Educational ICT Virtualisation Specialist

Twitter LinkedIn E-mail
Precedence Technologies Ltd
Technology House, 36a Union Lane
Cambridge, CB4 1QB, United Kingdom
T: +44 (0)8456 446 800 / +44 (0)1223 359900
F: +44 (0)8456 446 899 / +44 (0)1223 359459
E: enquiries@precedence.co.uk
BlockCLI

Jump To: Support > KB > Windows > BlockCLI

Blocking command line access

Our normal Group Policies include disabling the command prompt for interactive use (i.e. user typing at a prompt), but not for scripting purposes.

Running any program located outside of allowed locations is blocked by Software Restriction Policies in our Group Policies, but again, access to the various systems tools is required. Similarly, all drives except for those explicitly containing data (not applications), e.g. the home area, shared resources, etc. will be blocked.

These methods stop most casual attempts at gaining command line access. However, stopping access to the command prompt entirely will interfere with the login process, so care must be taken.

There are two routes to a command prompt: cmd.exe and command.com. The Group Policy referred to above will block access to cmd.exe for interactive use (user will receive the error The command prompt has been disabled by your administrator. However, command.com is not affected by this group policy. To remove user access to command.com do the following:

  • Find WINDOWS\system32\command.com on your system drive and right click on it.
  • Select the Security tab
  • Find Interactive in the Group or user names: box and select it
  • Click on the Remove button and then click OK on the warning.
© Copyright Precedence Technologies 1999-2017
Page last modified on November 10, 2010, at 09:37 AM by sborrill