Group Policy management: Disabling CMD

You can disable CMD in Group Policy in two steps according to Wes Noonan, our Windows-based network infrastructure security design expert.

A SearchWindowsSecurity.com reader recently asked Wes: In our domain-based network, we have disabled CMD for all of our users in Group Policy. When a user tries to enable CMD via local Group Policy (gpedit.msc), he gets denied due to conflict with network policy. When that user tries to gain access from the registry (modification of the DisableCMD key), however, his CMD is enabled. How can I disable that?

Wes Noonan offered this response:

Disabling CMD in Group Policy is a two-step process. Only administrators have the ability to write to that key. So if your users are indeed administrators, you are in a hard spot since they can undo anything you do. Step one is to make sure that they are not administrators. (In testing with a domain user, I could not add or modify this value.)

Step two is to make sure that the users do not have the Full Control permission on the registry key. If they do, remove the permission or explicitly deny it. Keep in mind, though, that if they are administrators, there is nothing to prevent them from taking ownership and changing the permissions right back.

Deny access to registry editing tools

Another option is to simply prevent access to registry editing tools using Group Policy. This can be done using the User ConfigurationAdministrative ToolsSystemPrevent Access to Registry Editing Tools policy value. If you enable the setting, the user can't open registry editor (or run most other registry editing tools) and thus can't change the registry entry value.

Contact Microsoft

This also strikes me as a bit of a bug on the part of Microsoft. If you have a support contract, you might consider opening an incident with Microsoft and seeing if you can get them to change the functionality.

Rate this Tip To rate tips, you must be a member of SearchWindowsSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Vulnerability/Authentication tips for Windows Buffer overflows can be prevented by GS cookies DHCP Client Service error affects network security Free security tools that can improve IIS security Correct improperly assigned user rights in Windows XP Free security testing tools for Windows handheld devices Windows Integrity Control (WIC) in Vista Metasploit 3.1 updates improve Windows penetration testing Cross-site scripting 101: XSS attacks plague Web browsers Windows network rights, password policy and network security testing Top Windows security testing tips of 2007 Group Policy Is a Group Policy setting changing my user rights? Remote management for Windows system upgrades Group Policy Object security in Windows Deny access to Windows system properties with GPOs How can I use a GPO to manage Windows user rights? Is a GPO blocking my VPN security scan? Rights management in Windows: Security expert roundup How can I use Group Policy to manage proxy servers? Why don't I have proper Windows Server 2003 rights to open a GPO? Down the chimney, through the firewall: Holiday quiz RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Group Policy Object  (SearchWindowsSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.