Does the RunOnce key house any items for patches or hotfix..

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

I want to enable the policy "Do not process the run once list" but one of my
co-workers feels that it will stop updates or hotfixes from applying.

To my knowledge the only update that uses the RunOnce key for installing is
when you re-install Internet Explorer and it runs the Internet Connection
Wizard the first time a "new" user launches IE as that is coming from the
.DEFAULT profile.

My ultimate goal is to cut down on spyware infiltration and a lot of our
techs overlook the RunOnce keys in both HKLM and HKCU.

Hopefully this coworker of mine will accept the answers of the forum users
as I really don't think it's worth $300 to call Microsoft and have them tell
me how if you have Windows 2000 Post SP2 that patches all apply synchronously
and don't need reboots to finish their installations. But I doubt this will
be acceptable so I'll probably be calling them anyways.

Thanks for any information in advance.
 

Marco


What about changing the default ACL on the RunOnce key? Just preventing
domain users from writing to that key should be enough as hotfixes require
an administrative account anyway.

cheers,

Marco

--
Free five computers' license for NeoExec for Active Directory
[ www.neovalens.com ]
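
A read-only audit of the two RunOnce keys discussed in this thread, added here as an example and not part of any poster's message: it lists pending entries and flags principals outside a small baseline that hold write access to the key. It assumes a current Windows with PowerShell 5.1 or later (not Windows 2000) and English-language principal names; the function name `Get-RunOnceAudit` and the baseline list are hypothetical.

```powershell
# Added example: list RunOnce entries and who can write to the keys.
# Run elevated so the HKLM ACL can be read in full.
$paths = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Rights that allow adding or changing RunOnce values:
# SetValue, CreateSubKey, ChangePermissions, TakeOwnership, GENERIC_WRITE, GENERIC_ALL
$writeMask = 0x2 -bor 0x4 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000

# Principals expected to hold write access (assumption: adjust to your own baseline).
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

function Get-RunOnceAudit {
    param([string[]]$KeyPath = $paths)
    foreach ($p in $KeyPath) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $key = Get-Item -LiteralPath $p
        # 1. Pending entries: each value is a command line consumed on a later logon or boot.
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key = $p; Kind = 'Entry'; Name = $name
                Detail = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            }
        }
        # 2. Allow ACEs that grant write access to anyone outside the baseline.
        #    On HKCU the logged-on user normally appears here; that is the default.
        foreach ($ace in (Get-Acl -LiteralPath $p).Access) {
            $writes = ([int]$ace.RegistryRights -band $writeMask) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $writes -and
                $expected -notcontains $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Key = $p; Kind = 'WritableBy'; Name = $ace.IdentityReference.Value
                    Detail = $ace.RegistryRights.ToString()
                }
            }
        }
    }
}

Get-RunOnceAudit | Format-Table -AutoSize -Wrap
```

Write access held through BUILTIN\Administrators or SYSTEM is treated as expected, so the ACL part of the report does not cover users who are themselves local admins; the entry listing still shows what is queued in either key.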
 
Guest

I've already tried to do that but the thing is it seems that the trojans we
get are getting in there using the system account, or if the user has
administrative privileges it defeats the ACL I've set, and the majority of our
users are Local Admins because I never have enough time to fix all the
software we have. I wish vendors would make their software use the registry
correctly and even if they have to use HKLM then open up the security on the
keys they create and use.

Thanks for the suggestion though.
 
Guest

Hopefully this reply gets through this time, I keep getting errors.

I've already tried that; the trojans are getting installed via the system
account and the majority of my users are local admins so the ACL is useless
in their case. I haven't tried locking down the SYSTEM account yet because I
don't like taking away the one thing that helps me out of a jam when I lock
myself out with ACLs :)

Thanks for responding.
 
Guest

Stupid newsgroup :p
 

Marco


Hi

I would begin by fixing all the legacy apps and make sure that your users do
not have admin rights to begin with. When they do, any attempt to secure the
desktop is doomed to fail as they can do what they want with it, and they
are all the more vulnerable to malware.

Marco
neovalens.com