+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 16
Windows Server 2000/2003 Thread, Users can create shortcuts to network locations??? Any way to sort this? in Technical; Hi all, Just seen that users can create shortcuts to network locations, e.g. on their desktop, right click, new shortcut ...
  1. #1

    Join Date
    Aug 2007
    Posts
    811
    Thank Post
    98
    Thanked 64 Times in 46 Posts
    Rep Power
    26

    Users can create shortcuts to network locations??? Any way to sort this?

    Hi all,

    Just seen that users can create shortcuts to network locations, e.g. on their desktop, right click, new shortcut and "\\dc1\netlogon".
    They can then browse this folder in explorer.

    Also if they knew the path they could browse to a new hidden mapped drive that I have setup for them, "\\server\resourses$".
    They need read permissions on this folder but tese files are only to be opened from the intranet.

    Just also see that they can also create a shortcut to "C:\" if they like???

    Have I missed a big step in security here?

    Thanks in advance!

  2. #2

    glennda's Avatar
    Join Date
    Jun 2009
    Location
    Sussex
    Posts
    7,799
    Thank Post
    272
    Thanked 1,134 Times in 1,030 Posts
    Rep Power
    349
    You will need to disable the run command

    User Configuration\Administrative Templates\Start Menu & Taskbar

    its called something like remove run from start menu and it actually blocks unc paths i think

  3. #3


    Join Date
    Jan 2006
    Posts
    8,202
    Thank Post
    442
    Thanked 1,032 Times in 812 Posts
    Rep Power
    339
    Quote Originally Posted by burgemaster View Post
    Have I missed a big step in security here?
    I wouldn't worry about it. chances are they could plug in a mac/linux pc and see these shares anyway (without knowing the path)
    (btw if you really want to hide shares, use SAMBA instead).
    As long as the file permissions are set correctly you should be good to go. Let the kids explore as long as they can't do any harm

  4. #4

    Join Date
    Aug 2007
    Posts
    811
    Thank Post
    98
    Thanked 64 Times in 46 Posts
    Rep Power
    26
    Quote Originally Posted by glennda View Post
    You will need to disable the run command

    User Configuration\Administrative Templates\Start Menu & Taskbar
    its called something like remove run from start menu and it actually blocks unc paths i think
    Thanks for the replys, Run is already disbaled. If they try and type in the address they are not allowed, but for some reason creating a shortcut to it works?

    We have an applications share that is hidden, the start menu links to it for certain applications, I dont want the students to be able to create a shortcut to it in the "Music" room and use applications that are meant for ICT lessons.

    Does anyone please know how to disbale shortcut method please?

  5. #5

    DaveP's Avatar
    Join Date
    Oct 2006
    Location
    Can't talk now: The mother-ship is calling!
    Posts
    8,787
    Thank Post
    351
    Thanked 1,274 Times in 870 Posts
    Blog Entries
    4
    Rep Power
    1126
    Creating shortcuts on the desktop: Are you redirecting your desktop? If so is the folder that contains your redirected desktop items read only to your students?

    Access to/seeing the C: drive: There is a GPO setting that hides the C: drive to users. I am sure someone here will post it. If not I will have a look at our GPOs find it and post it tomorrow.

    Creating shortcuts and saving them in My Documents [Network Home Folder] I have deployed FSRM [File Server Resources Manager] using this I can specify allowed/banned file types and disk space usage. Its a godsend.

  6. #6

    Join Date
    Aug 2007
    Posts
    811
    Thank Post
    98
    Thanked 64 Times in 46 Posts
    Rep Power
    26
    Quote Originally Posted by DaveP View Post
    Creating shortcuts on the desktop: Are you redirecting your desktop? If so is the folder that contains your redirected desktop items read only to your students?

    Access to/seeing the C: drive: There is a GPO setting that hides the C: drive to users. I am sure someone here will post it. If not I will have a look at our GPOs find it and post it tomorrow.

    Creating shortcuts and saving them in My Documents [Network Home Folder] I have deployed FSRM [File Server Resources Manager] using this I can specify allowed/banned file types and disk space usage. Its a godsend.
    Hi dave,
    We have the C drive hidden and restricted. We also have fsrm running on home drives. Students have a shared read only desktop but staff have a roaming desktop. This is the only place I've seen where it's possible to create shortened but I would like to stop it everywhere incase I have missed somewhere.

    Can someone please try and create a shortcut to C:\ and see if they are stopped creating it or stopped browsing it after ??
    If so how please!!

  7. #7

    DaveP's Avatar
    Join Date
    Oct 2006
    Location
    Can't talk now: The mother-ship is calling!
    Posts
    8,787
    Thank Post
    351
    Thanked 1,274 Times in 870 Posts
    Blog Entries
    4
    Rep Power
    1126
    What O/S is on your PCs?

    I ask because experimenting with the redirected staff desktop I find that I can add/delete items from the, theoretically, read only staff desktop on Windows 7. We had no such problem on XP.

    I must say though that I haven't finished the Desktop/Start Menu redirection yet as under testing it works then it doesn't, then it works,...


  8. #8

    Join Date
    Jan 2007
    Location
    Nottinghamshire
    Posts
    530
    Thank Post
    1
    Thanked 84 Times in 58 Posts
    Rep Power
    38
    If you don't want people to list folder contents, don't have the NTFS List Folder Contents permission set.

  9. #9

    Join Date
    Aug 2007
    Posts
    811
    Thank Post
    98
    Thanked 64 Times in 46 Posts
    Rep Power
    26
    Quote Originally Posted by DaveP View Post
    What O/S is on your PCs?

    I ask because experimenting with the redirected staff desktop I find that I can add/delete items from the, theoretically, read only staff desktop on Windows 7. We had no such problem on XP.

