Lock down user environment variables on PC

  • Thread starter: hhsu68

hhsu68

I am trying to lock down the PC desktop environment of my users so only a
tested and approved suite of tools are available to my users. One of our
applications uses user environment variables in order to function properly.
In order to prevent the user from messing around with their PC environment,
is it possible/feasible to lock down user environment variables so that
regular users cannot modify them?
 
What security risk is there if users can manipulate the environment
variables?
 
The environment is stored in a registry key. In principle you could change
the security on this key to only allow changes by an Admin. Alternatively,
you could export the registry key to allow easy repair if it does get altered.

However, as Steve says, I don't see this as being a big security issue. If
the user modifies (e.g.) the Path, so what? It doesn't allow them to run
anything they couldn't run by linking directly to the program. The worst they
could do is stop a few things working properly.
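
The "export for easy repair" idea from the reply above, as an added PowerShell example that is not part of the original thread. It assumes the per-user variables live under `HKCU:\Environment` and that a CSV baseline is kept at a hypothetical path; it also lists the key's ACL so you can see who is allowed to write to it.

```powershell
# Added example, not from the thread. $BaselinePath is a hypothetical location;
# in practice keep the baseline somewhere the user cannot write.
$KeyPath      = 'HKCU:\Environment'
$BaselinePath = Join-Path $env:LOCALAPPDATA 'user-env-baseline.csv'

function Get-UserEnvSnapshot {
    # Read values unexpanded so %VAR% references are compared exactly as stored.
    $key  = Get-Item -Path $KeyPath
    $opts = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            Name  = $name
            Value = [string]$key.GetValue($name, '', $opts)
        }
    }
}

function Compare-UserEnv($Baseline, $Current) {
    # Index both sides by variable name (PowerShell hashtables ignore case,
    # matching registry value-name semantics).
    $old = @{}; foreach ($r in $Baseline) { $old[$r.Name] = $r.Value }
    $new = @{}; foreach ($r in $Current)  { $new[$r.Name] = $r.Value }
    foreach ($n in (@($old.Keys) + @($new.Keys) | Sort-Object -Unique)) {
        if     (-not $new.ContainsKey($n)) { $state = 'Removed' }
        elseif (-not $old.ContainsKey($n)) { $state = 'Added' }
        elseif ($old[$n] -cne $new[$n])    { $state = 'Changed' }
        else   { continue }
        [pscustomobject]@{
            Name = $n; State = $state; Baseline = $old[$n]; Current = $new[$n]
        }
    }
}

# Who can modify the key? Write access for the user shows up as FullControl/SetValue.
(Get-Acl -Path $KeyPath).Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType |
    Format-Table -AutoSize

if (-not (Test-Path $BaselinePath)) {
    # First run: record the approved state.
    Get-UserEnvSnapshot | Export-Csv -Path $BaselinePath -NoTypeInformation
    "Baseline written to $BaselinePath"
} else {
    # Later runs: report anything that differs from the approved state.
    $drift = Compare-UserEnv (Import-Csv $BaselinePath) (Get-UserEnvSnapshot)
    if ($drift) { $drift | Format-Table -AutoSize } else { 'No drift from baseline.' }
}
```

Variables set only inside a running process (for example `set` in a command prompt or `$env:NAME = ...` in PowerShell) are never written to this key, so they do not show up as drift.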
 
Our main concern with the user changing their environment variables on their
own is that they may stop applications from working properly, causing more
work for the IT staff and hurting productivity. But my main concern with
locking down user environment variables on the PC is that it could possibly
cause things to break as well. Are there cases when an application needs to
be able to modify user environment variables in order to function properly? I
would still want to retain the ability of the user to create environment
variables at the session level as one of our applications requires this. Is
this type of control possible/feasible? Would you advise against it? Thanks
for your help.
 
Sure, an application can do whatever it wants with user environment
variables. Thing is, when Alice runs an application, it runs in her user
context. So there's really no difference between these two functions:

* Alice shelling out to a command prompt and having a holiday with her
environment variables
* A program running in the context of Alice and setting/modifying
environment variables as necessary

If the program needs to manipulate variables, then Alice will be able to do
so as well.

Your situation seems a little odd, though. It's highly unusual for ordinary
users to randomly mess around with environment variables -- most people
don't even know they exist. Is this really a problem for you? I think some
user education will be more effective in your case.

--
Steve Riley
(e-mail address removed)
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com
 