Disable command.com? 1

[bofhrevenge2]

Hi all.
We're currently having a small problem with our users using Net Send to message each other I’ve tried disabling command.com with group policy but it didn't seem to work. Can anyone suggest a way to prevent users opening this app or tell me what affect removing it may have?

I don't really want to disable the messenger service as our print quota system uses it.

Cheers.

 

[aftertaf]

isn't it cmd.exe ??

and you can also disable the command line shorcut & keypress (windows] & R


Aftertaf (david)
MCSA 2003

 

[bcastner]

From a tip several years ago by member Griffyn:

Create a batch file called NET.BAT and put it in a directory that is referenced in the PATH environment variable *before* WINNT\SYSTEM32, which is where the NET.EXE program lives.

Contents of NET.BAT should be:

@echo off
if /I '%1'=='SEND' goto End
%WINDIR%\SYSTEM32\NET.EXE %1 %2 %3 %4 %5 %6 %7 %8 %9
:End

What is this doing?

Because of the path statement, NET.BAT will be found before NET.EXE, and so it will get run instead. This will not happen if the current directory is \WINNT\SYSTEM32.

Because we don't want to block off all the NET functions, the first line does a case insensitive (/I) compare of the first parameter. If it's not SEND then it calls the real NET program.

Hope that works. You'll need Command Extensions enabled to use the /I switch. I think they're turned on by default.

Source: thread55-625293

 

[aftertaf]

that's just darn cunning!

Aftertaf (david)
MCSA 2003

 

[bofhrevenge2]

Looks like a great suggestion but i can't get the damn thing to work, i've placed the net.bat file in the System32 folder and the winnt folder to be on on the safe side and Net Send still works.
Am i doing this wrong?

 

[RCorrigan]

BOFHR2 run "path" from a cmd prompt and see where system32 is referenced ... for me it was 1st, so I put the batch file in the root & it worked !!!!

<Do I need A Signature or will an X do?>

 

[aftertaf]

or rename net.exe and reference the new name in your batch file

Aftertaf (david)
MCSA 2003

 

[bofhrevenge2]

Ok this is all good but can anyone advise on the problems that could be encountered by removing command.com, we don't run any DOS apps on our systems.

 

[bcastner]

I think it would be a bad idea.
If for no other reason than it would not get you where you want to go, which is to restrict NET SEND. You have no idea what native resources you might need down the road.

If you were to create a restriction on command.com, I would think it best to do this through Group Policy. Not only would this be effective, but it documents the fact for others.

But I would leave command.com and CMD.EXE alone.

Note to Aftertaf:

I thought this "trick" quite clever as well. It actually can be used for other .exe files as well.

 

[bcastner]

One thing that may not be clear in the above discussion, is the "trick" I discuss does not block recieving NET SEND messages.

There are legitimate Administrator uses, or selected users uses perhaps, for NET SEND.

Implementing this "trick" will still allow the controlled user to recieve NET SEND datagrams. It just prevents them from sending them. To block recieving NET SEND messages, disable the Messenger service (not the IM client, the service), using Start, Run, services.msc, and setting the startup despostion of Messenger to disabled.

 

[bofhrevenge2]

I see your point Bill but i'm having trouble restricting command.com with group policy, i use group policy at present to ban several exe's but when i add command.com it fails to restrict it.

 

[bcastner]

And surely someone will point out you can use a firewall to block ports 139 and 445. Which of course you can. But that would be my last choice of remedies in a Windows networking setting.

Best wishes to all,
Bill Castner

 

[mcvpjd3]

Group Policy --> User Config --> Administrative Templates --> System --> Disable the Command Prompt...

Try that...

Patrick

 

[bofhrevenge2]

Already done it but that policy affects CMD.exe i'm afraid.

 

[bcastner]

If NTFS you could set deny read and deny execute as the permissions settings for users.

 

[bofhrevenge2]

I was thinking about trying to set permissions with the services group policy, i'll give it a try tomorrow and let you know.

Cheers.

 

[bcastner]

Or use cacls.exe, perhaps in a logon script.