    I must say though that I haven't finished the Desktop/Start Menu redirection yet as under testing it works then it doesn't, then it works,...

    Hi dave,
    This happens on both xp/vista/w7 but in w7 the shortcut needs to be run as admin......

    I did play with list contents permission but it seems to cause all sorts of problems with the not so well coded educational apps.

    I have hidden everything in netlogon but still there must be a way to stop this.

  10. #10

    nephilim's Avatar
    Join Date
    Nov 2008
    Location
    Dunstable
    Posts
    11,786
    Thank Post
    1,623
    Thanked 1,877 Times in 1,395 Posts
    Blog Entries
    2
    Rep Power
    422
    Disable right click on desktop.

    Also are your shares done like this DC1\Netlogon\Username$?

    If so, throw this in the mix

    DC\Netlogon$ (hides the original folder as well)

    Ideally you should be using samba though to truly hide shares, and also as Dave said there is a GPO that will allow you to hide the C:\ and any other drive you specify!

  11. #11

    Join Date
    Aug 2007
    Posts
    811
    Thank Post
    98
    Thanked 64 Times in 46 Posts
    Rep Power
    26
    Thanks for the replies,

    I dont think I am explaining the loophole clearly...

    See screenshots.. C drive and hidden network shares (R & P) and restricted and do not allow access using GP.
    As you can see from the GP screenshot1. They do not ever show in my computer and deny access (screenshot2)
    If you try and browse to C or P or R you are not allowed (see screenshot2) "Acess to the resources XXX has been disallowed"

    BUT there is a loophole.. If staff who have a roaming desktop right click and create shortcut, they can then open that shortcut and get into these dissallowed and hidden areas. (Screenshot2) You can see that opening the shortcut has given access to the C drive.

    If they knew the names of the other hidden shares they could also browse any of these that they have permissions to.
    Run is also disabled from the start menu.
    Students currently cannot do this as they have a fixed desktop.

    Can anyone else please test on there system?
    I am hoping that there is a way that when they open a shortcut they have made to, eg. "\\dc1\netlogon" they get the "Acess to the resources XXX has been disallowed" (screenshot2)

    Many thanks in advance.
    Attached Images Attached Images
    Last edited by burgemaster; 3rd August 2011 at 09:29 AM.

  12. #12


    Join Date
    Jan 2006
    Posts
    8,202
    Thank Post
    442
    Thanked 1,032 Times in 812 Posts
    Rep Power
    339
    If you are explicitly giving people permission to read a share it isn't a loophole or a security problem if they can get to that share.
    If you want to fix it either change the share permissions or add an ACL on your switches. there isn't much point in what you are trying to achieve, it's security through obscurity - as soon as you disable right click you'll find another 'hole' that users create a link through word or some other software, or plug in an unrestricted computer. Fix the file permission to the 'disallowed' shares.

  13. #13

    nephilim's Avatar
    Join Date
    Nov 2008
    Location
    Dunstable
    Posts
    11,786
    Thank Post
    1,623
    Thanked 1,877 Times in 1,395 Posts
    Blog Entries
    2
    Rep Power
    422
    Those drives are "hidden" not set to "hide and deny access"...

  14. #14

    ZeroHour's Avatar
    Join Date
    Dec 2005
    Location
    Edinburgh, Scotland
    Posts
    5,643
    Thank Post
    895
    Thanked 1,314 Times in 798 Posts
    Blog Entries
    1
    Rep Power
    444
    Take a look at SRP as you could restrict lnk files in the areas where the user can write and that should block them.

  15. #15

    Join Date
    Aug 2007
    Posts
    811
    Thank Post
    98
    Thanked 64 Times in 46 Posts
    Rep Power
    26
    Quote Originally Posted by CyberNerd View Post
    If you are explicitly giving people permission to read a share it isn't a loophole or a security problem if they can get to that share.
    If you want to fix it either change the share permissions or add an ACL on your switches. there isn't much point in what you are trying to achieve, it's security through obscurity - as soon as you disable right click you'll find another 'hole' that users create a link through word or some other software, or plug in an unrestricted computer. Fix the file permission to the 'disallowed' shares.
    They do need access to these shares, I will look at NTFS security changes, are you saying that staff can also do this on your network? Thanks for your reply.

    Quote Originally Posted by nephilim View Post
    Those drives are "hidden" not set to "hide and deny access"...
    They do need access to folders with these shares, they might be applications etc. but I do NOT want them to browse through them all.


    Quote Originally Posted by ZeroHour View Post
    Take a look at SRP as you could restrict lnk files in the areas where the user can write and that should block them.
    Cheers mate, I looked at this, not sure what effect it would have as their desktops are part of their roaming profile. That will sort the shortucts, but as cybernerd said they might be able to just create shortcut in Word and view the share that way.... Can they do this on your network?

    I have hidden all the folders in the P: Applications share and Netlogon, not an ideal solution.. Will look at NTFS permissions.

SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. How to speed up a network without any uprades.
    By FN-GM in forum Wireless Networks
    Replies: 14
    Last Post: 30th January 2008, 08:11 PM
  2. To all LanView3 Users - Can I ask a small favour
    By metalmonkey in forum Network and Classroom Management
    Replies: 4
    Last Post: 8th January 2008, 12:03 AM
  3. Removing ablitiy to create shortcuts.
    By Gambit in forum Windows
    Replies: 15
    Last Post: 13th September 2007, 07:35 AM
  4. New users can't log in to Outlook Web Access
    By WithoutMotive in forum Windows
    Replies: 5
    Last Post: 7th September 2007, 11:17 AM
  5. Adding shortcuts to ALL USERS start menu
    By contink in forum Wireless Networks
    Replies: 15
    Last Post: 16th October 2006, 10:17 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •