Locking down Start-Run for public machines

Posted on 2007-04-05
Last Modified: 2013-12-04
I work for a medical university, and we have a couple of student-use computer labs. We use Group Policies to keep students out of certain things on the computers, such as opening Control Panels, changing desktop backgrounds, etc.

One of the policies we had enabled was the "Remove Run menu from Start Menu" option (User Config/Admin Templates/Start Menu and Taskbar). However, this has the added effect of also preventing users from accessing resources using UNC addresses in IE or Explorer. Which is a good thing, except we have found that this is preventing students from viewing videos streamed from a Microsoft Media Services server we have on campus for a Standardized Patient project. The web page students use for this app accesses videos using an MMS:// link, which seems to get blocked by the "Remove Run..." GP, or it makes a UNC call at some other point; I'm not really clear on the inner workings of MMS. Regardless, I have tested, and it works when the Remove Run is not set and doesn't work when it is set.

So it looks like we will have to not use the Remove Run setting. However, now I'm concerned about what all students might be able to do if we give them this right back. We keep them from doing things like running Command Prompt, MMC, and Regedit using other GPs, but as I was experimenting I learned that Start-Run allows me to do a surprising amount of things, like open up Computer Management (compmgmt.msc), open up Admin Tools (control admintools), Event Viewer (eventvwr.msc), and I'm sure many other things I haven't thought of that we don't want our students playing with.

The Don't Run Specified Windows Applications GP seems like it might help (User Config/Admin Templates/System), however it only seems to work with .EXE files; any entries I put in for .MSC entries do not work correctly.

If anyone can point me to some other GP settings that might be helpful here, or suggest alternative ways to achieve what I need, I would be grateful.
Question by:mvogts
6 Comments
 
LVL 27

Expert Comment

by:Tolomir
ID: 18858106
How about creating a guest account.

It has all important features disabled.

Use that instead. Of course, make sure your video streaming / web browser is still working properly.

Tolomir
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 18858123
Description of the Guest account in Windows XP

http://support.microsoft.com/kb/300489

When you use the Guest account to log on, the following activities apply:
• You do not require a password.
• You cannot install software or hardware.
• You cannot change the Guest account type.
• You cannot create a password for the account.
• You cannot change the Guest account picture.
• You cannot access the applications that have already been installed on the computer.
• You cannot access the files in the Shared Documents folder.
• You cannot access the files in the Guest profile.
0
 
LVL 32

Accepted Solution

by:
r-k earned 2000 total points
ID: 18858153
Maybe you can just hide the Run command by using the method described at:

 http://www.xp-tips.com/remove-run.shtml

But note that this is not foolproof because Win-R on the keyboard will still work for the clever user.
0
 

Author Comment

by:mvogts
ID: 18859279
Guest account isn't an option. In the past we used generic accounts on the student use machines and had issues with "inappropriate" things showing up on them once in a while. We implemented individual accounts for each student (with Roaming Profiles) to introduce accountability for them into the mix.

That tip for an alternate method of removing the Run command looks promising, but I suspect that might be profile specific? It's something we could maybe set on the default profile on the machines. Have to look into that later on today.
0
 

Author Comment

by:mvogts
ID: 18860459
Looks like that setting works great and is easy to set. Whether we do it or not remains to be seen; the current thinking is that since we have students logging on as themselves, we have accountability if something does get jacked up. At any rate, thx for the info.
0
 
LVL 32

Expert Comment

by:r-k
ID: 18860477
Great. It should foil many of them. Thanks.
0
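
Added example (not posted by anyone in this thread): a read-only PowerShell audit, run as a test student account, that reports which of the per-user lockdown policies discussed above are in effect and lists the "Don't run specified Windows applications" entries, flagging any that are not .exe names, since the question reports that .msc entries do not work there (a .msc file is a console document opened by mmc.exe). The registry locations are the ones these policies normally write to and are an assumption to verify against your own administrative templates.

```powershell
# Added example: report which per-user lockdown policies apply to the
# logged-on user. Read-only. Registry paths are assumed standard locations.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$checks = @(
    @{ Name = 'Remove Run menu from Start Menu'
       Path = $explorer; Value = 'NoRun' },
    @{ Name = "Don't run specified Windows applications"
       Path = $explorer; Value = 'DisallowRun' },
    @{ Name = 'Prevent access to the command prompt'
       Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'; Value = 'DisableCMD' },
    @{ Name = 'Prevent access to registry editing tools'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'DisableRegistryTools' },
    @{ Name = 'MMC: restrict users to permitted snap-ins'
       Path = 'HKCU:\Software\Policies\Microsoft\MMC'; Value = 'RestrictToPermittedSnapins' }
)

function Get-PolicyValue([string]$Path, [string]$Value) {
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Value -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Value }
}

foreach ($c in $checks) {
    $v = Get-PolicyValue $c.Path $c.Value
    $state = if ($null -eq $v) { 'not configured' }
             elseif ($v -ne 0) { "enabled ($v)" }
             else { 'disabled (0)' }
    '{0,-45} {1}' -f $c.Name, $state
}

# List the DisallowRun entries and flag the ones that are not .exe names.
$listKey = "$explorer\DisallowRun"
if (Test-Path $listKey) {
    $key = Get-Item $listKey
    foreach ($n in $key.GetValueNames()) {
        $entry = [string]$key.GetValue($n)
        $note = if ($entry -notmatch '\.exe$') { 'not an .exe name' } else { 'ok' }
        '  DisallowRun[{0}] = {1}  ({2})' -f $n, $entry, $note
    }
} else {
    '  No DisallowRun list found for this user.'
}
```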
