Things to block in Denver When You’re an IT Admin

Last Updated on January 31, 2023 by rudyooms

This blog (old, but kept up to date) collects some more information and options on how to block administrative tools like regedit and the Command Prompt.

I am going to divide it into multiple parts and show you all of the options you have to prevent access to CMD.

  1. Applocker
  2. Prevent access to administrative tools (settings catalog)
  3. Don’t run / DisallowApps specified applications (settings catalog)
  4. Proactive Remediations
  5. Conclusion

1. Applocker

In one of my older blogs, I showed you how it could be done within the Intune for Education portal. It’s just an easy switch 🙂

When you are interested in a full Applocker setup, please visit my blog on how to automate Applocker.

Applocker à la minute – Call4Cloud Powershell Automated

2. Prevent Access to Administrative Tools

Of course, that’s really nice. I noticed some ADMX updates inside the Windows 10 Insider Preview build 20185.

https://blogs.windows.com/windowsexperience/2020/08/05/announcing-windows-10-insider-preview-build-20185/

I hope this ADMX update within Insider Preview build 20185 will help us prevent access to the command prompt, PowerShell and the registry without using Applocker.

UPDATE 01-10-2020

Peter Klapwijk and I did a test drive with it and noticed some things weren’t working as they were supposed to. After reporting the bug to Microsoft, it was fixed.

My blog: The never-ending Command Prompt – Call4Cloud

UPDATE 16-05-2021

I really start to love the settings catalog even more. It’s now possible to configure these 2 settings:

* Prevent access to registry editing tools

* Prevent access to the command prompt

Of course, these settings are (for now) only available for Windows Insiders.

3. Don’t run specified Windows Applications

Blocking the default administrative tools won’t block access to PowerShell.exe. Instead of configuring those two settings to block cmd and regedit, try this one:

* Don’t run specified Windows Applications

But just like the prevention of launching the administrative tools, it is only available to Windows Insiders.

UPDATE 04-09-2021

Fantastic news! Finally, 1400 settings that were previously only available in the Insider Preview are now generally available and ready to be implemented!

Looking back at the policy I showed earlier:

Now go install this Windows 10, version 21H1 Build 19043.1200 also known as KB5005101!!

Now let’s see the results. Instead of getting this prompt:

You will receive this notification. It’s a little different from the Applocker notification or the notification above, but it is pretty clear that the operation is not allowed.

“It’s just an action, not a piece of work”

Let’s check which PolicyManager registry key has been created to restrict this operation.

It’s the same ADMX as the one used to prevent access to administrative tools. Let’s find out the exact registry key; we need to check the DisallowApps key.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\ADMX_ShellCommandPromptRegEditTools\DisallowApps

Now that we know the policy path, let’s check how it looks inside the Azure AD user’s registry.
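As an added example (not code from the original post), the following script reads the per-user list that the DisallowApps policy should produce for the signed-in user and checks that powershell.exe (plus cmd.exe and regedit.exe) is on it. The Explorer\DisallowRun location and the expected executable names are assumptions on my part, since the screenshot of the user hive is not reproduced here.

```powershell
# Added example, not from the original post. Assumption: the ADMX-backed DisallowApps policy
# lands in the same place as the classic "Don't run specified Windows applications" GPO:
#   HKU\<sid>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
#     DisallowRun (DWORD) = 1          -> list is active
#     DisallowRun\ (subkey) 1, 2, ...  -> one string value per blocked executable
param(
    # Executables we expect to be blocked (assumed list, adjust to your own policy)
    [string[]]$Expected = @('powershell.exe', 'cmd.exe', 'regedit.exe')
)

# Runs as SYSTEM under Proactive Remediations, so HKCU is useless; map HKEY_USERS instead
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null

# Resolve the interactively signed-in user and translate the account to its SID
$user = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
if (-not $user) { Write-Host 'No interactive user signed in'; Exit 1 }
$sid = (New-Object System.Security.Principal.NTAccount($user)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

$explorer = "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Is the list switched on at all? Missing key/value reads as $null, which [int] turns into 0
$enabled = (Get-ItemProperty -Path $explorer -Name DisallowRun -ErrorAction SilentlyContinue).DisallowRun

# Collect the executable names stored as values "1", "2", ... under the DisallowRun subkey
$blocked = @()
if (Test-Path "$explorer\DisallowRun") {
    $item = Get-Item -Path "$explorer\DisallowRun"
    $blocked = @($item.GetValueNames() | ForEach-Object { $item.GetValue($_) })
}

Write-Host "DisallowRun enabled : $([int]$enabled -eq 1)"
Write-Host "Blocked executables : $($blocked -join ', ')"

# -notcontains is case-insensitive, so POWERSHELL.EXE in the policy still counts
$missing = @($Expected | Where-Object { $blocked -notcontains $_ })
if ([int]$enabled -ne 1 -or $missing.Count -gt 0) {
    Write-Host "Not compliant, missing: $($missing -join ', ')"
    Exit 1
}
Write-Host 'All expected executables are on the DisallowRun list'
Exit 0
```

Keep in mind that DisallowRun is enforced by the Explorer shell: it stops the listed executables from being started through Explorer, not processes started by other means, which is the gap Applocker closes.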

4. Proactive Remediations

You could use Proactive Remediations for everything! So why not block access to CMD (as an example)?

Detection Script

# Proactive Remediations run as SYSTEM, so HKCU would not point at the signed-in user; map HKEY_USERS instead
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null

# Resolve the interactively signed-in user and translate the account to its SID
$user = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
$sid  = (New-Object System.Security.Principal.NTAccount($user)).Translate([System.Security.Principal.SecurityIdentifier]).Value
$key  = "HKU:\$sid\Software\Policies\Microsoft\Windows\System"

# Read DisableCMD (1 = block cmd and batch files, 2 = block cmd but allow batch files);
# a missing key or value yields $null instead of an error
$val        = Get-Item -Path $key -ErrorAction SilentlyContinue
$DisableCMD = if ($val) { $val.GetValue("DisableCMD") } else { $null }

##################################
# CMD block detection            #
##################################

if ($DisableCMD -ne 1)
{
    Write-Host "CMD is not blocked!"
    Exit 1
}
else
{
    Write-Host "CMD is already being blocked"
    Exit 0
}

Remediation Script

# Same SYSTEM context as the detection script, so map HKEY_USERS and work with the user's SID
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null

$user = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
$sid  = (New-Object System.Security.Principal.NTAccount($user)).Translate([System.Security.Principal.SecurityIdentifier]).Value
$key  = "HKU:\$sid\Software\Policies\Microsoft\Windows\System"

# Check whether the DisableCMD value already exists (no error when the key or value is missing)
$reg = Get-ItemProperty -Path $key -Name DisableCMD -ErrorAction SilentlyContinue

##################################
# CMD block remediation          #
##################################

if (-not $reg)
{
    Write-Host "CMD registry key was not created, creating it now!"
    # -Force creates the System key (and any missing parent) instead of failing on an existing path
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name "DisableCMD" -Value 1 -PropertyType DWord | Out-Null
}
else
{
    Write-Host "CMD registry key configured to 1"
    Set-ItemProperty -Path $key -Name "DisableCMD" -Value 1 | Out-Null
}

# Both branches leave DisableCMD = 1, so report success in either case
Exit 0

And of course, the results when you try to open CMD as a regular user:

And when we try to open it as a local admin…

Conclusion:

I showed you 3 options to block cmd/regedit or powershell.exe. In my opinion, Applocker is the way to go, but I really like the new settings catalog.

You can even block other executables by simply adding them. Adding an executable to block with the settings catalog is a lot faster than copying the Applocker XML, changing it and uploading it again.


2 thoughts on “Things to block in Denver When You’re an IT Admin”

    1. It depends on how you target it... but when using a dedicated local admin user it shouldn’t target that one... But I would rather deploy Applocker so you can do the same... but Applocker is way, way better...
