[gptalk] Re: Can't block command.com?

  • From: "James F. Prudente" <JPrudente@xxxxxxxxxxxxx>
  • To: "gptalk@xxxxxxxxxxxxx" <gptalk@xxxxxxxxxxxxx>
  • Date: Mon, 17 Nov 2008 13:08:35 -0500


The hash value seems to work for COMMAND.COM; as noted, I had to hash the file 
from 2000, XP and Vista as they are all different.

Both CMD.EXE and COMMAND.COM were explicitly entered into "Don't run...," but 
for whatever reason, COMMAND.COM seems to ignore that under certain 
circumstances. I work for a school district, so we try to keep everything as 
tight as possible, both for security and the pleasure of confounding the 
inevitable wannabe hackers.

Thanks for the help.


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Omar Droubi
Sent: Monday, November 17, 2008 11:59 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Can't block command.com?

Don't forget: command.com and cmd.exe are completely different executables, so 
you need to catch them both if you specify the names, and maybe the command 
prompt block is only catching one?

Also, if you use software restriction policy hash rules (which can work very 
well) you will need to add in each version of the file. For example, cmd.exe 
from XP SP2 is different than cmd.exe from Vista or Server 2003/2008, so get one 
copy of each file when you are defining the executables. It's quite easy.

Locking down apps is always tough. Are you doing it for stability or security?

Omar Droubi
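The two practical points in this thread, that each OS version ships a different cmd.exe/command.com and so needs its own hash rule, and that "Don't run specified Windows applications" is only enforced by the Explorer shell, can both be checked with a short script. The following PowerShell is an added example written for this page, not code posted by anyone in the thread. It assumes PowerShell 4.0 or later (for Get-FileHash); for 2000/XP images, copy the two files to a modern admin workstation and point the $candidates list at those copies instead.

```powershell
# Added example (not from the thread): inventory the shell executables that SRP
# hash rules must cover, so one rule per distinct file version can be created.
# Assumes PowerShell 4.0+ for Get-FileHash. Paths are the standard Windows
# locations; command.com exists only on 32-bit installs (x64 has no NTVDM),
# so a missing file is reported rather than treated as an error.

$candidates = @(
    "$env:SystemRoot\System32\cmd.exe",
    "$env:SystemRoot\SysWOW64\cmd.exe",
    "$env:SystemRoot\System32\command.com"
)

$inventory = foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Not present on this host: $path"
        continue
    }
    $item = Get-Item -LiteralPath $path
    [pscustomobject]@{
        Host        = $env:COMPUTERNAME
        Path        = $path
        FileVersion = $item.VersionInfo.FileVersion
        Length      = $item.Length
        SHA256      = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
}

$inventory | Format-Table -AutoSize

# Export per host so results from each reference image (2000, XP, Vista, 2008)
# can be merged; every distinct SHA256 value needs its own SRP hash rule.
$inventory | Export-Csv -NoTypeInformation -Path ".\shell-hashes-$env:COMPUTERNAME.csv"

# Show what "Don't run specified Windows applications" actually set for this user.
# The DisallowRun list is enforced by Explorer when it launches a program, which
# is why a batch file (run by the command interpreter itself) bypasses it.
$disallowKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
if (Test-Path -LiteralPath $disallowKey) {
    (Get-ItemProperty -LiteralPath $disallowKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { "DisallowRun entry $($_.Name): $($_.Value)" }
} else {
    "No DisallowRun entries for the current user."
}
```

Run it once per OS image (or per folder of collected copies) and merge the CSV files: the number of distinct SHA256 values is the number of hash rules you need. The SHA-256 here is for tracking versions; the Group Policy editor computes the rule's own hash when you browse to the file while creating the rule, so you still point it at each collected copy.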
From: gptalk-bounce@xxxxxxxxxxxxx [gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of 
Darren Mar-Elia [darren@xxxxxxxxxx]
Sent: Monday, November 17, 2008 08:34 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Can't block command.com?

I would try using a Software Restriction Policy hash rule to block this exe. 
Using that Admin. Templates policy below is going to be incomplete, because it 
only blocks certain types of entries into command.com.


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of James F. Prudente
Sent: Monday, November 17, 2008 7:52 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Can't block command.com?

Hi All,

Command.com is blocked via "Don't run specified Windows applications," and sure 
enough that works properly if a user tries to run the file directly. However, 
if they put command.com in a batch file, and then run that batch file, they can 
get to a command prompt. "Prevent access to the command prompt" is enabled, and 
as best I can tell, I've got things locked down as far as possible. Is there 
something I'm missing? There are a lot of sites out there that seem to indicate 
it's not possible to block this. Seems odd though.


James F. Prudente
Network & Systems Coordinator
Islip Public Schools
215 Main Street
Islip, NY 11751
