prevent a user from creating new Remote Access Connections

Stefano B.

Hello everybody :)
I need a way to prevent a user (and all programs running with his
rights!!) from creating new Remote Access Connections.
I tried to use the Windows criteria in gpedit.msc; I can find criteria
about preventing deletion, opening/stopping previously created ones, but
nothing about what I need!
This should be a very important security option ... think of those
malicious little, subtle programs from the web that install
themselves very quickly and create new connections to very expensive pay
numbers ... they can easily fool children or non-expert people ... It
would be very easy to avoid that just by allowing only
administrators to create new connections, and giving such users only
non-administrative accounts!!
Is there anyone who can accomplish that?
Thank You very much in advance!
Stefano B
 
With a little patience and a lot of persistence you can find the
right directives in the Group Editor that meet your management needs.
Here you can disable the Control Panel, the Run command, the
Command prompt, the Taskmanager and also configure system
directives to prevent programs from running:

User Configuration\Management Templates\Control Panel\
enable; "Prohibit access to the Control Panel"
Removes access to the Control Panel to prevent users from
creating new remote access connections in Control Panel\
System\Remote Access

In Start Menu and Taskbar\enable; "Remove the Run menu
from the start menu".....
Prevents access to the Run command so they cannot run
programs by typing the programs' executables

In System\enable; "prevent access to command prompt"
Removes access to the command prompt to prevent
running programs from there.

In the ctrl+alt+del options folder, enable\remove taskmanager
Disable taskmanager so programs cannot be executed by
the New Task command.

In System\enable; "do not execute specified windows applications"
click on; show\add\type; program.exe (program's executables)
The programs mentioned here can be disabled for users by adding them
to this directive; therefore this may be all you have to configure.
E.g., add programs such as:
cmd.exe (is command prompt)
tskmngr.exe (is taskmanager)
control.exe (is control panel)
If you wish to disable other programs, add their executables here...
you can get the executables from the taskmanager with the
specific program running.


 
However, in a non-domain environment, the settings in GPEDIT apply to all users, not just limited users.
 
Additionally, at least in SP2, there is a setting for users, in GPEDIT (User Configuration, Administrative Templates, Network, Network Connections). Prohibit access to the New Connection Wizard.

Note: This will not stop software from creating one manually by modifying the Registry and other system objects.
 
Thank You very much for Your reply!
It sounds like killing a fly with a cannon :)
But the most important menace is not removed ... I don't want hostile
external programs to create their connections to very expensive (often
obscene) numbers!!!
I could set the protection settings of those by myself ... but what about
the user environment ... any program running with his rights continues to be
able to create those connections!!
And of course I can't foresee the names of executables coming from the net!!
Any idea?
Stefano B.
 
Thanks for reply!:)
"Doug Knox MS-MVP" <[email protected]> wrote in message:
> Additionally, at least in SP2, there is a setting for users, in GPEDIT
> (User Configuration, Administrative Templates, Network, Network
> Connections). Prohibit access to the New Connection Wizard.

I don't have SP2 but I already have that option!

> Note: This will not stop software from creating one manually by modifying
> the Registry and other system objects.

THAT'S THE PROBLEM!!!
 
"Doug Knox MS-MVP" <[email protected]> wrote in message:
> You may want to take a look at www.dougknox.com, Win XP Utilities, Windows
> XP Security Console.

Your support for Juvenile Diabetes Research Foundation gives You a lot of
honor ... I help (in his studies) one young friend of mine who has such
illness and so I know what it means ;(

Is there any source code available for developers for those utilities? (I'm
a young programmer student)

Thank You for all Your help!
Stefano B.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
 
About the only thing you can do in this case, is to modify the Registry permissions, for the keys involved.
 
Hi!
I searched the registry but it seems RAS does not rely on it!!
Anyway I found a drastic way to reach my goal: I deny any access to
"rasapi32.dll" to the user, so no programs running under his privileges can
create new accounts ... the drawback is that now the user cannot connect to
the internet at all!
As a developer I thought of creating a simple service that enables that dll
for the user only for the time needed to connect/disconnect, and keeps it out
of access during internet navigation...
A better approach would be hooking "rasapi32.dll" to block the use of
the specific function that creates new accounts, but I think that goes
beyond my skill ... I'm only a student:(
What do You think about it?
Regards,
Stefano B.

P.S. Why doesn't Microsoft do something about this security hole? Is there a
way to suggest that they do something?

"Doug Knox MS-MVP" <[email protected]> wrote in message:
> About the only thing you can do in this case, is to modify the Registry
> permissions, for the keys involved.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
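
Added example, not part of the original thread or any poster's code: dial-up entries on Windows XP are normally kept in rasphone.pbk phonebook files under the user and All Users profiles rather than in the registry, so one way to catch a dialer-created connection is to audit those files against the numbers you approved. The sample phonebook, the `PhoneNumber` key layout and the approved-number list are constructed assumptions for illustration.

```python
import re

# Constructed sample in the INI-like rasphone.pbk layout: one [section] per
# connection, and keys such as PhoneNumber may repeat inside a section.
SAMPLE_PBK = """\
[Home ISP]
Type=1
Device=Standard 56000 bps Modem
AreaCode=
PhoneNumber=5550100

[Free Access]
Type=1
Device=Standard 56000 bps Modem
PhoneNumber=0900555019
PhoneNumber=00 88 1555 0142
"""

def parse_phonebook(text):
    """Return {entry name: [phone numbers]}; duplicate keys are kept."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = section.group(1)
            entries.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "phonenumber" and value.strip():
                entries[current].append(value.strip())
    return entries

def normalize(number):
    """Compare numbers by digits only, ignoring spaces and punctuation."""
    return re.sub(r"\D", "", number)

def audit(text, approved_numbers):
    """Return [(entry name, [unapproved numbers])] for review."""
    approved = {normalize(n) for n in approved_numbers}
    findings = []
    for name, numbers in parse_phonebook(text).items():
        unapproved = [n for n in numbers if normalize(n) not in approved]
        if unapproved:
            findings.append((name, unapproved))
    return findings

if __name__ == "__main__":
    for name, numbers in audit(SAMPLE_PBK, ["555-0100"]):
        print(f"unapproved connection {name!r}: {', '.join(numbers)}")
```

Run from an administrator account on a schedule, a check like this reports connections the limited user (or software running as that user) has added since the last review.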
 