1

All,

Developers usually need admin rights to the OS, so they can do their task.

How do I as an admin, lock in the DNS settings on windows , so they cannot be changed, only by me?

I am not an expert at this permission stuff, so a step by step tutorial would be appreciated.

I do not have money for setting up servers and active-directory stuff...so this will be applied per machine.

thanks.

3 Answers3

7

Let's not beat around the bush on this.

If the user has "Administrator" rights then it's "game over" for any setting that you want to enforce on the computers themselves. There is NO mechanism that you can use to prevent an "Administrator" from doing anything they want to the computer. When you allow users to run as "Administrator" you give up all control you think you might have on the computer they are using that way. Case closed.

The only way that you are going to be able to control what DNS server these computers use is to configure your firewall to drop any outbound requests to UDP port 53 to any IP address other than the DNS servers you want the users to use. Then, if they change the specified DNS servers their requests will go nowhere and they'll either change them back or live in a world w/o DNS.

[VERY LARGE SOAPBOX]

I hope your company isn't developing a product for resale.

It's 2009. Microsoft has been saying FOR YEARS that all application software shound run properly with non-privileged user accounts. While I understand that your development tools may require "Administrator" rights to work properly, it's highly likely that by virtue of your developers running as "Administrator" the software that they are developing will end up requiring that the user who runs it also have "Administrator" rights (because it was written and, very probably, tested in an "Administrator" environment).

That makes me sad. Every time I see a piece of software that wants to write to "C:\Program Files..." I silently curse and get a little more angry at the software development community. Every time I see an installation document that says "Users need to have 'Administrator' access..." I feel my hands involuntarily curling into fists. Yeah, yeah-- maybe I'm taking this a little too seriously, but it is my job...

I'm sick and damned tired of having to deal with software written by uncaring companies that think it's alright for their software to require privileged user accounts to operate. In every case where it's practical I recommend to my Customers that they not purchase such software. When it's not possible, I usually end up sitting around with Process Monitor figuring out how to set a bare minimum set of permissions to make the software operate with a limited user account. When that won't work, my Customers have to end up purchasing additional Windows OS licenses such that we can run the software legally in a virtual machine where the user can have a privileged account and I can "roll back" any changes that get made easily and quickly.

It's a shame to me that you don't have a development manager who understands this and forbids developers from having "Administrator" rights. It's a shame to me that you, as a sysadmin, have to deal with users having "Administrator" rights. It's a shame to me that we, as a community of sysadmins, don't do a better job of standing up to users / managers and explain that such a large portion of computer security-related issues (and the associated expense) have a root causes associated with users having privilege in excess of their true need.

You shouldn't even have to be asking this question. It's not right that you have to deal with this same crap, too, frankly.

I despise having to bill my Customers needlessly for the time I spend making cruddy software that won't run as a standard user work "out of the box" work properly. It feels like dirty money to me, and it's time that I'd rather be spending finding ways to use IT to make their business more productive and profitable.

[/VERY LARGE SOAPBOX]

Evan Anderson
  • 141,881
  • 20
  • 196
  • 331
  • +1, and it's also a shame that more sysadmins don't howl this from the rooftops more often. Logical extension is 3rd party software that requires to run under Domain Admin privs: LOATHE it, DESPISE it. – Maximus Minimus Jul 26 '09 at 11:08
  • +1 from me, excellent post. BTW, catching/reporting the Admin-dependence of a new product is **the testers job** .. the developper's job is to learn about the problem & avoid it later on. – lexu Jul 26 '09 at 11:57
  • +1 From me, absolutely, and if it were possible I'd make developers use a typical user spec'ed PC too - at least for their own testing. The "I dunno - it works fine on my machine" response to apps that refuse to work without admin rights has been the bane of my life for years. It's interesting to see that Google Chrome - a rare product in that it actually fully complies with the rules in terms of being installable by standard users - comes in for abuse from some quarters because it doesn't require admin rights to install and as such it is harder to "control". – Helvick Jul 26 '09 at 13:21
  • +1 Maybe this should be part of the StackOverflow FAQ ;) – JS. Jul 26 '09 at 22:13
1

Administrators, just like root on Unix/Linux, have absolute power over the machine. Programmers - even more. If you do manage to lock the DNS settings somehow, someone who has Administrator rights on that machine can unlock them the same way. Even if they cannot do that, they still can, for example, use a proxy server (both HTTP and SOCKS support resolving domains on the proxy).

user1686
  • 10,162
  • 1
  • 26
  • 42
0

I you want to setup Custom DNS for only one machine you can use the Host file.

C:\Windows\System32\drivers\etc\hosts

Put your DNS record in this file, will override DNS checkup on external server.

Cédric Boivin
  • 744
  • 4
  • 13
  • 31