Is it possible to self-regulate using OpenDNS?

[Michael33]

Is it possible to self-regulate internet access using OpenDNS when I'm the sole user of my computer, and would therefore need admin access, and would therefore have access to the DNS settings (defeating the purpose of self-regulation)? I've read in other threads here that it's not possible to restrict certain permissions for anyone with admin status, but could I maybe operate a standard user account? Could I give enough permissions to a standard user account to make it "workable" as a quasi-admin account, while being disallowed to change DNS settings?

It sounds oxymoronic, but thought I would ask.

Thanks,
M33

 

[Pyprohly]

Hey M33,

Could I give enough permissions to a standard user account to make it "workable" as a quasi-admin account, while being disallowed to change DNS settings?

No. What you want to do instead is edit the access permissions of the registry key that holds all the DNS settings so that no user can change them.

Which settings in particular are you wanting to lock?

 

[Michael33]

No. What you want to do instead is edit the access permissions of the registry key that holds all the DNS settings so that no user can change them.

But as an admin I would still have access/control to/of the registry, which would defeat self-regulation (I could change them back in a moment of weakness). I would either have to enable more permissions for a standard user account for me to use so that I could download/delete programs, etc (if possible), to make life less annoying as a standard user, and then password-protect the admin account (with a password unremembered but accessible) so that I didn't have access to edit the DNS settings...

OR

Possibly utilize the hidden admin? Does the hidden admin have higher level privileges than a regular admin? Can I use the hidden admin to edit the registry, as you mentioned, and then password-protect the hidden admin so a "regular" admin can't access the changes? Or do all admins have access to everything?

 

[LMiller7]

All admin accounts have the same rights and privileges as the built in admin account. The only difference is that it is not subject to UAC. Any restrictions you might impose can be just as easily removed. Also be aware that any admin account can change the password of the built in admin account.

 

[Pyprohly]

But as an admin I would still have access/control to/of the registry, which would defeat self-regulation (I could change them back in a moment of weakness).

Yes, while you will be able to take access back, believe me, you will not know how to, never in a "moment" at least. Having the ability of control is one thing. Knowing how to take control is another.

I would either have to enable more permissions for a standard user account for me to use so that I could download/delete programs, etc (if possible), to make life less annoying as a standard user, and then password-protect the admin account (with a password unremembered but accessible) so that I didn't have access to edit the DNS settings...

To help you stay sane, we will not let you lock yourself out of an administrator account. Using a standard account, exclusively, will perpetually prevent you from installing programs and there's no method to evade that design as far as I know. Take this route and "life" will be annoying.

You suggest that all admin accounts have complete unrestricted access to everything. This is untrue. It's all just default Windows settings. You may go the extra step and strip and suppress all admin accounts of their power, however you may not give that power to standard accounts.

Privileges can be taken away from administrator accounts, but privileges cannot be given to standard accounts.

All administrator accounts have equal power. With the built-in Administrator account, all processes run at highest integrity (without UAC prompting, as LMiller7 points out). That's the only observable difference, along with the account being undeletable.

Can I use the hidden admin to edit the registry, as you mentioned, and then password-protect the hidden admin so a "regular" admin can't access the changes?

It doesn't work like that.

Any account can deny any account. You do not have to be in a specific account to restrict a specific account. All can be done from one account.

Or do all admins have access to everything?

No one has access to everything.


Anything you do is a decision on you, but restricting yourself to a standard user is a definite no-go.


... Now, which settings in particular are wanting to lock, Michael?

 

[Alejandro85]

In theory you could change permissions so that standards could write in system areas, but doing so sort-of defeats the purpose of the standard account. Even then, UAC popups can only be satisfied by admin credentials, even if the elevated program uses nothing that really requires an admin account.

Most things can be safely done by using standard accounts. Installing programs can partially be replaced with the so-called "portables" to a certain degree.
The real deal-breaker is the real necessity of an administrator. At some point administrator access is required (more than simply changing DNSs) and you have to have access to such an account from time to time as you suggest. I would try to use the good old method. Find someone else who to trust the admin credential, without telling you, then, when it's really needed ask him to write it in the UAC box

You suggest that all admin accounts have complete unrestricted access to everything. This is untrue. It's all just default Windows settings. You may go the extra step and strip and suppress all admin accounts of their power, however you may not give that power to standard accounts.

