General discussion

Locked

Locking down the Registry...

By ithink2020 ·
I would like to accomplish two things. First, I want to prevent users from installing/uninstalling software. The second then that I would like to do is prevent the users from making changes to the registry. Here is the tough part. We are runningQuark 4.1. If we take the users out of the ?Power Users? group, then Quark will not run. Is there any thing that I can do? Is there any software, shareware, or freeware that any one can recommend? Thank you.

This conversation is currently closed to new comments.

9 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

Locking down the Registry...

by ithink2020 In reply to Locking down the Registry ...

Point value changed by question poster.

Collapse -

Locking down the Registry...

by BeerMonster In reply to Locking down the Registry ...

Hi,
On a standard win2k install your basic users should be severely restricted when it comes to installing software anyway. I take it then that the bulk of your problems are being caused by having your users in the power users group. If that is the case then your best bet is to pin down exactly what permissions problems Quark is having when a normal (non power) user is trying to run it, and open your security just enough to get rid of the problem. Here's my method for doing this -

download filemon and regmon from www.sysinyternals.com. On a test machine log on as a non power user, and use 'runas' to run filemon and regmon as an admin. These two apps will show the results of every attempted registry or file access made on the pc. Asthe non power user, open up quark. Next scan the output of regmon and filemon for access denied errors. When you have located the offending files \ registry keys then open the security on them just enough for Quark to run successfully. Record the changes so that you can roll them out to your machines. once done you can remove your users from the power users group. Let me know if you need more info about this process.

Collapse -

Locking down the Registry...

by ithink2020 In reply to Locking down the Registry ...

Poster rated this answer

Collapse -

Locking down the Registry...

by Gigelul In reply to Locking down the Registry ...

I assume that you added domain users accounts to local Power users group and also these users can?t logon local.
If that is the situations you can implement a Policy Security (using Policy Editor). In a new policy you will find a default computer and a default user.
In these two items you can set <Allowed app to run>, <Restrict registry editing> and many other usefully options.
After you customize these save as Ntconfig.pol in your NETLOGON share on Domain Controller and Backup Domain Controller.
At next logon users will receive these settings/restrictions.
To avoid any mistake add in this policy the Domain Admin user with no restrictions.

Collapse -

Locking down the Registry...

by Gigelul In reply to Locking down the Registry ...

I don't have Win2k boxes, but Policy Security must be available also in Win2k.
In <allowed app> you must add all <exe>, <com>, <bat>, <cmd> files (all files from HDD) which are currently used/approved. Maybe in Win2k you have more options than in WinNT. I use a policy like this for our network.

Collapse -

Locking down the Registry...

by Gigelul In reply to Locking down the Registry ...

Yes, you have in Win2k more options.
You can read about GPO in Win2k here:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/howto/grpolwt.asp

Collapse -

Locking down the Registry...

by ithink2020 In reply to Locking down the Registry ...

Poster rated this answer

Collapse -

Locking down the Registry...

by ithink2020 In reply to Locking down the Registry ...

A couple things:

BeerMonster: Is there a way to roll this out over the network. We are running Win2k and Active Directory. We also run login scripts.

Florinel: This sounds like a NT4 option. Are there any options for Win2k? If this option is in Win2k, in the section <allowed app to run>, do I have to declare every app that the users use on a daily basis? Or does this just affect installers/uninstallers?

Collapse -

Locking down the Registry...

by ithink2020 In reply to Locking down the Registry ...

This question was closed by the author

Back to Windows Forum
9 total posts (Page 1 of 1)  

Related Discussions

Related Forums