Windows Server 2000/2003 Thread, Users can create shortcuts to network locations??? Any way to sort this? in Technical; Hi all,
Just seen that users can create shortcuts to network locations, e.g. on their desktop, right click, new shortcut ...
2nd August 2011, 08:05 PM #1
Users can create shortcuts to network locations??? Any way to sort this?
Just seen that users can create shortcuts to network locations, e.g. on their desktop, right click, new shortcut and "\\dc1\netlogon".
They can then browse this folder in explorer.
Also if they knew the path they could browse to a new hidden mapped drive that I have setup for them, "\\server\resourses$".
They need read permissions on this folder but tese files are only to be opened from the intranet.
Just also see that they can also create a shortcut to "C:\" if they like???
Have I missed a big step in security here?
Thanks in advance!
IDG Tech News
2nd August 2011, 08:08 PM #2
You will need to disable the run command
User Configuration\Administrative Templates\Start Menu & Taskbar
its called something like remove run from start menu and it actually blocks unc paths i think
2nd August 2011, 08:09 PM #3
I wouldn't worry about it. chances are they could plug in a mac/linux pc and see these shares anyway (without knowing the path)
Originally Posted by burgemaster
(btw if you really want to hide shares, use SAMBA instead).
As long as the file permissions are set correctly you should be good to go. Let the kids explore as long as they can't do any harm
2nd August 2011, 08:22 PM #4
Thanks for the replys, Run is already disbaled. If they try and type in the address they are not allowed, but for some reason creating a shortcut to it works?
Originally Posted by glennda
We have an applications share that is hidden, the start menu links to it for certain applications, I dont want the students to be able to create a shortcut to it in the "Music" room and use applications that are meant for ICT lessons.
Does anyone please know how to disbale shortcut method please?
2nd August 2011, 08:58 PM #5
Creating shortcuts on the desktop: Are you redirecting your desktop? If so is the folder that contains your redirected desktop items read only to your students?
Access to/seeing the C: drive: There is a GPO setting that hides the C: drive to users. I am sure someone here will post it. If not I will have a look at our GPOs find it and post it tomorrow.
Creating shortcuts and saving them in My Documents [Network Home Folder] I have deployed FSRM [File Server Resources Manager] using this I can specify allowed/banned file types and disk space usage. Its a godsend.
2nd August 2011, 10:52 PM #6
Originally Posted by DaveP
We have the C drive hidden and restricted. We also have fsrm running on home drives. Students have a shared read only desktop but staff have a roaming desktop. This is the only place I've seen where it's possible to create shortened but I would like to stop it everywhere incase I have missed somewhere.
Can someone please try and create a shortcut to C:\ and see if they are stopped creating it or stopped browsing it after ??
If so how please!!
2nd August 2011, 10:57 PM #7
What O/S is on your PCs?
I ask because experimenting with the redirected staff desktop I find that I can add/delete items from the, theoretically, read only staff desktop on Windows 7. We had no such problem on XP.
I must say though that I haven't finished the Desktop/Start Menu redirection yet as under testing it works then it doesn't, then it works,...
3rd August 2011, 03:11 AM #8
If you don't want people to list folder contents, don't have the NTFS List Folder Contents permission set.
3rd August 2011, 09:54 AM #9
Originally Posted by DaveP
This happens on both xp/vista/w7 but in w7 the shortcut needs to be run as admin......
I did play with list contents permission but it seems to cause all sorts of problems with the not so well coded educational apps.
I have hidden everything in netlogon but still there must be a way to stop this.
3rd August 2011, 09:59 AM #10
Disable right click on desktop.
Also are your shares done like this DC1\Netlogon\Username$?
If so, throw this in the mix
DC\Netlogon$ (hides the original folder as well)
Ideally you should be using samba though to truly hide shares, and also as Dave said there is a GPO that will allow you to hide the C:\ and any other drive you specify!
3rd August 2011, 10:25 AM #11
Thanks for the replies,
I dont think I am explaining the loophole clearly...
See screenshots.. C drive and hidden network shares (R & P) and restricted and do not allow access using GP.
As you can see from the GP screenshot1. They do not ever show in my computer and deny access (screenshot2)
If you try and browse to C or P or R you are not allowed (see screenshot2) "Acess to the resources XXX has been disallowed"
BUT there is a loophole.. If staff who have a roaming desktop right click and create shortcut, they can then open that shortcut and get into these dissallowed and hidden areas. (Screenshot2) You can see that opening the shortcut has given access to the C drive.
If they knew the names of the other hidden shares they could also browse any of these that they have permissions to.
Run is also disabled from the start menu.
Students currently cannot do this as they have a fixed desktop.
Can anyone else please test on there system?
I am hoping that there is a way that when they open a shortcut they have made to, eg. "\\dc1\netlogon" they get the "Acess to the resources XXX has been disallowed" (screenshot2)
Many thanks in advance.
Last edited by burgemaster; 3rd August 2011 at 10:29 AM.
3rd August 2011, 12:32 PM #12
If you are explicitly giving people permission to read a share it isn't a loophole or a security problem if they can get to that share.
If you want to fix it either change the share permissions or add an ACL on your switches. there isn't much point in what you are trying to achieve, it's security through obscurity - as soon as you disable right click you'll find another 'hole' that users create a link through word or some other software, or plug in an unrestricted computer. Fix the file permission to the 'disallowed' shares.
3rd August 2011, 12:34 PM #13
Those drives are "hidden" not set to "hide and deny access"...
3rd August 2011, 12:40 PM #14
Take a look at SRP as you could restrict lnk files in the areas where the user can write and that should block them.
3rd August 2011, 12:54 PM #15
They do need access to these shares, I will look at NTFS security changes, are you saying that staff can also do this on your network? Thanks for your reply.
Originally Posted by CyberNerd
They do need access to folders with these shares, they might be applications etc. but I do NOT want them to browse through them all.
Originally Posted by nephilim
Cheers mate, I looked at this, not sure what effect it would have as their desktops are part of their roaming profile. That will sort the shortucts, but as cybernerd said they might be able to just create shortcut in Word and view the share that way.... Can they do this on your network?
Originally Posted by ZeroHour
I have hidden all the folders in the P: Applications share and Netlogon, not an ideal solution.. Will look at NTFS permissions.
By FN-GM in forum Wireless Networks
Last Post: 30th January 2008, 09:11 PM
By metalmonkey in forum Network and Classroom Management
Last Post: 8th January 2008, 01:03 AM
By Gambit in forum Windows
Last Post: 13th September 2007, 08:35 AM
By WithoutMotive in forum Windows
Last Post: 7th September 2007, 12:17 PM
By contink in forum Wireless Networks
Last Post: 16th October 2006, 11:17 AM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)