
Please help me undo my IT dept's insane regedits/changes


Marty1781


Hello all,

I have been having a horrible time trying to undo what must seem like a thousand regedits my IT department did to my laptop. Because of a couple idiots who lost their federal government laptops, everyone in the US Department of Health and Human Services is required to have their laptops encrypted. Of course, this is extreme overkill, especially for someone like me who has absolutely no sensitive data on my laptop (I'm a biomedical researcher so it's nothing but a bunch of science notes that I couldn't pay someone to read). Anyways, when they took my laptop to encrypt it (and now I can no longer make backup images of my scientific data, way to go guys), the IT dept took the liberty of making several other changes to my previously finely tuned laptop. He removed my Symantec Antivirus and Firewall software because he said it was "unsecure" and replaced it with McAfee VirusScan 8.x and going into that program, a lot of the options have been greyed out (any way to ungray them?). They also made a couple of regedits and while I have been able to undo some of them (disable "Automatic Updates", disable required password screen saver after 15 minutes), I haven't had the same luck with some of the others.

1. Specifically, the option for "change the way security center alerts me" is greyed out, I would like to re-enable that.

2. I had a local admin account on the machine but it seems to have been disabled. I can still see the username folder if I go to C:\Documents and Settings but if I go to the "User Accounts" in control panel, it is not listed. Only my network logon is there (which has admin rights) as well as what looks to be a local "Administrator" account that I assume the IT guy created but my previous local admin account is gone. Is there any way to re-enable my local account?

3. I remember there was an option in XP where you could change a PC from being "local" (and thus using the Windows welcome screen) to making it be on a network thus making you do the ctrl-alt-del and then logging on to a domain. I cannot seem to remember right now where that option is, I've looked everywhere, maybe the IT guy hid that as well? Anyways, the IT guy changed it from the former to the latter and it's driving me insane, my speedy machine is significantly slower and I can't stand it. If someone could please explain the process to make my machine a "local" machine once again (and then I can just switch it back if I ever need to give it to the IT guys again), it would be greatly appreciated.

Thanks for any help you can provide in getting my computer back to its speedy self again!



I seem to remember a security tool that showed the 'true' state of security - sorry don't remember the program name (ran on xp pro though)

(ie password requirements, etc)

Had a similar gig when I had several PCs and automated processes running. The IT guys came up with a new policy requiring password length 10 characters. It broke all kinds of things. Finally found the tool and was able to fix it.

Hope that can put you on the road to repair.

The Nets Edge

disclaimer - I take no responsibility for you breaking the new Rules of HHS


ok, so nix #3 on my list, I found the option to make it a local machine again (my computer - properties - computer name - change - then make it part of "workgroup") but once I do that, seems I don't have the necessary permissions to "remove it from the network".

any help with the other issues is still greatly appreciated though! thanks in advance!

p.s. it really bugs me that he removed my Norton Firewall and didn't even put a replacement firewall from McAfee (only AV). He says the "network" has an adequate firewall and I don't need my own. Ya, well how about when I travel with my laptop, there is no network to protect me then. Just really irritates me that they think they know better. I guess there is always the crappy built-in Windows Firewall. *Rant off*


@marty

Is it your own personal laptop or government owned (GFE)?

If it's gov. owned, you are taking chances by modifying things that they set up. That would be grounds to fire you! Second, anytime you reconnect the laptop to the gov. network, the servers will scan your laptop for any changes to anything (OS updates, applications and config settings, registry settings etc). If the software sees any changes, they'll automatically uninstall programs, reinstall programs and redo all the registry and application settings you've changed - all automatically by software control. So it may take you hours to undo it, but for the software minutes to redo it! Moreover, all the changes create audit logs which they will have based on date and time and what they do every time they have to correct things, giving them information to use if necessary as proof to fire you. The logs aren't stored locally so you can delete them. All the log data is collected on the fly and stored beyond your access.

Get used to it guy! If it's company/government furnished then it's not yours.

Have fun....


Exactly. If this is your personal laptop, then IT would not be messing with it in the first place. You're using a company provided machine, (paid for by my tax dollars). Don't go messing with it, doing so is grounds for termination at just about any company you may work for.

No offense, but grow up, show some maturity and stop treating company property as your own. If you want to play on a computer, buy one and play with it at home.


As someone who works for the Department of Defense (as a systems admin), let me agree with what others are posting here:

Unless you own the computer, don't mess with it!

Many of the items you speak of may very well be controlled by group policies across the domain, so just like Mikesw said, they will only revert back if you try to disable/change them.

I'm not surprised they disabled the local firewall, what does surprise me is that they've taken all the steps to secure the system but yet still allow you to connect it to an outside network...hmmm....

If you take it off of the domain and place the computer in a workgroup, you run a serious risk of not being able to log into it at all, plus you won't be able to log the computer onto the network anymore.


@theflash

Yes, if you reconfigure your PC to a workgroup, then you will have to ask the domain admin to put you back on the domain. They'll get mad if you ask too many times.

