Batch Files in a student environment

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • #1
    Batch Files in a student environment

    Greetings,

    I have just inherited a school network running Windows Server 2003. Presently all students have a mandatory profile and are restricted with a few GPOs. One enterprising student has figured out how to create batch files using Notepad and then gains access to a command prompt. Before I started, he was using that to mass net send messages. I have disabled the net send service on my clients and also want to end this command prompt access. I would deny access to cmd.exe, but my startup scripts are batch files. With some studying I could redo them in Perl or VBS, then block cmd.exe and hope for the best.

    Does anyone have any ideas? I just started looking into software restriction policies with Disallowed path rules. It looks like I would have to test all of our software and go from there.

  • #2
    Re: Batch Files in a student environment

    I'll move this topic to the GPO forum for a better response about software restriction.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going." ~ Winston Churchill



    • #3
      Re: Batch Files in a student environment

      Have a look at this policy:
      - http://www.microsoft.com/technet/pro....mspx?mfr=true

      * Registry key:
      HKCU\Software\Policies\Microsoft\Windows\System (read-only for the user)
      (not HKLM\)

      * Registry entry:
      DisableCMD REG_DWORD 1

      Entry value:
      (Not in registry.) - The policy is not configured. Users can run Cmd.exe, and the system can run batch files.
      1 - The policy is enabled and set to Yes. Users cannot run Cmd.exe, but the system can run batch files.
      2 - The policy is enabled and set to No. Users cannot run Cmd.exe, and the system cannot run batch files.

      This entry corresponds to the "Disable the command prompt" Group Policy (User Configuration\Administrative Templates\System).


      \Rems

      EDIT:
      I tested it, but unfortunately it affects user logon scripts (batch files) too.

      Last edited by Rems; 19th January 2008, 15:10.

      This posting is provided "AS IS" with no warranties, and confers no rights.

      __________________

      ** Remember to give credit where credit's due **
      and leave Reputation Points for meaningful posts



      • #4
        Re: Batch Files in a student environment

        Originally posted by Rems:
        Have a look at this policy: [...]
        EDIT:
        I tested it, but unfortunately it affects user logon scripts (batch files) too.

        Yeah, I tried that with high hopes, but it messed up my scripts too.

        What I did today was to keep that setting, but I made an ADM file that allows me to map drives through the GPO. My printer script is in VBS, so I think I should be OK now.

        I wish there was more out there on how to make ADM files; I had to piece things together and was able to get a working product. The idea of having it embedded into the GPO is something that I like.

        Thanks for the help, guys!



        • #5
          Re: Batch Files in a student environment

          In an effort to help others in the future, can you post your exact solution: what the ADM file looks like and any other details that you used to resolve your issue?
          Technology is only as good as those who use it

          My tech blog - wiredtek.wordpress.com



          • #6
            Re: Batch Files in a student environment

            I'm interested to read and learn about your solution to map drives using an ADM.

            (EDIT: found this thread http://www.pctools.com/forum/showthread.php?t=32446 (?))


            -----------------------------------------------------------

            Note about enabling the "Disable the command prompt" Group Policy:
            Once set to Enabled, the entry is tattooed in the registry on the clients.
            If you want to disable it again you cannot reset the policy to 'Not configured'; you must select 'Disabled'.



            Other solution, instead of using the "Disable the command prompt" Group Policy, to disable running batch files for users:

            Path rule(s) would have worked too, I think.
            http://www.microsoft.com/technet/sec.../xpsgch06.mspx

            Two possibilities:
            1. "Disallow all batch files, except those in a logon script directory."
              Create 4 path rules:

              - *.cmd set to Disallowed
              - \\server\Share\*.CMD set to Unrestricted

              - *.bat set to Disallowed
              - \\server\Share\*.BAT set to Unrestricted

              When the same type of rule is applied to the same file, the more specific rule overrides the less specific rule.

            2. OR...
              "Disallow all batch files, except those digitally signed."

              Create new path rules:
              - Set the path to *.cmd, and another one for *.bat.
              - Set the security level to *Disallowed*.

              Digitally sign each .cmd or .bat file to authorize it.

              Create a new certificate rule:
              - Set the security level to *Unrestricted*.

              You can apply more than one rule to one file; the priority of these rules is (highest to lowest):
              1. Hash rules
              2. Certificate rules
              3. Path rules
              4. Internet zone rules ( <== apply to MSI files )

            More:
            - http://technet2.microsoft.com/window....mspx?mfr=true
            - http://technet.microsoft.com/en-us/l.../bb457006.aspx


            \Rems

            Else (not a serious solution), to discourage users, create a cmd.com file in the same directory. Files with the extension *.com are executed in preference to *.exe files.
            A nice one is to make a copy of logoff.exe and name the copy cmd.com. But!!! Then you cannot use just the 'cmd' command any more from within a batch file; you always have to extend it with the .exe extension or use the %comspec% variable instead.
            Last edited by Rems; 22nd January 2008, 17:52.




            • #7
              Re: Batch Files in a student environment

              Originally posted by wiredteknologies:
              In an effort to help others in the future, can you post your exact solution: what the ADM file looks like and any other details that you used to resolve your issue?
              You bet!

              My ADM file is really simple, and I named it drives.adm.

              The contents look like this:

              CLASS USER
              ; CLASS USER: every KEYNAME below is relative to HKEY_CURRENT_USER.

              CATEGORY "Network Drives"

              ; One POLICY per drive letter. Each one writes the values Windows keeps
              ; for a persistent mapped drive under HKCU\Network\<letter>; only
              ; RemotePath is meant to be edited in the GPO editor, the other parts
              ; are pinned with MIN = MAX so they cannot be changed there.
              POLICY "Drive S (Shared Drive)"
              KEYNAME Network\S
              PART "ConnectionType - LEAVE" NUMERIC REQUIRED
              MIN 1 MAX 1 DEFAULT 1
              VALUENAME "ConnectionType"
              END PART
              PART "ProviderName - LEAVE" EDITTEXT REQUIRED
              DEFAULT "Microsoft Windows Network"
              VALUENAME "ProviderName"
              END PART
              PART "ProviderType - LEAVE" NUMERIC REQUIRED
              MIN 131072 MAX 131072 DEFAULT 131072
              VALUENAME "ProviderType"
              END PART
              PART "RemotePath" EDITTEXT REQUIRED
              DEFAULT "\\Zeal\HS"
              VALUENAME "RemotePath"
              END PART
              PART "UserName - LEAVE BLANK" EDITTEXT
              DEFAULT ""
              VALUENAME "UserName"
              END PART
              END POLICY

              POLICY "Drive J (Journalism)"
              KEYNAME Network\J
              PART "ConnectionType - LEAVE" NUMERIC REQUIRED
              MIN 1 MAX 1 DEFAULT 1
              VALUENAME "ConnectionType"
              END PART
              PART "ProviderName - LEAVE" EDITTEXT REQUIRED
              DEFAULT "Microsoft Windows Network"
              VALUENAME "ProviderName"
              END PART
              PART "ProviderType - LEAVE" NUMERIC REQUIRED
              MIN 131072 MAX 131072 DEFAULT 131072
              VALUENAME "ProviderType"
              END PART
              PART "RemotePath" EDITTEXT REQUIRED
              DEFAULT "\\Zeal\Jrnl"
              VALUENAME "RemotePath"
              END PART
              PART "UserName - LEAVE BLANK" EDITTEXT
              DEFAULT ""
              VALUENAME "UserName"
              END PART
              END POLICY

              POLICY "Drive V (VI)"
              KEYNAME Network\V
              PART "ConnectionType - LEAVE" NUMERIC REQUIRED
              MIN 1 MAX 1 DEFAULT 1
              VALUENAME "ConnectionType"
              END PART
              PART "ProviderName - LEAVE" EDITTEXT REQUIRED
              DEFAULT "Microsoft Windows Network"
              VALUENAME "ProviderName"
              END PART
              PART "ProviderType - LEAVE" NUMERIC REQUIRED
              MIN 131072 MAX 131072 DEFAULT 131072
              VALUENAME "ProviderType"
              END PART
              PART "RemotePath" EDITTEXT REQUIRED
              DEFAULT "\\Zeal\vi"
              VALUENAME "RemotePath"
              END PART
              PART "UserName - LEAVE BLANK" EDITTEXT
              DEFAULT ""
              VALUENAME "UserName"
              END PART
              END POLICY

              POLICY "Drive T (CAD)"
              KEYNAME Network\T
              PART "ConnectionType - LEAVE" NUMERIC REQUIRED
              MIN 1 MAX 1 DEFAULT 1
              VALUENAME "ConnectionType"
              END PART
              PART "ProviderName - LEAVE" EDITTEXT REQUIRED
              DEFAULT "Microsoft Windows Network"
              VALUENAME "ProviderName"
              END PART
              PART "ProviderType - LEAVE" NUMERIC REQUIRED
              MIN 131072 MAX 131072 DEFAULT 131072
              VALUENAME "ProviderType"
              END PART
              PART "RemotePath" EDITTEXT REQUIRED
              DEFAULT "\\zeal\cad"
              VALUENAME "RemotePath"
              END PART
              PART "UserName - LEAVE BLANK" EDITTEXT
              DEFAULT ""
              VALUENAME "UserName"
              END PART
              END POLICY

              END CATEGORY



              • #8
                Re: Batch Files in a student environment

                Now, for an overview.

                This ADM file gives me four options to map specific drives. The drive letters are S, J, V, and T. By default I have entered paths in the ADM file, but I can still configure them in Group Policy.

                In regards to some of the other options, I am not exactly sure what all of them do. It was suggested that I leave them in and not mess with the settings. I have had this fix running for a week now and have had no problems. The printers are mapped with a VBS script, and now I cannot access the command prompt when logged in as a student.

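The ADM in posts #7 and #8 is four copies of the same POLICY block with the drive letter and UNC path changed by hand. The following is an added example, not the poster's drives.adm: it builds that ADM from a table of (letter, label, UNC path) rows and reads the mappings back out of any ADM in the same shape, so a file can be checked for the shares it will push before it is imported into a GPO. The POLICY layout and the fixed values (ConnectionType=1, ProviderName "Microsoft Windows Network", ProviderType=131072) are taken from the post; the drive-letter and UNC-path checks, the `adm_is_valid` helper and the sample rows are assumptions made for the example.

```python
"""
Added example: generate the drive-mapping ADM from a table and parse it back.
Not the poster's file; POLICY layout and fixed values copied from post #7,
input validation added here as an assumption.
"""
import re
from typing import Dict, List, Tuple

# One POLICY block in the exact shape of the post; {letter}, {label} and {unc}
# are filled in by build_adm.
_POLICY = '''POLICY "Drive {letter} ({label})"
KEYNAME Network\\{letter}
PART "ConnectionType - LEAVE" NUMERIC REQUIRED
MIN 1 MAX 1 DEFAULT 1
VALUENAME "ConnectionType"
END PART
PART "ProviderName - LEAVE" EDITTEXT REQUIRED
DEFAULT "Microsoft Windows Network"
VALUENAME "ProviderName"
END PART
PART "ProviderType - LEAVE" NUMERIC REQUIRED
MIN 131072 MAX 131072 DEFAULT 131072
VALUENAME "ProviderType"
END PART
PART "RemotePath" EDITTEXT REQUIRED
DEFAULT "{unc}"
VALUENAME "RemotePath"
END PART
PART "UserName - LEAVE BLANK" EDITTEXT
DEFAULT ""
VALUENAME "UserName"
END PART
END POLICY
'''

# \\server\share[\sub...]; no double quotes, which would break the ADM string.
_UNC = re.compile(r'^\\\\[A-Za-z0-9_.-]+\\[^\\"]+(\\[^\\"]+)*$')


def build_adm(drives: List[Tuple[str, str, str]],
              category: str = "Network Drives") -> str:
    """Return ADM text for the given (letter, label, unc) rows, or raise ValueError."""
    seen = set()
    blocks = []
    for letter, label, unc in drives:
        letter = letter.upper()
        # Assumption: refuse A:-C: (floppy/system letters) and duplicates; the ADM
        # itself would happily write HKCU\Network\C.
        if not re.fullmatch(r"[D-Z]", letter):
            raise ValueError(f"unusable drive letter {letter!r}")
        if letter in seen:
            raise ValueError(f"drive letter {letter} listed twice")
        if not _UNC.match(unc):
            raise ValueError(f"not a UNC path: {unc!r}")
        if '"' in label:
            raise ValueError("label must not contain double quotes")
        seen.add(letter)
        blocks.append(_POLICY.format(letter=letter, label=label, unc=unc))
    header = f'CLASS USER\n\nCATEGORY "{category}"\n\n'
    return header + "\n".join(blocks) + "\nEND CATEGORY\n"


def adm_is_valid(drives: List[Tuple[str, str, str]]) -> bool:
    """True if build_adm accepts the rows, False if it rejects them."""
    try:
        build_adm(drives)
        return True
    except ValueError:
        return False


_BLOCK = re.compile(r"(?ms)^[ \t]*POLICY\b.*?^[ \t]*END POLICY[ \t]*$")
_KEY = re.compile(r"(?m)^[ \t]*KEYNAME[ \t]+Network\\([A-Za-z])[ \t]*$")
_REMOTE = re.compile(
    r'(?ms)^[ \t]*PART[ \t]+"RemotePath".*?^[ \t]*DEFAULT[ \t]+"([^"]*)".*?^[ \t]*END PART')


def parse_drive_mappings(adm_text: str) -> Dict[str, str]:
    """Return {drive letter: default RemotePath} for each Network\\<letter> POLICY.

    Tolerates leading indentation, so an ADM pasted from a forum post parses too.
    """
    mappings = {}
    for block in _BLOCK.findall(adm_text):
        key = _KEY.search(block)
        remote = _REMOTE.search(block)
        if key and remote:
            mappings[key.group(1).upper()] = remote.group(1)
    return mappings


if __name__ == "__main__":
    # Constructed rows using the share names from the post.
    text = build_adm([("S", "Shared Drive", r"\\Zeal\HS"),
                      ("J", "Journalism", r"\\Zeal\Jrnl")])
    print(text)
    print(parse_drive_mappings(text))
```

Because the drives live in a table, adding a fifth share is one row rather than twenty pasted lines, and `parse_drive_mappings` run over an existing .adm shows exactly which UNC paths a policy will write into HKCU\Network before it is linked to the students' OU.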


                • #9
                  Re: Batch Files in a student environment

                  I just wanted to update this thread now that I have been using this for a month. So far everything is working great; the ADM-based drive mapping has worked perfectly and did end my other problems.

                  Rems, I did some more testing and found that one would need to add *.com to the path rules too. (A good throwback to the DOS days.)

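Post #6 describes how Software Restriction Policies pick a winner when several rules cover one file (hash rules beat certificate rules, which beat path rules; among path rules the more specific one wins), and post #9 reports that the path rules also needed a *.com entry. The following is an added example, not Windows' own SRP code and not from either poster: a small Python model of that resolution order, with the documented path-rule specificity ranking (explicit file > folder\*.ext > *.ext > folder) and both of Rems' rule sets built in. The rule and File classes, the signer name "School IT Code Signing" and the sample paths are constructed for the example; letting `*` span folder separators is a simplification of the model.

```python
r"""
Added example: a model of how SRP resolves conflicting rules for one file.
Not Windows' own code. Rule-type precedence and path specificity follow the
SRP documentation; rule sets OPTION1/OPTION2 mirror post #6, OPTION1_WITH_COM
adds the *.com rule from post #9. Signer name and sample paths are made up.
"""
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

DISALLOWED = "Disallowed"
UNRESTRICTED = "Unrestricted"
DEFAULT_LEVEL = UNRESTRICTED   # SRP's out-of-the-box default security level


@dataclass(frozen=True)
class File:
    path: str
    content: bytes = b""
    signer: Optional[str] = None   # Authenticode signer subject, if the file is signed


@dataclass(frozen=True)
class HashRule:
    sha256: str
    level: str


@dataclass(frozen=True)
class CertRule:
    signer: str
    level: str


@dataclass(frozen=True)
class PathRule:
    pattern: str
    level: str


Rule = Union[HashRule, CertRule, PathRule]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _norm(p: str) -> str:
    # Windows paths are case-insensitive, so compare everything in lower case.
    return p.lower().replace("/", "\\")


def _specificity(pattern: str) -> Tuple[int, int]:
    """Higher tuple = more specific path rule (documented SRP order)."""
    p = _norm(pattern)
    folder, _, name = p.rpartition("\\")
    if name == "":                 # "D:\Folder\"  (folder rule)
        return (0, len(folder))    # a deeper folder beats a shallower one
    if name.startswith("*."):      # "*.ext" is less specific than "D:\Folder\*.ext"
        return (1, 0) if folder == "" else (2, len(folder))
    return (3, len(p))             # explicit file name


def _path_matches(pattern: str, path: str) -> bool:
    p, f = _norm(pattern), _norm(path)
    if p.endswith("\\"):
        return f.startswith(p)     # folder rule covers everything beneath it
    # Simplification: fnmatch's '*' also spans '\', so "*.bat" matches in any folder.
    return fnmatch.fnmatchcase(f, p)


def _strictest(levels: List[str]) -> str:
    return DISALLOWED if DISALLOWED in levels else UNRESTRICTED


def evaluate(rules: List[Rule], file: File) -> str:
    """Effective security level for `file`: the first rule type that matches decides."""
    digest = sha256_hex(file.content)
    hits = [r.level for r in rules if isinstance(r, HashRule) and r.sha256 == digest]
    if hits:
        return _strictest(hits)
    hits = [r.level for r in rules
            if isinstance(r, CertRule) and file.signer is not None and r.signer == file.signer]
    if hits:
        return _strictest(hits)
    paths = [r for r in rules if isinstance(r, PathRule) and _path_matches(r.pattern, file.path)]
    if paths:
        best = max(_specificity(r.pattern) for r in paths)
        # Identical rules with different levels: the stricter one wins.
        return _strictest([r.level for r in paths if _specificity(r.pattern) == best])
    return DEFAULT_LEVEL


# Post #6, option 1: block batch files everywhere except the logon-script share.
OPTION1 = [
    PathRule(r"*.cmd", DISALLOWED), PathRule(r"\\server\share\*.cmd", UNRESTRICTED),
    PathRule(r"*.bat", DISALLOWED), PathRule(r"\\server\share\*.bat", UNRESTRICTED),
]
# Post #9: the same set with the *.com gap closed.
OPTION1_WITH_COM = OPTION1 + [PathRule(r"*.com", DISALLOWED)]
# Post #6, option 2: block all batch files unless signed by the school's certificate.
OPTION2 = [
    PathRule(r"*.cmd", DISALLOWED), PathRule(r"*.bat", DISALLOWED),
    CertRule("School IT Code Signing", UNRESTRICTED),   # hypothetical signer name
]

if __name__ == "__main__":
    for f in (File(r"C:\Documents and Settings\student\spam.bat"),
              File(r"\\server\share\logon.bat"),
              File(r"C:\Documents and Settings\student\spam.com")):
        print(f"{f.path}: {evaluate(OPTION1, f)} / {evaluate(OPTION1_WITH_COM, f)}")
```

Running it shows the three outcomes that matter for this thread: a student's spam.bat in the profile is Disallowed, logon.bat on the share is Unrestricted because the share-specific rule wins over the bare *.bat rule, and spam.com falls through to the default Unrestricted level until the *.com rule from post #9 is added. Under OPTION2 a signed batch file passes only because certificate rules outrank path rules, and a hash rule for a known-bad file still outranks the certificate.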