Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Disable Right Click>Run As using Group Policy

Posted on 2010-11-16
8
Medium Priority
?
5,165 Views
Last Modified: 2012-06-27
Hello, I was wondering if it is possible to set up the accounts in Active Directory to disable the option to right click and run as command.  I DON'T want to stop the option of right clicking on a file but want to fully disable the use of using Run As option. I have found out this is how alot of users can get past locked down applications within our network.

Ideally I would like to set this up using Group Policy rather than an individual edit the registry on each machine.

Is this possible?
0
Comment
Question by:alumwell
8 Comments
 
LVL 14

Expert Comment

by:athomsfere
ID: 34146560
Are they running as another user?
0
 
LVL 3

Expert Comment

by:meindertjanw
ID: 34146568
If you know what registry entries you need to modify, you can also write a startup script to check and, if necessary, modify the register values on all local machines.
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 34146601
You could probably just stop the secondary logon service through gorup policy.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 15

Expert Comment

by:JBond2010
ID: 34146628
You can disable RunAs using the Software Restriction Policies feature of Group Policy. To do this, open the appropriate GPO in the Group Policy Object Editor and locate the following node in the console tree:

computer configuration/windows settings/security settings/software restriction policies

Right click on this node and select New Software Restriction Policies, then right click on the Additional Rules and select New Path Rule. Now type the parth to runas.exe and make sure the policy is set to disallowed.
0
 
LVL 35

Assisted Solution

by:Joseph Daly
Joseph Daly earned 1000 total points
ID: 34146674
If you decide to use the method I mentioned above by blocking the secondary logon service you can do so by using.

Computer configuration | Windows settings | security settings | System Services

Select the service and set to disabled.
0
 
LVL 10

Expert Comment

by:moon_blue69
ID: 34146686
Reply to (JBond2010)
Hi

This could mean the user could copy the run as.exe to another location and run it. Hash rule would be better. I understand if you move it from there it wont be accessible from the right click menu. But can be accessed from command prompt.

0
 
LVL 15

Expert Comment

by:JBond2010
ID: 34146717
@xxdcmast This would also depends on what other policies are configured on the network and what priviledges the users currently have.
0
 
LVL 6

Accepted Solution

by:
Kris Montgomery earned 1000 total points
ID: 34146730
Hi!

Here is a link to show you exactly what you need:
http://windowsdevcenter.com/pub/a/windows/2004/03/16/serverhacks_runas.html

Thanks!

mug
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s a season to be thankful, and we’re thankful for users like you who engage on site, solve technology problems, and network with others in the industry. What tech are we most thankful for? Keep reading.
Sometimes it necessary to set special permissions on user objects.  For instance when using a Blackberry server, the SendAs permission needs to be set. I see many admins struggle with the setting that permission only to see it disappear within a few…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

577 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question