Group policy setting to restrict user access to change registry

Group policy setting to restrict user access to change registry
Secure Home | Search | About
Login Password
Register Now! Lost Password?
 Computer Software Security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content add this group's latest topics to your Google content
Subject Author Date
Group policy setting to restrict user access to change registry Also None 03-30-2006
Posted by Also None on March 30, 2006, 5:31 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
Hi all,

I checked google on this subject and can't seem to find a simple
article on what to set.

I want to set policy to stop the registry from being changed while
users are logged on. (Mainly to restrict installs while my teenagers
are logged on) Any other suggestions are appreciated.

The setting for "always install with elevated privileges" is
confusing. Should it be disabled or enabled to prevent them from
installing?

Hope you can help me to regain my sanity.

Regards,
George
--
NewsGuy.Com 30Gb $9.95 Carry Forward and On Demand Bandwidth

Posted by Sebastian Gottschalk on March 30, 2006, 6:34 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
Also None wrote:

> I want to set policy to stop the registry from being changed while
> users are logged on. (Mainly to restrict installs while my teenagers
> are logged on)

Changes to anything but HKCU cannot be made with restricted rights. If
you want a HKCU that is discarded after usage, you should use the Guest
account.

> The setting for "always install with elevated privileges" is
> confusing. Should it be disabled or enabled to prevent them from
> installing?

There is nothing confusing about it. When enable, MSI installer runs
with evelated privileges (means: more privileges than the user has) to
install things that need administrative access. You should leave it
disabled.

Posted by Also None on March 30, 2006, 7:02 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
On Fri, 31 Mar 2006 01:34:34 +0200, Sebastian Gottschalk

>Also None wrote:
>
>> I want to set policy to stop the registry from being changed while
>> users are logged on. (Mainly to restrict installs while my teenagers
>> are logged on)
>
>Changes to anything but HKCU cannot be made with restricted rights. If
>you want a HKCU that is discarded after usage, you should use the Guest
>account.
>
>> The setting for "always install with elevated privileges" is
>> confusing. Should it be disabled or enabled to prevent them from
>> installing?
>
>There is nothing confusing about it. When enable, MSI installer runs
>with evelated privileges (means: more privileges than the user has) to
>install things that need administrative access. You should leave it
>disabled.


Thanks for your reply,
If I understand the guest account, everything that is entered into
HKCU will dissappear including trojan entries.

Is there any way to completely shut off the installer for the user or
the guest? I tested this from a user account and some things accually
installed even though there was a warning that it might not work
correctly.

I am interested in shutting out things like kaaza, etc.

Thanks again,
George

--
NewsGuy.Com 30Gb $9.95 Carry Forward and On Demand Bandwidth

Posted by Sebastian Gottschalk on March 30, 2006, 8:07 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
Also None wrote:

> If I understand the guest account, everything that is entered into
> HKCU will dissappear including trojan entries.

It will disappear after logoff from such an account.

> Is there any way to completely shut off the installer for the user or
> the guest?

Since Windows XP you can use Software Restriction Policies to create a
whitelist for executables.

> I am interested in shutting out things like kaaza, etc.

Did you mean KaZaA? "kaaza" is the japanese word for "mother".

Well, for network related stuff you might use a proxy for the relevant
protocols.

Posted by Also None on March 30, 2006, 8:27 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
On Fri, 31 Mar 2006 03:07:08 +0200, Sebastian Gottschalk

>Also None wrote:
>
>> If I understand the guest account, everything that is entered into
>> HKCU will dissappear including trojan entries.
>
>It will disappear after logoff from such an account.
>
>> Is there any way to completely shut off the installer for the user or
>> the guest?
>
>Since Windows XP you can use Software Restriction Policies to create a
>whitelist for executables.
>
>> I am interested in shutting out things like kaaza, etc.
>
>Did you mean KaZaA? "kaaza" is the japanese word for "mother".
>
>Well, for network related stuff you might use a proxy for the relevant
>protocols.

Thank you,
Sebastian for President or PM, whichever is appropriate.

Thanks again

George
--
NewsGuy.Com 30Gb $9.95 Carry Forward and On Demand Bandwidth

Similar ThreadsPosted
(help from Tokyo) dumpsec problems while dumping user and group information February 20, 2007, 7:55 am
Re: Security policy July 20, 2006, 4:21 pm
Ex-employee policy? July 24, 2006, 7:44 am
How delete protected XP registry entry? December 8, 2005, 7:38 pm
Uniblue Registry Scanner any good? September 23, 2008, 9:07 pm
Thinstall installs sans registry entries..subversion? February 5, 2007, 6:04 pm
Registry Problem? Is this band sites list or is this an allowed siteslist? June 23, 2005, 11:16 pm
Which encryption algorithm should I use setting up Truecrypt volume? June 22, 2006, 5:30 pm
User Authentication November 29, 2006, 11:51 am
MS WORD launches slowly due to IE local security setting November 2, 2006, 9:04 am

The site map in XML format XML site map

Contact Us | Privacy Policy