Manage Users' Access to System Components

In a company, there may be always some PC or web problems brought from users' wrong operations, such as wrong settings in control panel, wrong change in registry editor, mistaken installation of ActiveX or virus infection. Sometimes such wrong operations may bring terrible harm to user's computer or even the whole network. Thus managing users' operation is important.

After deploying SurveilStar Agent on users' computers, IT manager can manage users operations easily by limiting users' access and operaion privileges to control panel, task manager, device manager, system compoments, IP/Mac binding, ActiveX installation, network, command line, etc. And creating a basic policy can help IT manager to achieve this easily. With basic policy, IT manager can easily prevent unconscious inappropriate operations or any willful harmful operations, improve the operation safety and prolong the life of the computers.

Basic policy

In SurveilStar Console, click menu 【Policies > Basic】, click Add button to create a basic policy. Then you will see Property settings like the picture below.

Properties of Basic Policy
Properties Value
Name Give your basic policy a name like SYS_management.
Time Set effictive time for your basic policy.
Action Select policy execution action. Allow, Block and No Action are available.
Alert & Alert Severity Enable or disable alert on SurveilStar Console if any PC tried to break the policy.
Choose alert severity if Alert is enabled. Low, High and Critical are available.
Warning & Warning Message Enable or disable warning message to show on agent PC.
Set warning message if Warning is enabled.
Take effect while offline Check this option if you want the policy to be effective only when the computers are offline.
Expiration Time Check and apply this option to set expiring time for the policy.

Basic policy supports: Control Panel, Computers Management, System, Network, IP/MAC Binding, ActiveX and other controls.

Control Panel
Control Panel Limit all the functions that are available in control panel. Once this option is checked and policy execution action is set to <Block>, user won't be able to open control panel and Control Panel will be removed from start menu.
Modify display properties Restrict users to change the theme, desktop, screensaver and appearance.
Add printers Limit user to add printers.
Delete printers Limit user to delete printers.
Fast swithing user in XP Limit multiple users' logon in XP by switching user. This option is effective for Windows XP system only.
Computers Management
Device Manager Restrict user to use Device Manager.
Disk management Restrict user to use Disk Management such as adding, deleting or resizing disk volume.
Local users and groups Limit access to local users and groups settings in Control Panel.
Service management Restrict user to use Service Managemen.
Other computer managements Restrict user to use: Event Viewer, Performance Logs and Alerts and Shared Folders which located in Computers Management.
System
Task Manager Restrict user to use Task Manager. When this option is checked and policy execution action is set to <Block>, Task Manager on agent computers will be hidden.
Regedit Restrict user to use Regedit.
CMD Limit access to Command Prompt. In Windows 95, 98 and ME, it's command.exe and in NT or later systems, it's cmd.exe.
Run applications in the "Run" of registry When this option is checked and policy execution action is set to <Block>, the process under “Run” will not be run when OS is starting up. Log off or restart is required for effective.
Run applications in the "RunOnce" of registry “RunOnce” means that the process only run once when OS is starting up, it will not be run again in the next startup. When this option is checked and policy execution action is set to <Block>, the process under “RunOnce” will not be run nextime the OS is starting up. Log off or restart is required for effective.
Network
Modify network property Restrict user to modify the network property.
Display my network places When this option is checked and policy execution action is set to <Block>, My Network Places will be hidden from agent computer. Log off or restart is required for effective.
Modify internet options Restrict user to modify Internet Options settings.
Default netshare When this option is checked and policy execution action is set to <Block>, Netshare is prohibited.
Netshare When this option is checked and policy execution action is set to <Block>, users can't share local documents.
Add netshare When this option is checked and policy execution action is set to <Block>, users can't add new netshare for file sharing.
IP/Mac Binding
Change IP/MAC Property Prohibit user to change IP/Mac settings. When this option is checked and policy execution action is set to <Block>, SurveilStar would record current IP/MAC information. It will be resumed to reserved IP/MAC settings if any modifications are made.
You need to disable the policy before you are going to change IP/Mac.
ActiveX
Chat ActiveX Many IM tools will install chat ActiveX. When this option is checked and policy execution action is set to <Block>, users can't use chat activeX when they are using IM tools to chat.
Media ActiveX Generally playing music or watching videos online may require installing media Activex. When this option is checked and policy execution action is set to <Block>, it would stop user listening or watching online media.
Game ActiveX Some online games may require installing game activeX. When this option is checked and policy execution action is set to <Block>, users can't play such internet games any more.
Flash ActiveX This ActiveX is required for playing flash files. When this option is checked and policy execution action is set to <Block>, flash files cannot be played properly.
Others
PrintScreen keystroke When this option is checked and policy execution action is set to <Block>, users can't use PrintScreen key to print screen any more.
System Restore When this option is checked and policy execution action is set to <Block>, system restore won't be allowed. This can prevent users from uninstalling SurveilStar Agent via system restore.
Windows automatic update When this option is checked and policy execution action is set to <Block>, Windows automatic updates will be turned off.

Basic Policy Example

This is an example which can help you better understand basic policy.

The requirement is that when the employee is on work in the company, changing his IP/MAC property is not allowed, but when he is off work or on a business trip, changing his IP/MAC property is allowed. To achieve this, you can create two basic policies like below.

1. Create a basic policy and set change IP/Mac property to <Block>.
2. Create another basic policy, set change IP/Mac property to <Allow> and check option <Take effect while offline>.

According to policy priority, the policy 2 is created after policy 1 and will be listed above. Thus policy 2 has higher priority. When the computer is offline, the status matches the policy 2, IP/Mac property can be changed and surveilstar won't judge policy 1 any more. When the computer is online, the status doesn't match the policy 2, and SurveilStar continue to judge policy 1, and the status matches policy 1, thus IP/Mac propery can't be changed.

Please note that Change IP/MAC Property, System Restore and Netshare are only available to computer (group) settings and inavailable to user (group) settings.

General Introduction of Polices Back to Index Device Policy
Free Trial  Buy Now