4th June 2009, 05:24 PM #1
Students creating Shortcuts to network
Not sure if the students are doing this, but it's possible for them, if they wanted, to create a shortcut to, say, \\DC1 in their home drive.
From there they can either go up a folder and see all the computers/servers/printers/etc. on the network, or, more worryingly, they can go into the NETLOGON folder and see all the scripts etc...
I've tried blocking .lnk in their home drive using software restriction policies, but this doesn't seem to work for shortcuts to machines.
Is there a way for me to stop them browsing the network?
Is there a way to stop them creating shortcuts?
What happens when you try and create a shortcut to \\server ?
What do you guys do, please?
Thanks in advance !
4th June 2009, 05:30 PM #2
4th June 2009, 06:46 PM #3
Try enabling the following policies:
User Config > Admin Templates > Windows Components > Windows Explorer
No "Entire Network" in My Network Places - Enabled
User Config > Admin Templates > Desktop
Hide My Network Places icon on desktop - Enabled
You may also want to take a look at ABE or Access Based Enumeration
4th June 2009, 08:09 PM #4
Thanks for the replies...
No "Entire Network" in My Network Places - is already enabled
"This setting does not prevent users from viewing or connecting to computers in their workgroup or domain. It also does not prevent users from connecting to remote computers by other commonly used methods, such as by typing the share name in the Run dialog box or the Map Network Drive dialog box.
"To remove computers in the user's workgroup or domain from lists of network resources, use the "No "Computers Near Me" in My Network Places" setting."
No computers near me is also enabled.... but no good
I will have a look at ABE or the reg hack next, cheers.
Is there an easy way to bulk edit a HKEY_CLASSES_ROOT entry?
4th June 2009, 08:17 PM #5
Depends on what you want to call bulk editing; you can roll a VBS/BAT file out which updates the registry by way of importing a file...
4th June 2009, 08:53 PM #6
Thanks for this, here is my working code:
Originally Posted by DrPerceptron
Dim objShell, RegLocate, RegLocate1
Set objShell = WScript.CreateObject("WScript.Shell")
On Error Resume Next
RegLocate = "HKEY_CLASSES_ROOT\.lnk\ShellNew\Command"
4th June 2009, 09:10 PM #7
I've sorted the creation of new shortcuts, but they could still edit others or bring them in....
I've set up "Access-Based Enumeration" and it works great, but when they browse to, say, DC1, they can see SYSVOL, NETLOGON, LostHome etc. ABE only works by hiding folders and files that they don't have access to, but all our folders and files have READ for Authenticated Users.
Is this the same for your servers?
Here are the security settings for our NETLOGON folder on a domain controller:
I obviously don't want to mess up any settings here before the mass logon tomorrow at 9am!!
4th June 2009, 09:45 PM #8
This is normal and by design. Not much you can do here. Even if you tried unticking 'List Folder Contents', 'Read & Execute' also becomes unticked and this is needed to run scripts you have in the NETLOGON share.
they can see SYSVOL, NETLOGON
4th June 2009, 10:42 PM #9
Everything in our netlogon folder is hidden.... if that helps
Doesn't seem to have drawn upon any problems.
5th June 2009, 09:27 AM #10
When you say hidden, you mean Windows hidden with the tick box, not the $ shares?
Originally Posted by DrPerceptron
Thanks for all the help. This could be a solution
5th June 2009, 09:31 AM #11
Yup, just the tick boxes. I assume if you add the $ on the end, it will change the path and everything stops working.
You might be able to solve your problem by denying access to UNC paths in file explorer - not sure how you go about that off the top of my head though.
5th June 2009, 09:39 AM #12
We left our NETLOGON folder as it was and moved our login scripts to another folder and made a quick and simple change in AD to reflect this.
Even if the kids somehow get to the folder, they can't see anything or do anything with it.
5th June 2009, 10:30 AM #13
Same here, on the networks I support I place no files under NETLOGON.
Originally Posted by azrael78
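Posts #7, #8 and #12 all turn on what ordinary users can read under NETLOGON. The following read-only PowerShell script is an added example, not code from anyone in this thread: it lists the broad "allow" entries on the share and on each file beneath it, so you can see what a student account can reach before deciding whether to move scripts elsewhere. Assumptions: `\\DC1\NETLOGON` reuses the server name from the first post, `Get-BroadAccess` is a helper name made up here, and the group names are the English defaults.

```powershell
# Added example, not from the thread. Read-only: it changes nothing on the share.
param(
    # Assumption: DC1 is the server name used in the thread; point this at your own DC.
    [string]$Share = '\\DC1\NETLOGON'
)

# Principals that in practice include every logged-on student.
# English default names; localized systems use translated names.
$broad = 'NT AUTHORITY\Authenticated Users', 'Everyone', 'BUILTIN\Users'
$write = [int][System.Security.AccessControl.FileSystemRights]::Write

# Hypothetical helper: returns the "Allow" ACEs on $Path granted to a broad principal.
function Get-BroadAccess {
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $broad -contains $_.IdentityReference.Value
    }
}

# 1. The share root: the permissions being looked at in post #7.
Write-Host "Broad allow entries on $Share"
Get-BroadAccess -Path $Share |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# 2. Every file below it. -Force includes files with the Hidden attribute set,
#    so the report shows them alongside the rights that actually apply to them.
$report = Get-ChildItem -LiteralPath $Share -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $aces = @(Get-BroadAccess -Path $file.FullName)
        if ($aces.Count -gt 0) {
            [pscustomobject]@{
                File     = $file.FullName
                Hidden   = [bool]($file.Attributes -band [System.IO.FileAttributes]::Hidden)
                # Write access for a broad group on a logon script needs fixing first.
                Writable = [bool]($aces | Where-Object { ([int]$_.FileSystemRights -band $write) -ne 0 })
                Rights   = ($aces | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
            }
        }
    }

# Writable files first, then alphabetical.
$report | Sort-Object -Property @{ Expression = 'Writable'; Descending = $true }, File |
    Format-Table -AutoSize -Wrap
```

Run it from a student-level test account as well as an admin account: the file list the student account gets back is what browsing to the share exposes.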