Using Group Policy to lock down the Control Panel

Preventing unauthorized changes to Windows systems is a basic security precaution. Group Policy settings can keep users from messing with the Control Panel.

Several years ago, I worked as a help desk technician at a large enterprise. During my time there, I found that many of the calls the help desk received involved users making unauthorized changes to their machines.


Windows is a lot more secure today than it was back then. If a user tries to change anything other than the printer, screensaver, etc. in the Control Panel, the User Account Control feature prevents the change -- unless an administrative password is provided.

But while User Account Control is helpful, it shouldn't be your only line of defense against unauthorized configuration changes. The Control Panel should also be locked down with Group Policy settings. After all, you never know when a user may have inadvertently been assigned the necessary permissions to make a change. In addition, restricting Control Panel access sends a very clear message that you do not want users making changes to the system.

Figure 1: Local Group Policy Editor

To get started, open the Group Policy Editor and navigate to User Configuration | Administrative Templates | Control Panel, shown in Figure 1.

Enable the Hide Specified Control Panel Items setting. However, simply enabling this setting isn't enough -- you must also select which Control Panel applets to block.

Figure 2 shows the Hide Specified Control Panel Items dialog box. Once you enable this Group Policy setting, click Show. This will take you to a blank list. Type the names of the Control Panel applets you want to block.

Figure 2: Hide Specified Control Panel Items dialog box

The applets you need to lock down depend on which Windows version your desktops are running. In Windows 7, you can use friendly names such as "Microsoft.System" or "Microsoft.Mouse." Microsoft refers to these as "canonical names." A complete list of the canonical names for Control Panel items is available on the Microsoft Developer Network (MSDN).

If you're running Vista or an earlier version of Windows, then you must specify the name of the file that launches the applet. For example, to prevent the user from making changes to the clock, enter "datetime.cpl". However, a single CPL file can be linked to multiple functions in Windows Vista and Windows 7, so providing just the file name may not give you the right result. In this case, you have to reference both the CPL file and the individual module within it. For example, suppose you want to prevent the user from making changes to the Personalization applet. Since you can't address this applet directly, you have to enter it as "@themecpl.dll,-1".
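The policy configured through the dialog above is stored as a small set of registry values under the user's Policies key, which makes the result easy to apply and, more importantly, to audit from a script. The following PowerShell is an added example, not code from the article: it writes the same values the Hide Specified Control Panel Items policy produces on the local machine and reads them back so you can confirm which applets are actually hidden. The registry key and value names are the ones the policy's administrative template uses; the applet list is a constructed sample that mixes the naming styles described above.

```powershell
# Added example (not from the article): sets and audits the registry values behind the
# "Hide specified Control Panel items" policy for the current user. The key and value
# names are those written by the policy's ADMX template; the applet list is a sample.
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ListKey   = Join-Path $PolicyKey 'DisallowCpl'

function Set-ControlPanelBlocklist {
    param(
        [Parameter(Mandatory)]
        [string[]]$Applets   # canonical names (Windows 7+) or .cpl / @dll,-id references
    )
    # DisallowCpl = 1 turns the policy on; the DisallowCpl subkey holds the list,
    # one REG_SZ value per applet, named "1", "2", ... in order.
    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name 'DisallowCpl' -Value 1 -Type DWord

    # Rebuild the list from scratch so entries from an earlier run do not linger.
    if (Test-Path $ListKey) { Remove-Item -Path $ListKey -Recurse -Force }
    New-Item -Path $ListKey -Force | Out-Null

    $i = 1
    foreach ($applet in $Applets) {
        Set-ItemProperty -Path $ListKey -Name ([string]$i) -Value $applet -Type String
        $i++
    }
}

function Get-ControlPanelBlocklist {
    # Reports whether the policy is enabled and which applets it hides, so the
    # setting can be verified from a script rather than by opening the Control Panel.
    $enabled = $false
    if (Test-Path $PolicyKey) {
        $v = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).DisallowCpl
        $enabled = ($v -eq 1)
    }
    $applets = @()
    if (Test-Path $ListKey) {
        $props = Get-ItemProperty -Path $ListKey
        $applets = @($props.PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            Sort-Object { [int]$_.Name } |
            ForEach-Object { $_.Value })
    }
    [pscustomobject]@{ Enabled = $enabled; HiddenApplets = $applets }
}

# Sample blocklist (constructed for this example) using the naming styles the article describes.
$blocklist = @(
    'Microsoft.System',     # Windows 7 canonical name
    'Microsoft.Mouse',
    'datetime.cpl',         # legacy .cpl file name (Vista and earlier)
    '@themecpl.dll,-1'      # resource reference for an applet with no direct name
)

Set-ControlPanelBlocklist -Applets $blocklist
Get-ControlPanelBlocklist | Format-List
```

Explorer reads these values when the user signs in, so sign out and back in (or run gpupdate /force if the setting came from a GPO) before checking the Control Panel. Writing the registry directly is useful for verifying what the policy does on a test machine; in a domain, set it in a GPO so that it is enforced and refreshed centrally, and use Get-ControlPanelBlocklist on a client to confirm the policy actually arrived.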

This is a bit cryptic, and Microsoft doesn't appear to always follow the same naming conventions. Check out this MSDN article to figure out which names to use.

Locking down the Control Panel is just one more thing you can do to make your desktop systems a little more secure. Doing so may also improve productivity for some users, since they won't be wasting time experimenting with the Control Panel.

Brien M. Posey, MCSE, has received Microsoft's Most Valuable Professional Award four times for his work with Windows Server, IIS and Exchange Server. He has served as CIO at a nationwide chain of hospitals and health care facilities and was once a network administrator for Fort Knox. You can visit his personal website at www.brienposey.com.
