Things to block in Denver When You’re an IT Admin

This blog (old, but kept up to date) covers some more information and options on how to block administrative tools like regedit and the command prompt.

I am going to divide it into multiple parts and show you all of the options you have to prevent access to CMD.

  1. Applocker
  2. Prevent access to administrative tools (settings catalog)
  3. Don’t run specified applications (settings catalog)
  4. Proactive Remediations
  5. Conclusion

1. Applocker

In one of my older blogs, I showed you how it could be done within the Intune for Education portal. It's just an easy switch 🙂.

When you are interested in a full Applocker setup, please visit my blog on how to automate Applocker.

Applocker à la minute – Call4Cloud Powershell Automated

2. Prevent access to administrative Tools

Of course, that's really nice. I also noticed some ADMX updates inside the Windows 10 Insider Preview build 20185.

https://blogs.windows.com/windowsexperience/2020/08/05/announcing-windows-10-insider-preview-build-20185/

I hope this ADMX update within Insider Preview build 20185 will help us prevent access to the command prompt, PowerShell and the registry without using Applocker.

UPDATE 01-10-2020

Peter Klapwijk and I did a test drive with it and noticed some things weren't working as they were supposed to. After reporting the bug to Microsoft, it was fixed.

My blog: The never-ending Command Prompt – Call4Cloud

UPDATE 16-05-2021

I'm really starting to love the settings catalog even more. It's now possible to configure these two settings:

*Prevent access to registry editing tools

*Prevent access to the command prompt

Of course, these settings are (for now) only available for Windows Insiders

3. Don't run specified Windows Applications

Blocking the default administrative tools won't block access to PowerShell.exe. Instead of configuring those two settings to block cmd and regedit, try this one:

*Don’t run specified windows Applications

But just like the "prevent access to administrative tools" settings, it is only available to Windows Insiders.

So instead of getting this prompt

You will receive this notification. It's a little bit different from the Applocker notification or the one above, but it's pretty clear the operation is not allowed.

“It’s just an action, not a piece of work”

Let's check which PolicyManager registry key has been created to restrict this operation.

It's the same ADMX as "prevent access to administrative tools". Let's find out the exact registry key we need to check.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\ADMX_ShellCommandPromptRegEditTools\DisallowApps

Now that we know the policy path, let's check how the same setting lands inside the Azure AD user's registry hive.

4. Proactive Remediations

You could use Proactive Remediations for everything! So why not block access to CMD (as an example)?

Detection Script

# Proactive Remediations run as SYSTEM, so map HKEY_USERS and resolve the logged-on user's SID
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
$user = (Get-WmiObject -Class Win32_ComputerSystem).UserName
$sid = (New-Object System.Security.Principal.NTAccount($user)).Translate([System.Security.Principal.SecurityIdentifier]).Value
$key = "HKU:\$sid\Software\Policies\Microsoft\Windows\System"
# DisableCMD is honoured by cmd.exe itself: 1 blocks the prompt and batch files, 2 blocks only the interactive prompt
# -ErrorAction SilentlyContinue keeps the script from throwing when the key does not exist yet
$disableCmd = (Get-ItemProperty -Path $key -Name DisableCMD -ErrorAction SilentlyContinue).DisableCMD

if ($disableCmd -ne 1)
{
    Write-Host "CMD is not blocked!"
    Exit 1
}
else
{
    Write-Host "CMD is already being blocked"
    Exit 0
}

Remediation Script

# Same SYSTEM context and the same user-hive lookup as the detection script
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
$user = (Get-WmiObject -Class Win32_ComputerSystem).UserName
$sid = (New-Object System.Security.Principal.NTAccount($user)).Translate([System.Security.Principal.SecurityIdentifier]).Value
$key = "HKU:\$sid\Software\Policies\Microsoft\Windows\System"
$reg = Get-ItemProperty -Path $key -Name DisableCMD -ErrorAction SilentlyContinue

if (-not ($reg))
{
    Write-Host "CMD registry key was not created, creating it now!"
    # -Force lets New-Item succeed when the System key already exists but the value does not
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name "DisableCMD" -Value 1 -PropertyType DWord -Force | Out-Null
}
else
{
    Write-Host "CMD registry key configured to 1"
    Set-ItemProperty -Path $key -Name "DisableCMD" -Value 1 | Out-Null
}
# Exit 0 so Intune records the remediation as successful; the detection script re-runs afterwards to confirm
Exit 0


And of course, the results when you try to open the CMD as a regular user

And when we try to open it as a local admin…
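As an added example that is not part of the original post, here is how the same Proactive Remediation approach can be used for the "Don't run specified Windows applications" policy, which is the setting from section 3 that also covers PowerShell.exe on devices that cannot receive it through the settings catalog. It writes the Explorer DisallowRun policy into the logged-on user's hive under HKEY_USERS, exactly as the DisableCMD scripts above do. The list of executables and the `-Mode` switch are my assumptions: upload the script twice, once with the default left at `Detect` and once with it changed to `Remediate`, because Intune runs the scripts without parameters.

```powershell
<#
  Added example (not from the original post): one script that acts as both the
  detection and the remediation script for "Don't run specified Windows applications".
  Runs as SYSTEM under Proactive Remediations, so the per-user policy is written
  through HKEY_USERS\<SID> rather than HKCU. The executable list is an assumption.
#>
param(
    [ValidateSet('Detect', 'Remediate')]
    [string]$Mode = 'Detect',

    # Image names only; Explorer compares the file name of what it is asked to launch
    [string[]]$BlockedApps = @('powershell.exe', 'powershell_ise.exe', 'cmd.exe', 'regedit.exe')
)

function Get-LoggedOnUserSid {
    # Win32_ComputerSystem.UserName is the console user (DOMAIN\user or AzureAD\user)
    $userName = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
    if (-not $userName) { throw 'No interactive user is logged on; the user hive is not loaded.' }
    (New-Object System.Security.Principal.NTAccount($userName)).Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-DisallowRunState {
    param([string]$PolicyKey)
    # Returns the names currently listed under the DisallowRun subkey, or $null when the policy is off
    $explorer = Get-ItemProperty -Path $PolicyKey -Name DisallowRun -ErrorAction SilentlyContinue
    if (-not $explorer -or $explorer.DisallowRun -ne 1) { return $null }
    $list = Get-Item -Path "$PolicyKey\DisallowRun" -ErrorAction SilentlyContinue
    if (-not $list) { return @() }
    # Entries are string values named "1", "2", ... whose data is the image name
    @($list.GetValueNames() | ForEach-Object { $list.GetValue($_) })
}

function Set-DisallowRun {
    param([string]$PolicyKey, [string[]]$Apps)
    # Rebuild the list so stale entries are dropped, then turn on the DisallowRun flag
    New-Item -Path $PolicyKey -Force | Out-Null
    Remove-Item -Path "$PolicyKey\DisallowRun" -Recurse -ErrorAction SilentlyContinue
    New-Item -Path "$PolicyKey\DisallowRun" -Force | Out-Null
    $i = 1
    foreach ($app in $Apps) {
        New-ItemProperty -Path "$PolicyKey\DisallowRun" -Name $i -Value $app -PropertyType String -Force | Out-Null
        $i++
    }
    New-ItemProperty -Path $PolicyKey -Name DisallowRun -Value 1 -PropertyType DWord -Force | Out-Null
}

if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$sid       = Get-LoggedOnUserSid
$policyKey = "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

$current = Get-DisallowRunState -PolicyKey $policyKey
$missing = @($BlockedApps | Where-Object { $current -notcontains $_ })

if ($Mode -eq 'Detect') {
    if ($null -eq $current -or $missing.Count -gt 0) {
        Write-Host "DisallowRun not enforced for: $($missing -join ', ')"
        exit 1   # non-compliant: Intune now runs the remediation script
    }
    Write-Host "DisallowRun already blocks: $($current -join ', ')"
    exit 0
}

Set-DisallowRun -PolicyKey $policyKey -Apps $BlockedApps
Write-Host "DisallowRun configured for: $($BlockedApps -join ', ')"
exit 0
```

Two things to keep in mind when you test this. Explorer reads the policy when it starts, so a fresh value written straight into the registry may only take effect after the user signs out and in again (or Explorer is restarted). And DisallowRun is enforced by the Explorer shell on the file name alone: a renamed copy of powershell.exe, or a launch from Task Manager or another process, is not stopped, which is why the conclusion below still points at Applocker for real enforcement.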

Conclusion:

I showed you four options to block cmd, regedit or PowerShell.exe. In my opinion, Applocker is the way to go, but I really like the new settings catalog.

You can even block other executables by simply adding them. Adding an executable to block with the settings catalog is a lot faster than copying the Applocker XML, changing it and uploading it again. Keep in mind, though, that these ADMX settings only work by name: DisableCMD is honoured by cmd.exe itself and "Don't run specified Windows applications" is checked by the Explorer shell, so a renamed binary or a process started from somewhere other than Explorer slips past both, while Applocker enforces on publisher, path or hash regardless of how the process is started. I guess we also need to wait before deploying it to regular devices, because for now they need to be enrolled in the Insider build. Luckily you could use Proactive Remediations…
