How to restrict a user from killing a process or stopping a service



#1
Mobi

    Member

  • 52 posts
Hi,

I was wondering how we can restrict any user from stopping any particular service or from killing that process.

We need to run software on all our machines; the problem is that all the users are added as local administrators on their assigned machines. Now I have seen that with some services, such as AV, when you try to stop them the "stop" & "start" options are disabled, and if any user tries to kill the process by using the Task Manager he gets an "Access is denied" message.

Is there any way we can also get the same response for any other service we want? Or does one have to do this by making some application/program itself?

I shall be thankful to you for your response.
  • 0

#2
Artellos

    Tech Secretary

  • Global Moderator
  • 3,888 posts
Hello there Mobi, and welcome to Geeks to Go! :)

You can disable the Task Manager through a group policy. (Start -> Run: gpedit.msc)
This would prevent all your users from accessing the Task Manager at all. However, keep in mind that if they have local administrative access, they can just remove that policy with their administrative powers.

There are very few -real- restrictions you can put on local administrative users.

Regards,
Olrik
  • 0

#3
dsenette

    Je suis Napoléon!

  • Administrator
  • 26,019 posts
  • MVP
actually...if you set the setting to restrict access to the task manager in the DOMAIN group policy...then the local admin SHOULDN'T be able to use task manager either (at least not a user that's a local admin....there's a chance that THE local admin account could do it)
  • 0

#4
W-Unit

    Member

  • 170 posts
Hehe, if I may offer another perspective...
My high school used the setup recommended by dsenette. The restrictions were VERY strict- No access to Run, Command Prompt, Registry Editor, Task Manager, or even the C drive. It wouldn't even let you type anything into the address bar of Windows Explorer, either.

Edit: removed instructions that "could" be used to get around settings in place on a misconfigured network

Moderators- my apologies if talking about this qualified as instructions on how to hack/exploit. I consider it to be a very innocuous weakness, besides which my intent was only to let the OP know about this problem, not to educate others about how to exploit it. Please do let me know if this violates any rules, though, and I will be happy to revise the post so that it does not go into the specifics of the shortcut technique.
  • 0

#5
dsenette

    Je suis Napoléon!

  • Administrator
  • 26,019 posts
  • MVP
i edited it for you....

at your school...the network was probably NOT configured as a domain...and the rules were probably not put in place at the domain level.

domain policy always trumps local policy so your method wouldn't (or at least shouldn't if the domain policy is set correctly) work...

also...it's very easy in domain policy to add gpedit.msc into the "unapproved" applications list thereby blocking it
  • 0
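
An added example, not part of any post in this thread: a read-only PowerShell check of the points raised above, namely whether the Task Manager restriction is in effect for the current user, whether that user holds an administrator token, and whether the machine is domain-joined so that a domain GPO can supply the setting. The function name `Get-TaskMgrPolicyState` and the assessment strings are this example's own; the registry value is where the "Remove Task Manager" user policy is stored.

```powershell
# Added example: read-only audit, nothing on the machine is modified.
# The "Remove Task Manager" user policy is stored as DisableTaskMgr = 1 under this key.
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-TaskMgrPolicyState {
    # A missing key or value means the policy is not configured for this user.
    $prop    = Get-ItemProperty -Path $PolicyKey -Name DisableTaskMgr -ErrorAction SilentlyContinue
    $enabled = ($null -ne $prop) -and ($prop.DisableTaskMgr -eq 1)

    # IsInRole reflects the current token: with UAC on, a member of
    # Administrators shows False here until the session is elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Only a domain-joined machine can receive the setting from a domain GPO.
    $domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

    # Assessment wording is this example's own, following the thread's reasoning.
    $assessment = if (-not $enabled) {
        'Task Manager is not restricted by policy for this user.'
    } elseif (-not $domainJoined) {
        'Restricted, but the machine is not domain-joined: the setting is local policy only.'
    } elseif ($isAdmin) {
        'Restricted for an administrator on a domain-joined machine; confirm with "gpresult /r /scope:user" that a domain GPO supplies the setting.'
    } else {
        'Restricted for a non-administrative user on a domain-joined machine.'
    }

    [pscustomobject]@{
        User           = $identity.Name
        PolicyEnabled  = $enabled
        IsAdminToken   = $isAdmin
        DomainJoined   = $domainJoined
        Assessment     = $assessment
    }
}

Get-TaskMgrPolicyState | Format-List
```

Run it in the session of the user being checked, since `HKCU:` is that user's own registry hive.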





