2

How can I disable the command line net command in Windows Server 2003? It would probably be good to do so for security purposes.

James T
  • 2
    Can you describe the security purpose as an example? (Concern: is there actually a security issue with NET, or is the security issue something that preventing the use of NET masks, but does not address?) – TristanK Mar 18 '11 at 03:54
  • Just as an added layer of protection in case a hacker gets shell access, so that they can't make an account for themselves. – James T Mar 18 '11 at 15:48
  • 2
    Only Administrators (and Power Users, which are generally recommended against due to privilege escalation possibilities) could do that legitimately - if a hacker has admin access to a box, it's already game over. – TristanK Mar 18 '11 at 22:12
  • @TristanK: +10 on your immediately prior comment if I could. – Evan Anderson Mar 19 '11 at 01:38

1 Answer

4

The best way to disable a command is with Software Restriction Policies, which will allow you to use group policy to disable the ability of a command to run for users you choose the policy to apply to.

Jim B
  • 1
    Disallowing software with Software Restriction Policy isn't very effective. All an attacker needs to do is make a copy of the disallowed program, append a single byte to the end of the program, and the program will execute w/o issue. Software Restriction Policy is really only effective when it's run in the "Deny All, Allow Exceptions" mode. – Evan Anderson Mar 19 '11 at 01:40
  • Correct, AppLocker (the newest version) is more effective – Jim B Mar 20 '11 at 15:04
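
The difference between the two Software Restriction Policy modes discussed in the comments above, as an added example that is not part of the original thread: a simplified model of rule evaluation showing why a disallow rule for one program misses a modified copy, while "Deny All, Allow Exceptions" blocks it. The `Policy` class, the rule precedence, the use of SHA-256, the `C:\Temp\n.exe` path and the file contents are all assumptions made for illustration, not the real policy engine.

```python
import hashlib
from dataclasses import dataclass, field

def digest(image: bytes) -> str:
    # Assumption: SHA-256 stands in for whatever hash the real engine records.
    return hashlib.sha256(image).hexdigest()

@dataclass
class Policy:
    """Hypothetical, simplified model of path and hash rules plus a default level."""
    default_allow: bool                             # level for files matching no rule
    path_rules: dict = field(default_factory=dict)  # lower-cased path -> allowed?
    hash_rules: dict = field(default_factory=dict)  # file digest -> allowed?

    def may_run(self, path: str, image: bytes) -> bool:
        # Collect every rule that matches this file by path or by content hash.
        hits = [rules[key] for rules, key in ((self.path_rules, path.lower()),
                                              (self.hash_rules, digest(image)))
                if key in rules]
        if hits:
            return all(hits)           # any matching deny rule blocks the file
        return self.default_allow      # no rule matched: fall back to the default

# Constructed samples: the byte strings are stand-ins, not real executables.
NET = (r"C:\WINDOWS\system32\net.exe", b"constructed stand-in for net.exe")
COPY = (r"C:\Temp\n.exe", NET[1] + b"\x00")   # copied elsewhere, one byte appended
NOTEPAD = (r"C:\WINDOWS\system32\notepad.exe", b"constructed stand-in for notepad.exe")

def evaluate() -> dict:
    # Mode 1: everything runs by default, net.exe is disallowed by path and hash.
    blocklist = Policy(default_allow=True,
                       path_rules={NET[0].lower(): False},
                       hash_rules={digest(NET[1]): False})
    # Mode 2: nothing runs by default, only explicitly approved hashes do.
    allowlist = Policy(default_allow=False,
                       hash_rules={digest(NOTEPAD[1]): True})
    samples = {"net.exe": NET, "modified copy": COPY, "notepad.exe": NOTEPAD}
    return {mode: {name: policy.may_run(*sample) for name, sample in samples.items()}
            for mode, policy in (("blocklist", blocklist), ("allowlist", allowlist))}

if __name__ == "__main__":
    for mode, results in evaluate().items():
        for name, allowed in results.items():
            print(f"{mode:9} {name:14} {'runs' if allowed else 'blocked'}")
```

In the blocklist mode the modified copy matches neither the path rule nor the hash rule and falls through to the permissive default; in the allowlist mode the same file is blocked because nothing approved it.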