Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Disable Right Click>Run As using Group Policy

Posted on 2010-11-16
8
Medium Priority
?
4,697 Views
Last Modified: 2012-06-27
Hello, I was wondering if it is possible to set up the accounts in Active Directory to disable the option to right click and run as command.  I DON'T want to stop the option of right clicking on a file but want to fully disable the use of using Run As option. I have found out this is how alot of users can get past locked down applications within our network.

Ideally I would like to set this up using Group Policy rather than an individual edit the registry on each machine.

Is this possible?
0
Comment
Question by:alumwell
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 14

Expert Comment

by:athomsfere
ID: 34146560
Are they running as another user?
0
 
LVL 3

Expert Comment

by:meindertjanw
ID: 34146568
If you know what registry entries you need to modify, you can also write a startup script to check and, if necessary, modify the register values on all local machines.
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 34146601
You could probably just stop the secondary logon service through gorup policy.
0
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 15

Expert Comment

by:JBond2010
ID: 34146628
You can disable RunAs using the Software Restriction Policies feature of Group Policy. To do this, open the appropriate GPO in the Group Policy Object Editor and locate the following node in the console tree:

computer configuration/windows settings/security settings/software restriction policies

Right click on this node and select New Software Restriction Policies, then right click on the Additional Rules and select New Path Rule. Now type the parth to runas.exe and make sure the policy is set to disallowed.
0
 
LVL 35

Assisted Solution

by:Joseph Daly
Joseph Daly earned 1000 total points
ID: 34146674
If you decide to use the method I mentioned above by blocking the secondary logon service you can do so by using.

Computer configuration | Windows settings | security settings | System Services

Select the service and set to disabled.
0
 
LVL 10

Expert Comment

by:moon_blue69
ID: 34146686
Reply to (JBond2010)
Hi

This could mean the user could copy the run as.exe to another location and run it. Hash rule would be better. I understand if you move it from there it wont be accessible from the right click menu. But can be accessed from command prompt.

0
 
LVL 15

Expert Comment

by:JBond2010
ID: 34146717
@xxdcmast This would also depends on what other policies are configured on the network and what priviledges the users currently have.
0
 
LVL 6

Accepted Solution

by:
Kris Montgomery earned 1000 total points
ID: 34146730
Hi!

Here is a link to show you exactly what you need:
http://windowsdevcenter.com/pub/a/windows/2004/03/16/serverhacks_runas.html

Thanks!

mug
0

Featured Post

NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hey fellow admins! This time, I have a little fairy tale for you. As many tales do, it starts boring and then gets pretty gory. I hope you like it. TL;DR: It is about an important security matter, you should read it if you run or administer Windows …
How does someone stay on the right and legal side of the hacking world?
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question