Solved

Locking down Start-Run for public machines

Posted on 2007-04-05
6
256 Views
Last Modified: 2013-12-04
I work for a medical university, and we have a couple of student-use computer labs. We use Group Policies to keep students out of certain things on the computers, such as opening Control Panels, changing desktop backgrounds, etc.

One of the policies we had enabled was the "Remove Run menu from Start Menu" option (User Config/Admin Templates/Start Menu and Taskbar). However this has the added effect of also preventing users from accessing resources using UNC addresses in IE or Explorer. Which is a good thing, except we have found that this is preventing students from viewing videos streamed from a Microsoft Media Services server we have on campus for a Standardized Patient project. The web page students use for this app accesses videos using a MMS:// link, which seems to get blocked by the "Remove Run..." GP;  or it makes a UNC call at some other point, I'm not really clear on the inner workings of MMS, regardless I have tested and it works when the Remove Run is not set, doesn't work when it is set.

So it looks like we will have to not use the Remove Run setting. However now I'm concerned about what all students might be able to do if we give them this right back. We keep them from doing things like running Command Prompt, MMC, and Regedit using other GP's, but as I was experimenting I learned that Start-Run allows me to do a suprising amount of things, like open up Computer Management (compmgmt.msc), open up Admin Tools (control admintools), Event Viewer (eventvwr.msc), and I'm sure many other things I haven't thought of that we don't want our students playing with.

The Don't Run Specified Windows Applications GP seems like it might help (User Config/Admin Templates/System), however it only seems to work with .EXE files; any entries I put in for .MSC entries do not work correctly.

If anyone can point me to some other GP settings that might be helpful here, or suggest alternative ways to achieve what I need, I would be grateful.
0
Comment
Question by:mvogts
  • 2
  • 2
  • 2
6 Comments
 
LVL 27

Expert Comment

by:Tolomir
ID: 18858106
How about creating a guest account.

It has all important features disabled.

Use that instead. Of cause make sure, your video streaming / web browser is still working properly.

Tolomir
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 18858123
Description of the Guest account in Windows XP

http://support.microsoft.com/kb/300489

When you use the Guest account to log on, the following activities apply:
•      You do not require a password.
•      You cannot install software or hardware.
•      You cannot change the Guest account type.
•      You cannot create a password for the account.
•      You cannot change the Guest account picture.
•      You cannot access the applications that have already been installed on the computer.
•      You cannot access the files in the Shared Documents folder.
•      You cannot access the files in the Guest profile.
0
 
LVL 32

Accepted Solution

by:
r-k earned 500 total points
ID: 18858153
Maybe you can just hide the Run command by using the method described at:

 http://www.xp-tips.com/remove-run.shtml

But note that this is not foolproof bevause Win-R on the keyboard will still work for the clever user.
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 

Author Comment

by:mvogts
ID: 18859279
Guest account isn't an option. In the past we used generic accounts on the student use machines and had issues with "inappropriate" things showing up on them once in a while. We implemented individual accounts for each student (with Roaming Profiles) to introduce accountability for them into the mix.

That tip for an alternate method of removing the Run command looks promising, but I suspect that might be profile specific? It's something we could maybe set on the default profile on the machines. Have to look into that later on today.
0
 

Author Comment

by:mvogts
ID: 18860459
Looks like that setting works great and is easy to set. Whether we do it or not remains to be seen; the current thinking is that since we have students logging on as themselves, we have accountability if something does get jacked up. At any rate, thx for the info.
0
 
LVL 32

Expert Comment

by:r-k
ID: 18860477
Great. It should foil many of them. Thanks.
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Common practice undertaken by most system administrators is to document the configurations and final solutions of anything performed by them for their future use and reference. So here I am going to explain how to export ISA Server 2004 Firewall pol…
Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question