[gptalk] Re: Can't block command.com?

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Mon, 17 Nov 2008 08:34:54 -0800


I would try using a Software Restriction Policy hash rule to block this exe.
Using that Admin. Templates policy below is going to be incomplete, because
it only blocks certain types of entries into command.com. 




From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of James F. Prudente
Sent: Monday, November 17, 2008 7:52 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Can't block command.com?


Hi All,


Command.com is blocked via "Don't run specified Windows applications," and
sure enough that works properly if a user tries to run the file directly.
However, if they put command.com in a batch file, and then run that batch
file, they can get to a command prompt. "Prevent access to the command
prompt" is enabled, and as best I can tell, I've got things locked down as
far as possible. Is there something I'm missing? There are a lot of sites
out there that seem to indicate it's not possible to block this. Seems odd




James F. Prudente

Network & Systems Coordinator

Islip Public Schools

215 Main Street

Islip, NY 11751
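
The following read-only audit is an added example, not part of either message. It reports the two Administrative Templates settings named in the question and checks whether a Disallowed Software Restriction Policy hash rule, as suggested in the reply, already covers command.com. It assumes the standard policy registry locations, looks only at machine-scoped SRP rules, and assumes a rule's stored hash is the plain file hash.

```powershell
# Added example (not from the thread): read-only audit of the controls discussed above.
# Assumption: policies are stored at the standard policy registry paths shown here.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU:\Software\Policies\Microsoft\Windows\System'
# Machine-scoped SRP rules only; level 0 is "Disallowed". User-scoped rules are not checked.
$srpHash  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes'
$target   = Join-Path $env:SystemRoot 'System32\command.com'   # present on 32-bit Windows only

function Get-RegValue($Path, $Name) {
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue($Name) }
}

# 1. "Don't run specified Windows applications": a list of file names.
$listKey = Get-Item -Path "$explorer\DisallowRun" -ErrorAction SilentlyContinue
$names   = @(if ($listKey) { $listKey.GetValueNames() | ForEach-Object { $listKey.GetValue($_) } })
"DisallowRun enabled : {0}" -f ((Get-RegValue $explorer 'DisallowRun') -eq 1)
"DisallowRun entries : {0}" -f ($names -join ', ')

# 2. "Prevent access to the command prompt" (1 = also block batch files, 2 = allow them).
"DisableCMD value    : {0}" -f (Get-RegValue $system 'DisableCMD')

# 3. SRP hash rules: each rule is a subkey holding the file hash (ItemData) and size (ItemSize).
$rules = @(Get-ChildItem -Path $srpHash -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        Description = $_.GetValue('Description')
        Size        = $_.GetValue('ItemSize')
        Hash        = (@($_.GetValue('ItemData')) | ForEach-Object { '{0:X2}' -f $_ }) -join ''
    }
})

if (Test-Path $target) {
    # A rule may store MD5, SHA-1 or SHA-256, so compare against all three.
    $hashes = 'MD5', 'SHA1', 'SHA256' |
        ForEach-Object { (Get-FileHash -Path $target -Algorithm $_).Hash }
    $match  = @($rules | Where-Object { $hashes -contains $_.Hash })
    if ($match) {
        "Hash rule covers {0}: {1}" -f $target, $match[0].Description
    } else {
        "No Disallowed hash rule matches {0} ({1} hash rules found)" -f $target, $rules.Count
    }
} else {
    "$target is not present on this system"
}
```

Run it in the affected user's session, since the first two settings are read from that user's HKCU hive.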
