2
Background: I run a small computer lab of 10 computers using Windows 7 x64 Enterprise. Our users are set up as limited users. For additional restrictions, I set up local group policy for non-administrators using the microsoft management console.
Problem: Recently, I found out that some of these restrictions had been removed. Reviewing the settings MMC and in ntuser.pol showed that the settings should still be in place. However, the related registry settings were missing in ntuser.dat. I already have registry editing disabled in the GPO (though not in silent mode).
Question: What is the best way to deal with this situation? Should I look into preventing registry setting changes? Should I set up registry auditing to found out how these keys are getting changed in the first place? Or should I give up the ghost and write some kind of logon script that enforces registry values if they've been change? Any other ideas?
3Can you not simply edit the ACLs of the registry entries in question to deny write permissions to that user group? – Synetech – 2012-06-04T22:41:26.400
I hadn't thought of that. I will see if that works. Thanks. – graf_ignotiev – 2012-06-06T17:48:42.540
My users only have read access to these keys, so I'm not sure how the keys are being changed. How could I investigate the issue further? – graf_ignotiev – 2012-06-06T23:07:24.460
Is there some program that they use that requires admin rights? It is trivial to use that as a portal to do other things. For example, if you run a program with admin rights and it has some sort of Open File function, you could access
cmd
from there, right-click it and select run. It will be launched with admin rights as well, then you can do whatever you want. Do they also have limited file/folder rights? That's not guaranteed if they were able to hack the registry because they may have also changed the defaults and granted themselves access to the files as well. – Synetech – 2012-06-06T23:46:14.877They don't use any programs that require admin rights. I'm not sure what you mean by limited file/folder rights. At this point we can't be sure that it's even my users that are doing the changes. It could be a side affect of another program that may not even have malicious intents, but it does keep happening. – graf_ignotiev – 2012-06-07T19:32:30.383