Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Disable Right Click>Run As using Group Policy

Posted on 2010-11-16
8
Medium Priority
?
4,966 Views
Last Modified: 2012-06-27
Hello, I was wondering if it is possible to set up the accounts in Active Directory to disable the option to right click and run as command.  I DON'T want to stop the option of right clicking on a file but want to fully disable the use of using Run As option. I have found out this is how alot of users can get past locked down applications within our network.

Ideally I would like to set this up using Group Policy rather than an individual edit the registry on each machine.

Is this possible?
0
Comment
Question by:alumwell
8 Comments
 
LVL 14

Expert Comment

by:athomsfere
ID: 34146560
Are they running as another user?
0
 
LVL 3

Expert Comment

by:meindertjanw
ID: 34146568
If you know what registry entries you need to modify, you can also write a startup script to check and, if necessary, modify the register values on all local machines.
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 34146601
You could probably just stop the secondary logon service through gorup policy.
0
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

 
LVL 15

Expert Comment

by:JBond2010
ID: 34146628
You can disable RunAs using the Software Restriction Policies feature of Group Policy. To do this, open the appropriate GPO in the Group Policy Object Editor and locate the following node in the console tree:

computer configuration/windows settings/security settings/software restriction policies

Right click on this node and select New Software Restriction Policies, then right click on the Additional Rules and select New Path Rule. Now type the parth to runas.exe and make sure the policy is set to disallowed.
0
 
LVL 35

Assisted Solution

by:Joseph Daly
Joseph Daly earned 1000 total points
ID: 34146674
If you decide to use the method I mentioned above by blocking the secondary logon service you can do so by using.

Computer configuration | Windows settings | security settings | System Services

Select the service and set to disabled.
0
 
LVL 10

Expert Comment

by:moon_blue69
ID: 34146686
Reply to (JBond2010)
Hi

This could mean the user could copy the run as.exe to another location and run it. Hash rule would be better. I understand if you move it from there it wont be accessible from the right click menu. But can be accessed from command prompt.

0
 
LVL 15

Expert Comment

by:JBond2010
ID: 34146717
@xxdcmast This would also depends on what other policies are configured on the network and what priviledges the users currently have.
0
 
LVL 6

Accepted Solution

by:
Kris Montgomery earned 1000 total points
ID: 34146730
Hi!

Here is a link to show you exactly what you need:
http://windowsdevcenter.com/pub/a/windows/2004/03/16/serverhacks_runas.html

Thanks!

mug
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are like me and like multiple layers of protection, read on!
With the evolution of technology, we have finally reached a point where it is possible to have home automation features like having your thermostat turn up and door lock itself when you leave, as well as a complete home security system. This is a st…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

963 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question