Wednesday, December 2, 2009

Disabling the command prompt does NOT increase security

There is a configuration setting in the Windows operating system called "Disable the command prompt." It "prevents users from running the interactive command prompt, cmd.exe. This policy also determines whether batch files (.cmd and .bat) can run on the computer. If you enable this policy and the user tries to open a command window, the system displays a message explaining that a policy prevents the action" (copied and pasted from the Microsoft documentation).

This setting is a holdover from Windows 95/98 (which had no security), but it is completely pointless on Windows NT/2000/XP/2003/Vista and later. I can't think of a single good reason to disable the command prompt. Why? Because cmd.exe is a program, not a security boundary.

In the Windows operating system, a security boundary prevents a program from doing something, or prevents data from going somewhere, without authorization. If a user opens a command prompt (i.e., starts the cmd.exe program), the cmd.exe program is running as that user, just like any other program the user runs. The cmd.exe program does not somehow give the user the ability to do things they can't do otherwise. The user's account is the security boundary, not the command prompt.

I have seen many requests for technical help in various forums, and sometimes the answer to a problem involves typing commands at a command prompt. Occasionally, I will see a reply like: "That won't work, because we have disabled the command prompt." My suspicion is that some administrators think that disabling the command prompt somehow increases security, but because this is wrong, the only thing it accomplishes in cases like this is slowing down problem solving processes (thus increasing costs).

[Update 5/13/2015] - These comments also apply to running PowerShell. (I'm not talking about PowerShell's execution policy, which is a separate issue. I am talking about just running powershell.exe or powershell_ise.exe.)