I have this problem that I really want to solve. I have a desktop computer at home and there are 3 people using it. At first we were using only one account, but I felt comfortable on it, so I decided to create a separate user account for each of them. By the way, my OS is Win7 Pro.
Now there are 3 user accounts on my computer. What I want to do now is disable the Control Panel and Run on their Start menu. I tried the Local Group Policy Editor. Is there any other way to do this without affecting my account?

If you are in an environment where administrators routinely log on to and perform troubleshooting on client devices, then make them exempt from the SRP rules.
However, if you are in an environment where all troubleshooting is done remotely via a privileged-access station (which, ideally, it should be), then you can apply the restrictions to administrators as well. Alternatively, you can whitelist all of the administrator tools, but bear in mind that because SRP rules cannot be scoped per user, this will allow ordinary users to run those tools too. Choose the option that makes the most sense for your environment.
The final option is whether to enforce certificate rules. If, in the Additional Rules section, you are using certificate-based checking, then you will need to enforce them here. The caveat about performance refers to the need to check a certificate revocation list (CRL) every time a program is run. It also means that the CRL (usually held online) needs to be reachable from the client, so environments with internet access blocked may struggle if this option is enforced. Choose the option that matches your requirements.
Notice that. All of the others in the list can be removed, or added to. There are a couple of notes worth calling out. Firstly, that. I normally remove. The final option is for management of Trusted Publishers.
It also, optionally, allows you to enforce a CRL check on the trusted certificates. Again, choose the options which are relevant to how you wish to manage the environment. You will get a warning — just click on Yes. This now means that everything will be blocked, subject to (a) the options configured under your global rules, and (b) any Additional Rules configured with a security level of Unrestricted. In a whitelist situation, you configure Additional Rules with a Security Level of Unrestricted to allow executables to run.
However, these paths predate the arrival of x64 computing and often mean that anything in the x86 Program Files folder will be blocked. I delete the default Path Rules and replace them with those shown below. This ensures that files in the system areas can execute without needing to provide an exhaustive list prior to deployment.
Population of the Additional Rules section is where your understanding of execution areas will become paramount. For instance, in our image we use App-V applications. These applications do not execute from Program Files or the SystemRoot areas — they have their own cached location.
If we try to launch one, we see the standard SRP block screen below. If you then check in the Event Viewer under Application log and look for an event ID , it will tell you the path of the executable which was prevented from running.
So we need to add a new Additional Rule that allows this path. One thing worth noting with SRPs, though, is that often the user has to log out and back in before the updated policy will take effect. So now only executables residing in our specified paths can be run. For instance, I can run regedit.
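As an added example (PowerShell, not code from the original article), the following script pulls the SRP block events described above out of the Application log and prints the path of each executable that was stopped, which is what you need before deciding whether to add an Unrestricted path rule for it. It assumes Windows PowerShell 3.0 or later and that the events are written by the provider named SoftwareRestrictionPolicies (the Source shown in Event Viewer); the `$Hours` window is a parameter of this example only.

```powershell
# Added example, not code from the original article. Lists executables that SRP has blocked
# by reading the Application log entries the text refers to. Assumes Windows PowerShell 3.0
# or later, and that the events are written by the provider named 'SoftwareRestrictionPolicies'
# (the name shown in the Source column of Event Viewer).
param(
    [int]$Hours = 24
)

$filter = @{
    LogName      = 'Application'
    ProviderName = 'SoftwareRestrictionPolicies'
    StartTime    = (Get-Date).AddHours(-$Hours)
}

$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Host "No SRP events found in the Application log for the last $Hours hours."
    return
}

# The message text names the executable that was stopped ("Access to <path> has been
# restricted ..."). Extract the path so the list can be compared with the Additional Rules
# before a new Unrestricted path rule is added for a legitimate application.
$blocked = foreach ($e in $events) {
    $path = if ($e.Message -match 'Access to (.+?) has been restricted') { $matches[1] } else { $e.Message }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        UserSid = $e.UserId
        Path    = $path.Trim()
    }
}

# One row per distinct path, most recent block first, so repeated blocks of the same binary collapse.
$blocked | Sort-Object Path, Time -Descending | Group-Object Path | ForEach-Object {
    $_.Group | Select-Object -First 1
} | Format-Table Time, EventId, UserSid, Path -AutoSize
```

Run it on the client after the block screen appears; if the regular expression does not match the message text on your build, the full message is printed instead so nothing is lost.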
Simply allowing Paths is the most basic way to allow executables to run. However, this can potentially be subverted by an attacker creating files within the allowed Paths, even with the same name as expected executables if you have restricted by exact name. You can tighten the security further by restricting by other methods. Network Zone rules allow you to specify particular internet or intranet locations that MSI files can be executed from. This rule type is quite niche and I would not generally recommend its usage.
The most useful from a security perspective is the Hash rule. This actually takes a hash generated from a specific executable and ensures that this hash is matched before an executable is allowed to run.
This is very useful in high-security environments where you may be interested in also stopping compromised administrator accounts from executing untrusted code. However, there are caveats. The list of hashes must be updated every time an application is patched — so, if you allow Teams. Path rules are allowed for the installation and system directories, as the only people who can modify files in these locations belong to the Administrators group.
However, if you are in a high-security environment where Administrators also need to be subject to the rules, then creating Hash rules for every executable would be the way to proceed. This is a high-maintenance approach but it ensures that a compromised admin account cannot circumvent the rules — only the users who can add new Hash rules into Active Directory would be able to achieve this.
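The maintenance cost of Hash rules described above (every patch invalidates the rule for the patched binary) is easier to manage with a simple inventory. The script below is an added example, not the article's code: it records a SHA-256 baseline of the executables you have written Hash rules for and, on each re-run, reports which binaries have changed or disappeared so that their Hash rules can be regenerated in the policy editor. The CSV location and the two sample executables are assumptions for the example; SRP stores its own hash inside each rule, and this inventory only tracks drift between patch cycles. It needs Windows PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example, not the article's code. Keeps a SHA-256 inventory of the executables covered
# by Hash rules and reports which binaries have changed on disk, so the corresponding Hash
# rules can be regenerated in the policy editor after patching. The CSV path and the list of
# executables are assumptions for the example; SRP stores its own hash in each rule, this
# inventory only tracks drift. Requires Get-FileHash (Windows PowerShell 4.0+).

function New-SrpHashBaseline {
    param(
        [Parameter(Mandatory)][string[]]$Paths,
        [Parameter(Mandatory)][string]$BaselineCsv
    )
    $rows = foreach ($p in $Paths) {
        if (-not (Test-Path $p -PathType Leaf)) { Write-Warning "Missing: $p"; continue }
        $h = Get-FileHash -Path $p -Algorithm SHA256
        [pscustomobject]@{
            Path   = $p
            Sha256 = $h.Hash
            Size   = (Get-Item $p).Length
            Taken  = (Get-Date).ToString('s')
        }
    }
    $rows | Export-Csv -Path $BaselineCsv -NoTypeInformation
    return $rows
}

function Test-SrpHashBaseline {
    param([Parameter(Mandatory)][string]$BaselineCsv)
    $baseline = Import-Csv -Path $BaselineCsv
    foreach ($row in $baseline) {
        $state = if (-not (Test-Path $row.Path -PathType Leaf)) {
            'Missing'
        } elseif ((Get-FileHash -Path $row.Path -Algorithm SHA256).Hash -ne $row.Sha256) {
            'Changed'    # a patch replaced the binary; its Hash rule no longer matches
        } else {
            'Unchanged'
        }
        [pscustomobject]@{ Path = $row.Path; State = $state }
    }
}

# Usage (assumed paths): build the inventory once, re-run the test after each patch cycle.
$baseline = 'C:\SrpAdmin\hash-baseline.csv'
New-Item -ItemType Directory -Path (Split-Path $baseline) -Force | Out-Null
New-SrpHashBaseline -Paths @("$env:SystemRoot\regedit.exe", "$env:SystemRoot\notepad.exe") -BaselineCsv $baseline | Out-Null
Test-SrpHashBaseline -BaselineCsv $baseline | Where-Object State -ne 'Unchanged' | Format-Table -AutoSize
```

Anything reported as Changed needs a fresh Hash rule before the patched application will run again under a Disallowed default; anything reported as Missing is a rule you can retire.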
Sometimes Windows allows users Write access to system folders. This means that, potentially, a user could drop an executable into one of these folders and execute it, bypassing the rules because of the default allow configured for the system folders. There are multiple layers of defence that may protect you from this — antivirus, Windows file blocking, SmartScreen, etc.
You can use the SysInternals tool accesschk to identify folders that users have write access to. An example is shown below. This will then enforce the blocking of any executable content from the folders that users can place files within. What you can do is turn on a Registry key that performs SRP logging.
Be very careful here — if you delete the Additional Rules and leave the Security Level as Disallowed, you will effectively have broken your machine. You will be unable to even run a gpupdate to reverse the settings, so make sure you have a backup or snapshot before doing this! This will then log out to the specified file as rules are allowed to run, but be warned — this process seems a little hit and miss. We can see the user trying to run the executable from the network, from a local location, and then show the event logs that indicate the executable was blocked by SRP.
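The two housekeeping steps above (finding user-writable folders inside the allowed system areas with accesschk, then turning on the SRP log file) are combined in the following added example, which is not the article's own code. It assumes accesschk.exe from Sysinternals is on the PATH, that the session is elevated, and that the log path is a placeholder you will change. The script only reads the file system and adds the logging value under the Safer\CodeIdentifiers key; it never deletes Additional Rules, so it cannot cause the Disallowed lock-out warned about above. The folders it prints are candidates for Disallowed path rules, which you still add through the policy editor.

```powershell
# Added example, not the article's code. Finds directories under the system areas that members
# of Users can write to (the accesschk check the text describes) and switches on SRP's log file.
# Assumptions: accesschk.exe from Sysinternals is on PATH, the session is elevated, and the
# log path below is a placeholder. The script only reads the file system and adds the logging
# value; it never deletes Additional Rules.

param(
    [string[]]$Roots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}),
    [string]$LogFile = 'C:\SrpAdmin\srp.log'
)

function Get-UserWritableDirs {
    param([string]$Root, [string]$Principal = 'Users')
    if (-not $Root -or -not (Test-Path $Root)) { return @() }
    # -w: report only write access, -s: recurse, -u: suppress errors, -d: directories only.
    # accesschk prints matches as "RW <path>" or " W <path>"; strip that prefix.
    & accesschk.exe -accepteula -nobanner -w -s -u -d $Principal $Root 2>$null |
        ForEach-Object { ($_ -replace '^\s*R?W\s+', '').Trim() } |
        Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) }
}

function Enable-SrpLogging {
    param([string]$Path)
    # LogFileName under the Safer\CodeIdentifiers key makes SRP write a line for every
    # execution decision; as the article notes, this logging is somewhat hit and miss.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    New-ItemProperty -Path $key -Name 'LogFileName' -Value $Path -PropertyType String -Force | Out-Null
}

$writable = foreach ($r in $Roots) { Get-UserWritableDirs -Root $r }
$writable = $writable | Sort-Object -Unique

if ($writable) {
    Write-Host "User-writable directories inside allowed path rules (candidates for Disallowed path rules):"
    $writable | ForEach-Object { "  $_\*" }
} else {
    Write-Host "No user-writable directories found under: $($Roots -join ', ')"
}

Enable-SrpLogging -Path $LogFile
Write-Host "SRP logging enabled; decisions will be written to $LogFile."
```

Review the printed list by hand before creating rules: some of these folders (for example per-user temp locations under the system root) are expected to be writable, and a Disallowed rule on them is exactly the mitigation the text recommends, whereas others may indicate a permissions mistake worth fixing at the ACL level instead.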