I'm looking for reliable ways to restrict access to the Windows Command Line for regular users without affecting admin access. Our organization uses Windows 11 and we're a domainless setup with Jumpcloud simulating those features. So far, the solutions I've found seem a bit hacky, like blocking common command line executable names. Is there a cleaner and more effective way to prevent ordinary users from accessing PowerShell, CMD, or similar tools while still enabling it for admins and necessary background services? I feel like this should be a common issue, but my research hasn't turned up any great solutions. Has anyone else tackled this, and what strategies worked for you?
3 Answers
I've come across a few methods that range from easy to complex. Here’s a quick rundown:

1. There's a setting in Intune called "Don’t run specified Windows applications (User)" that lets you block execution of certain files directly from Explorer. Users can rename files, but if Vanta isn't checking for that, it could work for you.
2. AppLocker is a way to prevent users from running PowerShell or CMD while letting admins do their thing, but keep in mind that it has some known bypasses.
3. Consider WDAC if you need more security, just remember that it’s more restrictive and might not allow exceptions for admins.

If you want something smoother, ThreatLocker could also be a good fit.
You're really looking for application control, also known as application whitelisting. This is a solid way to manage which applications can be launched by users. You might want to look at specific tools that can facilitate this more efficiently.
From my experience in a K12 environment, blocking all the potential avenues for misuse is key. We use AppLocker to restrict access: allow admin users unrestricted access while blocking CMD, PowerShell, and other potentially risky tools for everyone else. You can run scripts in the system context to prevent issues.
Definitely second the use of AppLocker. It might be a pain to manage for a large number of applications, but it’s very effective at securing access.

Just note that if you set up an allow-list based on file names, users might still find a way around that by renaming the files. It's better to go for an approach that checks the hash of the executable instead.
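Putting the AppLocker approach from the answers above into a concrete policy, as an added example that is not from anyone in this thread: it keeps the usual default allow rules, adds publisher-based deny rules for cmd.exe and Windows PowerShell scoped to BUILTIN\Users (so renaming the binary does not get around them, which addresses the file-name concern above), and starts in audit mode. It assumes an elevated session on the target machine; pwsh.exe (PowerShell 7) and powershell_ise.exe are not covered unless added to $targets.

```powershell
# Builds and tests a local AppLocker policy: default-style allow rules, plus publisher
# DENY rules for cmd.exe and powershell.exe scoped to BUILTIN\Users. Run elevated;
# the Application Identity service (AppIDSvc) must be running for AppLocker to apply.
$targets = @(
  "$env:WINDIR\System32\cmd.exe",
  "$env:WINDIR\System32\WindowsPowerShell\v1.0\powershell.exe"   # add pwsh.exe etc. here
)
$usersSid  = 'S-1-5-32-545'   # BUILTIN\Users
$adminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators
function Esc([string]$s) { [System.Security.SecurityElement]::Escape($s) }
# One publisher rule per binary, built from its real signature so no strings are guessed.
$denyRules = foreach ($exe in $targets) {
  $p = (Get-AppLockerFileInformation -Path $exe).Publisher
  if (-not $p) { throw "$exe is not signed; a publisher rule is not possible" }
@"
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Deny $(Esc $p.BinaryName) for Users" Description="" UserOrGroupSid="$usersSid" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$(Esc $p.PublisherName)" ProductName="$(Esc $p.ProductName)" BinaryName="$(Esc $p.BinaryName)">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
"@
}
# AuditOnly first: nothing is blocked yet, but would-be blocks are logged.
$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators run anything" Description="" UserOrGroupSid="$adminsSid" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
$($denyRules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
$xmlPath = Join-Path $env:TEMP 'applocker-deny-shells.xml'
Set-Content -Path $xmlPath -Value $policy -Encoding UTF8

# Dry run against the XML before applying: expect Denied for Users, Allowed for admins.
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path $targets -User $usersSid  | Format-Table FilePath, PolicyDecision, MatchingRule
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path $targets -User $adminsSid | Format-Table FilePath, PolicyDecision, MatchingRule

# Replaces the local AppLocker policy with this one (use -Merge to keep existing rules).
Set-AppLockerPolicy -XmlPolicy $xmlPath
```

Because a deny rule wins over any allow rule, admin accounts that are also members of Users will be denied too, so check group membership before enforcing. Review the Microsoft-Windows-AppLocker/EXE and DLL event log from the audit run before changing EnforcementMode to Enabled.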