Move, Remove, or restrict access to CMD.exe in Windows 10

  • Question

  • I note that many of the current web compromises and 'drive-by-muggings' make use of CMD.EXE in a command call similar to this:

    "c:\windows\system32\cmd.exe" /q /c "<malicious launch>"
    "%systemroot%\system32\cmd.exe" /q /c "<malicious launch>"

    I note that CMD.exe resides in 2 places:
    windows\system32   and    windows\SysWOW64

    Now thinking laterally...

    1. If I remove CMD.EXE (totally from the computer)
      - this will certainly 'neuter' most virus and malware
         Q: BUT what are the consequences?
         Q: What is dependent on CMD.EXE?
    2. If I relocate CMD.exe to (for example) c:\winsecure\...
      - this will certainly 'neuter' most virus and malware
         Q: BUT what are the consequences?
         Q: What is dependent on CMD.EXE and can I re-point these to the new location?
    3. Can I restrict permissions on CMD.exe to a specific (named) administrator(s)?
      (I would resist granting access to the administrators group as privilege escalation may allow the virus to then execute CMD.exe)
      - this should certainly 'neuter' most virus and malware
         Q: but will it?
         Q: what are the consequences of this permission?
         Q: What is then dependent on CMD.EXE and can I then grant object permission?
    4. Are there any better ways of doing this?

    In 99.9% of cases the User does NOT need CMD.exe.
    A support person diagnosing an issue can 'run-as' or use the alternate location or a USB stick/network share, so this won't prevent us supporting and diagnosing issues.

    What apps do fail, we can trace the call with ProcMon and go from there.

    Am I missing anything?
    How effective would this be?

    Many thanks

    David (Nobby) Barnes

    Friday, May 26, 2017 11:02 AM
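The "what is dependent on CMD.EXE?" question in options 1 to 3 can be answered from the machine itself before anything is removed or locked down. The following is an added example, not code posted in this thread: a read-only PowerShell inventory of the places on a Windows 10 box that commonly launch cmd.exe (scheduled task actions, service binary paths, Run/RunOnce keys, and local Group Policy .bat/.cmd scripts, which need cmd.exe to run at all). It assumes an elevated Windows PowerShell 5.1 session; the regex and the output layout are this example's own choices.

```powershell
# Added example (not from the thread): read-only inventory of what on this machine
# references cmd.exe, run BEFORE removing or restricting it, so the impact is measured
# rather than guessed. Assumptions: Windows 10, elevated Windows PowerShell 5.1.

$pattern  = '(?i)(cmd\.exe|%comspec%|\.(bat|cmd)\b)'   # cmd.exe by name, via %COMSPEC%, or a batch file
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($source, $name, $command) {
    $findings.Add([pscustomobject]@{ Source = $source; Name = $name; Command = $command })
}

# 1. Scheduled tasks whose actions launch cmd.exe or a batch file
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # COM-handler actions have no Execute/Arguments; they simply produce an empty string here
        $cmdLine = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
        if ($cmdLine -match $pattern) { Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $cmdLine }
    }
}

# 2. Services whose binary path goes through cmd.exe
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if ($svc.PathName -match $pattern) { Add-Finding 'Service' $svc.Name $svc.PathName }
}

# 3. Run / RunOnce autostart entries (machine-wide and for the current user)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys | Where-Object { Test-Path $_ }) {
    $entries = Get-ItemProperty -Path $key
    foreach ($p in $entries.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        if ("$($p.Value)" -match $pattern) { Add-Finding 'RunKey' "$key\$($p.Name)" $p.Value }
    }
}

# 4. Local Group Policy logon/startup scripts: every .bat/.cmd needs cmd.exe to execute
$scriptRoot = Join-Path $env:SystemRoot 'System32\GroupPolicy'
if (Test-Path $scriptRoot) {
    Get-ChildItem -Path $scriptRoot -Recurse -Include *.bat, *.cmd -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'GroupPolicyScript' $_.FullName $_.FullName }
}

# Report: each row is one thing that would break (or need re-pointing) if cmd.exe disappeared
if ($findings.Count -eq 0) {
    'No scheduled task, service, Run key or local GPO script references cmd.exe.'
} else {
    $findings | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
}
```

This covers the static launch points only; anything that spawns cmd.exe at run time (installers, updaters, third-party agents) still needs the ProcMon trace mentioned later in the question, or the audit-mode AppLocker log suggested in the replies.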

All replies

  • You could block access to cmd through AppLocker.

    Some other programs depend on cmd, and blocking cmd might prevent them from running.

    Blocking cmd is not a very wise approach; instead you may consider Device Guard, which blocks malicious commands and allows verified and trusted ones to be run:

    • Proposed as answer by -Mr Happy- Saturday, August 12, 2017 10:28 PM
    Friday, May 26, 2017 2:28 PM
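The AppLocker route suggested above can be tried without breaking anything first, because a rule collection can be applied in AuditOnly mode. The following is an added example, not code from this thread or from Microsoft: a PowerShell script that builds an AppLocker executable rule set denying both copies of cmd.exe to BUILTIN\Users, tests it offline with Test-AppLockerPolicy, applies it in audit mode, and then reads back event 8003 (the "would have been blocked" event) so the dependencies surface as log entries. It assumes a Windows 10 edition that enforces AppLocker (Enterprise/Education), the Application Identity service running, and an elevated Windows PowerShell 5.1 session; the rule names, the temp file path and the choice of BUILTIN\Users as the blocked group are this example's own.

```powershell
# Added example (not from the thread): AppLocker policy that denies cmd.exe (System32 and
# SysWOW64) to BUILTIN\Users, applied in AuditOnly mode first. Deny rules win over allow
# rules and AppLocker has no "except this group" clause, so the blocked population is
# whatever SID the deny rule carries; admins stay exempt by not being in that group or by
# linking the GPO to an OU that excludes admin accounts.
# Assumptions: Windows 10 Enterprise/Education, Application Identity service running,
# elevated Windows PowerShell 5.1.

Import-Module AppLocker

$usersSid  = 'S-1-5-32-545'   # BUILTIN\Users
$adminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators
$everyone  = 'S-1-1-0'

# Once an Exe collection exists, anything not explicitly allowed is blocked, so the usual
# default allow rules are shipped alongside the deny rule rather than a deny rule on its own.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows folder" Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Administrators everything" Description="" UserOrGroupSid="$adminsSid" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny cmd.exe (System32) to Users" Description="" UserOrGroupSid="$usersSid" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\cmd.exe" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny cmd.exe (SysWOW64) to Users" Description="" UserOrGroupSid="$usersSid" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\SysWOW64\cmd.exe" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'deny-cmd-audit.xml'   # constructed location
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run against the XML before touching the machine: cmd.exe should come back Denied
# for a member of Users, notepad.exe Allowed via the Windows-folder rule.
Test-AppLockerPolicy -XmlPolicy $policyPath -User $usersSid -Path @(
    "$env:SystemRoot\System32\cmd.exe",
    "$env:SystemRoot\SysWOW64\cmd.exe",
    "$env:SystemRoot\System32\notepad.exe"
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge into the local policy. AuditOnly logs what would be blocked and blocks nothing.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# After a burn-in period, event 8003 lists every launch that WOULD have been blocked;
# those entries are the dependencies to fix before changing EnforcementMode to "Enabled".
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'User'; e = { $_.UserId } }, Message |
    Format-Table -AutoSize -Wrap
```

The audit log answers the "I need to diagnose this system" objection raised in the next reply in a different way: with EnforcementMode left at AuditOnly on a pilot group, nothing is stopped, yet every cmd.exe launch and the account behind it is recorded, which is the list you need before enforcing.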
  • Absolutely excellent ideas.
    I avoided AppLocker;
        as it doesn't have an "I need to diagnose this System" mode
        Is complex and challenging to set up beyond most SMEs' budget and resource
        wouldn't always block the app if a privilege escalation compromise was in use.

    I love the concept, theory and approach of DeviceGuard
    However this is currently not available
        Won't run on Win 10 Pro
        Is complex and challenging to set up beyond most SMEs' budget and resource

    I am readily familiar with the "Security Configuration and Analysis" toolset.
    This has been around since XP days.
    This benchmarks the system and recommends certain locks. One of which is:
       Either:- Remove CMD.EXE
       Or :- restrict access permissions

    This tool is easily usable and can be set up as a template database and run on any matching system to apply the standard. Quite cool really, and if one follows the MS security team guidelines you can really get a secure system. E.g. don't have the operating system on the "C:\" drive... as 99.99% of viruses are hard-coded c:\windows.... and would thus fail... as would most hackers at first attempt.

    I used to remove CMD.exe on server 2003 especially if it was internet facing IIS
    There were a few minor dependencies but nothing major.

    I was hoping that the current windows security team would have a base_Build dependency list for:
    That way I could determine the impact of removing or securing these programs.

    I personally feel that if these 4 programs were UAC locked (required UAC prompt) 99.99% of virus, trojan and Malware infections would be neutered..! Yes there would be the side effect that some enterprise automation would fail, but hey, 90% of windows users aren't enterprise users, and any way, enterprises have device guard and applocker so they wouldn't enable the UAC lock on those programs.
    Simple fix...

    Or am I just being over paranoid.. The SME's I look after just cannot afford to ever catch a crypto virus.
    I'm already a paranoid admin and implement many security features like:
      Border Firewall is in White-list mode (deny EVERYTHING, only let out/in minimum needed)
      PC level firewall on and using a 'Deny all' inbound and outbound rule and ONLY permitting SMB etc to permitted servers and things like 80/443 ... None of the allow everything rubbish..
      Users don't have Admin rights
      No Java
      No adobe Flash Player
      No Adobe reader
      No mapped drive letters
      No saved passwords in browsers (use password manager with 2FA)
      Autoplay disabled
      All O/S updates installed within 24hrs
      Application updates checked and installed within 48hrs
      No WiFi on main LAN (WiFi users have to VPN in)
      Printers and MFCs on separate LAN with firewall between and MINIMAL access. (you have to print via server print queue)

    Am I being overly paranoid? We still get the odd 'drive-by-mugging' from a Google search that turns up a malicious site for a user's search request.. Yes we have minimal impact (spare PC swap, clean re-install), but was looking to get one step ahead by blocking access to those key apps.

    Sunday, May 28, 2017 10:23 PM
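The "restrict access permissions" lock from the Security Configuration and Analysis templates, and option 3 in the question, comes down to an NTFS deny ACE on the cmd.exe files. The following is an added example, not code from this thread or from the toolset: a PowerShell script that records the current security descriptor of both copies of cmd.exe in SDDL form (so the change is reversible), takes ownership from TrustedInstaller (without which even an administrator cannot edit the ACL), adds a deny-execute entry for BUILTIN\Users, and verifies the result. It assumes an elevated Windows PowerShell 5.1 session on Windows 10; the backup folder path is this example's own. Two caveats a practitioner would want: servicing (Windows Update, sfc /scannow, in-place upgrades) replaces cmd.exe and its ACL, so the check has to be repeated after patching, and because every interactive account, admins included, carries the Users SID in its token, a deny on Users also blocks the named administrators unless they use a separate, unrestricted copy as the question already anticipates.

```powershell
# Added example (not from the thread): option 3, restrict cmd.exe by NTFS permission
# rather than deleting it. Reversible: the original descriptor is saved as SDDL first.
# Assumptions: elevated Windows PowerShell 5.1, Windows 10, backup folder below is constructed.

$targets   = @("$env:SystemRoot\System32\cmd.exe", "$env:SystemRoot\SysWOW64\cmd.exe")
$backupDir = 'C:\ACLBackup'            # constructed location for the saved descriptors
$usersSid  = '*S-1-5-32-545'           # BUILTIN\Users in icacls SID syntax (language-neutral)
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

function Protect-CmdExe([string]$exe) {
    if (-not (Test-Path $exe)) { return }
    $backup = Join-Path $backupDir (($exe -replace '[:\\]', '_') + '.sddl')

    # 1. Save the full security descriptor (owner + DACL) so it can be put back later
    (Get-Acl -Path $exe).Sddl | Set-Content -Path $backup -Encoding ASCII

    # 2. cmd.exe is owned by TrustedInstaller; take ownership for the Administrators group,
    #    which implicitly grants the WRITE_DAC right needed to add an ACE
    takeown /f $exe /a | Out-Null

    # 3. Deny execute (X) to Users. Read is left alone so backup/AV/file-copy still work.
    icacls $exe /deny "${usersSid}:(X)" /q | Out-Null
}

function Restore-CmdExe([string]$exe) {
    # Reverse the change from the saved SDDL (owner goes back to TrustedInstaller as well)
    $backup = Join-Path $backupDir (($exe -replace '[:\\]', '_') + '.sddl')
    if (-not (Test-Path $backup)) { return }
    $acl = Get-Acl -Path $exe
    $acl.SetSecurityDescriptorSddlForm((Get-Content -Path $backup -Raw).Trim())
    Set-Acl -Path $exe -AclObject $acl
}

foreach ($exe in $targets) { Protect-CmdExe $exe }

# Verify: owner and the deny entries now present on each copy
foreach ($exe in $targets | Where-Object { Test-Path $_ }) {
    $acl = Get-Acl -Path $exe
    [pscustomobject]@{
        File   = $exe
        Owner  = $acl.Owner
        Denies = ($acl.Access | Where-Object AccessControlType -eq 'Deny' |
                  ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
    }
}

# To undo:  foreach ($exe in $targets) { Restore-CmdExe $exe }
```

Re-run the verification block after each cumulative update; if the Owner column reads NT SERVICE\TrustedInstaller again and the Denies column is empty, servicing has reset the file and the deny has to be reapplied.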
  • Anybody else got any thoughts?

    This would be such a cool way to block viruses and malware


    David (Nobby) Barnes

    Saturday, August 12, 2017 9:39 PM
  • "I need to diagnose this System mode" run your admins in OU's that do not have restrictions (still a risk).
    Saturday, August 12, 2017 10:28 PM
  • Agreed.

    Nothing is perfect. Getting CMD.exe, cscript.exe and wscript.exe out of the picture (off the system) would stop most nasties and web drive-by muggings...

    No Admin should be surfing the web
    And IE should NEVER be used on a server
    Surf the web from a PC as a User, grab your files, AV check them, copy to share, then remote the server and install...
    Yes it's extra steps, but that is the bit that will save your arse if you get slammed by something.

    David (Nobby) Barnes

    Sunday, August 13, 2017 4:41 PM
  • Ok, to add: admins have admin accounts with limited restrictions so they can do the troubleshooting, install apps etc., and block internet access, no email with that account etc. Limit the risk.
    Sunday, August 13, 2017 8:37 PM