Solved

How to lock-down the registry...

Posted on 2004-04-07
9
6,023 Views
Last Modified: 2008-01-16
Mainly so webpages can't hijack your homepage, disable you from changing your homepage, or disable you from accessing your registry. Would prefer a .vbs solution.
0
Comment
Question by:TheKenman
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
9 Comments
 
LVL 7

Author Comment

by:TheKenman
ID: 10774130
P.S. Registry must still be accessible by adminstrator.
0
 
LVL 21

Expert Comment

by:gemarti
ID: 10774406
Use a policy:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/205.asp

...and write a script that will enable/disable the policy.
0
 
LVL 21

Assisted Solution

by:gemarti
gemarti earned 150 total points
ID: 10774483
Okay...the first time I read this I really just looked at the title.

I would suggest that instead of writing a script I would purchase a piece of software that does this for you instead of trying to reinvent the wheel.

BlackICE is a very good application that will monitor your system for any attempted registry changes. You will be notified by a pop-up window when a change to the registry is attempted or if an unknow application trys to start up.
http://blackice.iss.net/
0
PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

 
LVL 21

Expert Comment

by:gemarti
ID: 10774512
Also, the professional version of AD-AWARE has a program called AD-WATCH. It doesn't stop a change to the registry, but it does tell you exactly where the change occurred.

Ad-aware : http://www.webattack.com/download/dladaware.shtml 
0
 
LVL 7

Author Comment

by:TheKenman
ID: 10774624
Those are decent suggestions for a home user, but in a corporate setting they are not feasible. Also the reason I would prefer a .vbs- so I can easily mass-deploy the solution.

Thanks though!
0
 
LVL 21

Expert Comment

by:gemarti
ID: 10774836
Well BlackICE comes in a Corporate level configuration.

The other option is the Policy that I suggested above.
0
 
LVL 4

Accepted Solution

by:
Veegertx earned 350 total points
ID: 10775677
Save all below to Enable Disable Homepage Change.vbs

'Enable Disable Homepage Change.vbs
'© Veegertx - 4/7/2004
'This code may be freely distributed/modified
Option Explicit
Dim WSHShell, RegKey, ValueA, Result
On Error Resume Next
Set WSHShell = CreateObject("WScript.Shell")
RegKey = "HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\"
ValueA = WSHShell.RegRead (regkey & "HomePage")

If ValueA = 0 Then 'Change Homepage is Enabled.
   Result = MsgBox("Ability to Change Homepage is currently [Enabled]." & _
        vbNewLine & "Would you like to Disable?" & _
        vbNewLine & "Will lock and Gray it out." & _
        vbNewLine & "May need to Log-off for effect.", 36)
   If Result = 6 Then 'clicked yes
      WSHShell.RegWrite regkey & "HomePage", 1
   End If
Else 'Change Homepage is Disabled
   Result = MsgBox("Ability to Change Homepage is currently [Disabled]." & _
        vbNewLine & "Would you like to Enable?", 36)
   If Result = 6 Then 'clicked yes
      WshShell.RegDelete "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage"
      'Delete Key cause it don't exist normally
   End If
End If
0
 
LVL 4

Expert Comment

by:Veegertx
ID: 10795523
Locking down the registry completely can be a daunting task
http://www.uksecurityonline.com/husdg/windowsxp/registry.htm
or MS XP version http://support.microsoft.com/default.aspx?kbid=314837
Requires setting permissions on the registry key's themselves and can even lock user's out from installing software, depends on how many User's you have on your PC. I studied the above pages some time back and decided against it myself. I just keep mjy virus and firewall updated and have had no problem. I also use the above reg edit to prevent homepage changing. I keep that key in my fav's list in my JUmp2Reg program though just in case.

Bottom of the 1st page is this though;
Also if you have the Windows 2000/XP Resource Kit then you can consider using the SUBINACL command to just replace the EVERYONE group wherever it is found with Authenticated Users.
0
 
LVL 7

Author Comment

by:TheKenman
ID: 10877163
Thanks guys, sorry it took so long to get back to this.
0

Featured Post

Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Migration of Exchange mailbox can be done with the ExProfre.exe tool. But at times, when the ExProfre.exe tool migrates the Exchange Server user profile, it results in numerous synchronization problems. Synchronization error messages appear in the e…
If your system is showing symptoms of browser hijacks or 'google search redirects' check out my other article (http://rdsrc.us/u3GP7A) first and run the tool TDSSKiller (http://rdsrc.us/GDBBs4) to get rid of the infection. Once done, and if the …
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question