Disabling PowerShell.exe with GPOs like "Prevent access to the command prompt"

    General discussion

  • Hi there,

    Like the title says, how can I achieve this?

    I configured this (on activate):

    User Configuration \ Administrative Templates \ System -> Prevent access to the command prompt

    Now cmd.exe is deactivated, with a message to the user if someone tries to open a command box.

    I'm searching for the same, just for PowerShell. What is the intended way from Microsoft?

    First of all, I don't want to set a restriction policy; this only prevents execution of ps1 files with PowerShell.

    I want to disable execution of PowerShell as a whole.

    What I have done so far:

    Due to the lack of an existing GPO for explicitly disabling PowerShell, I tried to disable it with AppLocker -> Executable Rules.

    Here I disabled the path %SYSTEM32%\WindowsPowerShell\* for Domain Users and Guests.

    My problem with this:

    - Path -> You can copy PowerShell with cmdlets and execute it

    - Hash -> The hash probably changes with Windows updates (bad: if PowerShell.exe has another hash, it can be run)

    - Issuer -> A runtime packer can probably wrap and change this easily

    What are my options?

    So, what should I do? Issuer rules? Or are there better ways?

    Btw, whitelisting exe files is not the way we can go here. That's not realistic in so many cases.

    Thanks in advance.

    Monday, July 20, 2015 9:47 AM
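
An added example (not part of the original posts) for comparing the three rule types discussed in the question: it builds a Deny rule of each type for powershell.exe on top of a constructed allow-all baseline, then uses Test-AppLockerPolicy to evaluate the original binary and a copy in %TEMP%. The temp file names and the rule GUID are constructed, the AppLocker PowerShell module is assumed to be available, and no policy is applied to the machine.

```powershell
# Added example: evaluation only. Test-AppLockerPolicy reads the XML files written
# to $env:TEMP; nothing is imported into local or domain policy.
$original = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'
$copy     = Join-Path $env:TEMP 'applocker-test-copy.exe'   # constructed test path
Copy-Item -LiteralPath $original -Destination $copy -Force

# Constructed "allow everything" rule (Everyone = S-1-1-0). It stands in for a
# non-whitelisting baseline, so only the Deny rule decides the outcome.
$allowAll = '<FilePathRule Id="11111111-1111-1111-1111-111111111111" Name="Allow all (test)" ' +
            'Description="" UserOrGroupSid="S-1-1-0" Action="Allow">' +
            '<Conditions><FilePathCondition Path="*" /></Conditions></FilePathRule>'

function Test-DenyRuleType {
    param([ValidateSet('Path', 'Hash', 'Publisher')][string]$RuleType)

    # New-AppLockerPolicy generates Allow rules; build one for powershell.exe ...
    [xml]$doc = Get-AppLockerFileInformation -Path $original |
        New-AppLockerPolicy -RuleType $RuleType -User Everyone -Xml
    $exe = $doc.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }

    # ... flip it to Deny, then append the allow-all baseline.
    foreach ($rule in @($exe.ChildNodes)) { $rule.SetAttribute('Action', 'Deny') }
    $frag = $doc.CreateDocumentFragment()
    $frag.InnerXml = $allowAll
    [void]$exe.AppendChild($frag)

    $file = Join-Path $env:TEMP "applocker-deny-$RuleType.xml"
    $doc.Save($file)

    # Evaluate both files against the saved policy and report which rule matched.
    Test-AppLockerPolicy -XmlPolicy $file -Path $original, $copy |
        Select-Object @{ n = 'RuleType'; e = { $RuleType } }, FilePath, PolicyDecision, MatchingRule
}

'Path', 'Hash', 'Publisher' | ForEach-Object { Test-DenyRuleType $_ } | Format-Table -AutoSize
Remove-Item -LiteralPath $copy
```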

All replies

  • > Like the title says, how can I achieve this?
    As you already found: It's almost impossible. BTW: This "disable command
    prompt" is more a cosmetic thing than a security setting - there are
    tons of file managers that offer alternative command prompts...
    > Btw, whitelisting exe files is not the way we can go here.
    But in fact this is the only way that would work.

    Greetings/Grüße, Martin

    How about reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Monday, July 20, 2015 12:43 PM
  • Hi Martin.

    Thank you for the answer.

    Greets Penti

    Tuesday, July 21, 2015 6:05 AM