Windows Thread, Potential Flaw in XP -- Start menu in Technical
  1. #16
    timbo343's Avatar
    Join Date
    Dec 2005
    Location
    Leeds/York area, North Yorkshire
    Posts
    3,035
    Thank Post
    305
    Thanked 293 Times in 203 Posts
    Rep Power
    120

    Re: Potential Flaw in XP -- Start menu

    Also an alternative is to use the following in GPO:

    User Configuration > Admin Templates > Windows Components > Windows Explorer >>>

    Disable:
    Turn off shell protocol Protected Mode

    Enable:
    Prevent access to drives from My Computer
    Choose C: Only.

    When a user right-clicks on All Programs you will get (if configured correctly) Open, Explore and Properties... By preventing access to the C: drive, when a user clicks on Explore you will get an error.

    Tim

  2. #17
    azrael78's Avatar
    Join Date
    Sep 2007
    Location
    Devon
    Posts
    383
    Thank Post
    47
    Thanked 37 Times in 33 Posts
    Rep Power
    21

    Re: Potential Flaw in XP -- Start menu

    We don't have this issue - we have a ton of GPOs enforced but the one we have set is 'force classic start menu'.

    I don't see a need at all for anyone to have the XP start menu, so they don't get it.

    If we ever go Vista - I will be enforcing that policy with Vista too.

  3. #18
    ajbritton's Avatar
    Join Date
    Jul 2005
    Location
    Wandsworth
    Posts
    1,632
    Thank Post
    23
    Thanked 75 Times in 45 Posts
    Rep Power
    34

    Re: Potential Flaw in XP -- Start menu

    Assuming your user accounts are 'standard' user accounts, then they cannot do any damage on the C: drive anyway. What's the problem?

  4. #19
    timbo343's Avatar
    Join Date
    Dec 2005
    Location
    Leeds/York area, North Yorkshire
    Posts
    3,035
    Thank Post
    305
    Thanked 293 Times in 203 Posts
    Rep Power
    120

    Re: Potential Flaw in XP -- Start menu

    The fact that they could get to command.com and cmd.exe. If the kids were pretty bright, they could get onto the network....

  5. #20
    ajbritton's Avatar
    Join Date
    Jul 2005
    Location
    Wandsworth
    Posts
    1,632
    Thank Post
    23
    Thanked 75 Times in 45 Posts
    Rep Power
    34

    Re: Potential Flaw in XP -- Start menu

    Is there something specific that you are worried about them doing on the network?

    If you are trying to prevent them from executing unauthorised code then software restriction policies are the only watertight way of achieving this.

  6. #21
    timbo343's Avatar
    Join Date
    Dec 2005
    Location
    Leeds/York area, North Yorkshire
    Posts
    3,035
    Thank Post
    305
    Thanked 293 Times in 203 Posts
    Rep Power
    120

    Re: Potential Flaw in XP -- Start menu

    Yeah, taking the whole network down, accessing private information... I've been on a fair few security courses about this kind of thing and we were into systems via command line attacks, DNS attacks and attacks on SQL Web databases.
    We also have a tight software restriction policy in place, to the point where they cannot run exe files from pen drives or user areas, and they cannot bring in zipped-up exe files as that too has been blocked. You cannot afford to relax on the security side of things. The courses I have been on shocked me!

  7. #22
    azrael78's Avatar
    Join Date
    Sep 2007
    Location
    Devon
    Posts
    383
    Thank Post
    47
    Thanked 37 Times in 33 Posts
    Rep Power
    21

    Re: Potential Flaw in XP -- Start menu

    Quote Originally Posted by timbo343
    Yeah, taking the whole network down, accessing private information... I've been on a fair few security courses about this kind of thing and we were into systems via command line attacks, DNS attacks and attacks on SQL Web databases.
    We also have a tight software restriction policy in place, to the point where they cannot run exe files from pen drives or user areas, and they cannot bring in zipped-up exe files as that too has been blocked. You cannot afford to relax on the security side of things. The courses I have been on shocked me!

    We are looking at using software restriction policies here too - any chance you could throw me a copy of your policy using GP Management Console's HTML reporting if you don't mind?

    Az

  8. #23
    sahmeepee's Avatar
    Join Date
    Oct 2005
    Location
    Greater Manchester
    Posts
    795
    Thank Post
    20
    Thanked 70 Times in 42 Posts
    Rep Power
    34

    Re: Potential Flaw in XP -- Start menu

    Quote Originally Posted by azrael78
    We are looking at using software restriction policies here too - any chance you could throw me a copy of your policy using GP Management Console's HTML reporting if you don't mind?

    We use them here and it works quite nicely. Our setup is basically:

    Block by default
    Path rules for exceptions

    Be aware that .lnk files (Windows shortcuts) are classed as executables by default in software restriction policies.

    We don't create any path rules which would allow a user to run anything from a location they have write access to. e.g. they can run shortcuts in the all users start menu, but not shortcuts/exe files in their own.
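
A local audit of the setup described in the post above, as an added example that is not part of the thread or any poster's actual policy: it reads the standard machine-scope SRP registry location, checks that the default level is Disallowed and that LNK is a designated file type, and flags allow path rules whose target grants write access to ordinary users. The `$userIds` list is an assumption (English built-in names); user-scope policy under HKCU is not read.

```powershell
# Added example: audit machine-scope SRP for "block by default" and for
# allow (Unrestricted) path rules that ordinary users can write into.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (-not (Test-Path $base)) { Write-Warning 'No machine-scope SRP found.'; return }

$cfg = Get-ItemProperty -Path $base
# DefaultLevel: 0 = Disallowed (block by default), 262144 (0x40000) = Unrestricted
if ($cfg.DefaultLevel -ne 0) {
    Write-Warning "Default level is $($cfg.DefaultLevel), not Disallowed (0)"
}
# Shortcuts only fall under the policy while LNK is a designated file type
if ($cfg.ExecutableTypes -notcontains 'LNK') {
    Write-Warning 'LNK is not in the designated file types'
}

# Assumption: these identities stand for ordinary users (English names; add your groups)
$userIds = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
           'NT AUTHORITY\INTERACTIVE', 'Everyone'
# WriteData/CreateFiles (0x2), AppendData/CreateDirectories (0x4),
# GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000)
$writeMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

$allowKey = Join-Path $base '262144\Paths'   # allow rules live under the 0x40000 level
$findings = foreach ($rule in Get-ChildItem -Path $allowKey -ErrorAction SilentlyContinue) {
    $path = (Get-ItemProperty -LiteralPath $rule.PSPath).ItemData
    # Rules with wildcards or %registry\path% references are reported, not resolved
    if (-not $path -or $path -match '[%*?]' -or -not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Rule = $path; Status = 'NotChecked'; Writers = '' }
        continue
    }
    $writers = (Get-Acl -LiteralPath $path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $userIds -contains $_.IdentityReference.Value -and
        ([int]$_.FileSystemRights -band $writeMask)
    }
    [pscustomobject]@{
        Rule    = $path
        Status  = if ($writers) { 'UserWritable' } else { 'OK' }
        Writers = ($writers.IdentityReference.Value | Sort-Object -Unique) -join ', '
    }
}
$findings | Sort-Object Status -Descending | Format-Table -AutoSize
```

Only the ACL on each rule's own path is checked; writable subfolders beneath an allowed folder need a recursive pass.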

  9. #24
    ajbritton's Avatar
    Join Date
    Jul 2005
    Location
    Wandsworth
    Posts
    1,632
    Thank Post
    23
    Thanked 75 Times in 45 Posts
    Rep Power
    34

    Re: Potential Flaw in XP -- Start menu

    Quote Originally Posted by timbo343
    Yeah, taking the whole network down, accessing private information... I've been on a fair few security courses about this kind of thing and we were into systems via command line attacks, DNS attacks and attacks on SQL Web databases.
    We also have a tight software restriction policy in place, to the point where they cannot run exe files from pen drives or user areas, and they cannot bring in zipped-up exe files as that too has been blocked. You cannot afford to relax on the security side of things. The courses I have been on shocked me!

    Use SRP to restrict access to COMMAND.COM and CMD.EXE. No problem.

    Use permissions to restrict access to private information. No problem.

  10. #25

    Join Date
    Jul 2006
    Location
    London
    Posts
    2,962
    Thank Post
    159
    Thanked 152 Times in 116 Posts
    Rep Power
    49

    Re: Potential Flaw in XP -- Start menu

    Quote Originally Posted by azrael78
    I don't see a need at all for anyone to have the XP start menu, so they don't get it.

    Same, always used classic here, gave a consistent interface when we were migrating from 2000 and there is just no need to change it. The XP start menu adds nothing of value in a school environment.

  11. #26
    mrbios's Avatar
    Join Date
    Jun 2007
    Location
    Stroud, Gloucestershire
    Posts
    2,541
    Thank Post
    362
    Thanked 263 Times in 215 Posts
    Rep Power
    100

    Re: Potential Flaw in XP -- Start menu

    We've always run remote start menus, which gets around this issue completely. Is that not an option for you? Or are you running remote start menus but in a different way?