This is incorrect. The whole purpose of the existence of the administrators group is to make them "all-powerful" in that they can do anything to the system. As there is no nothing with more privileges than them, save the kernel itself and drivers.
Restrictions can be placed upon admins, but an admin will always have the power to undo those changes, which makes the whole thing more annoying, but ultimately possible.
Could you show what method are you proposing for this?

 

[Michael33]

It seems a couple of you are suggesting I can restrict certain admin permissions. Like DNS address-setting permissions? Please be specific.

Pyprohly - which settings am I wanting to lock? You mean other than the DNS address permissions? None. Those are the ones I want to lock.

 

[Michael33]

In theory you could change permissions so that standards could write in system areas, but doing so sort-of defeats the purpose of the standard account.....Most things can be safely done by using standard accounts. Installing programs can partially be replaced with the so-called "portables" to a certain degree.

I don't know what "portables" are. Please explain.

 

[Alejandro85]

I don't know what "portables" are. Please explain.

Portables are programs that run without any kind of formal installation procedure, by just copying the files over to some location and running directly from there. They just store everything they need within that folder and don't touch anything outside it. As they don't touch system areas at all, there is no need of admin permissions to install them at all.

Most programs distribute an installer instead, which needs admin permission to run, due to they writing to key system areas (program files folders and some might dump a registry entry). After that initial installation they run without being admin at all.

Look at wikipedia for example for more details: https://en.wikipedia.org/wiki/Portable_application

 

[Pyprohly]

You suggest that all admin accounts have complete unrestricted access to everything. This is untrue. It's all just default Windows settings. You may go the extra step and strip and suppress all admin accounts of their power, however you may not give that power to standard accounts.

This is incorrect. The whole purpose of the existence of the administrators group is to make them "all-powerful" in that they can do anything to the system. As there is no nothing with more privileges than them, save the kernel itself and drivers.
Restrictions can be placed upon admins, but an admin will always have the power to undo those changes, which makes the whole thing more annoying, but ultimately possible.
Could you show what method are you proposing for this?

Okay, it probably was a stretch saying that all administrator accounts do not have complete unrestricted access to everything. I've emphasised my point a little far. Administrators are 'all-powerful' in that they do have the ability to make any change to the system they wish, you are right. And I would like to highlight that point you make about restrictions on admins,

Restrictions can be placed upon admins, but an admin will always have the power to undo those changes

This is exactly the point I would have liked to convey instead. Privileges can be taken away and restrictions can be placed on Administrators, but they will always have the power to regain those privileges or un-restrict themselves (despite any amount of restrictions they have, or privileges they don't), though it can become difficult to do so, to the point where 'all-powerful' becomes questionable.

For instance, no administrator can just jump into System32 and massacre every file immediately. They'd have to first grant themselves the correct permissions. In order to do that they must first take ownership of all the files--which any administrator can do at any time--no matter how badly denied they are to those files. The fact that any administrator can take ownership at will is due to a Windows setting allowing them to do so, by default. Using Group Policy, this privilege can be taken away from them, making it harder to touch those files in System32. Then Group Policy can then be restricted by setting one registry value in Regedit, then Regedit can be blocked by using the Command Prompt to make registry changes instead. And one could even block the Command Prompt by using the Command Prompt itself, after blocking PowerShell of course. (You'd still be able to run commands, but) here would sort of be the 'furthest possible point' away from ever being able to, well, delete all those System32 files. Anyone at this point who could use an administrator account to delete every last file in System32 really deserves a cookie. If you could cheat a bit by booting into another OS to delete that command that edits registry keys (namely Reg.exe), then you'd truly have administrator accounts without their 'all-powerful'-ness, being restricted to at least something, that something being able to delete System32.

It's a real stretch but at this point, using an administrator account on its own could not undo those steps.

Pyprohly - which settings am I wanting to lock? You mean other than the DNS address permissions? None. Those are the ones I want to lock.

Alright then. I'm going to assume you are referring to all the settings shown in the image of step 7 in this tutorial.

