Lock down user environment variables on PC

 
hhsu68




(Msg. 1) Posted: Wed Aug 13, 2008 2:06 pm
Post subject: Lock down user environment variables on PC
Archived from groups: microsoft>public>windowsxp>security_admin

I am trying to lock down the PC desktop environment of my users so only a
tested and approved suite of tools is available to my users. One of our
applications uses user environment variables in order to function properly.
In order to prevent the user from messing around with their PC environment,
is it possible/feasible to lock down user environment variables so that
regular users cannot modify them?
Steve Riley [MSFT]




(Msg. 2) Posted: Wed Aug 13, 2008 10:50 pm
Post subject: Re: Lock down user environment variables on PC

What security risk is there if users can manipulate the environment
variables?

--
Steve Riley
steve.riley DeleteThis @microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



"hhsu68" <hhsu68 DeleteThis @discussions.microsoft.com> wrote in message
news:74318BE6-A9C2-42BF-88A0-59A4A614513C@microsoft.com...
> I am trying to lock down the PC desktop environment of my users so only a
> tested and approved suite of tools are available to my users. One of our
> applications uses user environment variables in order to function properly.
> In order to prevent the user from messing around with their PC environment,
> is it possible/feasible to lock down user environment variables so that
> regular users cannot modify them.
Anteaus




(Msg. 3) Posted: Thu Aug 14, 2008 12:49 am
Post subject: RE: Lock down user environment variables on PC

The environment is stored in a registry key. In principle you could change
the security on this key to only allow changes by an Admin. Alternatively,
you could export the registry key to allow easy repair if it does get altered.

However, as Steve says, I don't see this as being a big security issue. If
the user modifies (e.g.) the Path, so what? It doesn't allow them to run
anything they couldn't run by linking directly to the program. The worst they
could do is stop a few things working properly.

"hhsu68" wrote:

> I am trying to lock down the PC desktop environment of my users so only a
> tested and approved suite of tools are available to my users. One of our
> applications uses user environment variables in order to function properly.
> In order to prevent the user from messing around with their PC environment,
> is it possible/feasible to lock down user environment variables so that
> regular users cannot modify them.
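
As an added example, not code from any poster in this thread: persistent per-user variables are stored under `HKCU\Environment`, and this PowerShell lists which identities hold write rights on that key and compares the stored values against a saved baseline. The function names and the baseline file path are assumptions made for the example.

```powershell
# Added example. Persistent per-user variables live in HKCU:\Environment.
# Variables set only inside a running console (process scope) are not stored
# in this key, so they never appear in the snapshot below.
$EnvKey = 'HKCU:\Environment'

function Get-EnvKeyWriter {
    # Allow-ACEs that grant any write-type right on the key.
    $mask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    (Get-Acl -Path $EnvKey).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (([int]$_.RegistryRights -band $mask) -ne 0) } |
        Select-Object IdentityReference, RegistryRights, IsInherited
}

function Get-UserEnvSnapshot {
    # Read raw values so %VAR% references are compared exactly as stored.
    $key  = Get-Item -Path $EnvKey
    $snap = [ordered]@{}
    foreach ($name in ($key.GetValueNames() | Where-Object { $_ } | Sort-Object)) {
        $snap[$name] = [string]$key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
    }
    $snap
}

function Compare-UserEnv {
    # Emit one object per variable that was added, removed or changed.
    param([Parameter(Mandatory)][string]$BaselinePath)
    $base = @{}
    (Get-Content -Raw -Path $BaselinePath | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $base[$_.Name] = [string]$_.Value }
    $now = Get-UserEnvSnapshot
    foreach ($name in (@($base.Keys) + @($now.Keys) | Sort-Object -Unique)) {
        if ($base[$name] -cne $now[$name]) {
            [pscustomobject]@{ Name = $name; Baseline = $base[$name]; Current = $now[$name] }
        }
    }
}

# Hypothetical baseline location; written on first run, compared afterwards.
$baseline = Join-Path $env:TEMP 'user-env-baseline.json'
if (-not (Test-Path $baseline)) {
    Get-UserEnvSnapshot | ConvertTo-Json | Set-Content -Path $baseline
}
Get-EnvKeyWriter | Format-Table -AutoSize
Compare-UserEnv -BaselinePath $baseline | Format-Table -AutoSize
```

For a copy that can be re-imported to repair the key, `reg export HKCU\Environment <file>.reg` writes the same values in .reg format.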
hhsu68




(Msg. 4) Posted: Thu Aug 14, 2008 5:07 am
Post subject: RE: Lock down user environment variables on PC

Our main concern with the user changing their environment variables on their
own is that they may stop applications from working properly, causing more
work for the IT staff and hurting productivity. But my main concern with
locking down user environment variables on the PC is that it could possibly
cause things to break as well. Are there cases when an application needs to
be able to modify user environment variables in order to function properly? I
would still want to retain the ability of the user to create environment
variables at the session level as one of our applications requires this. Is
this type of control possible/feasible? Would you advise against it? Thanks
for your help.

"Anteaus" wrote:

> The environment is stored in a registry key. In principle you could change
> the security on this key to only allow changes by an Admin. Alternatively,
> you could export the registry key to allow easy repair if it does get altered.
>
> However, as Steve says I don't see this as being a big security issue. If
> the user modifies (e.g.) the Path, so what? It doesn't allow them to run
> anything they couldn't run by linking directly to the program. The worst they
> could do is stop a few things working properly.
>
> "hhsu68" wrote:
>
> > I am trying to lock down the PC desktop environment of my users so only a
> > tested and approved suite of tools are available to my users. One of our
> > applications uses user environment variables in order to function properly.
> > In order to prevent the user from messing around with their PC environment,
> > is it possible/feasible to lock down user environment variables so that
> > regular users cannot modify them.
Steve Riley [MSFT]




(Msg. 5) Posted: Thu Aug 14, 2008 6:10 am
Post subject: Re: Lock down user environment variables on PC

Sure, an application can do whatever it wants with user environment
variables. Thing is, when Alice runs an application, it runs in her user
context. So there's really no difference between these two functions:

* Alice shelling out to a command prompt and having a holiday with her
environment variables
* A program running in the context of Alice and setting/modifying
environment variables as necessary

If the program needs to manipulate variables, then Alice will be able to do
so as well.

Your situation seems a little odd, though. It's highly unusual for ordinary
users to randomly mess around with environment variables -- most people
don't even know they exist. Is this really a problem for you? I think some
user education will be more effective in your case.

--
Steve Riley
steve.riley.RemoveThis@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



"hhsu68" <hhsu68.RemoveThis@discussions.microsoft.com> wrote in message
news:CB3DD461-CC35-41E2-9431-7B3E786D74C9@microsoft.com...
> Our main concern with the user changing their environment variables on their
> own is that they may stop applications from working properly, causing more
> work for the IT staff and hurting productivity. But my main concern with
> locking down user environment variables on the PC is that could it possibly
> cause things to break as well. Are there cases when an application needs to
> be able to modify user environment variables in order to function properly? I
> would still want to retain the ability of the user to create environment
> variables at the session level as one of our applications requires this. Is
> this type of control possible/feasible? Would you advise against it. Thanks
> for your help.
>
> "Anteaus" wrote:
>
>> The environment is stored in a registry key. In principle you could change
>> the security on this key to only allow changes by an Admin. Alternatively,
>> you could export the registry key to allow easy repair if it does get altered.
>>
>> However, as Steve says I don't see this as being a big security issue. If
>> the user modifies (e.g.) the Path, so what? It doesn't allow them to run
>> anything they couldn't run by linking directly to the program. The worst they
>> could do is stop a few things working properly.
>>
>> "hhsu68" wrote:
>>
>> > I am trying to lock down the PC desktop environment of my users so only a
>> > tested and approved suite of tools are available to my users. One of our
>> > applications uses user environment variables in order to function properly.
>> > In order to prevent the user from messing around with their PC environment,
>> > is it possible/feasible to lock down user environment variables so that
>> > regular users cannot modify them.
All times are: Eastern Time (US & Canada)