Windows Thread, !! students have access to active directory, everything !! in Technical; It has been brought to my attention today, that students can get to pretty much all the server admin stuff. ...
  1. #1

    RabbieBurns's Avatar
    Join Date
    Apr 2008
    Location
    Sydney
    Posts
    5,521
    Thank Post
    1,333
    Thanked 469 Times in 306 Posts
    Blog Entries
    6
    Rep Power
    199

    !! students have access to active directory, everything !!

    It has been brought to my attention today, that students can get to pretty much all the server admin stuff.

    They use the mmc.exe program, and then they are able to add snap-ins such as AD, DHCP, printers, pretty much everything.

    I'm not sure how long this has been going on as I've not long taken over this network, but how can I stop them from doing this?

  2. #2

    Join Date
    Jun 2009
    Location
    Birmingham
    Posts
    600
    Thank Post
    92
    Thanked 72 Times in 64 Posts
    Rep Power
    24
    Create a GPO so they can't run mmc.exe.

  3. #3

    RabbieBurns's Avatar
    How do I do that?

  4. #4

    RabbieBurns's Avatar
    I mean, what do I put in the software restriction policies? Where do I get the hash from?

  5. #5
    mounters's Avatar
    Join Date
    Mar 2006
    Location
    Northumberland
    Posts
    199
    Thank Post
    22
    Thanked 70 Times in 59 Posts
    Rep Power
    29
    Don't use a software restriction policy, go to User Config -> Policies -> ADM templates -> Windows Components -> MMC and configure it all there.

  6. 3 Thanks to mounters:

    RabbieBurns (11th May 2011), speckytecky (11th May 2011), zag (11th May 2011)

  7. #6

    It's in User Configuration -> Administrative Templates -> System -> Don't run specified Windows applications. Enable that and put mmc.exe in it and away you go.

  8. 2 Thanks to Tricky_Dicky:

    speckytecky (11th May 2011), zag (11th May 2011)
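
Added example (not part of any post in this thread): a PowerShell check, run as a student or test account after the GPO has applied, that the settings suggested in posts #5 and #6 actually landed in that user's policy registry keys. The registry paths and value names below are assumptions based on the standard administrative templates; confirm them against the templates in your environment.

```powershell
# Added example. Run in the student's session after 'gpupdate /force' and a
# fresh logon. Written to work on the PowerShell 2.0 that ships with Windows 7.

# Per-user policy values expected for the MMC folder settings (post #5) and
# "Don't run specified Windows applications" (post #6). Assumed locations.
$checks = @(
    @{ Name  = 'MMC: restrict author mode'
       Path  = 'HKCU:\Software\Policies\Microsoft\MMC'
       Value = 'RestrictAuthorMode' },
    @{ Name  = 'MMC: restrict to permitted snap-ins'
       Path  = 'HKCU:\Software\Policies\Microsoft\MMC'
       Value = 'RestrictToPermittedSnapins' },
    @{ Name  = "Don't run specified Windows applications"
       Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'DisallowRun' }
)

$results = foreach ($c in $checks) {
    # A missing key or value means the setting is "Not Configured" for this user.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    $data = if ($item) { $item.($c.Value) } else { $null }
    New-Object PSObject -Property @{
        Setting = $c.Name
        Enabled = ($data -eq 1)
        RawData = $data
    }
}

# The blocked-program list is stored as numbered values in a DisallowRun subkey.
$listKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
$blocked = @()
if (Test-Path $listKey) {
    $key = Get-Item -Path $listKey
    $blocked = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
}

$results | Select-Object Setting, Enabled, RawData | Format-Table -AutoSize
'mmc.exe in DisallowRun list: {0}' -f ($blocked -contains 'mmc.exe')
```

A row showing `Enabled = False` for a setting you configured usually means the GPO is not linked to the OU holding the student accounts, or is being filtered out; `gpresult /r` in the same session shows which GPOs were applied.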

  9. #7

    Originally posted by mounters:
    > Don't use a software restriction policy, go to User Config -> Policies -> ADM templates -> Windows Components -> MMC and configure it all there.

    Never noticed that before, that's much simpler. Thanks for the info.

  10. #8

    NikChillin's Avatar
    Join Date
    Nov 2007
    Location
    on the sofa
    Posts
    942
    Thank Post
    59
    Thanked 122 Times in 86 Posts
    Rep Power
    123
    Stop them from running ANY .exe's or you will have no network!

  11. #9
    mounters's Avatar
    Originally posted by NikChillin:
    > Stop them from running ANY .exe's or you will have no network!

    Hmm, yes, because if you stop all exes then you'll have a really useful network?!? What about basic things like winlogon.exe, explorer.exe, winword.exe, calc.exe, paint.exe, notepad.exe?

  12. #10

    Join Date
    Mar 2011
    Location
    Bournemouth
    Posts
    280
    Thank Post
    16
    Thanked 74 Times in 64 Posts
    Rep Power
    21
    You'd be surprised what you can do with just domain user permissions. Users can, for example, edit certain fields on their own AD user, which is pretty annoying. However, when it comes to MMC stuff, they obviously don't have permissions to modify anything; they can, however, view almost anything. One question does present itself: why do you have the AD management tools installed on the student computers in the first place?

    Anyway, regardless of what MMC snap-ins you deny, they can still use VBScripts or PowerShell to access data on pretty much anything if they really wanted to.

  13. #11

    Steve21's Avatar
    Join Date
    Feb 2011
    Location
    Swindon
    Posts
    2,696
    Thank Post
    335
    Thanked 515 Times in 483 Posts
    Rep Power
    179
    Originally posted by RabbieBurns:
    > It has been brought to my attention today, that students can get to pretty much all the server admin stuff.

    Out of curiosity, any reason they can even see the exe's to run?

    Aren't all items like "run", control panel, etc. locked down in the first place? So even if MMC is runnable, there's no way to it.

    Just seems a bigger issue that it's accessible than that it's being run :P If that makes sense?

    Steve

  14. #12

    RabbieBurns's Avatar
    OK, that's them locked out. Thanks heaps for that.

    Is there anything else I should be thinking of about policies for the students as major as this?

  15. #13

    Steve21's Avatar
    Originally posted by RabbieBurns:
    > OK, that's them locked out. Thanks heaps for that.
    >
    > Is there anything else I should be thinking of about policies for the students as major as this?

    Well, for one, as mentioned above: why can they even access it as it is? Seems like something's missing/adrift.

    Steve

  16. #14

    RabbieBurns's Avatar
    Originally posted by Steve21:
    > Out of curiosity, any reason they can even see the exe's to run?
    >
    > Aren't all items like "run", control panel, etc. locked down in the first place? So even if MMC is runnable, there's no way to it.
    >
    > Just seems a bigger issue that it's accessible than that it's being run :P If that makes sense?
    >
    > Steve

    All of the above are blocked, but they still have access to the C: drive (which I'm trying to have blocked too... red tape...)

  17. #15

    RabbieBurns's Avatar
    Originally posted by ChrisMiles:
    > You'd be surprised what you can do with just domain user permissions. Users can, for example, edit certain fields on their own AD user, which is pretty annoying. However, when it comes to MMC stuff, they obviously don't have permissions to modify anything; they can, however, view almost anything. One question does present itself: why do you have the AD management tools installed on the student computers in the first place?
    >
    > Anyway, regardless of what MMC snap-ins you deny, they can still use VBScripts or PowerShell to access data on pretty much anything if they really wanted to.

    These are just basic Windows 7 Enterprise installations. The AD pack hasn't been installed separately.
