Jump to content
RTollison

security with no access to the cmd.exe

Recommended Posts

Have apps that use the createprocess and some that use shell obj to call OS related things. Now IT is/has to lock down security on server and is planning on removing access to all cmd.exe(not sure what ALL means but guessing they are going to remove it) and the powershell and all of its function from users. 

Does anyone know if removing access to cmd.exe will break createprocess or shellobj?

irony is that i don't have rights the rename the cmd.exe to test on my own.

Share this post


Link to post

It depends on what your external processes do. If you are trying to do something that will be locked down then I guess it will be affected. But calling CreateProcess per se doesn't requires cmd.exe. Unless that's the process that you are trying to create. 

Share this post


Link to post

 

On 5/12/2023 at 10:57 PM, RTollison said:

irony is that i don't have rights the rename the cmd.exe to test on my own.

Hint: you have the rights on your own home PC, why not try there?

Share this post


Link to post
On 5/12/2023 at 9:57 PM, RTollison said:

irony is that i don't have rights the rename the cmd.exe to test on my own.

If you want to test, make a VM and try there, you can remove the "cmd.exe" and doing all know things with "gpedit" about that. SO you can try multiple solutions without damage your working PC.

 

Bye

Edited by DelphiUdIT

Share this post


Link to post

work from home, so home pc is work pc. yes i do have a home pc (windows xp retired) and installing a VM would require corporate permissions to get an admin to install. it can wait until we have to deal with it then can do the testing to see what is blocked. who knows IT just might allow some things after all.

 

Thanks

Edited by RTollison

Share this post


Link to post

@RTollison

 

removing CMD.exe from the system I think would be a "delicate" thing to do, however, system administrators should know more than I do.
In any case, you could just try "blocking its use", which could be reversed more easily:

  • Using GPEdit.msc from the command line (irony or not)
    • User Settings -> Administrative Templates -> System
      • "Prevent access to the command prompt" = Enabled
  • to revert I do it "Disabled"

 

NOTE: Now, just run the tests on your applications and others that possibly use the CMD... however, there will be no guarantees that all applications work as they should, not even the operating system with stability!

Edited by programmerdelphi2k

Share this post


Link to post

FYI i do not have permission to run GPEdit.msc

We are already pretty tight on security. Now we are looking to do the same with our clients and hosting servers.

All i was hoping for was that someone else had already done something similar and knew for sure that createprocess still worked and that may shellobj would work but maybe some odd issues or whatever.

Edited by RTollison

Share this post


Link to post
35 minutes ago, RTollison said:

FYI i do not have permission to run GPEdit.msc

As it was still "a future plan", I thought you could do the test on your terminal, or who knows on your test PC! good luck, if possible let know about it

On 5/12/2023 at 4:57 PM, RTollison said:

Now IT is/has to lock down security on server and is planning on removing access to all cmd.exe

 

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×