Restricting snap-ins

Guest

I'm having trouble restricting snap-ins on Server 2003. In particular, I
want to prevent "System Information" from displaying. I can't seem to
prevent this by disabling GPO: "USER Configuration\Administrative
Templates\Windows Components\Microsoft Management
Console\Restricted/Permitted snap-ins\System Information".

I've also tried enabling "Restrict users to the explicitly permitted list of
snap-ins" and that does restrict quite a few, but not all of them (including
my Sys Info).

Regardless of this setting, I can still get to it via MS Word "About" as
well as other ways.

I ultimately want to restrict this on Terminal Server sessions because I
view this as a back door into the server and network, but I can't restrict it
even on local sessions. Any ideas what might be wrong? Thanks!
 
Vincent Xu [MSFT]

Hi Bob,

I think you can consider restricting msinfo32.exe, which generates the
system information.

Run Gpedit.msc and go to:

Computer Configuration\Windows Settings\Software Restriction
Policies\Additional Rules

Configure a Path rule to disallow C:\Program Files\Common Files\Microsoft
Shared\MSInfo\msinfo32.exe

Then no one can access msinfo32.exe.

Hope this helps.

Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================



--------------------
 
Guest

Hi Vincent,
I found this setting to work just fine. Thank you!

But I would like this setting to only apply to Domain Users and not Domain
Admins.

I've been able to control GPOs to "not" apply to Domain Admins by changing
the GPO's security properties to deny "Apply Group Policy" for Domain Admins
and Enterprise Admins. This technique works fine for User Configuration
GPOs, but your suggestion is found in the Computer Configuration GPO, and for
some reason my deny "Apply Group Policy" seems to be ignored for the Computer
Configuration GPO.

Is this normal behavior, or should the deny work for Computer Configuration
GPOs just like it works for the User Configuration GPO?
 
Vincent Xu [MSFT]

Hi Bob,

It is normal behavior, because the group policy security filter is
based on the user. You can specify not to apply a GPO to a particular user, but
you cannot restrict him to using only one machine. Just consider: if a
normal user and an admin both log on to the same computer, how can we tell the
computer which user it is before they log on?

If you can restrict normal users to logging on to only certain computers,
you can move those computer accounts into one OU and deploy the GPO to that
OU only.

Hope the information helps.


Best regards,

Vincent Xu
Microsoft Online Partner Support




--------------------
 
Guest

Thanks Vincent, I understand now.

BTW: I moved the software restriction policy from Computer Configuration to User
Configuration, and now I can deny the GPO to the Domain Admins. Thanks!
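Added check, not from the thread: a PowerShell script that reads the Software Restriction Policy path rules from the registry under both the Computer Configuration location (HKLM, Vincent's original suggestion) and the User Configuration location (HKCU, where the rule lands after the move described just above) and reports whether a Disallowed rule covers msinfo32.exe. It assumes the standard SRP registry layout (CodeIdentifiers\<level>\Paths\<GUID> with the path in ItemData) and a current PowerShell.

```powershell
# Added example, not from the thread: audit SRP path rules for a Disallowed rule
# that covers msinfo32.exe, in both the machine (HKLM) and user (HKCU) hives.
# Assumes the standard SRP registry layout:
#   ...\Safer\CodeIdentifiers\<level>\Paths\<GUID>, value ItemData = path.
$Target      = 'msinfo32.exe'
# Install path quoted in the thread; used to match directory-level rules.
$DefaultPath = 'C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe'

function Get-SrpPathRules {
    param([ValidateSet('HKLM','HKCU')][string]$Hive)
    $base = "${Hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    if (-not (Test-Path $base)) { return }
    # One subkey per security level: 0 is Disallowed, 262144 is Unrestricted.
    foreach ($levelKey in Get-ChildItem $base -ErrorAction SilentlyContinue) {
        $paths = Join-Path $levelKey.PSPath 'Paths'
        if (-not (Test-Path $paths)) { continue }
        foreach ($ruleKey in Get-ChildItem $paths) {
            $rule = Get-ItemProperty $ruleKey.PSPath
            [pscustomobject]@{
                Hive  = $Hive
                Level = if ($levelKey.PSChildName -eq '0') { 'Disallowed' } else { $levelKey.PSChildName }
                # ItemData may be REG_EXPAND_SZ (e.g. %ProgramFiles%), so expand it.
                Path  = [Environment]::ExpandEnvironmentVariables([string]$rule.ItemData)
                Rule  = $ruleKey.PSChildName
            }
        }
    }
}

function Test-SrpDisallows {
    param([string]$Executable, [string]$FullPath)
    $rules = @(Get-SrpPathRules 'HKLM') + @(Get-SrpPathRules 'HKCU')
    # A rule covers the target if it names the file itself or one of its parent folders.
    $rules | Where-Object {
        $_.Level -eq 'Disallowed' -and $_.Path -and (
            $_.Path -like "*\$Executable" -or
            $FullPath.StartsWith($_.Path.TrimEnd('\'), [StringComparison]::OrdinalIgnoreCase)
        )
    }
}

$hits = @(Test-SrpDisallows -Executable $Target -FullPath $DefaultPath)
if ($hits.Count -gt 0) { $hits | Format-Table Hive, Level, Path, Rule -AutoSize }
else { Write-Warning "No Disallowed SRP path rule covers $Target in HKLM or HKCU" }
```

Run it as the restricted user to see the HKCU rules that apply to that account; HKLM rules apply to everyone who logs on to the machine, which is why the Computer Configuration version could not be filtered away for admins.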
 
Vincent Xu [MSFT]

Hi Bob,

Glad to provide assistance. :)

Have a good day!


Best regards,

Vincent Xu
Microsoft Online Partner Support




--------------------
 