prevent a user from creating new Remote Access Connections

Hello everybody
I need a way to prevent a user (and all programs running with its
rights!!) from creating new Remote Access Connections.
I tried to use the windows criteria in gpedit.msc, i can find criteria
about preventing deletion, opening/stopping previous created ones, but
nothing about what I need!
This should be a very important security option ... think to those
malicious little, subtle, programs from the web that install
themselves very quickly, creates new connections to very expensive pay
numbers ... they can easily fool children or not expert people ... It
would be very easy to avoid that only by allowing only to
administrators to create new connections, giving to such users only a
non administrative accounts!!
Is there anyone who can accomplish that?
Thank You very much in advance!
Stefano B

With a little patience and a lot of persistence you can find the
right directives in the Group Editor that meet your management needs.
here you can disable the Control Panel, the Run command, the
Command prompt, the Taskmanager and also configure system
directives to prevent programs from running:

User Configuration\Management Templates\Control Panel\
enable; "Prohibit access to the Control Panel"
Removes access to the Control Panel to prevent users from
creating new remote access connection in Control Panel\
System\Remote Access

In Start Menu and Taskbar\enable; "Remove the Run menu
from the start menu".....
Prevents access to the Run command is so they can not run
programs by typing program's executables

In System\enable; "prevent access to command prompt"
Removes access to the command prompt to prevent
running programs from there.

In the ctrl+alt+del options folder, enable\remove taskmanager
Disable taskmanager so programs cannot be executed by
the New Task command.

In System\enable; "do not execute specified windows applications"
click on; show\add\type; program.exe (program's executables)
The programs here mentioned can be disabled for users adding the,
to this directive therefore this may be all you have to configure,
EG: add programs as;
cmd.exe (is command prompt)
tskmngr.exe (is taskmanager)
control.exe (is control panel)
If you wish to disable other programs, add their executables here...
you can get the executables from the taskmanager with the
specific program running.


----------Original Message---------------------
"Stefano B." <stefboombastic@libero.it> escribió en el mensaje
news:311f11e3.0412020025.30868bbd@posting.google.com...
> Hello everybody
> I need a way to prevent a user (and all programs running with its
> rights!!) from creating new Remote Access Connections.
> I tried to use the windows criteria in gpedit.msc, i can find criteria
> about preventing deletion, opening/stopping previous created ones, but
> nothing about what I need!
> This should be a very important security option ... think to those
> malicious little, subtle, programs from the web that install
> themselves very quickly, creates new connections to very expensive pay
> numbers ... they can easily fool children or not expert people ... It
> would be very easy to avoid that only by allowing only to
> administrators to create new connections, giving to such users only a
> non administrative accounts!!
> Is there anyone who can accomplish that?
> Thank You very much in advance!
> Stefano B

However, in a non-domain environment, the settings in GPEDIT apply to all users, not just limited users.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"Juan" <soyquiensoy@terra.com> wrote in message news:OsX%23D6F2EHA.2788@TK2MSFTNGP15.phx.gbl...
> With a little patience and a lot of persistence you can find the
> right directives in the Group Editor that meet your management needs.
> here you can disable the Control Panel, the Run command, the
> Command prompt, the Taskmanager and also configure system
> directives to prevent programs from running:
>
> User Configuration\Management Templates\Control Panel\
> enable; "Prohibit access to the Control Panel"
> Removes access to the Control Panel to prevent users from
> creating new remote access connection in Control Panel\
> System\Remote Access
>
> In Start Menu and Taskbar\enable; "Remove the Run menu
> from the start menu".....
> Prevents access to the Run command is so they can not run
> programs by typing program's executables
>
> In System\enable; "prevent access to command prompt"
> Removes access to the command prompt to prevent
> running programs from there.
>
> In the ctrl+alt+del options folder, enable\remove taskmanager
> Disable taskmanager so programs cannot be executed by
> the New Task command.
>
> In System\enable; "do not execute specified windows applications"
> click on; show\add\type; program.exe (program's executables)
> The programs here mentioned can be disabled for users adding the,
> to this directive therefore this may be all you have to configure,
> EG: add programs as;
> cmd.exe (is command prompt)
> tskmngr.exe (is taskmanager)
> control.exe (is control panel)
> If you wish to disable other programs, add their executables here...
> you can get the executables from the taskmanager with the
> specific program running.
>
>
> ----------Original Message---------------------
> "Stefano B." <stefboombastic@libero.it> escribió en el mensaje
> news:311f11e3.0412020025.30868bbd@posting.google.com...
>> Hello everybody
>> I need a way to prevent a user (and all programs running with its
>> rights!!) from creating new Remote Access Connections.
>> I tried to use the windows criteria in gpedit.msc, i can find criteria
>> about preventing deletion, opening/stopping previous created ones, but
>> nothing about what I need!
>> This should be a very important security option ... think to those
>> malicious little, subtle, programs from the web that install
>> themselves very quickly, creates new connections to very expensive pay
>> numbers ... they can easily fool children or not expert people ... It
>> would be very easy to avoid that only by allowing only to
>> administrators to create new connections, giving to such users only a
>> non administrative accounts!!
>> Is there anyone who can accomplish that?
>> Thank You very much in advance!
>> Stefano B
>
>

