Turn off the browser service ?
When a student enters in \\servername\ and hits enter, it immediately becomes a hyperlink. They are then able to browse the entire network for machines!!!
Is their anyway of blocking UNC paths in hyperlinks from word? or windows itself?
Turn off the browser service ?
Thanks, had a look on that on my local machine, seems to prevent further access to other network machines, however, it still displays the requested server that was entered into "\\servername".
Really want to stop UNC paths altogether!!!
Thanks so far..
Hmmm, not really advisable. As long as you have proper security / passwords set on your servers / shares etc its not going to be a problem....Really want to stop UNC paths altogether!!!
stick a $ at the end of your share names, that will hide them, and make sure your permissions are setup correctly on all shares
Blocking UNC in Windows will stop plenty of other services working.
In terms of handling Windows and UNC, suggest you disable the Computer Browser service on everything via AD.
Configure it so no workstation is ever set as a Master Browser.
Lastly, use NET CONFIG SERVER /HIDDEN:YES
This will make all your PCs invisible on the browse lists (even if the kids somehow get to network neighbourhood).
As far as Office 2002/2003 go:
Get hold of the Office 2002/2003 Reskits (freely downloadable).
Unpack the .ADM files that are present.
Create a new GP (suggest you do this in a limited OU to minimise risk to start with).
Add the WORD10.ADM and WORD11.ADM files into it.
Navigate to the following:
User Config -> Administrative Templates
Microsoft Word 2002 (or Microsoft Office Word 2003)
Tools... Autocorrect -> Autoformat as you type.
You should see 'Internet and Network paths with Hyperlinks'.
Disable this (as this stops it working).
While still under the Word 2002 heading in your GP:
Go to Tools... Options -> Edit
You should see 'Use CTRL + Click to follow hyperlink'.
As before, disable this.
Repeat this for Office 2002 or 2003, whichever you didn't change above.
Login as a student (who will get this new GP) and test away.
We've got this all in use here and even though our kids can still use \\uncpath in the open box - they won't get anywhere they can't get to anyway via drive letters.
Hope that helps.
projector1 (24th July 2009)
Just to confirm, I have tried all those suggestions with no joy.
I have checked the new policy (with the Office adm template) is being applied, and it is, so it doesn't stop the problem I am having. Stopping the computer browser service on every local machine only works once. Once you restart word again, and type into a document, a \\servername hyperlink, you can browse the network again. I have tried with users with mandatory roaming profiles, and local administrator profiles, but no luck stopping this gaping hole in security. I agree that we should have very good security on all the shares, but I have managed to lock down network neighbourhood/my network places in word/explorer, but it still appears in word/office apps!!!
This sucks!! If their is a way to prevent access COMPLETELY to Browse entire network, I would like to hear it microsoft!
Mark,Originally Posted by markwilliamson2001
Try one thing at a time - disabling the computer browsing services etc will stop computers showing up when the kids decide to browse the network, but it won't stop them browsing.
If you want to stop the computer browser service, you need to set the 'Computer Browser' service to Disabled.
This should be done for all workstations and servers (if you want to hide everything).
Best way to do that is via Group Policy -> Computer Configuration -> Security Settings -> System Services -> Computer Browser.
Set this to disabled here (perhaps try it for a limited OU).
On a side-note, it's also worth disabling the Messenger service also - unless you need WinPopup/NET SEND capabilities.
If you are still having problems, I will fish out the exact steps I took to disable browsing here.
I have disabled computer browser service on every machine, using Group Policy, but it hangs the first time you use the hyperlink hack in word. If you restart word, and try again, you can still browse the network!! I did actually disable the service using Group Policy, rather than just stopping it.
I have also now started working on better security on all the shares on servers around school.
Same as MrHappy I'd make sure your shares and permissions are set correctly and hide shared with a $ then you don't really have to worry. Also if you are using 2003 server then you can use "access based enumeration" to hide folders from prying eyes.
The templates attached are the same ones we use here for securing Word XP and Word 2003.
If you try these templates, hopefully it should help.
just configuring the settings to stop \\ browsing
but cannot see
'Internet and Network paths with Hyperlinks'.
in the group policy setting
i do have the setting
'Use CTRL + Click to follow hyperlink'.
office version is 2003
To be honest I don't believe you can stop this as it's by design, however, you should take a look at Access Based Enumeration or ABE.
I wouldn't worry too much whether users can browse computer objects. It's shares and what those shares contain which are far more critical.
I have just added the office 2003 adm files to a 2008 server and am trying to set the setting to stop the \\server working but like projector1 above I can't find the "internet and network path hyperlink" option. there are also other options in there which I might want to set but as there are no descriptions I'm reluctant to fiddle... does anyone know of a help document that can, well as the name describes, help on this? thanks
I never found that setting either.
TBH I decided this was a bit of a non issue after installing Inkskape and GIMP which freely let you browse the C: drive and network neighborhood from the open file dialogue box even though both are banned in GP.
There are currently 1 users browsing this thread. (0 members and 1 guests)