Best Way to Disable 'command.com'

[Raistlin]

Morning All,

Need to disable access to command.com on a Windows XP Pro system.

Anybody done this? If so, what did you find to be the best way to do it?

I can just delete the executable, but that a) might cause compatibility problems down the line, and b) won't stop it running from a USB drive/CD.

Thanks

[Kymmy]

http://www.edugeek.net/forums/how-do...mmand-com.html

post #10 has a solution but it does involve restricting 16bit apps

[Mauldor]

I found this on the good old web:

In non-domain environment you can create software restriction policy for
cmd.exe and command.com. You can do it in Group Policy.

Open Group policy -> expand Computer Configuration -> Security Settings ->
Software Restriction Policies! Right click additional rule and my suggestion
is Hash rule. It is most reliable but it is still possible to get around it.
E.g. applying service pack might change e.g. cmd.exe. This will most likely
change the hash and users will be able to run cmd.exe command.

In domain environment you can e.g. change permission on file and give only
admins e.g. full control and remove all other users and groups...
Open Group policy -> expand Computer Configuration -> Security Settings ->
File System. Add file from c:\windows\system32\cmd.exe and select who has
any rights on it...

Hope that helps..

[Matth]

http://www.askvg.com/all-kinds-of-re...003-and-vista/

Not sure if it's correct but:

20.) Restrict Command Prompt:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Wind ows\System

Create DWORD value DisableCMD and set its value to 2

Doh! Command.com, now that is sneaky

12.) Restrict Programs to run:

HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre nt Version\Policies\Explorer\DisallowRun

create String value with any name, like 1 and set its value to the program's EXE file.
e.g., If you want to restrict msconfig, then create a String value 1 and set its value to msconfig.exe. If you want to restrict more programs, then simply create more String values with names 2, 3 and so on and set their values to the program's exe.

Wonder if that restriction can also be applied for command.com ?

I personally can not see how you can stop a system totally using command.com as you say you can boot to it via usb/cd drive ive got dos boot discs of both types neither of which have anything to do with windows.
It appears its easy to disable it in windows password protect bios and set to boot from hdd and then hope no one removes the battery

[Raistlin]

The final solution was in the post that Kymmy made above.

Disabling Windows' access to the 16-bit subsystem completely prevents command.com from running as it needs to be able to access those services and interpreters to run.

As for booting from an alternative media well.....if you're going to allow physical access to your system then it's pretty much game over anyway. However, if you apply full disk encryption to the system then the main threats from being able to boot to an alternate OS (password harvesting, file access, user account enumeration/amendments) disappear.

No wthat depends on who has access to the system. Bitlocker for example has been hacked . Anyone with the right set of skills and access to the machine can render some encryptions useless

[Raistlin]

The encryption that BitLocker provides hasn't been hacked, just the the mechanism that it uses to apply it - even then it is possible to employ BitLocker in a manner that effectively protects the data on your computer, and prevents access to it from an OS booted from alternative media.

Perhaps my comment above should have read 'if you correctly apply full disk encryption'.....

aye

[Dude111]

I have always wondered what that COMMAND.COM program was for in my root directory...

If i delete the file what programs might not run?