NelsonMauricioZamudioArias-6158 asked

Is there any risk when enabling CMD.exe in AppLocker?

Hello everyone.
We have a MySQL application called MYSQLDUMP that exports information from MySQL databases. This program needs to use cmd.exe, but AppLocker blocks it.
Is there any risk if we enable said CMD.exe?
Thanks for the help.

windows-server-security

FanFan-MSFT answered

Hi,
CMD can be used safely by users.
Users can only run commands within their permissions.
If a user runs a command to change or write data on the clients without the rights to do so, they will encounter an access denied error, or there will be an elevation prompt for standard users.
Make sure UAC is enabled. You can set the policy "User Account Control: Behavior of the elevation prompt for standard users" to the following settings:
[Screenshots: 86003-4091.jpg, 86004-4092.jpg]
You can restrict the permissions for users on the clients or resources.

Best Regards,




Crypt32 answered

No, there are no risks with CMD; it is a Windows component and safe to run.


Hi, Crypt32.
Thanks for answering. Is there no security risk in enabling CMD on a server where it is used by multiple people?
We must enable this application, but we have doubts about whether, by enabling it, a user can perform an improper action in our operating system, taking into account that they are non-administrator users.
Thanks for your help.

Crypt32 replied to NelsonMauricioZamudioArias-6158:

Using CMD, they cannot elevate themselves to a privileged account or do something that is not allowed by their permissions or rights. There are plenty of ways to run commands/apps without CMD, so you gain nothing by disabling CMD. There are more powerful tools out of the box, for example PowerShell, which is magnitudes more powerful and allows performing complex things more easily. AppLocker should enforce protection on folders where users can write data to minimize (not avoid, but minimize) chances that people will run unauthorized software.

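Added example, not part of the thread: one way to check the point made in the last reply, by asking the effective AppLocker policy what a given standard user may run. It confirms that cmd.exe is allowed and that files sitting in folders the user can write to are not. The account name and folder list are assumptions; replace them with your own.

```powershell
# Added example: verify what the effective AppLocker policy allows for one user.
# Assumptions: the account name and the folder list below are placeholders.
$User     = 'CONTOSO\dbexport'        # hypothetical standard (non-admin) account
$Writable = @('C:\Users\dbexport',    # hypothetical profile of that account
              'C:\Users\Public')

# Merged local + domain policy as currently applied on this machine
$policy = Get-AppLockerPolicy -Effective

# 1. cmd.exe, which the export job needs: expect Allowed once the rule exists
$cmd = Join-Path $env:SystemRoot 'System32\cmd.exe'
Test-AppLockerPolicy -PolicyObject $policy -Path $cmd -User $User |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 2. Executables and scripts that already exist in user-writable folders:
#    none of them should be allowed to run for this user
$candidates = Get-ChildItem -Path $Writable -Recurse -File `
        -Include *.exe, *.com, *.bat, *.cmd, *.ps1 -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName

if ($candidates) {
    $allowed = Test-AppLockerPolicy -PolicyObject $policy -Path $candidates -User $User |
        Where-Object { "$($_.PolicyDecision)" -like 'Allowed*' }

    if ($allowed) {
        Write-Warning 'Policy allows execution from user-writable folders:'
        $allowed | Format-Table FilePath, MatchingRule -AutoSize
    } else {
        Write-Output 'No file in the listed user-writable folders is allowed to run.'
    }
} else {
    Write-Output 'No executable or script files found in the listed folders.'
}
```

Run it from an elevated session on the server; the `MatchingRule` column shows which rule produced each decision, which is where an overly broad path rule shows up.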