.EXE and both NT4 and w2k versions of command.com). Users who are
not permitted to run CMD.EXE can't and users who are permitted can.
Been quite a while (about two years) since I set these adm files up - I will
do some "playing" with my test server when I get a chance to see If I can
recall how I got this to work properly.
-Ec
-----Original Message-----
From: Seitz, Linden [mailto:L.Seitz@xxxxxxx]
Sent: Thursday, 26 February 2004 3:35 a.m.
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Darn Command Prompt - was Re: Restrict Drive Acces s
Yes interesting. I also disabled general users ability to run a command
prompt on our system
(my servers are W2K+SP3 MFXPe+FR3 on NT4 Domain) using the allInOne_v099.adm
system policy template file from thethin.net. I also copied cmd.exe from
the same 2000 server and put it in the user home, double clicked on it from
Explorer and it opened.
What Poledit template are you using?
-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]On
Behalf Of Euan Cooper
Sent: Tuesday, February 24, 2004 2:26 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Darn Command Prompt - was Re: Restrict Drive Access
Interesting ....
I disabled general users ability to run a command prompt on our system
(W2K+SP3 MFXPa+FR2 on NT4 Domain) via a system policy. Just tested putting
cmd.exe in test user's home dir and tried to run it from explorer - still
get "Command Prompt has been disabled by your administrator".
Will have a look through the adm file when I get a change to see what key it
is setting.
-Ec
-----Original Message-----
From: Seitz, Linden [mailto:L.Seitz@xxxxxxx]
Sent: Wednesday, 25 February 2004 8:33 a.m.
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Darn Command Prompt - was Re: Restrict Drive Access
I have the following registry key
(HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD = 2) set to
"try" to disable a user's ability to open and run the command prompt. The
scenario I can't get past is if a user places a copy of cmd.exe in their
personal directory and run it from a Citrix session. The command prompt
runs and the user is able to circumvent my Hide Drives and Prevent Drive
Access settings. Is there any way to avoid this from happening other than
using Appsec or other add-ons?
-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]On
Behalf Of Jeff Durbin
Sent: Tuesday, February 24, 2004 12:27 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Restrict Drive Access
Have used it at virtually every client that had Citrix or Terminal Services.
It does prevent access to drives, which can be a problem for your app. I've
never seen a major problem as a result of using it.
JD
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Seitz, Linden
> Sent: Wednesday, 25 February 2004 3:53 a.m.
> To: Thin@Freelists. Org (E-mail)
> Subject: [THIN] Restrict Drive Access
>
> Anyone using the "Prevent access to drives in My Computer" in
> security policy or .adm files in addition to hiding the
> drives? I would like to know if this setting "could" cause
> any file access problems if I enable it on my OS and
> Application partitions. Thanks!
> ********************************************************
> This weeks sponsor triCerat Inc.
> triCerat makes your job easier by offering essential
> applications to eliminate your printing, policy and profile,
> and your application management problems.
> http://www.triCerat.com
> **********************************************************
> Useful Thin Client Computing Links are available at:
> http://thin.net/links.cfm
> ***********************************************************
> For Archives, to Unsubscribe, Subscribe or set Digest or
> Vacation mode use the below link:
> http://thin.net/citrixlist.cfm
>
********************************************************
This weeks sponsor triCerat Inc.
triCerat makes your job easier by offering essential
applications to eliminate your printing, policy and profile,
and your application management problems.
http://www.triCerat.com
**********************************************************
Useful Thin Client Computing Links are available at:
http://thin.net/links.cfm
***********************************************************
For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://thin.net/citrixlist.cfm
********************************************************
This weeks sponsor triCerat Inc.
triCerat makes your job easier by offering essential
applications to eliminate your printing, policy and profile,
and your application management problems.
http://www.triCerat.com
**********************************************************
Useful Thin Client Computing Links are available at:
http://thin.net/links.cfm
***********************************************************
For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://thin.net/citrixlist.cfm
********************************************************
This weeks sponsor triCerat Inc.
triCerat makes your job easier by offering essential
applications to eliminate your printing, policy and profile,
and your application management problems.
http://www.triCerat.com
**********************************************************
Useful Thin Client Computing Links are available at:
http://thin.net/links.cfm
***********************************************************
For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://thin.net/citrixlist.cfm
********************************************************
This weeks sponsor triCerat Inc.
triCerat makes your job easier by offering essential
applications to eliminate your printing, policy and profile,
and your application management problems.
http://www.triCerat.com
**********************************************************
Useful Thin Client Computing Links are available at:
http://thin.net/links.cfm
***********************************************************
For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://thin.net/citrixlist.cfm
********************************************************
This weeks sponsor triCerat Inc.
triCerat makes your job easier by offering essential
applications to eliminate your printing, policy and profile,
and your application management problems.
http://www.triCerat.com
**********************************************************
Useful Thin Client Computing Links are available at:
http://thin.net/links.cfm
***********************************************************
For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://thin.net/citrixlist.cfm
Other related posts:
- » [THIN] Re: Darn Command Prompt - was Re: Restrict Drive Acces s
