Blocking command line access
Our normal Group Policies include disabling the command prompt for interactive use (i.e. a user typing at a prompt), but not for scripting purposes.
Running any program located outside of the allowed locations is blocked by Software Restriction Policies in our Group Policies, but access to the various system tools is still required. Similarly, all drives except for those explicitly containing data (not applications), e.g. the home area, shared resources, etc., will be blocked.
These methods stop most casual attempts at gaining command line access. However, stopping access to the command prompt entirely will interfere with the login process, so care must be taken.
There are two routes to a command prompt: cmd.exe and command.com. The Group Policy referred to above will block access to cmd.exe for interactive use (the user will receive the error "The command prompt has been disabled by your administrator."). However, command.com is not affected by this Group Policy. To remove user access to command.com do the following:
- Locate WINDOWS\system32\command.com on your system drive and right-click on it
- Select the Security tab
- Find Interactive in the Group or user names: box and select it
- Click on the Remove button and then click OK on the warning.
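The same change can be scripted rather than done through the Properties dialog. The following PowerShell is an added example and not part of the original article: it removes the Interactive group's entries from command.com and then reports the state of the "Prevent access to the command prompt" policy for the current user. It assumes an elevated session on the workstation, the file path the article names (resolved against the system drive), and that the Interactive entry in the dialog corresponds to the well-known SID S-1-5-4.

```powershell
# Added example, not part of the original article: apply the command.com step
# with PowerShell instead of the Properties dialog, then report the state of
# the "Prevent access to the command prompt" policy for the current user.
# Assumptions: run in an elevated PowerShell session on the workstation;
# the file path follows the article (resolved against the system drive).

$target = Join-Path $env:SystemRoot 'system32\command.com'

# Well-known SID S-1-5-4 = NT AUTHORITY\INTERACTIVE (the "Interactive" entry in the dialog)
$interactive = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-4'

function Remove-InteractiveAccess {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "$Path not found (64-bit Windows does not ship command.com); nothing to do."
        return
    }

    # Step 1: entries on a system32 file are normally inherited from the parent
    # folder, and inherited entries cannot be removed directly. Stop inheriting
    # and keep copies of the current entries as explicit ones. This is the
    # point at which the dialog shows the warning the article mentions.
    # Caveat: on Vista and later the file is owned by TrustedInstaller, so
    # Set-Acl may be denied until an administrator takes ownership (takeown.exe).
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Step 2: re-read the now-explicit entries and drop every one for INTERACTIVE.
    $acl = Get-Acl -LiteralPath $Path
    $removed = 0
    foreach ($rule in @($acl.Access)) {
        $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid -eq $interactive) {
            [void]$acl.RemoveAccessRule($rule)
            $removed++
        }
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
    Write-Host "Removed $removed INTERACTIVE entry/entries from $Path"

    # Verify: INTERACTIVE must no longer appear in the DACL
    $left = (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $interactive }
    if ($left) { Write-Warning "INTERACTIVE still present on $Path" }
    else       { Write-Host "OK: INTERACTIVE has no access to $Path" }
}

function Get-CmdPolicyState {
    # Value written by the "Prevent access to the command prompt" policy
    # (User Configuration > Administrative Templates > System):
    #   2 = interactive prompt disabled, scripts still run (the setting described above)
    #   1 = interactive prompt and script processing both disabled
    $key = 'HKCU:\Software\Policies\Microsoft\Windows\System'
    $value = (Get-ItemProperty -Path $key -Name DisableCMD -ErrorAction SilentlyContinue).DisableCMD
    switch ($value) {
        2       { 'cmd.exe: interactive use disabled, scripts allowed' }
        1       { 'cmd.exe: interactive use and script processing disabled (logon scripts will be affected)' }
        default { 'cmd.exe: no DisableCMD policy applied to this user' }
    }
}

Remove-InteractiveAccess -Path $target
Get-CmdPolicyState
```

Inheritance is broken in a separate Set-Acl call before the Interactive entries are removed because an inherited entry is not removable in place; re-reading the ACL after the first save makes the copied entries explicit, which is exactly what the dialog does behind the warning you click OK on. The policy check is read-only and only reports what the Group Policy has already written for the user running the script.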