Tuesday, November 15, 2011

Restrict users from changing time on their local unit

Here is a trick for restricting users from changing the local system time.  Some people need this, especially when software relies on the clock of the local unit it runs on: if users cannot change the clock, they cannot cheat.

There are several ways to restrict it, but we will focus on Group Policies and some outside tricks.  To start, open the Group Policy Editor: click the Start button, choose Run, type GPEDIT.MSC and press Enter.

Once inside, navigate to these folders:

a. Local Computer Policy
b. User Configuration
c. Administrative Templates

* Hiding the clock on system tray of Taskbar (User Notification Area)

On Start Menu and Taskbar Folder:
- Remove Clock from the system notification area – set to Enabled

* Hiding the Date and Time icon on Control Panel

On Control Panel Folder:
- Hide Specified Control Panel applets – set to Enabled.  Then click the Show button, click the Add button, type timedate.cpl, and click OK three times

So we have hidden both the clock in the system tray and the Date and Time icon in Control Panel.  So users cannot change the time anymore?  Wrong!

A user can still open CMD, type TIME, press Enter, and presto, the time can still be changed.  So we also need to prevent access to the command prompt.  Here is how to do that:

On System Folder:
- Prevent access to command prompt – set to Enabled

Wonderful!  Now we have totally restricted users from changing the time!  Err… not quite yet. There is still a trick the user can use to change the time, although it is not normally thought of.  The user can open Run, type the name of the applet (timedate.cpl) and press Enter, and presto, the hidden timedate applet from Control Panel will launch.

Or they can go to \system32, look for timedate.cpl and double-click it.
This last one proves to be a little tricky, and actually all we can do is employ some tricks.  I haven’t been able to properly disable this even in the registry, so be content with the tricks I will show here.


Go to \Windows\System32 and look for timedate.cpl.  Once found, rename it to something else, like screen.cpl or any other name.  Use a name that will not attract attention.

There is a backup of every native Control Panel applet, located in \system32\dllcache.  Look for timedate.cpl there and rename it as well, using the same name you used for the one in \system32.  If you fail to do this, on the next boot your OS will check those .cpl files, and if it finds one missing, it will restore it from that backup.

However, now that the applet is no longer named timedate.cpl, the policy that hides it in Control Panel will no longer work, because it looks for a file named timedate.cpl and not screen.cpl.  I mentioned those steps earlier to show how things can be done, but now we also need to change the name of the applet that is hidden inside Control Panel.  So open Group Policy Editor (GPEDIT.MSC) again and repeat the steps for the Control Panel folder above with one exception:  instead of adding timedate.cpl, now add screen.cpl.  Now we are preventing two applets from showing: one named timedate.cpl and another named screen.cpl.

Or you can do this instead:


Right-click timedate.cpl and choose Properties, click the Change button and select Paint.  Now all applets will be associated with Paint, and the applet won’t open when it is double-clicked in Explorer or when its name is typed into Run and Enter is pressed.

These tricks are not foolproof and can easily be reversed if a user knows what has been done to restrict usage.  But it would take a very experienced user to figure out the tricks implemented here and then counter them.

Now, go restrict time changing ability by a user.

P.S.  Actually, you can leave the clock showing in the System Tray.  Disabling the Control Panel applet as shown in Tricks #1 & #2, plus restricting the command prompt, is already enough in most cases.
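
To confirm the settings above actually took effect for a given account, here is a read-only audit script (an added example, not part of the original post). It assumes PowerShell is installed, that it is run as the restricted user, and that screen.cpl is the replacement name chosen; the registry locations are the ones these three Administrative Templates policies write to, and the function names are made up for this example.

```powershell
# Added example: read-only audit of the per-user policy values behind the steps above.
# Run it as the restricted user, because all three policies are stored under HKCU.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU:\Software\Policies\Microsoft\Windows\System'
$renamed  = 'screen.cpl'   # assumption: the replacement name used in the article

function Get-PolicyValue($Path, $Name) {
    # $null means the key or value is absent, i.e. the policy is Not Configured
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-HiddenApplets {
    # "Hide specified Control Panel applets" keeps its list as values under Explorer\DisallowCpl
    $key = Get-Item -Path "$explorer\DisallowCpl" -ErrorAction SilentlyContinue
    if ($key) { $key.GetValueNames() | ForEach-Object { $key.GetValue($_) } }
}

function New-Check($Setting, $Ok) {
    New-Object PSObject -Property @{ Setting = $Setting; Ok = [bool]$Ok }
}

$hidden  = @(Get-HiddenApplets)
$listOn  = (Get-PolicyValue $explorer 'DisallowCpl') -eq 1
$cmdMode = Get-PolicyValue $system 'DisableCMD'   # 1 = also blocks batch files, 2 = cmd only
$sys32   = Join-Path $env:windir 'System32'

$checks = @(
    New-Check 'Clock removed from notification area' ((Get-PolicyValue $explorer 'HideClock') -eq 1)
    New-Check 'timedate.cpl hidden in Control Panel' ($listOn -and ($hidden -contains 'timedate.cpl'))
    New-Check "$renamed hidden in Control Panel"     ($listOn -and ($hidden -contains $renamed))
    New-Check 'Command prompt access prevented'      (1, 2 -contains $cmdMode)
    # The Run box and Explorer still launch the applet while the original file name exists
    New-Check 'timedate.cpl renamed in System32'     (-not (Test-Path (Join-Path $sys32 'timedate.cpl')))
    # A leftover dllcache copy gets restored on the next boot, undoing the rename
    New-Check 'timedate.cpl renamed in dllcache'     (-not (Test-Path (Join-Path $sys32 'dllcache\timedate.cpl')))
)

$checks | Format-Table Setting, Ok -AutoSize
```

Any row showing False is a path the post describes as still open: a missing screen.cpl entry means the renamed applet is visible in Control Panel again, and a surviving dllcache copy means the rename will not persist.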
