TechSapphire Saturday, 2024-04-27, 5:21 AM
  • Policy Restriction

    Start Menu and Taskbar Restrictions


    1. Disable Registry Editing Tools (All Windows)

    This restriction disables the ability to interactively run the standard Microsoft registry editing tools such as REGEDIT and REGEDT32.

    Create a new DWORD value named 'DisableRegistryTools' and set the value to '1' to disable registry editing functions. This can also be enabled on a user-by-user basis by putting the same value in the [HKEY_CURRENT_USER] tree.

    Settings:
    User Key: [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    Name: DisableRegistryTools
    Type: REG_DWORD (DWORD Value)
    Value: (0 = allow regedit, 1 = disable regedit)


    2. Disable the Windows Hotkeys (All Windows)

    This restriction allows you to disable the use of the Windows hotkey combinations that provide shortcuts to the Start Menu and task swapping.

    Create a new DWORD value, or modify the existing value, called 'NoWinKeys' and set it to '1' to enable the restriction.

    Settings:
    User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    Name: NoWinKeys
    Type: REG_DWORD (DWORD Value)
    Value: (0 = disable restriction, 1 = enable restriction)


    3. Restrict Access to the Windows Update Feature (All Windows)

    The Windows Update feature allows users to easily update Windows components and software over the Internet. These settings can be used to grant or restrict access to this function.

    Create a new DWORD (or Binary for Windows 98) value named "NoWindowsUpdate" and set the new value to equal "1".

    Settings:
    User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    Name: NoWindowsUpdate
    Type: REG_DWORD (DWORD Value)
    Value: (0 = default, 1 = disabled)


    4. Manage System Policy Updates (Windows NT/2000/XP)

    Windows normally makes a connection to the NETLOGON share of the validating domain controller and checks for the existence of the policy file. These settings control how system policies are applied to a Windows machine when on a network.

    Name         Type       Value
    UpdateMode   REG_DWORD  Disabled=0, Automatic=1 or Manual=2
    NetworkPath  REG_SZ     UNC path for manual updates
    Verbose      REG_DWORD  Off = 0 or On = 1
    LoadBalance  REG_DWORD  Off = 0 or On = 1

    Settings:
    System Key: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Update]
    Name: UpdateMode, NetworkPath, Verbose, LoadBalance


    5. Restrict Applications Users Can Run (All Windows)

    Windows gives the ability to restrict the applications that can be run by users on a workstation.

    Create a new DWORD value named "RestrictRun" and set it to "1" to enable application restrictions or "0" to allow all applications to run.

    Then create a new sub-key called [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun] and define the applications that are allowed. Create a new string value for each application, named as consecutive numbers, and set the value to the filename to be allowed (e.g. "notepad.exe").


    Settings:
    User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    Name: RestrictRun
    Value: (0 = default, 1 = disabled)

    6. Change Alternate Installation Credential Settings (Windows 2000/XP)

    These settings control whether users are prompted to enter alternate logon credentials when installing software as a non-administrative user.

    Open your registry and find the key below.

    Create new DWORD values according to the options below.

    NoRunasInstallPrompt

  • "1" - Disable alternate credentials option
  • "0" (Default) - Request alternate credentials

    PromptRunasInstallNetPath

  • "1" - Request alternate credentials when installing from a network share.
  • "0" (Default) - Disable alternate credentials option

    Settings:
    User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    Name: NoRunasInstallPrompt, PromptRunasInstallNetPath
    Type: REG_DWORD (DWORD Value)
    Value: (0 = default, 1 = enable)


    7. Restrict Changes to User Folder Locations (Windows 2000/Me/XP)

    These restrictions disable the ability for users to change the location of user-specific folders such as My Documents, My Pictures, My Music and Favorites.

    For each folder create a new DWORD value from the list below and set it to equal "1" to restrict changes or "0" to allow them.

    • DisablePersonalDirChange - Restrict changes to My Documents
    • DisableMyPicturesDirChange - Restrict changes to My Pictures
    • DisableMyMusicDirChange - Restrict changes to My Music
    • DisableFavoritesDirChange - Restrict changes to Favorites

    Settings:
    User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    Name: DisablePersonalDirChange, DisableMyPicturesDirChange, DisableMyMusicDirChange, DisableFavoritesDirChange
    Type: REG_DWORD (DWORD Value)
    Value: (0 = allow changes, 1 = restrict changes)


    8. Disable User Profiles (Windows 95/98/Me)


    This setting can be used to disable the use of user profiles.

    Create a new DWORD value, or modify the existing value, named "UserProfiles" and set it to equal "0" to disable user profiles.

    Settings:
    System Key: [HKEY_LOCAL_MACHINE\Network\Logon]
    Name: UserProfiles
    Type: REG_DWORD (DWORD Value)
    Value: (0 = disabled, 1 = enabled)

    9. Implement a User Based Custom Shell (Windows 2000/XP)

    Windows allows you to selectively specify the system shell based on the logged-in user. For example, this allows one user to use the standard explorer interface and another to use the legacy progman shell.

    Create a new String value, or modify the existing value called 'Shell' using the settings below.

    Settings:
    User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    Name: Shell
    Type: REG_SZ (String Value)
    Value: Filename of Replacement Shell


    10. Disable Run Commands Specified in the Registry (Windows 98/Me/2000/XP/Vista/Windows 7)

    This restriction is used to disable the ability to run startup programs specified in the registry when Windows launches.

    Create a new DWORD value for each of the optional values below depending on which Run function to stop and set the value to "1" to disable.

    Settings:
    User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    Name: DisableLocalMachineRun, DisableLocalMachineRunOnce, DisableCurrentUserRun, DisableCurrentUserRunOnce
    Type: REG_DWORD (DWORD Value)
    Value: (0 = enable run, 1 = disable run)
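
To review which of the restrictions from sections 1 to 3, 5, 7 and 9 to 11 are present on a machine, the values under the Policies\System and Policies\Explorer keys can be read back from both hives. This is an added example, not part of the original page; the function name Get-PolicyRestriction and the output property names are hypothetical.

```powershell
# Added example. Get-PolicyRestriction is a hypothetical helper, not a built-in cmdlet.
function Get-PolicyRestriction {
    $policies = 'Software\Microsoft\Windows\CurrentVersion\Policies'
    # Value names exactly as listed on this page, grouped by policy key.
    $watch = @(
        @{ Key = "$policies\System"
           Names = @('DisableRegistryTools', 'Shell') }
        @{ Key = "$policies\Explorer"
           Names = @('NoWinKeys', 'NoWindowsUpdate', 'RestrictRun', 'DisallowRun',
                     'DisablePersonalDirChange', 'DisableMyPicturesDirChange',
                     'DisableMyMusicDirChange', 'DisableFavoritesDirChange',
                     'DisableLocalMachineRun', 'DisableLocalMachineRunOnce',
                     'DisableCurrentUserRun', 'DisableCurrentUserRunOnce') }
    )

    foreach ($hive in 'HKCU:', 'HKLM:') {
        foreach ($entry in $watch) {
            $path = "$hive\$($entry.Key)"
            # A missing key is normal on an unrestricted machine, so do not raise an error.
            $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
            foreach ($name in $entry.Names) {
                $value = if ($props -and $props.PSObject.Properties[$name]) {
                    $props.$name
                } else {
                    $null
                }
                [pscustomobject]@{
                    Hive  = $hive
                    Key   = $entry.Key
                    Name  = $name
                    Value = $value
                    # Present and non-zero: a DWORD set to 1, or a Shell file name.
                    Set   = ($null -ne $value -and $value -ne 0)
                }
            }
        }
    }
}

# Show only the restrictions that are currently set.
Get-PolicyRestriction | Where-Object { $_.Set } | Format-Table -AutoSize
```
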


    11. Restrict Users from Running Specific Applications (Windows 2000/Me/XP/Vista/Windows 7)

    This setting allows you to specify applications and filenames that users are restricted from running.

    Open your registry and find the key [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

    Create a new DWORD value named "DisallowRun" and set it to "1" to enable application restrictions or "0" to allow all applications to run.

    Then create a new sub-key called [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun] and define the applications that are to be restricted. Create a new string value for each application, named as consecutive numbers, and set the value to the filename to be restricted (e.g. "regedit.exe").


    Settings:
    User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    Name: DisallowRun
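
The two-step procedure shared by sections 5 (RestrictRun) and 11 (DisallowRun), written as one PowerShell function. This is an added example, not part of the original page; the function name Set-RunList and its parameters are hypothetical, and rejecting entries that contain a path is a choice made here because the page specifies file names.

```powershell
# Added example. Set-RunList is a hypothetical helper, not a built-in cmdlet.
function Set-RunList {
    param(
        [Parameter(Mandatory)][ValidateSet('RestrictRun', 'DisallowRun')]
        [string]$ListName,
        [Parameter(Mandatory)][string[]]$FileNames,
        # Defaults to the per-user key from the page; pass a scratch key to rehearse.
        [string]$BaseKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )

    # The list holds bare file names such as "notepad.exe": trim, drop blanks and repeats.
    $names = @($FileNames | ForEach-Object { $_.Trim() } | Where-Object { $_ } |
               Sort-Object -Unique)
    if ($names.Count -eq 0) { throw "Refusing to write an empty $ListName list." }
    foreach ($n in $names) {
        if ($n -match '[\\/:]') { throw "'$n' is a path; enter the file name only." }
    }

    # Recreate the sub-key so numbered entries from an earlier list do not survive.
    $listKey = Join-Path $BaseKey $ListName
    if (Test-Path $listKey) { Remove-Item -Path $listKey -Recurse -Force }
    New-Item -Path $listKey -Force | Out-Null

    # One string value per application, named 1, 2, 3, ...
    $i = 1
    foreach ($n in $names) {
        New-ItemProperty -Path $listKey -Name "$i" -Value $n -PropertyType String | Out-Null
        $i++
    }

    # Switch the restriction on only after the list is complete.
    New-ItemProperty -Path $BaseKey -Name $ListName -Value 1 -PropertyType DWord -Force |
        Out-Null
}

# Constructed usage, left commented out so that pasting the block changes nothing:
# Set-RunList -ListName DisallowRun -FileNames 'regedit.exe'
# Set-RunList -ListName RestrictRun -FileNames 'notepad.exe', 'calc.exe'
```

With RestrictRun, leave the tool you would use to reverse the setting on the allow-list, or apply the change from a separate administrative account.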

