Alternative use of file and Registry Permissions

Source: Internet
Author: User
Tags ntfs permissions

In a large network, an administrator may, for security reasons, not want users to change their IP addresses or use dial-up connections at will. At first there seems to be no good way to enforce this. Some time ago, a customer raised exactly this requirement: they did not want users to be able to dial out (the technical department cannot manage the telephone switches). So the problem was thought through, and this is a summary of the result.

The customer uses a Windows 2000 AD structure, and the clients are basically Win2K Pro. The partition types include NTFS and FAT. If they are all NTFS, you can set permissions on certain DLL files. raschap.dll is chosen here; there are other DLLs that work similarly (I am too lazy to list them). Run the following command in a CMD window:
cacls %systemroot%\system32\raschap.dll /e /d everyone

Then restart the machine. All existing dial-up connections are no longer visible, and creating a new connection fails with an error reporting insufficient permissions. If you need dial-up again, change the DLL's permissions back (a restart is required):
cacls %systemroot%\system32\raschap.dll /e /g everyone:r

Because the customer uses AD, the permissions can be set through Group Policy: add the following line to the "File Security" section of your security template file, and then apply the template.
"%systemroot%\system32\raschap.dll",1,"D:PAR(D;OICI;FA;;;WD)"

Of course, a problem arises here: if the disk is FAT or FAT32, NTFS permissions cannot be applied. In that case the only place left to look for a solution is the registry. Open Regedt32 and go to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

Then choose "Security" - "Permissions" from the menu.
Uncheck "Allow inheritance..." and set Everyone to read-only. That is all that is needed.
If you want to apply this through AD, add the following line to the "Registry Keys" section of the Group Policy inf file:
"MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces",0,"D:AR(A;CI;KR;;;WD)"
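
To see exactly what the security-descriptor strings in the two template entries above allow and deny, here is a small decoder, added as an example and not part of the original article. It covers only the SDDL tokens these entries use, expects each ACE in the standard six-field form, and rejects any other field count; the function and constant names are my own.

```python
import re

# Subset of SDDL tokens, enough for the two template entries on this page.
DACL_FLAGS = {"P": "protected", "AR": "auto-inherit requested", "AI": "auto-inherited"}
ACE_TYPES = {"A": "allow", "D": "deny"}
ACE_FLAGS = {"OI": "object inherit", "CI": "container inherit",
             "NP": "no propagate", "IO": "inherit only", "ID": "inherited"}
RIGHTS = {"FA": "file all access", "FR": "file read", "FW": "file write",
          "KA": "key all access", "KR": "key read", "KW": "key write"}
TRUSTEES = {"WD": "Everyone", "BA": "Administrators", "SY": "SYSTEM"}

def split_tokens(text, table):
    """Split a run of concatenated SDDL tokens such as 'OICI' or 'PAR'."""
    out, i = [], 0
    while i < len(text):
        for size in (2, 1):                      # longest match first
            if text[i:i + size] in table:
                out.append(table[text[i:i + size]])
                i += size
                break
        else:
            raise ValueError(f"unknown SDDL token at {text[i:]!r}")
    return out

def parse_dacl(sddl):
    """Decode a DACL-only string 'D:<flags>(ace)...' into (flags, aces)."""
    m = re.fullmatch(r"D:([A-Z]*)((?:\([^()]*\))+)", sddl.replace(" ", ""))
    if not m:
        raise ValueError(f"not a DACL-only SDDL string: {sddl!r}")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        fields = body.split(";")
        if len(fields) != 6:                     # type;flags;rights;guid;guid;sid
            raise ValueError(f"ACE must have 6 fields, got {len(fields)}: {body!r}")
        aces.append({"type": ACE_TYPES[fields[0]],
                     "inherit": split_tokens(fields[1], ACE_FLAGS),
                     "rights": split_tokens(fields[2], RIGHTS),
                     "trustee": TRUSTEES.get(fields[5], fields[5])})
    return split_tokens(m.group(1), DACL_FLAGS), aces

# DACLs from the page's two template entries, ACEs in the full six-field form.
FILE_DACL = "D:PAR(D;OICI;FA;;;WD)"   # raschap.dll
KEY_DACL = "D:AR(A;CI;KR;;;WD)"       # ...\Tcpip\Parameters\Interfaces

if __name__ == "__main__":
    for dacl in (FILE_DACL, KEY_DACL):
        print(dacl, "->", parse_dacl(dacl))
```

The decoded output shows that the file entry carries the P (protected) flag while the registry entry does not, whereas the manual Regedt32 steps clear the inheritance checkbox.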

After the registry permission is set, the system can no longer obtain an IP address from the DHCP server, and the IP address cannot be modified on the machine either. Many other network-related changes will also fail. Of course, if DHCP is used in your company, problems will occur...

In fact, the two methods I mentioned today are just a couple of alternative approaches. There are many others, and as long as you are willing to think and experiment, you can find them yourself. Maybe you think that a user can modify these permissions to bypass the restrictions. But think about it: if you do not tell users how to modify them, and you find more DLL files and more registry keys yourself, users will not know where to start. What do you say?

It is better to teach people to fish than to give them fish...
