Solved

Locking down Start-Run for public machines

Posted on 2007-04-05
Last Modified: 2013-12-04
I work for a medical university, and we have a couple of student-use computer labs. We use Group Policies to keep students out of certain things on the computers, such as opening Control Panels, changing desktop backgrounds, etc.

One of the policies we had enabled was the "Remove Run menu from Start Menu" option (User Config/Admin Templates/Start Menu and Taskbar). However, this has the added effect of also preventing users from accessing resources using UNC addresses in IE or Explorer. Which is a good thing, except we have found that this is preventing students from viewing videos streamed from a Microsoft Media Services server we have on campus for a Standardized Patient project. The web page students use for this app accesses videos using an MMS:// link, which seems to get blocked by the "Remove Run..." GP; or it makes a UNC call at some other point. I'm not really clear on the inner workings of MMS; regardless, I have tested and it works when the Remove Run is not set, and doesn't work when it is set.

So it looks like we will have to not use the Remove Run setting. However, now I'm concerned about what all students might be able to do if we give them this right back. We keep them from doing things like running Command Prompt, MMC, and Regedit using other GPs, but as I was experimenting I learned that Start-Run allows me to do a surprising amount of things, like open up Computer Management (compmgmt.msc), open up Admin Tools (control admintools), Event Viewer (eventvwr.msc), and I'm sure many other things I haven't thought of that we don't want our students playing with.

The Don't Run Specified Windows Applications GP seems like it might help (User Config/Admin Templates/System), however it only seems to work with .EXE files; any entries I put in for .MSC entries do not work correctly.

If anyone can point me to some other GP settings that might be helpful here, or suggest alternative ways to achieve what I need, I would be grateful.
Question by:mvogts
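
An added example, not part of the original thread: a PowerShell audit of the per-user registry values behind the settings named in the question, which also flags entries in the disallowed-applications list that are not bare .exe names. The registry paths are the usual locations for these policies; the policies listed for Command Prompt, Regedit and MMC are assumed to be the "other GPs" the question refers to, and the fallback entry list is constructed sample data.

```powershell
# Added example (not from the thread): audit the per-user lockdown policies
# named in the question. Paths are the usual registry backing for each setting.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$checks = @(
    @{ Policy = 'Remove Run menu from Start Menu'; Path = $explorer; Value = 'NoRun' }
    @{ Policy = "Don't run specified Windows applications"; Path = $explorer; Value = 'DisallowRun' }
    @{ Policy = 'Prevent access to the command prompt'
       Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'; Value = 'DisableCMD' }
    @{ Policy = 'Prevent access to registry editing tools'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Value = 'DisableRegistryTools' }
    @{ Policy = 'Restrict users to the explicitly permitted list of snap-ins'
       Path = 'HKCU:\Software\Policies\Microsoft\MMC'; Value = 'RestrictToPermittedSnapins' }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Value)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Value -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Value }
}

function Get-DisallowRunEntries {
    # The blocked names are stored as string values under the DisallowRun subkey.
    $key = Join-Path $explorer 'DisallowRun'
    if (-not (Test-Path $key)) { return @() }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { [string]$_.Value }
}

function Test-DisallowRunEntry {
    param([string[]]$Entries)
    # Flags anything that is not a bare .exe file name, the kind of entry
    # the question reports as having no effect (for example .msc names).
    foreach ($e in $Entries) {
        [pscustomobject]@{ Entry = $e; IsExeName = ($e -match '^[^\\/]+\.exe$') }
    }
}

$checks | ForEach-Object {
    $v = Get-PolicyValue -Path $_.Path -Value $_.Value
    [pscustomobject]@{ Policy = $_.Policy
                       State  = if ($null -eq $v) { 'Not configured' } else { "Set ($v)" } }
} | Format-Table -AutoSize

$entries = @(Get-DisallowRunEntries)
# Constructed sample list, used only when no policy list exists on this machine.
if ($entries.Count -eq 0) { $entries = @('regedit.exe', 'compmgmt.msc', 'eventvwr.msc') }
Test-DisallowRunEntry -Entries $entries | Format-Table -AutoSize
```

Run it in the session of a test student account, since all of these values live under that user's HKCU hive.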
6 Comments
 

Expert Comment

by:Tolomir
ID: 18858106
How about creating a guest account.

It has all important features disabled.

Use that instead. Of course, make sure your video streaming / web browser is still working properly.

Tolomir

Expert Comment

by:Tolomir
ID: 18858123
Description of the Guest account in Windows XP

http://support.microsoft.com/kb/300489

When you use the Guest account to log on, the following activities apply:
• You do not require a password.
• You cannot install software or hardware.
• You cannot change the Guest account type.
• You cannot create a password for the account.
• You cannot change the Guest account picture.
• You cannot access the applications that have already been installed on the computer.
• You cannot access the files in the Shared Documents folder.
• You cannot access the files in the Guest profile.

Accepted Solution

by:
r-k earned 500 total points
ID: 18858153
Maybe you can just hide the Run command by using the method described at:

 http://www.xp-tips.com/remove-run.shtml

But note that this is not foolproof because Win-R on the keyboard will still work for the clever user.

Author Comment

by:mvogts
ID: 18859279
Guest account isn't an option. In the past we used generic accounts on the student use machines and had issues with "inappropriate" things showing up on them once in a while. We implemented individual accounts for each student (with Roaming Profiles) to introduce accountability for them into the mix.

That tip for an alternate method of removing the Run command looks promising, but I suspect that might be profile specific? It's something we could maybe set on the default profile on the machines. Have to look into that later on today.
 

Author Comment

by:mvogts
ID: 18860459
Looks like that setting works great and is easy to set. Whether we do it or not remains to be seen; the current thinking is that since we have students logging on as themselves, we have accountability if something does get jacked up. At any rate, thx for the info.

Expert Comment

by:r-k
ID: 18860477
Great. It should foil many of them. Thanks.