I KNOW this has been talked about a bit before but I can't find any suitable threads from searching (no doubt someone will find me a link straight away).
Basically, if a student types a server name, e.g. \\server1, into Word and lets that become a hyperlink, they can click it and see all visible shares on that server, despite the fact that if they type the same thing into Explorer it will not let them see anything.
It's not a huge problem, because all our important shares are both hidden and well secured with NTFS permissions, but I would still prefer it not to be possible, because there are a few shares they can see, and of course once they are in Explorer they can see the entire network and be able to see PC and printer names.
Any way to stop it?

There are three policies which should do the trick:
User Config > Admin Templates > Desktop
Enable - Hide My Network Places icon on desktop
User Config > Admin Templates > Windows Components > Windows Explorer
Enable - No "Computers Near Me" in My Network Places
Enable - No "Entire Network" in My Network Places
Hope this helps
That didn't work for me.
Using my test pupil account I could still navigate to server shares using the technique in the OP's post.
I think if you get the Office ADM templates from the resource kit, there are settings to disable the hyperlinking.
I wasn't aware of this problem until Sidewinder posted it. I assumed existing Explorer policies would've kicked in... but alas no.
Since his post I've spent some time looking for a solution and disabling hyperlinks in Office was my first idea but, in our school at least, several depts - MFL in particular - have loads of Office resources which have links to websites in them. If I disable them en masse it'd cause more 'operational' problems for us.
I've looked at trying to disable only UNC path links with no success.
I don't want to start messing around with sec settings (List Folder Contents / Traverse etc) on my Netlogon etc folder either as I don't really have the facility to test any changes during term time.
I even thought about down and dirty stuff like setting the contents of these folders to hidden and then applying a policy to remove the folder options from the Tools menu in Explorer. Yes, I was getting THAT desperate.
At the end of the day our approach is that it isn't a major security threat. The kids can't write / modify / delete anything in the folders. They can however view all our scripts - which we're not overjoyed about.
We are closely monitoring / auditing files in the Netlogon folder just to see who potentially has been accessing it (none so far) and then using the AUP to handle any wrong-doers.
Good thread though, as I was totally unaware of this 'get around'

I've managed to re-create what you guys are talking about, however try this. I'm using Office 2003 in this example and these settings might be adjustable using OrkTools (Office Resource Kit).
Tools > AutoCorrect Options
Click the "AutoCorrect" tab, type the \\servername and then whatever you want to replace that with.
Click the "AutoFormat As You Type" tab and untick - Internet and network paths with hyperlinks
Click the "AutoFormat" tab and untick - Internet and network paths with hyperlinks
If these option(s) are not available to adjust as policies, you could do everything specified above, make the profile mandatory for all pupils, then use the OrkTools (which I am 99.9% sure is possible) to disable access to Tools > Options altogether so they cannot undo those changes.
Hope this helps!
What about this?
type "Click here"
Highlight it
Right click - choose Hyperlink
Type in the address
Email this to all my friends
I think you have to accept that there are some things which students will do that may look bad but actually don't matter. As long as you have security set properly and you don't put critical files in exposed areas then the world won't end. The alternative is to drive yourself mad worrying about all the "bad" things pupils can do :-)

E-mail links aren't the problem. If you try to enter the text "click here", right click, insert hyperlink and type \\servername, it doesn't work (after performing what I wrote in my last post).

There is a solution but it can take a little time depending on your setup.
Under the NTFS file permissions for each of the shares, i.e. the documents shares, simply go to the shared folder itself in Explorer and open its properties. There is an Advanced button under the Security tab that will allow you to Add... a permission set for your student user group. Now you can click the Clear All button, then check the Deny box for List Folder/Read Data and make sure that this is not inherited by subfolders, i.e. apply to: this object only.
Now even if they use this method in Word they will only see a message saying that they are not allowed, or a blank folder, depending on your client OS settings. This will not affect mapping, i.e. when the login script maps the student's home directory, because the script knows the name of the folder and does not require the list of other folders in the share.
You can hide things at the server name level by adding a $ sign to the end of each share and printer name, which will cause them not to display when the server is browsed directly, i.e. \\server.
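
The permission change described in the post above, scripted so it can be repeated across share roots and then checked (an added example, not part of the original thread). The function names, the folder path and the group name are placeholders; it assumes an elevated PowerShell session on the file server.

```powershell
# Added example. 'D:\Shares\Documents' and 'SCHOOL\Students' are placeholders.
function Add-DenyListRootOnly {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $FolderPath,  # local path of the share root
        [Parameter(Mandatory)] [string] $Group        # student group to restrict
    )
    $acl = Get-Acl -LiteralPath $FolderPath

    # ListDirectory and ReadData are the same access bit: the GUI's
    # "List Folder / Read Data" check box.
    $rights = [System.Security.AccessControl.FileSystemRights]::ListDirectory

    # InheritanceFlags None + PropagationFlags None = "Apply to: this object only",
    # so subfolders (home directories etc.) keep their own permissions.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, $rights,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($rule)

    if ($PSCmdlet.ShouldProcess($FolderPath, "Deny List Folder (this folder only) for $Group")) {
        Set-Acl -LiteralPath $FolderPath -AclObject $acl
    }
}

function Test-DenyListRootOnly {
    param([string] $FolderPath, [string] $Group)
    # Compare by SID so the check does not depend on how the name is written.
    $sid = ([System.Security.Principal.NTAccount]$Group).Translate(
        [System.Security.Principal.SecurityIdentifier])
    $rules = (Get-Acl -LiteralPath $FolderPath).GetAccessRules(
        $true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.IdentityReference -eq $sid -and
            $r.AccessControlType -eq 'Deny' -and
            $r.InheritanceFlags -eq 'None' -and
            ($r.FileSystemRights -band
             [System.Security.AccessControl.FileSystemRights]::ListDirectory)) {
            return $true   # explicit, non-inheriting deny is present
        }
    }
    return $false
}

# Preview first, then apply and verify:
# Add-DenyListRootOnly -FolderPath 'D:\Shares\Documents' -Group 'SCHOOL\Students' -WhatIf
# Test-DenyListRootOnly -FolderPath 'D:\Shares\Documents' -Group 'SCHOOL\Students'
```

A Deny entry takes precedence over any Allow, so anyone who is a member of the student group as well as another group loses the folder listing at the share root too.
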
yet another annoying little trick for them to show off to their friends!
interesting thread, i know they could launch the webtools and then use that to access the c system drive!
But as this site has told me over the year, as long as the ACL's are correct then they will not be able to do anything (yet!)
it's friday, 8.50 pm and still work is being discussed,
quick..need to power down this machine!