Can GUI be read only for "Restricted users"?

Hi Everyone,

I am configuring Firewall and Defense+ for Windows. It is required that restricted users were restricted to “sandbox” of IPs and applications and they could not change the constraints I configure in Comodo to let themselves out to browse all the internet and run games on office computers.

Is it possible to configure Comodo so while running under restricted user account users were restricted from making changes to the Firewall and Defense+ configuration, similar to how native Windows Firewall does it? Because by default it appears to me any interactive user can make configuration changes so my work to limit users becomes pointless. :slight_smile:

you can password all the settings by going to more–settings----parental controls

Great, thanks a lot.

I wonder, can a user (here: Restricted User) without Write permissions for Program Files \ COMODO (which is nicely the case by default) go, say, to Registry, and turn off password protection feature by tweaking some keys?
According to this article it is possible.

I went as a restricted user to HKLM\System\Software\Comodo\Firweall Pro and could change registry values. Is it not a backdoor of some kind?

As far as i remember, and at least under windows xp, booting in safe mode shall still ask for the user’s account.
The administrative account should have a password, and if any undesirable non administrative account, registry access should be blocked for this user.

Now, you won’t help comodo being “cracked” if someone has whatever access to your computer either in gui mode (booting a live cd) unless your system partition has disabled shares, or even in dos mode with no protection whatsoever.

Well, I just tried modifying registry by regedit from restricted user’s account. I was able to turn off password protection in Parent Control without booting in safe mode whatsover. Just launched regedit and removed PasswordEnabled and PasswordHash keys, then rebooted.

Darn. I was hoping Comodo won’t allow to do that.

It appears Comodo allows by default to create new keys or modify existing ones in HKLM\System\Software\Comodo even though it has \Software\Comodo as protected key in the group COMODO Keys.

If I add a more precise key HKLM.… COMODO does not allow me to create new keys, but it won’t prevent me from modifiying the values of old ones.

In other words, Parent Control can be turned off with RegEdit no problem and I can’t protect Parent Control using Protected Registry.

It looks to me like a security hole, pure and simple.

This would be a security hole for every user. I mean, if Comodo does not protect their own registry keys, there is not a self defense module in action.

Bad. But do you mean common users (non admin) could do that?

That’s what I was doing as a restricted user. :frowning:

You didn’t read what i wrote: it for sure won’t work if you don’t deny registry for non administrative users.

Under xp, launch gpedit.msc, go to administration models, system, and registry tools if you want to deny everyone including yourself.

Microsoft has a gui tool to restrict only the local users you define:

So, security hole.

Isn’t it set this way in Windows Vista and 7 ???

Will this allow users to use programs? MS Office, for instance, needs registry access… A lot of programs need it. How does this work?

I am sorry, i don’t know anything about vista and seven, but i am sure that similar tools exist.

There’s a security option for about everything in xp: the modification i stated is made from a gui and is only relative to registry editing, not to registry use by a restricted user.
Of course, if you also want to block some applications for some user, you also can, but it is another gpedit.msc setting and another story.

But does it block regedit.exe or any tool/application that works with the registry (for example, registrar lite)?

I don’t know, i suggest you make the test (i can’t, i have several registry editors, but no restricted account), but i suppose it should work as these registry editors are merely gui interfaces for regedit.
If not, you can deny all of these applications by the same gpedit.msc way.

By the way, the trick for Vista/Seven:
http://www.mydigitallife.info/2008/12/23/how-to-disable-registry-editor-editing-tool-regedit/
BE CAREFUL to “logoff” only the CURRENT USER if you don’t want to lock yourself out of the registry (altough it is reversible e.g. from vbscript, also leading you to forbid vbscripting for restricted users, nothing is perfect…)

Well, the latest idea was:

  • disable regedit.exe (by using Block feature)
  • specify password.

This way, regedit won’t run. And because web access is not alllowed user cannot use other tools to access registry and turn of the password.

Shaky.

Regedit when it runs is affected by Comodo so former cannot create new keys. This is not enough and very weak.

Blocked regedit does not run as a command line tool either, which is good. You can’t import .reg file overwriting PasswordEnabled key.

see the problem you are seeing is two fold. First off password protection is meant for kids and inexperienced users. So, if you install CIS in a corporate environment the password protection is enough because users are not allowed access to regedit. So the system is still protected.

Second it does have self protection from malware and such but not from the user. It allows the user ( explorer.exe) to modify what they want in the registry.

languy,
So, would you say you’d consider the system protected reasonably well in the corporate environment if regedit is blocked and password is turned on or I should also check something else to prevent other possible exploits? My users are very advanced ones. The limited IP access is essential to our business security.

exactly in a corporate environment, if you block access to the critical areas, like cmd, regedit, msconfig, and so on along with a password protection for CIS they will not be able to do anything. How many users are you distributing it too? If it is a fairly high amount and you are the system administrator I suggest you look at comodo endpoint security manager Endpoint Security Solutions | Advanced Endpoint Protection Suite

A driver lock would be good, don’t you think?