Restricting Access to Cmd using Software Restriction Policies

    Question

  • Hello everyone,

    I'm having issues restricting cmd.exe from being used on a Win7 machine using Software Restriction Policies in GP.

    First, I would like to say this is just a lab challenge and I understand that it would probably be best if I disabled it using GPO rather than using hash to restrict it, but I can't seem to find any information on this.

    So I created a new Software Restriction Policies, then I right-clicked on Additional Rules and selected New Hash Rule.

    After that I clicked Browse and went to %windir%\system32\cmd.exe, and made sure the security level was set to Disallowed.

    I logged onto my win7 machine and I can still open CMD.

    Edit: forgot to mention win7 machine is 64bit, and the DC is on server 2008 r2.

    Any insight would be greatly appreciated!

    • Edited by Montbot Monday, November 07, 2016 10:04 PM
    Monday, November 07, 2016 10:01 PM

All replies

  • Hi Montbot,

    Open the GPO...

    User Configuration/Administrative Templates/System

    And Enable Prevent access to the command prompt policy. 

    Monday, November 07, 2016 10:14 PM
  • Thanks for the reply Chetan.Cosmos, but the lab challenge wants me to do this with Software Restriction Policies.
    Monday, November 07, 2016 10:19 PM
  • Hi,
    Have you checked whether the GPO is applied successfully to the clients? You could run the gpresult /r command to view it.
    And regarding troubleshooting Software Restriction Policies, you could refer to the following and also give it a try:
    Troubleshoot Software Restriction Policies
    https://technet.microsoft.com/en-us/library/hh994599(v=ws.11).aspx
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, November 08, 2016 7:26 AM
    Moderator
  • Thanks for the reply Wendy, I'll give that a shot and make sure that it really is applying to the client.
    Tuesday, November 08, 2016 12:55 PM
  • Hello,

    Looks like my GPOs were not applied because they were filtered out?

    The other GPOs were working before?

    Not sure why this is happening, but I'll give it a Google search and see what I come up with.

    Tuesday, November 08, 2016 1:32 PM
  • > Looks like my GPOs were not applied because they were filtered out?
     
    MS16-072?
     
    Tuesday, November 08, 2016 2:55 PM
  • Hi,
    I am checking how the issue is going. If, as Martin said, it is caused by MS16-072, you might need to use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:
    • Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
    • If you are using security filtering, add the Domain Computers group with read permission.
    Please see details from: https://support.microsoft.com/en-sg/kb/3163622
    And if the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.
    Best regards,
    Wendy


    Monday, November 14, 2016 9:30 AM
    Moderator
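
The permission check described in the reply above, as an added example that is not part of the original thread. It assumes the GroupPolicy module (installed with GPMC/RSAT) and a domain account that can read GPO ACLs, and it only looks at the two groups the reply names, so a GPO that grants read to some other group containing the computer accounts will still be listed.

```powershell
# Added example: list GPOs where neither "Authenticated Users" nor
# "Domain Computers" holds at least Read, the condition the MS16-072
# guidance (KB3163622) says to correct.
Import-Module GroupPolicy

$trustees   = 'Authenticated Users', 'Domain Computers'
# Every built-in level at or above Read. GpoCustom is not counted here
# and has to be reviewed by hand in GPMC.
$readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

$report = Get-GPO -All | ForEach-Object {
    $gpo  = $_
    # Pull the full ACL and filter locally, so a missing trustee is
    # simply absent instead of raising an error.
    $hits = Get-GPPermission -Guid $gpo.Id -All | Where-Object {
        $_.Trustee.Name -in $trustees -and
        "$($_.Permission)" -in $readLevels -and
        -not $_.Denied
    }
    [pscustomobject]@{
        GPO             = $gpo.DisplayName
        Id              = $gpo.Id
        ComputerCanRead = [bool]$hits
        GrantedTo       = ($hits | ForEach-Object { $_.Trustee.Name }) -join ', '
    }
}

# GPOs that will show up as filtered out for user settings.
$report | Where-Object { -not $_.ComputerCanRead } |
    Format-Table GPO, Id -AutoSize

# Fix for one GPO (placeholder name), matching the first bullet above:
# Set-GPPermission -Name '<GPO display name>' -TargetName 'Authenticated Users' `
#     -TargetType Group -PermissionLevel GpoRead
```

GpoRead grants read without Apply, so adding it does not widen the set of users or computers the GPO's security filtering targets.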
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy



    Friday, November 18, 2016 9:04 AM
    Moderator