Disable Right Click>Run As using Group Policy

Hello, I was wondering if it is possible to set up the accounts in Active Directory to disable the option to right click and run as command.  I DON'T want to stop the option of right clicking on a file but want to fully disable the use of using Run As option. I have found out this is how alot of users can get past locked down applications within our network.

Ideally I would like to set this up using Group Policy rather than an individual edit the registry on each machine.

Is this possible?
alumwellAsked:
Who is Participating?
 
Kris MontgomeryCommented:
Hi!

Here is a link to show you exactly what you need:
http://windowsdevcenter.com/pub/a/windows/2004/03/16/serverhacks_runas.html

Thanks!

mug
0
 
athomsfereCommented:
Are they running as another user?
0
 
meindertjanwCommented:
If you know what registry entries you need to modify, you can also write a startup script to check and, if necessary, modify the register values on all local machines.
0
How do you know if your security is working?

Protecting your business doesn’t have to mean sifting through endless alerts and notifications. With WatchGuard Total Security Suite, you can feel confident that your business is secure, meaning you can get back to the things that have been sitting on your to-do list.

 
Joseph DalyCommented:
You could probably just stop the secondary logon service through gorup policy.
0
 
JamesSenior Cloud Infrastructure EngineerCommented:
You can disable RunAs using the Software Restriction Policies feature of Group Policy. To do this, open the appropriate GPO in the Group Policy Object Editor and locate the following node in the console tree:

computer configuration/windows settings/security settings/software restriction policies

Right click on this node and select New Software Restriction Policies, then right click on the Additional Rules and select New Path Rule. Now type the parth to runas.exe and make sure the policy is set to disallowed.
0
 
Joseph DalyCommented:
If you decide to use the method I mentioned above by blocking the secondary logon service you can do so by using.

Computer configuration | Windows settings | security settings | System Services

Select the service and set to disabled.
0
 
moon_blue69Commented:
Reply to (JBond2010)
Hi

This could mean the user could copy the run as.exe to another location and run it. Hash rule would be better. I understand if you move it from there it wont be accessible from the right click menu. But can be accessed from command prompt.

0
 
JamesSenior Cloud Infrastructure EngineerCommented:
@xxdcmast This would also depends on what other policies are configured on the network and what priviledges the users currently have.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.