students have unfiltered internet access!!!!

  • Thread starter: Guest

Students have somehow got hold of a .reg file that they run, and it changes the
internet proxy address to the unfiltered proxy IP address. The proxy address
is set in AD.
The file, amongst other things, makes changes to:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
I thought I could change permissions on that key through AD but
HKEY_CURRENT_USER is not even listed when I click 'Add key'. (CLASSES_ROOT is
etc)

I would very much like a fix to prevent this as I have just done a search of
userspaces and found 90 students with this!!!!

Help?
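
An added example, not part of the original thread: a PowerShell function that parses the text of a .reg file and reports the proxy values it would write under a user hive's Internet Settings key, which is one way to run the kind of search of user areas described in the post above. The approved proxy name, the sample address and the share path in the final comment are placeholders.

```powershell
# Constructed values throughout: proxy name, sample address and share path are placeholders.
$ApprovedProxy = 'filter.school.example:8080'   # the filtered proxy that is set through AD
$KeyPattern = '^(HKEY_CURRENT_USER|HKEY_USERS\\[^\\]+)\\' +
    [regex]::Escape('Software\Microsoft\Windows\CurrentVersion\Internet Settings') + '$'
$Watched = 'ProxyServer', 'ProxyEnable', 'ProxyOverride', 'AutoConfigURL'

function Find-ProxyOverride {
    # Returns one object per proxy-related value that the .reg text would write
    # under a user hive's Internet Settings key.
    param([string]$Text, [string]$Source = '<inline>')

    $section = ''
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        # A [HKEY_...\path] header starts a new section ([-...] deletes a key).
        if ($line -match '^\[-?(?<key>[^\]]+)\]$') { $section = $Matches['key']; continue }
        if ($section -notmatch $KeyPattern) { continue }
        if ($line -notmatch '^"(?<name>[^"]+)"=(?<data>.*)$') { continue }

        $name = $Matches['name']
        $data = $Matches['data'].Trim('"')
        if ($Watched -notcontains $name) { continue }

        # Only ProxyServer can be compared with the approved address; the other
        # watched values are listed so that someone can review them.
        if ($name -ne 'ProxyServer')      { $verdict = 'review' }
        elseif ($data -eq $ApprovedProxy) { $verdict = 'approved' }
        else                              { $verdict = 'UNAPPROVED' }

        [pscustomobject]@{ Source = $Source; Value = $name; Data = $data; Verdict = $verdict }
    }
}

# Constructed sample of the kind of file described in the post.
$sample = @'
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="192.0.2.10:8080"
'@

Find-ProxyOverride -Text $sample -Source 'sample.reg' | Format-Table -AutoSize

# To scan real files (placeholder share path):
# Get-ChildItem '\\server\users' -Recurse -Filter *.reg |
#     ForEach-Object { Find-ProxyOverride (Get-Content $_.FullName -Raw) $_.FullName }
```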
 
Hi

the only thing that comes to mind is to set the policy to prevent the use of
registry editing tools, but AFAIK that only applies to the built in ones
(regedit and regedt32) -- home made registry editing solutions will work.

You could set an ACL on the registry key but being HKEY_CURRENT_USER could
be tricky.

cheers,

Marco
 
Yes, registry editing is already disabled but you can still run .reg
files........any other ideas?



 
not really .. can you change the ACL on the registry key with a logon
script?

Marco

--
Free five computers' license for NeoExec for Active Directory
[ www.neovalens.com ]
 
How about changing permissions on regedit.exe and regedt32.exe to allow only
administrators?

The students aren't local admins on the machine, are they??

Ken


 
How about if I need to run regedit.exe /s files through the login script?



 
We use a mandatory roaming profile for all students. Could some permissions
be changed in that, on the
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
that would be retained? This would be less restrictive for me. I do notice
already though that \\machinename\users only have RX access to this key... so
how are they allowed to change it anyway?

Thanks



 
Can't you just deny access to the unfiltered proxy for the student range of
IPs? Or do the students not have their own subnet?

Chris
 
You could always make an ADM file to get around the need to directly call
regedit... but after thinking about it, my suggestion probably isn't the
best solution.

Ken


Fabrussio said:
How about if I need to run regedit.exe /s files through the login script?



 
You can try this... it worked on my machines.
Open regedt32, go to HK_Local_Machine on Local machine,
select Software, click Security... Permissions...
Advanced... click Users... go to View/Edit and uncheck the 2 permissions
Set Value and Create Subkey.
This should do it if I remember correctly. If not... follow the steps and do
it under
HK_Local_Machine on Local machine under System, right below Software.
 