Can any script or setting be written (autorun file?) to disable formatting of a USB Flashdrive? (Win XP, via Windows Explorer > Format)
I'm aware of write-protection, but I don't want to completely prevent modifying files, instead something like what a Group Policy setting could do?
Edit: Really what I'm asking for is a registry setting or else that I can modify on USB drive startup to tell Win XP not to format drive X:
Format the things as NTFS. That should give you sufficient security. You need admin rights to the volume to reformat the USB stick. Anyone with those rights can by definition disable any protection you could enable. If you allow Everyone to create and modify files in the root directory and below, users can still write files as demanded.
Registry key 'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD' restricts the formatting and ejecting of external drives (see this helpful Microsoft spreadsheet full of registry keys that the Group Policy editor controls).
Set it to 'Administrators' or another group which you can trust not to go formatting where they shouldn't.
Related
My main problem is I am facing the problem ->
when i am trying to execute my exe file (which i written and compiled in C using GCC). I have found the solution and the solution is to change some of the settings under gpedit.msc
run -> gpedit.msc -> computer configuration -> windows settings -> security settings ->
local policies -> security options
there are multiple files. I just want to edit files whose name starts with "User Account Control: "
Either i want to enable or disable them. How can i do that programatically using cmd/batch script?
till now i have found secdit but that does not edit the values. link -> scroll down little bit and you will find secedit. I also used resource monitor to observe registry changes when i disable something according to this link -> Use Process Monitor to Find Registry Changes. But nothing shows up. Somewhere in the internet i also found that security policies are not always associated with registry values. But i forgot to save the link. I also found this stackoverflow article Modify Local Security Policy using Powershell
. But i can't understand anything as i know nothing about powershell programming and secedit or "how to edit database". Please provide some juicy resources to learn about editing security policies.
For your information i am building my program.exe in my local computer (house pc) and transferring the generated exe in "Amazon EC2 instance". If you say compile the program in "Amazon EC2" RDP i will say that i dont need to do that because my program.exe is running fine in "Amazon EC2" if i disable or enable some of the "User Account Control: " settings
Here is everything I wanted to know -> Registrykey Values Associated with local policies and thanks to -> Grzegorz Ochlik.
When I want to check in my registry for changing keys for bitlocker I don't seem to have this location:
HKLM\Software\Policies\Microsoft\FVE
The FVE map isn't there. So I also can't change these keys with PowerShell.
Its a local computer, not in a domain.
Anyone know how I can solve this?
You need to Edit local group policy. Located here:
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Choose drive encryption method and cipher strength
You will also need to install the MBAM Client in order for that reg hive to appear.
Once you enable the GPO and install the MBAM Client you will be able to change what you want within the registry. However, local group policy works just fine in this case.
I am encountering several situations where, in a Chef recipe with powershell_scipt, a command appears to fail, whereas if I run the same command in powershell outside of Chef, the same command works.
The two in particular are "regedit", which I am trying to use to set a key for app compatibility and the other is "net use z:...." to created a mapped drive. Both of these seem to work fine if I run them in powershell, but if I use them inside a recipe inside powershell_script, they don't appear to do anything.
So I'm wondering is this because Chef runs commands that are inside powershell_script at some lower privilege level?
Also if so, how do I change it so that the regedit and net use would work?
Thanks,
Jim
EDIT 1: This seems to work for adding the registry entry I needed:
registry_key "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags" do
values [{
:name => "{2b9034f3-b661-4d36-a5ef-60ab5a711ace}",
:type => :dword,
:data => 00000004
}]
action :create
end
That prevents the compatability popup that I am getting when we run the Sharepoint installer.
EDIT 2: I hope that this is ok, but for the record and more visibility and hope that I remember this, I found this re. mapping drives in Windows and Chef:
Mount windows shares on a windows node with Chef
and:
https://tickets.opscode.com/browse/CHEF-1267
I haven't tried that yet, but that seems like the answer to my drive mapping need.... hopefully..
The chef client service runs as Local System (SYSTEM) by default.
In Windows, that user has full privileges on the local system, like root basically, but on the network it authenticates as the computer object.
So it you are trying to use regedit to change something in for example HKEY_CURRENT_USER then you need to remember that the code will not see the same "current user" as you will when you run it in interactively. Also, regedit is an .exe; you should really do what you need through the PowerShell providers or .Net objects.
For net use you are trying to map a drive. It's likely that the computer account doesn't have the rights to the share that your user has. Again, net.exe is a separate executable. net use maps a drive to a drive letter (usually) and you shouldn't be doing that in a configuration script, in my opinion. You should access the UNC path directly, but either way I still think that you're probably running into a permissions issue here.
You could change the credentials of the service to use a user account that has all the rights you want, but before doing something like that you should consider changing your workflow to not need that.
Is it posible to read a certificate out from registry without booting windows, if you know login credentials and computer name.
I have writen a little tool which automate copying of data from standard windows user folders like my document.
This tool is then part of live linux distro which we use to copy users data when we making transition from previous to our IT. Only problem is that we can't get certifikates this way and i'd like to solve this, if it's possible.
This program can read from the Windows registry Hives under Linux: http://pogostick.net/~pnh/ntpasswd/ .
I don't know where the certificates are stored or in what format, but they're in the registry somewhere. Check MSDN for information or do a registry diff before and after storing a cert.
Betcha they're DER-encoded binary keys.
How would I set the "overwrite as needed" setting on Event logs other than Application/Security/System? Specifically I'd like to apply this to the Powershell and Windows Powershell Logs, in addition to any other future logs that may be added. This needs to be applied to both server 2003 & 2008.
Wow. I looked around on this and can't find any references to set GPO settings for event logs other than for System, Application, Security. That just seems wrong. You will have to script it for your domain or workgroup or workstation with wevtutil.exe (cmd) or limit-eventlog (powershell). Both utilities have remote connection built in.
wevtutil sl <Log Name> /rt:false
limit-eventlog -Log Name -OverFlowAction OverwriteAsNeeded
I don't believe their is a GPO for this. But most group policies simply modify the registry.
You could create an adm template that modified the settings, or you could simply write a script to adjust the settings.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\PowerShell
If you are not sure how to manually configure the settings, simply adjust the settings in the event log GUI, and set all your other systems to be the same. You may need to restart the system for the changes to go into effect.
Right now you'd need to use SDM Software's GPO cmdlets. That's the only way from within PowerShell to modify the settings within a GPO. But there's no way that I know of to make a change to "any logs which might be added" - I don't think you can modify the system defaults (although I could be wrong - it's not something I've done much).
Computer Configuration-->Windows Settings-->Security Settings-->Event Log