Locking down registry editing

Guest

We currently use group policy to set screen saver settings such as executable
name, password protect the screen saver, and screen saver timeout. This is
particularly important for our traveling sales people. They are set up as
local administrators in order to run custom software that we develop.

I happened to be doing some service on one of our sales laptops, and found
that one of them had edited the registry
(HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop)
to circumvent the timeout. I wish to lock this down further with
permissions, but am unsure of the best way to go about it.

Is there a way to publish a local registry permission so only Domain Admins
can modify?
 
Newbie Coder

This will lock the registry:

----------------------------------------

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

-----------------------------------------

You can copy the above into a Notepad doc.
File, Save As, then choose ALL FILES & around the filename type "Lock Reg.reg"
(including quotes) & click SAVE.
The last step creates a registry key.

To unlock, just change the '00000001' to '00000000'.

I hope this helps,
 
GO

If they are set up as administrators then I doubt there is anything that can
be done. An administrator can do anything on the computer and being able to
restrict those rights could lead to security concerns. As "Newbie Coder"
pointed out there is a way to lock someone out of the tools but that would
not be fool-proof. Your user was crafty enough to get into the registry the
first time so I'm sure they could find a way around this restriction as
well. None of your users should be running with admin rights; it just leads
to too many headaches. If this software is being developed in-house, which
is how it sounds, there is no reason that it can't be developed to run as
a regular user; your programmers are just being lazy. Even if it wasn't
in-house it should be possible to get it to run under a regular user
account.


Greg
 
John Wunderlich

This will lock the registry:
[snip]

Actually, it won't lock the registry.
What it does do is prevent regedit.exe from running.
There are a bunch of other registry-editing programs out there that
ignore this setting and allow registry editing.

-- John
 
Newbie Coder

Yes, but are the users savvy enough to use them?

I am a coder & could bypass all of these settings, forcing registry
permissions allowing me to change these keys. So, what do you say to that,
John? There is always a way around that.
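
An added example, not part of any post in this thread: a PowerShell audit that reports when the screen saver policy values under the key named in the question differ from a baseline, and which accounts hold write access to that key. The baseline values and function names are assumptions; the value names are the standard screen saver policy values.

```powershell
# Added example, not from the thread. Baseline values are assumptions:
# replace them with what your GPO actually sets.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$ToolsKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$Expected  = @{
    'ScreenSaveActive'    = '1'
    'ScreenSaverIsSecure' = '1'
    'ScreenSaveTimeOut'   = '900'   # seconds (assumed policy value)
}

# Report every policy value that is missing or differs from the baseline.
function Get-ScreenSaverPolicyDrift {
    param([string]$Key = $PolicyKey, [hashtable]$Baseline = $Expected)
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($name in $Baseline.Keys) {
        $actual = if ($props) { $props.$name } else { $null }
        if ("$actual" -ne $Baseline[$name]) {
            [pscustomobject]@{
                Item = $name; Expected = $Baseline[$name]; Actual = $actual
            }
        }
    }
}

# List Allow entries on the policy key that include any write-type right.
function Get-PolicyKeyWriters {
    param([string]$Key = $PolicyKey)
    if (-not (Test-Path -Path $Key)) { return }
    $write = [System.Security.AccessControl.RegistryRights]`
        'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    (Get-Acl -Path $Key).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.RegistryRights -band $write) } |
        Select-Object IdentityReference, RegistryRights, IsInherited
}

# DisableRegistryTools is reported for completeness only: as noted in the
# thread, it stops regedit.exe, not other ways of writing to the registry.
function Get-RegistryToolsSetting {
    (Get-ItemProperty -Path $ToolsKey -ErrorAction SilentlyContinue).DisableRegistryTools
}

Get-ScreenSaverPolicyDrift | Format-Table -AutoSize
Get-PolicyKeyWriters       | Format-Table -AutoSize
"DisableRegistryTools = $(Get-RegistryToolsSetting)"
```

Run it in the affected user's session, since HKCU resolves to whoever is logged on; a non-empty drift table or a writer other than Administrators and SYSTEM is what to look for.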
 