You may want to take a look at www.dougknox.com, Win XP Utilities, Windows XP Security Console.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"Stefano B." <stefboombastic@libero.it> wrote in message news:311f11e3.0412020025.30868bbd@posting.google.com...
> Hello everybody
> I need a way to prevent a user (and all programs running with its
> rights!!) from creating new Remote Access Connections.
> I tried to use the windows criteria in gpedit.msc, i can find criteria
> about preventing deletion, opening/stopping previous created ones, but
> nothing about what I need!
> This should be a very important security option ... think to those
> malicious little, subtle, programs from the web that install
> themselves very quickly, creates new connections to very expensive pay
> numbers ... they can easily fool children or not expert people ... It
> would be very easy to avoid that only by allowing only to
> administrators to create new connections, giving to such users only a
> non administrative accounts!!
> Is there anyone who can accomplish that?
> Thank You very much in advance!
> Stefano B

Additionally, at least in SP2, there is a setting for users, in GPEDIT (User Configuration, Administrative Templates, Network, Network Connections). Prohibit access to the New Connection Wizard.

Note: This will not stop software from creating one manually by modifying the Registry and other system objects.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"Stefano B." <stefboombastic@libero.it> wrote in message news:311f11e3.0412020025.30868bbd@posting.google.com...
> Hello everybody
> I need a way to prevent a user (and all programs running with its
> rights!!) from creating new Remote Access Connections.
> I tried to use the windows criteria in gpedit.msc, i can find criteria
> about preventing deletion, opening/stopping previous created ones, but
> nothing about what I need!
> This should be a very important security option ... think to those
> malicious little, subtle, programs from the web that install
> themselves very quickly, creates new connections to very expensive pay
> numbers ... they can easily fool children or not expert people ... It
> would be very easy to avoid that only by allowing only to
> administrators to create new connections, giving to such users only a
> non administrative accounts!!
> Is there anyone who can accomplish that?
> Thank You very much in advance!
> Stefano B

Thank You very much for Your reply!
It sounds like killing a fly with a cannon
But the most important menace is not removed ... I don't want that hostile
external programs create their connections to very expensive (often
obscene ) numbers!!!
I could set the protection settings of those by myself ... but what about
the user environment ... any program running with his rights continue to be
able to create those connections!!
And of course I can't foresee the names of executables coming from the net!!
Any idea?
Stefano B.

"Juan" <soyquiensoy@terra.com> ha scritto nel messaggio
news:OsX#D6F2EHA.2788@TK2MSFTNGP15.phx.gbl...
> With a little patience and a lot of persistence you can find the
> right directives in the Group Editor that meet your management needs.
> here you can disable the Control Panel, the Run command, the
> Command prompt, the Taskmanager and also configure system
> directives to prevent programs from running:
>
> User Configuration\Management Templates\Control Panel\
> enable; "Prohibit access to the Control Panel"
> Removes access to the Control Panel to prevent users from
> creating new remote access connection in Control Panel\
> System\Remote Access
>
> In Start Menu and Taskbar\enable; "Remove the Run menu
> from the start menu".....
> Prevents access to the Run command is so they can not run
> programs by typing program's executables
>
> In System\enable; "prevent access to command prompt"
> Removes access to the command prompt to prevent
> running programs from there.
>
> In the ctrl+alt+del options folder, enable\remove taskmanager
> Disable taskmanager so programs cannot be executed by
> the New Task command.
>
> In System\enable; "do not execute specified windows applications"
> click on; show\add\type; program.exe (program's executables)
> The programs here mentioned can be disabled for users adding the,
> to this directive therefore this may be all you have to configure,
> EG: add programs as;
> cmd.exe (is command prompt)
> tskmngr.exe (is taskmanager)
> control.exe (is control panel)
> If you wish to disable other programs, add their executables here...
> you can get the executables from the taskmanager with the
> specific program running.
>
>
>

Thanks for reply!

