Denying access to Command Prompt

While I personally love Command Prompt and almost always have an instance of it open in order to launch administrative tools, in general it is true that Command Prompt is a security nightmare. If any user somehow stumbles their way into an elevated Command Prompt window, they can do literally anything inside the Windows operating system. So as a matter of security common sense, if there is not a legitimate need for Command Prompt to be used on workstations in your environment (and I very much doubt that there is), disable it! This is a quick and simple policy, but one that is almost always a great addition to a well-rounded security package:

User Configuration | Policies | Administrative Templates | System | Prevent access to the command prompt:

Set Prevent access to the command prompt to Enabled, and that's it! CMD.EXE is now blocked wherever this GPO applies. You will also notice that there is a separate selection within that setting that controls whether scripts should continue to be allowed to run. If you are using batch-style logon or logoff scripts, make sure script processing remains enabled; otherwise, this GPO will break your scripts.

Once enabled, attempting to launch Command Prompt from my user login now results in the following message:

Remember that this is a User Configuration policy, and as such you will be scoping your GPO to apply to user accounts, not computers. For example, I just mistakenly linked this GPO to my testing GPOs OU, where my LAPTOP1 machine sits, and then sat here wondering why I could still access Command Prompt on that machine. Doh! What I actually needed to do was link this GPO to my accounting users OU, which is where my test user account resides. After making the change, I was immediately blocked from accessing cmd.exe.
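To confirm from the workstation that the policy has actually reached the logged-on user, and whether batch scripts are still allowed, the following added example (not from the book) reads the per-user registry value that backs this setting. It assumes it is run in the affected user's session; the function name `Get-CmdPolicyState` is made up for illustration.

```powershell
# Added example: verify "Prevent access to the command prompt" for the current user.
# This is a User Configuration policy, so it is written to the user's hive (HKCU),
# never to HKLM. Linking the GPO to a computer OU leaves this value absent.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\System'
$ValueName = 'DisableCMD'

function Get-CmdPolicyState {
    param([string]$Key = $PolicyKey)

    $item = Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Nothing applied: typical result when the GPO is linked to the wrong OU.
        return [pscustomobject]@{
            Value = $null; CmdBlocked = $false; BatchScriptsBlocked = $false
            Meaning = 'Not configured for this user; check the GPO link and the OU of the user account'
        }
    }

    $value = [int]($item.$ValueName)
    switch ($value) {
        1 { # Enabled, and script processing is disabled as well
            [pscustomobject]@{
                Value = 1; CmdBlocked = $true; BatchScriptsBlocked = $true
                Meaning = 'cmd.exe blocked; batch logon/logoff scripts will also fail'
            }
        }
        2 { # Enabled, but script processing is left on
            [pscustomobject]@{
                Value = 2; CmdBlocked = $true; BatchScriptsBlocked = $false
                Meaning = 'cmd.exe blocked interactively; batch scripts still run'
            }
        }
        default {
            [pscustomobject]@{
                Value = $value; CmdBlocked = $false; BatchScriptsBlocked = $false
                Meaning = 'Policy present but not blocking cmd.exe'
            }
        }
    }
}

Get-CmdPolicyState | Format-List

# Show which GPOs were applied to the user side of this session,
# to confirm the GPO was picked up through the user's OU.
gpresult /scope user /r
```

If the value is still missing after correcting the link, run `gpupdate /target:user /force` in the user's session and check again.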

Check out one more security policy setting that is available inside this same location; in fact, it should be listed immediately below the policy setting that disables Command Prompt. This one is called Prevent access to registry editing tools, and is also a great one to configure for most user accounts.
