[Lvlug] Simple Program Lockdown
Paul Ryan
paul.ryan at usa.net
Fri Jun 25 16:45:19 EDT 2004
Well, I finally found an answer. It took quite a few hours of Googlling (sp?)
to find a workable solution, but if you ever need to do it, here's how it
works. Pay particular attention to the part about not applying it to your own
account (or the administrator's!) since it WILL put you in a bind. I've
already locked up two machines to the point that nothing would run and had to
reinstall :<(
Thanks to Martin and others for putting me on the right track...
Paul
from: http://www.kellys-korner-xp.com/xp_reg_edits.htm
Restrict Applications Users Can Run in XP

Start/Run/Regedit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value Name: RestrictRun

Open your registry and find the key
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer].
Create a new DWORD value and name it "RestrictRun". Set the value to "1" to
enable application restrictions or "0" to allow all applications to run.

Then create a new sub-key called
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
and define the applications that are allowed. Create a new string value for
each application, named as consecutive numbers, and set the value to the
filename to be allowed (e.g. "regedit.exe"). Restart Windows for the changes
to take effect.

Note: If you are the person who applies Group Policy, do not apply this
policy to yourself. If applied too broadly, this policy can prevent
administrators from running Group Policy or the registry editors. As a result,
once applied, you cannot change this policy except by reinstalling Windows.
------ Original Message ------
I'm trying to do something in XP (don't ask why, just accept it) that's a
piece of cake under Linux/unix. I want to lock a user account to a single
executable. That is, when they login, a program runs. They can stay there as
long as they like, but when they exit the program they should be logged off.
Under Linux, I'd just change field 7 in /etc/passwd to name the allowed
program, such as:
lameuser:x:1001:100:Restricted User:/home/lameuser:/usr/bin/someprogram
Now, how do I do this in XP? I remember in NT and 2000 there was something
about setting account policies, but I'm lost in mmc trying to find the
settings and cookbook method to make it happen. Google gives me all sorts of
extraneous and unhelpful info. And no, I don't want to lock a user to IIS and
set only certain sites. I want to lock them to a specific non-browser
program. Any help here would be appreciated.
Thanks,
Paul
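
A pre-flight check for the lockout described in the note above, as an added example that is not part of the original message or the quoted page: it reads a .reg export of the RestrictRun policy and reports whether the policy is enabled, which programs are allowed, and whether the account would be unable to open the registry editor. The sample export and the function names are constructed for illustration, and it assumes the export was taken from the target account's HKEY_CURRENT_USER.

```python
import re

# Key paths as given on the page (per-user policy under HKEY_CURRENT_USER).
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
LIST_KEY = POLICY_KEY + r"\RestrictRun"

# Constructed sample: a .reg export of the policy with a single allowed program.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"RestrictRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"1"="someprogram.exe"
'''

def parse_reg(text):
    """Parse .reg text into {key path (lowercase): {value name (lowercase): raw data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]*)"=(.*)$', line)
            if m:
                current[m.group(1).lower()] = m.group(2)
    return keys

def audit_restrict_run(text):
    """Return (enabled, allowed programs, warnings) for an exported policy."""
    keys = parse_reg(text)
    raw = keys.get(POLICY_KEY.lower(), {}).get("restrictrun", "")
    m = re.fullmatch(r"dword:([0-9a-f]{8})", raw.lower())
    enabled = bool(m) and int(m.group(1), 16) == 1
    entries = keys.get(LIST_KEY.lower(), {}).values()
    allowed = sorted({v[1:-1].lower() for v in entries if len(v) > 1 and v[0] == v[-1] == '"'})
    warnings = []
    if enabled and not allowed:
        warnings.append("enabled with an empty allow-list: no program is permitted")
    if enabled and "regedit.exe" not in allowed:
        warnings.append("regedit.exe is not allowed: this account cannot open the registry editor to undo the policy")
    if not enabled and allowed:
        warnings.append("allow-list present but RestrictRun is not 1: not enforced")
    return enabled, allowed, warnings

if __name__ == "__main__":
    print(audit_restrict_run(SAMPLE_EXPORT))
```

RestrictRun is applied by the Explorer shell to the programs it launches, so the result describes what that shell will permit for the account.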