Prevent registry changes by users

Background: I run a small computer lab of 10 computers using Windows 7 x64 Enterprise. Our users are set up as limited users. For additional restrictions, I set up local group policy for non-administrators using the microsoft management console.

Problem: Recently, I found out that some of these restrictions had been removed. Reviewing the settings MMC and in ntuser.pol showed that the settings should still be in place. However, the related registry settings were missing in ntuser.dat. I already have registry editing disabled in the GPO (though not in silent mode).

Question: What is the best way to deal with this situation? Should I look into preventing registry setting changes? Should I set up registry auditing to found out how these keys are getting changed in the first place? Or should I give up the ghost and write some kind of logon script that enforces registry values if they've been change? Any other ideas?

graf_ignotiev

Posted 2012-06-04T22:19:20.663

Reputation: 221

3Can you not simply edit the ACLs of the registry entries in question to deny write permissions to that user group? – Synetech – 2012-06-04T22:41:26.400

I hadn't thought of that. I will see if that works. Thanks. – graf_ignotiev – 2012-06-06T17:48:42.540

My users only have read access to these keys, so I'm not sure how the keys are being changed. How could I investigate the issue further? – graf_ignotiev – 2012-06-06T23:07:24.460

Is there some program that they use that requires admin rights? It is trivial to use that as a portal to do other things. For example, if you run a program with admin rights and it has some sort of Open File function, you could access cmd from there, right-click it and select run. It will be launched with admin rights as well, then you can do whatever you want. Do they also have limited file/folder rights? That's not guaranteed if they were able to hack the registry because they may have also changed the defaults and granted themselves access to the files as well. – Synetech – 2012-06-06T23:46:14.877

They don't use any programs that require admin rights. I'm not sure what you mean by limited file/folder rights. At this point we can't be sure that it's even my users that are doing the changes. It could be a side affect of another program that may not even have malicious intents, but it does keep happening. – graf_ignotiev – 2012-06-07T19:32:30.383

As an addendum, can you make suggestions as to what users I need to include? – graf_ignotiev – 2012-06-08T22:12:23.160

I have no idea what users you have. You should add the Users group in general since they are the unelevated ones that should not be making changes to the key in question. – Synetech – 2012-06-08T23:02:07.403

Well, the only users that can make changes to the key are the ones with the proper allow privileges in the Permissions tab. Shouldn't they be the ones I should add? – graf_ignotiev – 2012-06-14T19:56:29.677

Huh? Do they have specific write privileges (i.e., they have write privileges set to their actual, individual usernames as opposed to just the administrator group)? If so, then why? Did you specifically add them? If you didn't then you can specifically remove their write-privileges or remove them altogether so that they inherit their privileges from the parent key. – Synetech – 2012-06-15T00:29:20.920

Oops, I meant users, groups and security principles, not just users. Sorry about that. As it is, I will use the Everyone object to include anyone or anything that might alter the key. – graf_ignotiev – 2012-06-15T22:08:20.913

Prevent registry changes by users

Answers