>"Doug Knox MS-MVP" <dknox@mvps.org> ha scritto nel messaggio
news:OMuHI0O2EHA.2572@tk2msftngp13.phx.gbl...
>Additionally, at least in SP2, there is a setting for users, in GPEDIT
(User Configuration, Administrative Templates, Network, Network
>Connections). Prohibit access to the New Connection Wizard.

I have not the SP2 but I already have that option!

>Note: This will not stop software from creating one manually by modifying
the Registry and other system objects.

THAT'S THE PROBLEM!!!

>"Doug Knox MS-MVP" <dknox@mvps.org> ha scritto nel messaggio
news:OXL0LxO2EHA.3468@TK2MSFTNGP14.phx.gbl...
>You may want to take a look at www.dougknox.com, Win XP Utilities, Windows
XP Security Console.

Your support for Juvenile Diabetes Research Foundation gives You a lot of
honor ... I help (in his studies) one young friend of mine who has such
illness and so I know what it means ;(

Is there any source code available for developers for those utilities? (I'm
a young programmer student)

Thank You for all Your help!
Stefano B.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"Stefano B." <stefboombastic@libero.it> wrote in message
news:311f11e3.0412020025.30868bbd@posting.google.com...
> Hello everybody
> I need a way to prevent a user (and all programs running with its
> rights!!) from creating new Remote Access Connections.
> I tried to use the windows criteria in gpedit.msc, i can find criteria
> about preventing deletion, opening/stopping previous created ones, but
> nothing about what I need!
> This should be a very important security option ... think to those
> malicious little, subtle, programs from the web that install
> themselves very quickly, creates new connections to very expensive pay
> numbers ... they can easily fool children or not expert people ... It
> would be very easy to avoid that only by allowing only to
> administrators to create new connections, giving to such users only a
> non administrative accounts!!
> Is there anyone who can accomplish that?
> Thank You very much in advance!
> Stefano B

About the only thing you can do in this case, is to modify the Registry permissions, for the keys involved.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"Stefano Bonifazi" <stefboombastic@email.it> wrote in message news:%23Ks6xEX2EHA.2192@TK2MSFTNGP14.phx.gbl...
> Thanks for reply!
>
>>"Doug Knox MS-MVP" <dknox@mvps.org> ha scritto nel messaggio
> news:OMuHI0O2EHA.2572@tk2msftngp13.phx.gbl...
>>Additionally, at least in SP2, there is a setting for users, in GPEDIT
> (User Configuration, Administrative Templates, Network, Network
>>Connections). Prohibit access to the New Connection Wizard.
>
> I have not the SP2 but I already have that option!
>
>>Note: This will not stop software from creating one manually by modifying
> the Registry and other system objects.
>
> THAT'S THE PROBLEM!!!
>
>
>
>
>

Hi!
I searched the registry but it seems RAS does not rely on it!!
Anyway I found a drastic way to get my goal: I negate any access to
"rasapi32.dll" to the user, so no programs running under his privileges can
create new accounts ... the drawback is that now the user cannot connect to
internet at all!
As a developer I thought to create a simple service that enables that dll
for the user only for the time needed to connect/disconnect, and keep it out
of access during internet navigations...
A better approch would be a hooking to "rasapi32.dll" to block the use of
the specific function that creates new accounts, but I think that goes
beyond my skill ... I'm only a student
What do You think about?
Regards,
Stefano B.

P.S. Why do not Microsoft do something for this security hole? Is there a
way to suggest them to do something?

"Doug Knox MS-MVP" <dknox@mvps.org> ha scritto nel messaggio
news:OyHgeQX2EHA.3392@TK2MSFTNGP10.phx.gbl...
About the only thing you can do in this case, is to modify the Registry
permissions, for the keys involved.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"Stefano Bonifazi" <stefboombastic@email.it> wrote in message
news:%23Ks6xEX2EHA.2192@TK2MSFTNGP14.phx.gbl...
> Thanks for reply!
>
>>"Doug Knox MS-MVP" <dknox@mvps.org> ha scritto nel messaggio
> news:OMuHI0O2EHA.2572@tk2msftngp13.phx.gbl...
>>Additionally, at least in SP2, there is a setting for users, in GPEDIT
> (User Configuration, Administrative Templates, Network, Network
>>Connections). Prohibit access to the New Connection Wizard.
>
> I have not the SP2 but I already have that option!
>
>>Note: This will not stop software from creating one manually by modifying
> the Registry and other system objects.
>
> THAT'S THE PROBLEM!!!
>
>
>
>
>