I've attached two batch files to this post. One of them will lock the DNS settings, other will unlock them. Both batch files require the SubInACL command which you can get from here.

To use the batch files I've attached:
1. download and install the SubInACL.msi package at that link above,
2. take just the SubInACL.exe command from the location you've installed it to,
3. uninstall the SubInACL package,
4. download one of the batch files in this post,
5. place that batch file in the same folder as the SubInACL.exe command,
6. run the batch file, then delete both the batch file and the SubInACL.exe command.

Yes, to promote your self-regulation, M33, these steps are purposely lengthy. Oh, and the commands that the batch files execute are mostly encoded, so you'll not know what registry keys are being edited in order to lock the DNS settings.

When ever you need to unlock the DNS settings, all you have to do is locate this thread and follow those steps.



Edit: faulty scripts removed.

 

[Michael33]

OK, thanks Pyprohly. I'll give that a try.

 

[Michael33]

Pyprohly - acc. to the system requirements section of the SubInAcl page, it is not compatible with Windows 7. Is there a way around this?

 

[Pyprohly]

It is compatible. If it works on my Windows 8.1, it'll work on your Window 7.

 

[Michael33]

To use the batch files I've attached:
1. download and install the SubInACL.msi package at that link above,
2. take just the SubInACL.exe command from the location you've installed it to,
3. uninstall the SubInACL package,
4. download one of the batch files in this post,
5. place that batch file in the same folder as the SubInACL.exe command,
6. run the batch file, then delete both the batch file and the SubInACL.exe command.

I went through the steps as instructed, but when I ran the batch file it said it couldn't find the .exe (yes, it was in the same folder as the .bat). Uninstalled the whole thing and retried the process. This time I used a different folder for both (keeping them together though) with the same result. Any suggestions?

 

[Pyprohly]

Oops, yes, the scripts aren't looking in the Current Directory for SubInACL.exe. I've updated them now.

 

[Layback Bear]

I'm surly no expert on this type of matter but I do have a thought.

If for what ever reason one doesn't want them selves to have permission to do something with their computer (self regulate) it's not a computer problem. It's a people problem.

Give someone else admin permission and then remove the person wanting to regulate their use of the system admin permission.

Now the new and only administrator can set up a new account (non administrator) and set the security and permissions to keep the person who wants to be self regulated out of what ever they want to be kept out of.

Self regulation is exactly that. Computers do not do self regulation. People do self regulations.

 

[Michael33]

Pyprohly - unfortunately the lock batch file locked me out of my internet access. I don't mean it didn't let me change DNS settings, I mean it disabled internet access altogether. Also unfortunate was the fact I didn't download the unlock file first; therefore I couldn't get back here to download it; therefore I had to go back to a restore point to regain internet access.

It looks like I'm just going to have to use a standard account and password-protect my admins. It seems to be the only way to do this, notwithstanding it's inconvenience. Thanks anyway.

 

[Pyprohly]

Ouch.

I managed to locate the registry key that stored the DNS settings, I didn't know which specific values contained them though. The problem is that I don't have a DNS configuration on hand to test with: my internet access would be zero given the random IPs I would input for my DNS settings. I didn't know if the solution worked, all I knew was the DNS settings couldn't be changed.

I should have at least checked my understanding with the web before creating a solution. The theory is always harder than the prac. At least I know how to completely disable internet access now .

Apologies. If I do get the time to research all there is to know about DNSs I'll try to fix the issue. Password protecting your admin accounts would be easiest way for you at this time, despite inconveniences it may bring.

 

[Michael33]

Ouch.

I managed to locate the registry key that stored the DNS settings, I didn't know which specific values contained them though. The problem is that I don't have a DNS configuration on hand to test with: my internet access would be zero given the random IPs I would input for my DNS settings. I didn't know if the solution worked, all I knew was the DNS settings couldn't be changed.

I should have at least checked my understanding with the web before creating a solution. The theory is always harder than the prac. At least I know how to completely disable internet access now .

Apologies. If I do get the time to research all there is to know about DNSs I'll try to fix the issue. Password protecting your admin accounts would be easiest way for you at this time, despite inconveniences it may bring.

Thanks for trying - and for the apology