Posts Tagged ‘Windows 7’

Preventing Windows 7 users from accessing the internet

Sunday, July 29th, 2012

I was recently asked to help out by implementing a method of preventing users of AD-joined Windows 7 workstations from reaching the internet with any of the installed software.

The problem is that the Help menu of many applications contains a URL that opens in the default browser, so it's clearly not enough to deactivate keyboard shortcuts or to remove desktop shortcuts.

The limitations were:
-Solution must be simple to implement and simple to undo
-I don’t have administrative access to the company firewall
-The users have a generic local profile (as compared to a personal user profile) and no administrative access
-It’s only for a limited time e.g. a couple of hours

I played around with the following ideas and tried to implement them:
-Activating parental controls on Windows 7 via GPO
-Put basically all URLs in the restricted sites zone in the Internet Options via GPO
-Replacing the DNS servers in network settings and implementing a customized hosts file
-Reconfiguring the Windows firewall
-Implementing a third party DNS-blocking tool or proxy server

All of these methods were either difficult to implement (DNS-blocking tool, proxy server), difficult to configure (parental controls, restricted sites zone), left the system in an unworkable state (replacing the DNS servers) or were simply not meant for this purpose (using the Windows firewall to prevent internet access).
For example, after replacing the DHCP-assigned DNS servers with 127.0.0.1 and adding two or three entries to the hosts file, Windows went into a reboot loop at startup, and the computer was no longer reachable from our deployment tool.

In the end, the easiest method was to remove read and execute permissions for users on the installed browsers and similar executables. In our managed environment, that would be Internet Explorer (iexplore.exe), Firefox (firefox.exe) and ftp.exe.

Implemented on the command line, it's quite simple: takeown.exe changes the owner of a file or folder to the current user or, with /A, to the Administrators group, and icacls changes the permissions on a file or folder.

Make Mozilla Firefox a non-executable:

REM # give ownership to the Administrators group
takeown /F "\Program Files\Mozilla Firefox\firefox.exe" /A

REM # add an explicit deny for read and execute for "Users" (an explicit deny entry wins over any allow entry)
icacls "\Program Files\Mozilla Firefox\firefox.exe" /deny "BUILTIN\Users":RX

Make Mozilla Firefox executable again:

REM # grant rights again (/grant adds an allow entry; afterwards run icacls on the file and check that no (DENY) entry for Users is left, since a remaining deny would still win)
icacls "\Program Files\Mozilla Firefox\firefox.exe" /grant "BUILTIN\Users":RX

The same lines can be used for ftp.exe, which lives in the System32 folder. Instead of "\Program Files" (which is relative to the current drive) you can of course also use environment variables such as %ProgramFiles% or %WinDir%\System32. On 64-bit Windows 7, remember that there is a second Internet Explorer under "\Program Files (x86)" and that 32-bit Firefox installs there as well.

This seemed to work with Firefox. With Internet Explorer, there was an additional problem: TrustedInstaller, the NT SERVICE\TrustedInstaller account that owns the files protected by Windows Resource Protection and keeps even administrators from modifying them directly. Or as I came to call it: making life hard for no reason.
If you try to undo the changes with the lines above, all you get is "access denied". You have to take a few extra steps to make Internet Explorer executable again:

REM # remove rights for TrustedInstaller from executable
icacls "\Program Files\Internet Explorer\iexplore.exe" /remove:g "NT Service\TrustedInstaller"

REM # grant rights for users again
icacls "\Program Files\Internet Explorer\iexplore.exe" /grant "BUILTIN\Users":RX

REM # grant rights for TrustedInstaller again
icacls "\Program Files\Internet Explorer\iexplore.exe" /grant "NT Service\TrustedInstaller":F

REM # grant full rights to administrators group
icacls "\Program Files\Internet Explorer\iexplore.exe" /grant "BUILTIN\Administrators":F

REM # set owner to TrustedInstaller again
icacls "\Program Files\Internet Explorer\iexplore.exe" /setowner "NT Service\TrustedInstaller" /C

REM # reset rights of administrators to RX again
icacls "\Program Files\Internet Explorer\iexplore.exe" /grant:r "BUILTIN\Administrators":RX

In our deployment tool, I can simply assign one batch file that makes Firefox, Internet Explorer and ftp.exe non-executable for users and another batch file that returns the system to normal.

I'm not saying this method is fool-proof or perfect. There are certainly ways around it: the ACL only stops these three binaries from being executed and does nothing on the network layer, so any other program that can open a connection (a portable browser copied into a writable folder, for instance) still gets through. But I'm confident it raises the bar high enough to keep users in a managed computer environment off the internet when they have only a short, supervised window.
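The lock/unlock sequence above, wrapped into one PowerShell script as an added example (this is my code, not the author's batch files; the three executable paths, and the rule that only files under \Windows and \Program Files\Internet Explorer get their TrustedInstaller ownership restored, are assumptions). It removes the Users deny entry explicitly with /remove:d before granting, because icacls documents /deny as stripping matching allow permissions but not the reverse, and it reads the DACL back with Get-Acl so a step that failed with "access denied" is visible rather than scrolling past. Run it from an elevated PowerShell prompt:

```powershell
# Added example: lock and unlock browser executables with takeown/icacls.
# Not the author's batch files. Run from an elevated PowerShell prompt
# (PowerShell 2.0 syntax, so it also runs on a stock Windows 7 image).
# Assumptions: the three paths below (on 64-bit Windows add the copies under
# "Program Files (x86)"), and that only Windows-owned files (under \Windows or
# \Program Files\Internet Explorer) need TrustedInstaller restored as owner.

$Targets = @(
    "$env:ProgramFiles\Internet Explorer\iexplore.exe",
    "$env:ProgramFiles\Mozilla Firefox\firefox.exe",
    "$env:WinDir\System32\ftp.exe"
)
$Users            = 'BUILTIN\Users'
$Admins           = 'BUILTIN\Administrators'
$TrustedInstaller = 'NT SERVICE\TrustedInstaller'

function Invoke-Icacls {
    # Runs icacls.exe and throws on a non-zero exit code, so an "access denied"
    # stops the script instead of being ignored like it would be in a batch file.
    param([string[]]$Arguments)
    $output = & icacls.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "icacls $($Arguments -join ' ') failed: $output" }
    $output
}

function Test-ExecutableLocked {
    # True when the file carries an explicit Deny ACE for Users (what the lock adds).
    param([string]$Path)
    $deny = (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq $Users }
    return [bool]$deny
}

function Lock-Executable {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "not found: $Path"; return }
    & takeown.exe /F $Path /A | Out-Null            # owner -> Administrators group
    if ($LASTEXITCODE -ne 0) { throw "takeown failed for $Path" }
    Invoke-Icacls @($Path, '/deny', "${Users}:RX") | Out-Null   # explicit deny wins over any allow
}

function Unlock-Executable {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "not found: $Path"; return }
    # /remove:d drops the deny entry; /grant alone only adds an allow entry next to it.
    Invoke-Icacls @($Path, '/remove:d', $Users) | Out-Null
    Invoke-Icacls @($Path, '/grant', "${Users}:RX") | Out-Null
    if ($Path -like "$env:WinDir\*" -or $Path -like "$env:ProgramFiles\Internet Explorer\*") {
        # Hand the file back to TrustedInstaller the same way the post does for iexplore.exe
        Invoke-Icacls @($Path, '/grant', "${TrustedInstaller}:F") | Out-Null
        Invoke-Icacls @($Path, '/grant', "${Admins}:F") | Out-Null
        Invoke-Icacls @($Path, '/setowner', $TrustedInstaller, '/C') | Out-Null
        Invoke-Icacls @($Path, '/grant:r', "${Admins}:RX") | Out-Null
    }
}

# Usage:  .\Block-Browsers.ps1 lock  |  .\Block-Browsers.ps1 unlock  |  .\Block-Browsers.ps1 (status only)
switch ($args[0]) {
    'lock'   { foreach ($t in $Targets) { Lock-Executable $t } }
    'unlock' { foreach ($t in $Targets) { Unlock-Executable $t } }
}
foreach ($t in $Targets) {
    if (Test-Path -LiteralPath $t) {
        $state = 'allowed'
        if (Test-ExecutableLocked $t) { $state = 'blocked' }
        "{0,-60} {1}" -f $t, $state
    }
}
```

The status line printed at the end is the check worth keeping in the batch version too: a "blocked" after running unlock means a deny entry survived, and the user will still get "access denied" even though the grant succeeded.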

Creating scheduled tasks with schtasks.exe on Windows 7

Tuesday, April 24th, 2012

In Windows 7, it's easy to create scheduled tasks. You can either use Task Scheduler under Programs -> Accessories -> System Tools or schtasks.exe from a cmd prompt. schtasks.exe can be scripted, and most of the options available in Task Scheduler are also available in schtasks.exe.

In my particular case, I wanted a task that runs every day, at a 5-minute interval, from 07:00 to 21:30. Although schtasks.exe provides some examples, I promptly chose the wrong one to edit, and whatever I tried didn't seem to work.

After a lot of fiddling and calling up a good friend’s advice, this command line did the trick (should all be on one line):

schtasks /create /ru "system" /sc daily /tn "your task name" /tr "'%programfiles%\path\to\your\executable.exe'" /st 07:05 /sd 01/01/2012 /du 14:30 /ri 10 /f

What does this do?

Start a cmd as administrator and the above command line will create a task called "your task name".
The task is created and runs:
-in system context (/ru = run as user)
-daily from 07:05 (/sc = schedule type, /st = start time) for a duration of 14 hours 30 minutes (/du), i.e. until 21:35; /sd is the start date, given in the short date format of the system locale (MM/DD/YYYY on an English system)
-at a 10 minute repetition interval (/ri = repetition interval in minutes; use /ri 5 for the five-minute interval I was after)
-using the provided executable (/tr = task run). cmd expands %programfiles% before schtasks sees it, and the single quotes inside the double quotes keep the resulting path, which contains a space, together as one program name
-forcing creation (/f): if a task with the same name already exists, it is overwritten

Where did I go wrong:

The help in schtasks provides some examples. My mistake was the following:
If you choose /sc minute, you're stuck on one particular day because you have to provide /st and /et (end time). The end time always defaults to the given time on the day the task was created, and only that day. E.g. if you create a task running from /st 07:00 to /et 14:00, schtasks.exe translates this to "from 07:00 <today> to 14:00 <today>", runs it on that particular day and then never again.

Notably absent option in schtasks.exe:
In the Task Scheduler GUI, a task can be created/optimized for Vista/W2k8 or Win7/W2k8 R2.
This option changes the version attribute of the Task element from version="1.2" to version="1.3" in the task's XML. schtasks.exe has no switch for it (the only way to control it from the command line is to import a complete definition with schtasks /create /xml), but it doesn't seem to make a difference at all.

HTHS
m.
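As an added example for the schtasks post above (my code, not the author's command line; the task name, the program path and the MM/dd/yyyy date format for /sd are assumptions), here is a PowerShell wrapper that derives /du from a start and end time instead of working it out by hand, creates the task with the same switches as the post, and reads the definition back with schtasks /query /xml so the repetition interval, duration and the version attribute discussed above can be checked rather than guessed:

```powershell
# Added example, not from the post: create a daily task that repeats every N minutes
# inside a time window, then read the stored definition back as XML to verify it.
# Requires an elevated prompt. Task name and program path are placeholders; the
# /sd format is assumed to be MM/dd/yyyy (schtasks follows the system locale).

function Get-WindowDuration {
    # Returns the /du value (HHHH:MM) for a window from $Start to $End on the same day,
    # e.g. 07:05 .. 21:35 -> "14:30", so the end time is not computed by hand.
    param([string]$Start, [string]$End)
    $s = [TimeSpan]::Parse($Start)
    $e = [TimeSpan]::Parse($End)
    if ($e -le $s) { throw "End time $End must be after start time $Start" }
    $d = $e - $s
    return ('{0:00}:{1:00}' -f [int][math]::Floor($d.TotalHours), $d.Minutes)
}

function New-RepeatingDailyTask {
    param(
        [string]$Name,
        [string]$Program,                # full path; may contain spaces (e.g. under Program Files)
        [string]$Start = '07:05',
        [string]$End = '21:35',
        [int]$IntervalMinutes = 10,
        [string]$StartDate = (Get-Date -Format 'MM/dd/yyyy')   # locale-dependent, see above
    )
    $du = Get-WindowDuration $Start $End
    # Single quotes around the path, as in the post, keep a path with spaces together;
    # PowerShell wraps the whole argument in double quotes when it calls schtasks.exe.
    $tr = "'$Program'"
    & schtasks.exe /create /ru SYSTEM /sc daily /tn $Name /tr $tr /st $Start /sd $StartDate /du $du /ri $IntervalMinutes /f
    if ($LASTEXITCODE -ne 0) { throw "schtasks /create failed for '$Name'" }
}

function Get-TaskRepetition {
    # Reads the task back as XML and returns what Task Scheduler actually stored:
    # ISO 8601 durations such as PT10M (interval) and PT14H30M (duration).
    param([string]$Name)
    $raw = & schtasks.exe /query /tn $Name /xml 2>&1
    if ($LASTEXITCODE -ne 0) { throw "schtasks /query failed for '$Name': $raw" }
    [xml]$xml = $raw -join "`n"
    $trigger = $xml.Task.Triggers.CalendarTrigger
    New-Object PSObject -Property @{
        Version  = $xml.Task.version          # "1.2" (Vista) or "1.3" (Win7), the attribute the GUI option changes
        Start    = $trigger.StartBoundary
        Interval = $trigger.Repetition.Interval
        Duration = $trigger.Repetition.Duration
    }
}

# Usage
New-RepeatingDailyTask -Name 'your task name' -Program "$env:ProgramFiles\path\to\your\executable.exe" -IntervalMinutes 5
Get-TaskRepetition -Name 'your task name'
```

If the /sc minute trap from the post bites you, Get-TaskRepetition makes it obvious: a task that will only run once has no Repetition element at all, and its StartBoundary carries today's date.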

Swiss German Keyboard Layout for Japanese IME on Windows 7

Sunday, March 18th, 2012

In Windows 7, there seems to be a bug regarding the keyboard layout in the Japanese IME (probably not the only bug in Windows 7, but hey...). The issue apparently didn't exist in Vista but affects Windows 7 users who use Microsoft IME to input Japanese on non-Japanese Windows 7 PCs.

After adding Japanese input via Control Panel -> Region and Language -> tab "Keyboards and Languages" -> "Change keyboards..." -> tab "General", Japanese input uses a US keyboard layout whenever you type something in Japanese.

Basically, this is not a problem for users with a physical US keyboard, but some people have a non-US layout. Mine is Swiss German, and even though I can use a US layout on a physical Swiss German keyboard without problems, others might not be so lucky.

So, how do you change this keyboard layout setting? An article pointed me in the right direction, but you can't choose keyboard layouts anywhere in the IME settings. There are tons of settings, but nothing to do with keyboards. In this case, you have to change a registry value! The standard warnings on editing the registry apply, so be careful.

Start regedit and navigate to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\i8042prt
Right-click "i8042prt", select "Export" and save the key as i8042prt.reg on your desktop (double-clicking that file later puts the original values back).
Open i8042prt\Parameters and select "LayerDriver JPN" in the right-hand pane. Double-click "LayerDriver JPN" and enter the following value data: KBDSG.dll
Click OK, close regedit and restart your computer. At the next logon, you can input Japanese using Microsoft IME with a Swiss German keyboard layout.

For the curious: KBDSG.dll is located in C:\Windows\System32 – if you look at the properties, it says:
File description: Swiss German Keyboard layout.

I haven't tested this, but I imagine you can actually use any kbd*.dll in System32 as the value of "LayerDriver JPN" if you are unhappy with the standard US layout.

HTHS, cheers!
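As an added example (not from the post): a PowerShell script that lists the kbd*.dll layouts in System32 with their file descriptions, backs up the i8042prt key with reg.exe the way the post does through regedit's Export, and sets "LayerDriver JPN" only if the chosen DLL really exists, so a typo cannot leave the IME pointing at a layout that is not there. KBDSG.dll is the Swiss German layout from the post; any other name is whatever your own System32 contains. Run it elevated and reboot afterwards:

```powershell
# Added example, not part of the post: back up the i8042prt key, check that the
# chosen layout DLL exists, then set "LayerDriver JPN". Run from an elevated
# PowerShell prompt; the change takes effect after a reboot, as in the post.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters'
$ValueName = 'LayerDriver JPN'

function Get-KeyboardLayoutDlls {
    # Lists kbd*.dll in System32 with the FileDescription from their version resource,
    # e.g. KBDSG.dll -> "Swiss German Keyboard layout" (what the post reads off the properties dialog).
    Get-ChildItem -Path "$env:WinDir\System32\kbd*.dll" | ForEach-Object {
        New-Object PSObject -Property @{
            Name        = $_.Name
            Description = $_.VersionInfo.FileDescription
        }
    }
}

function Backup-I8042prtKey {
    # Same backup the post makes with regedit's Export; /y overwrites an older copy.
    param([string]$Destination = "$env:USERPROFILE\Desktop\i8042prt.reg")
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\i8042prt' $Destination /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed" }
    return $Destination
}

function Set-JapaneseImeLayout {
    param([string]$LayoutDll = 'KBDSG.dll')
    $dllPath = Join-Path "$env:WinDir\System32" $LayoutDll
    if (-not (Test-Path -LiteralPath $dllPath)) {
        throw "$LayoutDll not found in System32; pick a name from Get-KeyboardLayoutDlls"
    }
    $backup = Backup-I8042prtKey
    $before = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $LayoutDll -Type String
    $after  = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
    "backup written to $backup"
    "$ValueName`: '$before' -> '$after' (reboot to apply; import the .reg file to revert)"
}

# Usage
Get-KeyboardLayoutDlls | Sort-Object Name | Format-Table -AutoSize
Set-JapaneseImeLayout -LayoutDll 'KBDSG.dll'
```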

UPDATE:

All that glitters is not gold. There's a downside to the method described above. In Japanese texts, the standard brackets are "「" and "」" and guess what? As these characters don't exist on a Swiss German keyboard, you won't be able to type them. Although they have Unicode code points (U+300C and U+300D respectively), entering a code point requires you to press Alt and the + key on the numeric keypad (which you might not have on a laptop), and that only works at all once hex input has been enabled with the EnableHexNumpad value under HKEY_CURRENT_USER\Control Panel\Input Method. Even worse, as long as you only have to enter digits it works, but in most programs Alt+C or Alt+D will trigger some command or open a menu.

An easy workaround is to keep these two characters in a plain text file so you have them at hand when required. But that's not a very technical solution, is it?