Disable Administrative Components

Disable Control panel items, Administrative Tools, and PowerShell

Various control panels, administrative tools, and server settings should be disabled for standard user access if otherwise not required by organization. To disable control panel items, the following policies can be carried out from the Group Policy Microsoft Management Console (MMC): User Configuration\Administrative Templates\Control Panel

Disable Registry Modification

For added security, users should be restricted to not make any registry modifications: User Configuration\Policies\Administrative Templates\System

Windows Updates and Installer

These policy setting prevents users from using Windows Installer to install patches and disables Windows update and shutdown notifications. This can be carried out from the Group Policy Microsoft Management Console (MMC):

• Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Installer

• Computer Configuration\Administrative Templates\Windows Components\Windows Update

Control Panel

The following Control Panel items may be removed from the list of items available for standard user access:

• Microsoft.AdministrativeTools

• Microsoft.AutoPlay

• Microsoft.ActionCenter

• Microsoft.ColorManagement

• Microsoft.DefaultPrograms

• Microsoft.DeviceManager

• Microsoft.EaseOfAccessCenter

• Microsoft.FolderOptions

• Microsoft.iSCSIInitiator

• Microsoft.NetworkAndSharingCenter

• Microsoft.NotificationAreaIcons

• Microsoft.PhoneAndModem

• Microsoft.PowerOptions

• Microsoft.ProgramsAndFeatures

• Microsoft.System

• Microsoft.TextToSpeech

• Microsoft.UserAccounts

• Microsoft.WindowsFirewall

• Microsoft.WindowsUpdate

• Microsoft.DateAndTime

• Microsoft.RegionAndLanguage

• Microsoft.RemoteAppAndDesktopConnections

• Install Application On Remote Desktop Server

• Java

• Flash Player

Administrative Tools and PowerShell

• Navigate to Computer Configuration > Policies > Windows Settings > Security Settings.

• Right click on File System, choose Add File.

• In the Add a file or folder window, put %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Administrative Tools in the Folder field and click OK.

• On the next window Database Security for%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Server Manager.lnk remove Users and check that Administrators have Full Access

• On the Add Object window choose Configure this file or folder then Propagate inheritable permissions to all subfolders and files. Click OK.

• Do the same for PowerShell shortcut (+ delete Creator Owner in database security): %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\System Tools\Windows PowerShell.lnk

• Do the same for Server Manager shortcut: %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Server Manager.lnk