Is it possible to self-regulate using OpenDNS?


  1. Posts : 42
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #1


    Is it possible to self-regulate internet access using OpenDNS when I'm the sole user of my computer, and would therefore need admin access, and would therefore have access to the DNS settings (defeating the purpose of self-regulation)? I've read in other threads here that it's not possible to restrict certain permissions for anyone with admin status, but could I maybe operate a standard user account? Could I give enough permissions to a standard user account to make it "workable" as a quasi-admin account, while being disallowed to change DNS settings?

    It sounds oxymoronic, but thought I would ask.

    Thanks,
    M33


  2. Posts : 721
    Windows 10, Windows 8.1 Pro, Windows 7 Professional, OS X El Capitan
       #2

    Hey M33,

    Michael33 said:
    Could I give enough permissions to a standard user account to make it "workable" as a quasi-admin account, while being disallowed to change DNS settings?
    No. What you want to do instead is edit the access permissions of the registry key that holds all the DNS settings so that no user can change them.

    Which settings in particular are you wanting to lock?


  3. Posts : 42
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
    Thread Starter
       #3

    Pyprohly said:

    No. What you want to do instead is edit the access permissions of the registry key that holds all the DNS settings so that no user can change them.

    But as an admin I would still have access/control to/of the registry, which would defeat self-regulation (I could change them back in a moment of weakness). I would either have to enable more permissions for a standard user account for me to use so that I could download/delete programs, etc (if possible), to make life less annoying as a standard user, and then password-protect the admin account (with a password unremembered but accessible) so that I didn't have access to edit the DNS settings...

    OR

    Possibly utilize the hidden admin? Does the hidden admin have higher level privileges than a regular admin? Can I use the hidden admin to edit the registry, as you mentioned, and then password-protect the hidden admin so a "regular" admin can't access the changes? Or do all admins have access to everything?


  4. Posts : 2,497
    Windows 7 Pro 64 bit
       #4

    All admin accounts have the same rights and privileges as the built in admin account. The only difference is that it is not subject to UAC. Any restrictions you might impose can be just as easily removed. Also be aware that any admin account can change the password of the built in admin account.


  5. Posts : 721
    Windows 10, Windows 8.1 Pro, Windows 7 Professional, OS X El Capitan
       #5

    Michael33 said:
    But as an admin I would still have access/control to/of the registry, which would defeat self-regulation (I could change them back in a moment of weakness).
    Yes, while you will be able to take access back, believe me, you will not know how to, never in a "moment" at least. Having the ability of control is one thing. Knowing how to take control is another.

    Michael33 said:
    I would either have to enable more permissions for a standard user account for me to use so that I could download/delete programs, etc (if possible), to make life less annoying as a standard user, and then password-protect the admin account (with a password unremembered but accessible) so that I didn't have access to edit the DNS settings...
    To help you stay sane, we will not let you lock yourself out of an administrator account. Using a standard account, exclusively, will perpetually prevent you from installing programs and there's no method to evade that design as far as I know. Take this route and "life" will be annoying.

    You suggest that all admin accounts have complete unrestricted access to everything. This is untrue. It's all just default Windows settings. You may go the extra step and strip and suppress all admin accounts of their power, however you may not give that power to standard accounts.

    Privileges can be taken away from administrator accounts, but privileges cannot be given to standard accounts.

    All administrator accounts have equal power. With the built-in Administrator account, all processes run at highest integrity (without UAC prompting, as LMiller7 points out). That's the only observable difference, along with the account being undeletable.

    Michael33 said:
    Can I use the hidden admin to edit the registry, as you mentioned, and then password-protect the hidden admin so a "regular" admin can't access the changes?
    It doesn't work like that.

    Any account can deny any account. You do not have to be in a specific account to restrict a specific account. All can be done from one account.

    Michael33 said:
    Or do all admins have access to everything?
    No one has access to everything.


    Anything you do is a decision on you, but restricting yourself to a standard user is a definite no-go.


    ... Now, which settings in particular are you wanting to lock, Michael?


  6. Posts : 2,471
    Windows 7 Ultimate x64
       #6

    In theory you could change permissions so that standards could write in system areas, but doing so sort-of defeats the purpose of the standard account. Even then, UAC popups can only be satisfied by admin credentials, even if the elevated program uses nothing that really requires an admin account.

    Most things can be safely done by using standard accounts. Installing programs can partially be replaced with the so-called "portables" to a certain degree.
    The real deal-breaker is the real necessity of an administrator. At some point administrator access is required (more than simply changing DNSs) and you have to have access to such an account from time to time as you suggest. I would try to use the good old method. Find someone else to trust with the admin credential, without telling you, then, when it's really needed, ask him to write it in the UAC box.


    Pyprohly said:
    You suggest that all admin accounts have complete unrestricted access to everything. This is untrue. It's all just default Windows settings. You may go the extra step and strip and suppress all admin accounts of their power, however you may not give that power to standard accounts.
    This is incorrect. The whole purpose of the existence of the administrators group is to make them "all-powerful" in that they can do anything to the system. There is nothing with more privileges than them, save the kernel itself and drivers.
    Restrictions can be placed upon admins, but an admin will always have the power to undo those changes, which makes the whole thing more annoying, but ultimately possible.
    Could you show what method you are proposing for this?


  7. Posts : 42
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
    Thread Starter
       #7

    It seems a couple of you are suggesting I can restrict certain admin permissions. Like DNS address-setting permissions? Please be specific.

    Pyprohly - which settings am I wanting to lock? You mean other than the DNS address permissions? None. Those are the ones I want to lock.


  8. Posts : 42
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
    Thread Starter
       #8

    Alejandro85 said:
    In theory you could change permissions so that standards could write in system areas, but doing so sort-of defeats the purpose of the standard account.....Most things can be safely done by using standard accounts. Installing programs can partially be replaced with the so-called "portables" to a certain degree.

    I don't know what "portables" are. Please explain.


  9. Posts : 2,471
    Windows 7 Ultimate x64
       #9

    Michael33 said:
    I don't know what "portables" are. Please explain.
    Portables are programs that run without any kind of formal installation procedure, by just copying the files over to some location and running directly from there. They just store everything they need within that folder and don't touch anything outside it. As they don't touch system areas at all, there is no need of admin permissions to install them at all.

    Most programs distribute an installer instead, which needs admin permission to run, because they write to key system areas (program files folders and some might dump a registry entry). After that initial installation they run without being admin at all.

    Look at Wikipedia for example for more details: https://en.wikipedia.org/wiki/Portable_application


  10. Posts : 721
    Windows 10, Windows 8.1 Pro, Windows 7 Professional, OS X El Capitan
       #10

    Alejandro85 said:
    Pyprohly said:
    You suggest that all admin accounts have complete unrestricted access to everything. This is untrue. It's all just default Windows settings. You may go the extra step and strip and suppress all admin accounts of their power, however you may not give that power to standard accounts.
    This is incorrect. The whole purpose of the existence of the administrators group is to make them "all-powerful" in that they can do anything to the system. There is nothing with more privileges than them, save the kernel itself and drivers.
    Restrictions can be placed upon admins, but an admin will always have the power to undo those changes, which makes the whole thing more annoying, but ultimately possible.
    Could you show what method you are proposing for this?
    Okay, it probably was a stretch saying that all administrator accounts do not have complete unrestricted access to everything. I've emphasised my point a little far. Administrators are 'all-powerful' in that they do have the ability to make any change to the system they wish, you are right. And I would like to highlight that point you make about restrictions on admins,

    Alejandro85 said:
    Restrictions can be placed upon admins, but an admin will always have the power to undo those changes
    This is exactly the point I would have liked to convey instead. Privileges can be taken away and restrictions can be placed on Administrators, but they will always have the power to regain those privileges or un-restrict themselves (despite any amount of restrictions they have, or privileges they don't), though it can become difficult to do so, to the point where 'all-powerful' becomes questionable.

    For instance, no administrator can just jump into System32 and massacre every file immediately. They'd have to first grant themselves the correct permissions. In order to do that they must first take ownership of all the files--which any administrator can do at any time--no matter how badly denied they are to those files. The fact that any administrator can take ownership at will is due to a Windows setting allowing them to do so, by default. Using Group Policy, this privilege can be taken away from them, making it harder to touch those files in System32. Group Policy can then be restricted by setting one registry value in Regedit, then Regedit can be blocked by using the Command Prompt to make registry changes instead. And one could even block the Command Prompt by using the Command Prompt itself, after blocking PowerShell of course. (You'd still be able to run commands, but) here would sort of be the 'furthest possible point' away from ever being able to, well, delete all those System32 files. Anyone at this point who could use an administrator account to delete every last file in System32 really deserves a cookie. If you could cheat a bit by booting into another OS to delete that command that edits registry keys (namely Reg.exe), then you'd truly have administrator accounts without their 'all-powerful'-ness, being restricted to at least something, that something being able to delete System32.

    It's a real stretch but at this point, using an administrator account on its own could not undo those steps.



    Michael33 said:
    Pyprohly - which settings am I wanting to lock? You mean other than the DNS address permissions? None. Those are the ones I want to lock.
    Alright then. I'm going to assume you are referring to all the settings shown in the image of step 7 in this tutorial.

    I've attached two batch files to this post. One of them will lock the DNS settings, the other will unlock them. Both batch files require the SubInACL command which you can get from here.

    To use the batch files I've attached:
    1. download and install the SubInACL.msi package at that link above,
    2. take just the SubInACL.exe command from the location you've installed it to,
    3. uninstall the SubInACL package,
    4. download one of the batch files in this post,
    5. place that batch file in the same folder as the SubInACL.exe command,
    6. run the batch file, then delete both the batch file and the SubInACL.exe command.

    Yes, to promote your self-regulation, M33, these steps are purposely lengthy. Oh, and the commands that the batch files execute are mostly encoded, so you'll not know what registry keys are being edited in order to lock the DNS settings.

    Whenever you need to unlock the DNS settings, all you have to do is locate this thread and follow those steps.



    Edit: faulty scripts removed.
    Last edited by Pyprohly; 24 Aug 2015 at 08:49. Reason: Removed script files
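
An added example, not part of the thread and not a reconstruction of the removed batch files: a read-only PowerShell audit that lists, for each network interface, which accounts can still change the DNS values or undo a permission lock. It assumes the per-adapter DNS servers are stored as the `NameServer` value under the standard `Tcpip\Parameters\Interfaces` key, which the thread itself never names.

```powershell
# Assumption: per-adapter DNS servers live here (value name: NameServer).
$root = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

# Rights that allow changing the values, or removing a lock placed on the key.
$mask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

$report = foreach ($key in Get-ChildItem -Path $root) {
    $acl   = Get-Acl -Path $key.PSPath
    $props = Get-ItemProperty -Path $key.PSPath

    foreach ($ace in $acl.Access) {
        # Keep only the bits of this ACE that overlap the sensitive rights.
        $hit = [int]$ace.RegistryRights -band $mask
        if ($hit -ne 0) {
            New-Object PSObject -Property @{
                Interface  = $key.PSChildName
                NameServer = $props.NameServer
                Owner      = $acl.Owner               # the owner can always rewrite the ACL
                Identity   = $ace.IdentityReference
                Type       = $ace.AccessControlType   # Allow or Deny
                Rights     = [System.Security.AccessControl.RegistryRights]$hit
                Inherited  = $ace.IsInherited
            }
        }
    }
}

$report |
    Sort-Object Interface, Type |
    Format-Table Interface, NameServer, Owner, Identity, Type, Rights, Inherited -AutoSize
```

A lock of the kind discussed above shows up as `Deny` rows for `SetValue`; any `Allow` row that still carries `ChangePermissions` or `TakeOwnership`, or an owner in the Administrators group, marks an account that can reverse it.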


 