Re: Lock down user environment variables on PC



Sure, an application can do whatever it wants with user environment variables. Thing is, when Alice runs an application, it runs in her user context. So there's really no difference between these two functions:

* Alice shelling out to a command prompt and having a holiday with her environment variables
* A program running in the context of Alice and setting/modifying environment variables as necessary

If the program needs to manipulate variables, then Alice will be able to do so as well.

Your situation seems a little odd, though. It's highly unusual for ordinary users to randomly mess around with environment variables -- most people don't even know they exist. Is this really a problem for you? I think some user education will be more effective in your case.

--
Steve Riley
steve.riley@xxxxxxxxxxxxx
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



"hhsu68" <hhsu68@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:CB3DD461-CC35-41E2-9431-7B3E786D74C9@xxxxxxxxxxxxxxxx
Our main concern with the user changing their environment variables on their
own is that they may stop applications from working properly, causing more
work for the IT staff and hurting productivity. But my main concern with
locking down user environment variables on the PC is that it could possibly
cause things to break as well. Are there cases when an application needs to
be able to modify user environment variables in order to function properly? I
would still want to retain the ability of the user to create environment
variables at the session level as one of our applications requires this. Is
this type of control possible/feasible? Would you advise against it? Thanks
for your help.

"Anteaus" wrote:

The environment is stored in a registry key. In principle you could change
the security on this key to only allow changes by an Admin. Alternatively,
you could export the registry key to allow easy repair if it does get altered.

However, as Steve says I don't see this as being a big security issue. If
the user modifies (e.g.) the Path, so what? It doesn't allow them to run
anything they couldn't run by linking directly to the program. The worst they
could do is stop a few things working properly.

"hhsu68" wrote:

> I am trying to lock down the PC desktop environment of my users so only a
> tested and approved suite of tools are available to my users. One of our
> applications uses user environment variables in order to function properly.
> In order to prevent the user from messing around with their PC environment,
> is it possible/feasible to lock down user environment variables so that
> regular users cannot modify them.
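
The export-for-repair approach and the key permissions mentioned in Anteaus's reply, as an added PowerShell example that is not part of any poster's message: it snapshots the per-user environment key, reports drift against a saved baseline, and lists the identities that hold write access. It assumes the per-user variables live under HKCU:\Environment; the baseline file location and the function names are hypothetical.

```powershell
# Added example: baseline and drift check for the per-user environment key.
# Assumptions: variables live under HKCU:\Environment; the baseline path is hypothetical.
$KeyPath      = 'HKCU:\Environment'
$BaselinePath = Join-Path $env:LOCALAPPDATA 'env-baseline.json'

function Get-UserEnvSnapshot {
    $key  = Get-Item -Path $KeyPath
    $opts = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    $snap = @{}
    # Skip the unnamed default value; only named variables are compared.
    foreach ($name in ($key.GetValueNames() | Where-Object { $_ })) {
        # Raw read, so REG_EXPAND_SZ values such as %USERPROFILE%\bin stay unexpanded.
        $snap[$name] = [string]$key.GetValue($name, $null, $opts)
    }
    $snap
}

function Compare-UserEnv {
    param([hashtable]$Baseline, [hashtable]$Current)
    # PowerShell hashtables and Sort-Object are case-insensitive, like variable names.
    $names = @($Baseline.Keys) + @($Current.Keys) | Sort-Object -Unique
    foreach ($n in $names) {
        $state = $null
        if (-not $Baseline.ContainsKey($n))     { $state = 'Added' }
        elseif (-not $Current.ContainsKey($n))  { $state = 'Removed' }
        elseif ($Baseline[$n] -ne $Current[$n]) { $state = 'Changed' }
        if ($state) {
            [pscustomobject]@{ Name = $n; State = $state
                               Baseline = $Baseline[$n]; Current = $Current[$n] }
        }
    }
}

$current = Get-UserEnvSnapshot
if (-not (Test-Path $BaselinePath)) {
    # First run: record the known-good state to repair from later.
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath -Encoding UTF8
    "Baseline written to $BaselinePath"
} else {
    $baseline = @{}
    $saved = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    foreach ($p in $saved.PSObject.Properties) { $baseline[$p.Name] = [string]$p.Value }
    Compare-UserEnv -Baseline $baseline -Current $current | Format-Table -AutoSize
}

# Access entries that allow writing values: what a lock-down of the key would change.
$write = [System.Security.AccessControl.RegistryRights]::SetValue
(Get-Acl -Path $KeyPath).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.RegistryRights -band $write) } |
    Format-Table IdentityReference, RegistryRights, IsInherited -AutoSize
```

Variables created only inside a running process or command prompt are not stored in this key, so they do not appear in the snapshot.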