As for preventing the network from working offsite, they don't do this because

a). gov. employees can work from home tele-commute in some cases.

b). One still has modem access, and one can also access the net via the USB port if software is installed so that it acts like a network (think ppp/slip encoding via the USB vs. modem).

If you are allowed to bring your personal laptop into a gov. site, it must be registered, and borg'd even if you access the gov dialup network to work from home. Any access to a gov. network requires that the laptop be registered and approved, it must be only MSoft Win OS and the one that this gov. agency uses (i.e if they use XP it can't be Win95). It must have all the latest patches and the gov. approved antivir/spyware software installed. It must be open to scanning and configuring remotely. So essentially your PC becomes their PC until you remove your personal laptop from their list by asking them to. Once you do this, your access is blocked.


I also work for DoD...USAF to be specific. The security settings that are on your laptop now are part of the Federally mandated Standard Desktop Configuration (SDC). The Air Force started this initiative almost 2 years ago and it has now been signed into law by the president for all US Government organizations.

The settings that are on "your" laptop now will be near to impossible to undo. Not only are the settings enforced by Group Policy, but part of SDC incorporates applying a security template directly to the workstation/laptop.

Wait until they start enforcing the LUA (limited user access) portion of SDC. When that happens anyone who isn't a systems administrator will no longer have admin access to any workstation, laptop or server. Period. As a matter of fact...those of us who are systems administrators have two accounts; one for day to day tasks (email, web browsing, Office apps, etc) and another for sysadmin purposes.

I will say that I don't know where they got the notion of Symantec AV being unsecure. We're using (and are required to use) SAV Corporate Edition 10.


@mmx

This might be ok for the typical gov computer user. However, this won't be ok for the gov. computer contractor who develops software for Windows OS' or other OS'. The reason being is that during the course of software development, they are constantly upgrading commercial software versions or versions of the software they write. They are always trying out new products (trialware, free, licensed) to see what the software can do or if it can be used with or integrated into their software. Thus for speed/contract deadlines reasons, they don't have the luxury to seek permission or wait for an admin to allow them to install or install it for them so they can do their job.

Thus, there will always be exceptions (waivers) to this law.

In the scientific research community whereby they are changing and experimenting with software, hardware and other stuff, the same thing applies where the law will be (waived) for them to get their job done.



However, this won't be ok for the gov. computer contractor who develops software for Windows OS' or other OS
I'm a biomedical researcher so its nothing but a bunch of science notes that I couldn't pay someone to read

I'm not sure the OP is doing software development, and if he already has the software he needs installed, technically the IT staff was legally bound to lock the laptop down if it belonged to the department (I have relatives in the department who are complaining about this very problem too, but there's nothing they can do short of wait for a reversal of the directive, which probably will not happen).


there's nothing they can do short of wait for a reversal of the directive, which probably will not happen

It won't be reversed. What the other agencies are going through now is just the beginning. Like I said...we've (the Air Force) been doing this for 2+ years. Even the XP firewall is turned on for all of our workstations (forced through GPO). The eventual plan is to even block file/printer sharing on desktops/laptops (there's a management VLAN and allowances for certain IPs so things like SMS can still work). I'll put it to you this way...I can't even run regedit.exe as a regular user.

And it's only going to get "worse" with the move to Vista since there are a ton more GPO settings available.

http://www.gcn.com/print/26_12/44351-1.html

http://www.afmc.af.mil/news/story.asp?id=123020383

And mikesw...they don't care about making it easier for you. The focus is solely on security and unless you can come up with a really good justification, you won't be exempt. SDC defines what software can or can't run on a PC so I seriously doubt there are going to be a bunch of contractors testing software...unless they're on the SDC team. BTW...I'm a contractor myself. I work with other contractors who develop software for the Air Force...they're not exempt. As a matter of fact, you should be testing your software in a non-Admin environment to make sure it's SDC compliant! Developers should've been doing this for years...I've always hated the "it requires Admin privs to work" mantra.

Edited by nmX.Memnoch

  • 3 weeks later...
I also work for DoD...USAF to be specific. The security settings that are on your laptop now are part of the Federally mandated Standard Desktop Configuration (SDC). The Air Force started this initiative almost 2 years ago and it has now been signed into law by the president for all US Government organizations.

The settings that are on "your" laptop now will be near to impossible to undo. Not only are the settings enforced by Group Policy, but part of SDC incorporates applying a security template directly to the workstation/laptop.

Wait until they start enforcing the LUA (limited user access) portion of SDC. When that happens anyone who isn't a systems administrator will no longer have admin access to any workstation, laptop or server. Period. As a matter of fact...those of us who are systems administrators have two accounts; one for day to day tasks (email, web browsing, Office apps, etc) and another for sysadmin purposes.

I will say that I don't know where they got the notion of Symantec AV being unsecure. We're using (and are required to use) SAV Corporate Edition 10.

Hmmm. Will this affect all U.S. Government computers or just USAF? Do you know where I can find more info on this, like a PDF or official website or something? Google doesn't appear to turn up anything specific. As for the guy asking the question... if you work for the gov, don't screw with their computers. Let them do what they want, or else you'll be the one in trouble.


This topic is now closed to further replies.