I have students that are bypasing our AV/content filtering, etc. by booting into safemode with network support. Does anyone know if there is a way to prevent them from selecting safe mode?
Answer Summary:
There's a few different ways you can do it, depending on the Windows version and what your security software will let you do. ______________________________________________ 1) One way is to physically alter the keyboard (any version) as suggested here: http://www.pcreview.co.uk/forums/disable-f8-and-safe-mode-windows-xp-boot-up-t145891.html An inelegant (but effective) method of preventing F8 access in this scenario is to modify the keyboard so that F8 is not usable. You can do this either by placing it within an enclosure that prevents someone from getting to the key or, you can pull the keycap and clip the lead for that key then replace the keycap. Assuming that someone of ill-intent doesn't hook up a different keyboard you are good to go and you don't eliminate your ability to administer the system. ______________________________________________ 2) Modifying NTLDR to disable F8 is another option. http://groups.google.com/group/microsoft.public.win2000.security/msg/9d9a240b519d43e9 ______________________________________________ 3) If you're running Windows 7, MS has a hotfix to block regular users from using Safe Mode. http://support.microsoft.com/kb/977542 A hotfix is available to block standard users from logging on to a Window 7-based or Windows Server 2008 R2-based computer in safe mode ______________________________________________ 4) Yet another option is to disable the boot menu completely, appears to be Windows Vista & 7 only. http://www.sevenforums.com/general-discussion/113354-how-do-i-disable-safe-mode.html With command: bcdedit /set {bootmgr} displaybootmenu no You can disable the whole bootmenu. ______________________________________________ 5) A final option (final for me, as I need to get some sleep) is to use a commercial product. http://www.disablesafemode.com/ You probably know that you can access the Advanced Boot Options menu by turning on the computer and pressing the F8 key before Windows starts. isableSafeMode will prevent this; nobody will be able to start your system in Safe Mode or in any other repairing/debugging mode ______________________________________________
Cancel
0 Comments   [ + ] Show Comments

Comments

Please log in to comment

Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.

Answers

2
There's a few different ways you can do it, depending on the Windows version and what your security software will let you do.
______________________________________________

1) One way is to physically alter the keyboard (any version) as suggested here:

http://www.pcreview.co.uk/forums/disable-f8-and-safe-mode-windows-xp-boot-up-t145891.html

An inelegant (but effective) method of preventing F8 access in this scenario is to modify the keyboard so that F8 is not usable. You can do this either by placing it within an enclosure that prevents someone from getting to the key or, you can pull the keycap and clip the lead for that key then replace the keycap. Assuming that someone of ill-intent doesn't hook up a different keyboard you are good to go and you don't eliminate your ability to administer the system.
______________________________________________

2) Modifying NTLDR to disable F8 is another option.

http://groups.google.com/group/microsoft.public.win2000.security/msg/9d9a240b519d43e9
______________________________________________

3) If you're running Windows 7, MS has a hotfix to block regular users from using Safe Mode.

http://support.microsoft.com/kb/977542

A hotfix is available to block standard users from logging on to a Window 7-based or Windows Server 2008 R2-based computer in safe mode
______________________________________________

4) Yet another option is to disable the boot menu completely, appears to be Windows Vista & 7 only.

http://www.sevenforums.com/general-discussion/113354-how-do-i-disable-safe-mode.html

With command: bcdedit /set {bootmgr} displaybootmenu no

You can disable the whole bootmenu.
______________________________________________

5) A final option (final for me, as I need to get some sleep) is to use a commercial product.

http://www.disablesafemode.com/

You probably know that you can access the Advanced Boot Options menu by turning on the computer and pressing the F8 key before Windows starts. isableSafeMode will prevent this; nobody will be able to start your system in Safe Mode or in any other repairing/debugging mode
______________________________________________

Hope that helps!

John
Answered 03/12/2012 by: jverbosk
Red Belt

Please log in to comment
Answer this question or Comment on this question for clarity