Windows Thread, Stop access to \servername in ie7 in Technical; I have just had one kid in here saying that he got access to my IT Wiki - he actually ...
19th January 2009, 04:18 PM #1
Stop access to \\servername in ie7
I have just had one kid in here saying that he got access to my IT Wiki - he actually only got as far as the login page but thats far enough.
Is there anyway that i can stop users from typing \\servername into ie7 or just block access from this server somehow?
I am using wamp server to host the wiki on, i have tried giving the group all students deny all access on that folder but it doesnt work.
19th January 2009, 04:38 PM #2
Do you have the ie7 adm installed?
IM not sure which GPO it is, but on ours with a student account if they try to do a \\anything it comes back with a "accessing the resource has been disallowed"
19th January 2009, 04:45 PM #3
User Configuration -> Administrative Templates -> Windows Components -> IE -> Browser menus -> Disable context menu
19th January 2009, 05:01 PM #4
Context menu is right click isnt it?
19th January 2009, 05:07 PM #5
yep, your right. Ignore that.
However, I also have Run disabled on the start menu. Might be worth trying that?
19th January 2009, 06:21 PM #6
I think the simple answer is "no you can't" because Explorer and Internet Explorer are tightly integrated.
You've clearly done a good job locking down policies and they're being prompted for a username and password to view shares of the server. To make things that little bit harder, within Active Directory, copy the Administrator account and name it anything you like - then disable the administrator account. They'll need to guess the administrator username and password now.
19th January 2009, 06:43 PM #7
Read how to edit the httpd.conf file in apache. You can set up whatever ACLs you want
19th January 2009, 06:46 PM #8
Re: Disable Run Command and UNC Path
If you enable this setting, the following changes occur:
(1) The Run command is removed from the Start menu.
(2) The New Task (Run) command is removed from Task Manager.
(3) The user will be blocked from entering the following into the Internet
Explorer Address Bar:
--- A UNC path: \\<server>\<share>
---Accessing local drives: e.g., C:
--- Accessing local folders: e.g., \temp>
19th January 2009, 06:50 PM #9
If you don't want someone to access something it is better to disable access to the server by correctly setting the permissions.
disabling \\servername in one application might just obscure the problem - can they do it in MSword as well ?
19th January 2009, 06:52 PM #10
There is a policy that disallows the use of UNC paths. I have it in use. I will try and find the setting tomorrow for you.
I have never played with a wamp install only LAMP and WIMP I am guessing you are going to need to play with mod_NTLM and the like for securing the directory. I had a recent post about it between me and Geoff although he had me looking in the wrong place for a while!
Renaming the admin account is a good idea in theory but someone is bound to see you typing your admin account name eventually. Any serious enumeration of accounts also easily identifies the admin accounts since the SID always ends with 500. Not something most kids will be capable of but something to bear in mind anyway.
19th January 2009, 07:05 PM #11
- Rep Power
This is disabled by disallowing access to Start -> Run
Set User Configuration -> Administrative Templates -> Start Menu and Taskbar -> Remove Run menu from Start Menu to Enabled
20th January 2009, 12:24 AM #12
- Rep Power
Saying if someone brought in a laptop from home and plugged into the network. Without RADIUS or some other form of network access protection, how would you prevent non-domain members from browsing network shares?
I know theres a way somewhere, I just don't like the idea of prevent the RUN being seen.
NTFS is ok, but theres some shares that need to be accessed by some software for students. To the DOMAIN workstations, they are unable to see these shares because of the tight restrictions.
Thanks for any help
20th January 2009, 10:51 AM #13
- Rep Power
If a non domain user hits any of your network shares they should still be prompted for a domain account if permission's are set correctly, also if you just want to say stop kids from hitting your wiki why not just change the port to something other than port 80?
By actech in forum Wireless Networks
Last Post: 13th October 2008, 10:15 PM
By faza in forum Wireless Networks
Last Post: 11th April 2008, 12:02 PM
By Jamie2000uk in forum Network and Classroom Management
Last Post: 24th January 2008, 11:19 PM
By KWIK in forum Windows Vista
Last Post: 30th July 2007, 09:49 AM
By adamyoung in forum How do you do....it?
Last Post: 25th January 2006, 01:45 PM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)