Set up a GPO and ACL the key so only Domain Admins have write permission to the key and all users only have read permission. They can't take ownership if they don't have local administrative permissions or the take ownership right.
Z

Edward Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +
ezi...@lifespan.org
Phone:401-639-3505

________________________________
From: David Lum [mailto:david....@nwea.org]
Sent: Monday, April 27, 2009 3:55 PM
To: NT System Admin Issues
Subject: RE: Prevent mods to HKLM\Software\Microsoft\CurrentVersion\Run

Understood - I'm looking for an interim stopgap. We don't have the resources to bring everyone off local admins very quickly, so if a GPO could help me mitigate things with minimal effort it would be extremely helpful.

Dave

-----Original Message-----
From: Terry Dickson [mailto:te...@treasurer.state.ks.us]
Sent: Monday, April 27, 2009 12:19 PM
To: NT System Admin Issues
Subject: RE: Prevent mods to HKLM\Software\Microsoft\CurrentVersion\Run

I understood that also, however if they are a local admin it might not matter. They could simply log on, take ownership, and they again have the rights to do what they want.

-----Original Message-----
From: David Lum [mailto:david....@nwea.org]
Sent: Monday, April 27, 2009 2:07 PM
To: NT System Admin Issues
Subject: RE: Prevent mods to HKLM\Software\Microsoft\CurrentVersion\Run

Bingo.

-----Original Message-----
From: Don Guyer [mailto:don.gu...@prufoxroach.com]
Sent: Monday, April 27, 2009 11:35 AM
To: NT System Admin Issues
Subject: RE: Prevent mods to HKLM\Software\Microsoft\CurrentVersion\Run

I think the OP meant he was looking for suggestions other than "don't put them in the local administrators group". :)

Don Guyer
Systems Engineer - Information Services
Prudential, Fox & Roach/Trident Group
431 W. Lancaster Avenue
Devon, PA 19333
Direct: (610) 993-3299
Fax: (610) 650-5306
don.gu...@prufoxroach.com

-----Original Message-----
From: Terry Dickson [mailto:te...@treasurer.state.ks.us]
Sent: Monday, April 27, 2009 2:25 PM
To: NT System Admin Issues
Subject: RE: Prevent mods to HKLM\Software\Microsoft\CurrentVersion\Run

Even if you did do that, as a local admin they could just take ownership of the folder and boom they are writing to the registry key again and the startup folder again.

-----Original Message-----
From: David Lum [mailto:david....@nwea.org]
Sent: Monday, April 27, 2009 1:15 PM
To: NT System Admin Issues
Subject: Prevent mods to HKLM\Software\Microsoft\CurrentVersion\Run

Is there a GPO way to prevent something from modifying this registry key? If I could prevent that and stuff from auto-populating the \Startup folder for "all users" I would be a happy camper.

Tools like Spybot can do it, but that's not enterprise grade (read, centrally manageable). McAfee has a product that can do it - and we even have it and are licensed for it, but its interface is so atrocious I'd probably nuke half my systems just attempting it.

I'm looking for something other than "not local admin".

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
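
A read-only way to verify the ACL approach suggested at the top of the thread, as an added example that is not part of the original messages: it lists every principal holding write-level access to the Run key and shows the key's owner. It assumes the full key path `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`; `CONTOSO\Domain Admins` is a placeholder and the allow-list is a local policy choice.

```powershell
# Added example (not from the thread): read-only audit of the machine-wide Run key ACL.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
# Assumption: principals expected to hold write access. CONTOSO is a placeholder domain.
$AllowedWriters = @('NT AUTHORITY\SYSTEM', 'CONTOSO\Domain Admins')

$Rights = [System.Security.AccessControl.RegistryRights]
# Rights that let a principal change values or subkeys, rewrite the DACL, or seize the key.
$WriteMask = [int]($Rights::SetValue -bor $Rights::CreateSubKey -bor $Rights::Delete -bor
                   $Rights::ChangePermissions -bor $Rights::TakeOwnership)
# Unmapped generic bits sometimes appear in inherit-only ACEs:
# GENERIC_ALL = 0x10000000, GENERIC_WRITE = 0x40000000.
$GenericMask = 0x10000000 -bor 0x40000000
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

$acl = Get-Acl -Path $KeyPath

$findings = foreach ($ace in $acl.Access) {
    # Deny ACEs and read-only ACEs are not findings.
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $bits = [int]$ace.RegistryRights
    if (($bits -band ($WriteMask -bor $GenericMask)) -eq 0) { continue }
    $who = $ace.IdentityReference.Value
    if ($AllowedWriters -contains $who) { continue }
    [pscustomobject]@{
        Identity    = $who
        Rights      = $ace.RegistryRights
        Inherited   = $ace.IsInherited
        # True means the ACE applies to subkeys only, not to the Run key itself.
        SubkeysOnly = [bool]($ace.PropagationFlags -band $InheritOnly)
    }
}

"Key:   $KeyPath"
"Owner: $($acl.Owner)"   # the owner can always rewrite the DACL
if ($findings) {
    'Unexpected principals with write-level access:'
    $findings | Format-Table -AutoSize
} else {
    'No write-level ACEs outside the allow-list.'
}
```

A local Administrators entry in the output is the case the thread describes: the ACL alone does not bind an account that can take ownership of the key.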