disable running of batch files

Thread: disable running of batch files

  1. #1
    Member | Join Date: Jun 2004 | Posts: 77

    disable running of batch files

    Hi,
    how can I disable running of batch files in Windows?

  2. #2
    Senior Member wiskic10_4 | Join Date: Jan 2004 | Location: Corpus Christi, TX | Posts: 254
    That would depend on what proggie/process is calling the batch files... More information please... What exactly is going on here, and which batch files do you wish to disable?
    My Corner of the Intarwebz: Jeremy Dean Online

  3. #3
    Member | Join Date: Jun 2004 | Posts: 77
    Hi,
    the situation is this. I have disabled cmd.exe for users, but they can still create a batch file,
    e.g.
    nbtstat -a <ip>
    pause
    and save it as a batch file, e.g. nbtstat.bat

    Then they can double-click on the batch file and cmd.exe runs.

    How can I restrict this?
    Thanks

  4. #4
    Super Moderator: GMT Zone nihil | Join Date: Jul 2003 | Location: United Kingdom: Bridlington | Posts: 17,178
    As Wiskic~ has said, we need to know more.

    1. What is your hardware setup?
    2. What sort of business environment?
    3. Are we talking desktop or server?
    4. What operating systems?
    5. Is this kind of activity likely, and if so, by whom?

    I would point out that security is a balanced and layered model approach. Just whacking in a few restrictions is not a satisfactory approach. Do you have a security model; do you have an AUP?

    OK, as for the batch files, your FIRST task is to find what you have, what they do and what launches them. Please remember that a lot of sites still use batch files for user logon/logoff. And there are plenty of applications that have retained them historically. Anything launched as "user" would be a potential problem.

    You might like to look at limiting access to DOS mode/DOS prompt, or maybe look at third-party software, particularly if you have to run obsolete OSes for legacy support or whatever.

    Please take a look at this:

    http://www.topshareware.com/1st-Secu...nload-6513.htm

    I would normally only suggest it in a legacy support situation, as it gives you better control over Win95 (no! you can't be), 98/98SE and ME.

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  5. #5
    Member | Join Date: Feb 2006 | Posts: 33
    Hi ghostmachine,

    You can do this by changing 'Windows File Types' in Windows Explorer if you have access to the admin account and the users you're trying to prevent using batch files do not have access to the admin account.

    To do this, log in as administrator, click on a folder such as 'My Documents', at the top of the window then click on the 'Tools' tab, then scroll down and click on Folder Options.

    Then click on the tab 'File Types'.

    Then click on the 'New' button and a box should pop up saying 'Create New File Extension'.

    In this box enter 'bat', then click on 'Advanced'; then, under where you entered the file extension, 'Associated File Type' should say 'MS-DOS Batch File'. Then click the 'OK' button.

    Now under the 'New' button it should say:

    'Details for 'Bat' extension'. Next to that, click on the 'Change' button.

    Then select a program you want to use to open .BAT extension files with, such as 'Notepad' or even 'Paint'.

    Then click 'OK' and then 'Close'.

    Now go and open a batch file to test this out.

    Then, if you are logged on to Windows with a limited account, all the boxes which you clicked on to change what program the file extension opens with are greyed out.

    This is more effective on an operating system such as Windows XP where it is easier to lock down security. You did not say which version of Windows you wanted this for, but I hope this helps; if not, could you please give us more info, such as which version of Windows?

    EDIT: I have just noticed this is account-specific, so for the user accounts you want to prevent this on you will need to log in to admin and make the user accounts you want to prevent this on admin temporarily to get past the greyed-out box situation on limited accounts.

    Then do what I said above for each account you want to prevent this on, then log in to your usual admin account and make the accounts that were previously limited limited again.

  6. #6
    Just Another Geek | Join Date: Jul 2002 | Location: Rotterdam, Netherlands | Posts: 3,403
    I can't help but wonder "Why?"... Why would you prevent users from creating and executing batch files? What's the risk? Or even better.. What are you trying to prevent your users from doing?

    So you've prevented cmd.exe.... What about command.com? What about a user that just copies cmd.exe and renames it to mycmd.exe?
    Oliver's Law:
    Experience is something you don't get until just after you need it.
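
The renamed-copy problem raised in the post above, seen from the administrator's side. This is an added example, not code from the thread: a PowerShell audit that finds byte-identical copies of the command interpreters under any name by comparing SHA-256 hashes. It assumes PowerShell 4.0 or later (for `Get-FileHash`), and the default `$ScanRoots` locations are hypothetical.

```powershell
# Added example (not from the thread): locate byte-identical copies of the
# Windows command interpreters stored under other names or locations.
# Assumptions: PowerShell 4.0+ (Get-FileHash); $ScanRoots defaults are hypothetical.
param(
    [string[]]$ScanRoots = @($env:USERPROFILE, $env:PUBLIC)
)

# Build reference fingerprints from this machine's own interpreters.
$reference = foreach ($dir in 'System32', 'SysWOW64') {
    foreach ($name in 'cmd.exe', 'command.com') {
        $path = Join-Path (Join-Path $env:SystemRoot $dir) $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            [pscustomobject]@{
                Name   = "$dir\$name"
                Length = (Get-Item -LiteralPath $path).Length
                Hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        }
    }
}
$sizes = @($reference | ForEach-Object { $_.Length })

$findings = foreach ($root in $ScanRoots) {
    # Size is a cheap pre-filter; the extension is ignored on purpose,
    # since a copy can carry any name.
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $sizes -contains $_.Length } |
        ForEach-Object {
            $file = $_
            $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 `
                     -ErrorAction SilentlyContinue).Hash
            $match = $reference | Where-Object { $_.Hash -eq $hash } | Select-Object -First 1
            if ($match) {
                [pscustomobject]@{
                    Path     = $file.FullName
                    CopyOf   = $match.Name
                    Modified = $file.LastWriteTime
                }
            }
        }
}

$findings | Format-Table -AutoSize
```

It only matches byte-identical copies of this machine's own binaries; a cmd.exe brought in from a different Windows build has a different hash and needs its own reference entry.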

  7. #7
    Super Moderator: GMT Zone nihil | Join Date: Jul 2003 | Location: United Kingdom: Bridlington | Posts: 17,178
    Thank you SirDice

    Exactly what I was driving at, and you can add hardware security as well, floppy disks, CD/DVDs, thumb drives.......................stuff they send to themselves via e-mail, steganography..................

    YoungNobody FYI, this may well not be as simple as you seem to think. Some management utilities and applications may actually run as "user", rather than "system" or a custom ID for the application. You need to check this up front if you don't want to look a total dork.

    Also, as soon as you stick your head above the parapet and start introducing new security controls you had better make sure that they are part of a well thought out and cohesive model.


  8. #8
    Member | Join Date: Jun 2004 | Posts: 77
    Originally posted here by SirDice
    I can't help but wonder "Why?"... Why would you prevent users from creating and executing batch files? What's the risk? Or even better.. What are you trying to prevent your users from doing?

    So you've prevented cmd.exe.... What about command.com? What about a user that just copies cmd.exe and renames it to mycmd.exe?

    Say, for a simple example, a user downloaded netcat (from his home, maybe),
    brings it to the office on a USB/floppy/CDROM, inserts it and starts creating a batch file
    such as

    echo "HEAD / HTTP/1.1\n\n" | nc.exe -vv <IP> ( ok i forgot the exact syntax, roughly it's like this for example)

    Then he can double-click the batch file and it will execute.
    AFAIK, netcat can be run from a floppy.
    Anyway, it's just a simple example of what users can do with batch files. (I even want to disable WSH in future.)

    So I don't want users to do that.

    BTW, we have XP users and the PDC is running on Win2k Server.

    Thanks

  9. #9
    Member | Join Date: Feb 2006 | Posts: 33
    Originally posted here by nihil
    Thank you SirDice

    Exactly what I was driving at, and you can add hardware security as well, floppy disks, CD/DVDs, thumb drives.......................stuff they send to themselves via e-mail, steganography..................

    YoungNobody FYI, this may well not be as simple as you seem to think. Some management utilities and applications may actually run as "user", rather than "system" or a custom ID for the application. You need to check this up front if you don't want to look a total dork.

    Also, as soon as you stick your head above the parapet and start introducing new security controls you had better make sure that they are part of a well thought out and cohesive model.

    nihil,

    I was just about to make another post asking ghostmachine what he is trying to accomplish by disabling access to 'cmd.exe' and preventing users from executing batch files.

    I know there are ways around what he is trying to implement, but he did ask how to prevent the execution of batch files for his users.

    Like I just mentioned above, I was just about to repost and ask ghostmachine exactly what he's trying to accomplish so we can answer his question more effectively.

    <Off Topic>
    nihil, sorry if you have understood me, but I'm the sort of person, if someone were to say to me:
    "I work for NASA and I need some way of securing the systems, I need a free Windows software firewall", then I would probably link them to Sygate or ZoneAlarm.

    Then I would ask them if that's all they are doing to secure the systems, like I was going to ask ghostmachine what he wanted this info for, but you beat me to the post.</Off Topic>

    EDIT: Sorry, this was hard for me to explain and I had mistyped a few things, so I had to go back over what I had written to check it and make sure it made sense.

  10. #10
    Super Moderator: GMT Zone nihil | Join Date: Jul 2003 | Location: United Kingdom: Bridlington | Posts: 17,178
    Hi ghostmachine

    say for a simple example, user downloaded netcat (from his home, maybe) bring it to office on a USB/floppy/CDROM, insert it and start creating a batch

    I do hope you realise that if you allow that, you have a much greater problem than people using Windows functionality, and what you are proposing is futile? Your security model is so flawed, I doubt if anyone would bother to write a batch file to circumvent it.

    Suppose I wander in with a CD/DVD loaded with a bootable distro of some sort.............you are OWNED. And all those nice little backdoors, timebombs, keyloggers and stuff that I would load onto your system?

    As we are obviously talking about "the enemy within" you MUST blend in physical security and a strong AUP as part of your security model.

    You must segment your network to reflect security requirements, and you must only grant users sufficient authority to carry out their functionality as required by the business.
