Posted

Thanks, had a look at that on my local machine, seems to prevent further access to other network machines, however, it still displays the requested server that was entered into "\\servername".

 

Really want to stop UNC paths altogether!!!

 

Thanks so far..

 

Mark

Posted
Really want to stop UNC paths altogether!!!

 

Hmmm, not really advisable. As long as you have proper security / passwords set on your servers / shares etc. it's not going to be a problem....

Posted

Blocking UNC in Windows will stop plenty of other services working.

 

In terms of handling Windows and UNC, suggest you disable the Computer Browser service on everything via AD.

 

Configure it so no workstation is ever set as a Master Browser.

Lastly, use NET CONFIG SERVER /HIDDEN:YES

 

This will make all your PCs invisible on the browse lists (even if the kids somehow get to network neighbourhood).

 

As far as Office 2002/2003 go:

Get hold of the Office 2002/2003 Reskits (freely downloadable).

Unpack the .ADM files that are present.

 

Create a new GP (suggest you do this in a limited OU to minimise risk to start with).

Add the WORD10.ADM and WORD11.ADM files into it.

 

Navigate to the following:

User Config -> Administrative Templates

Microsoft Word 2002 (or Microsoft Office Word 2003)

Tools... Autocorrect -> Autoformat as you type.

You should see 'Internet and Network paths with Hyperlinks'.

Disable this (as this stops it working).

 

Next...

While still under the Word 2002 heading in your GP:

Go to Tools... Options -> Edit

You should see 'Use CTRL + Click to follow hyperlink'.

As before, disable this.

 

Repeat this for Office 2002 or 2003, whichever you didn't change above.

 

Login as a student (who will get this new GP) and test away.

We've got this all in use here and even though our kids can still use \\uncpath in the open box - they won't get anywhere they can't get to anyway via drive letters.

 

Hope that helps.

 

Az

  • Thanks 1
Posted

Just to confirm, I have tried all those suggestions with no joy.

 

I have checked the new policy (with the Office adm template) is being applied, and it is, so it doesn't stop the problem I am having. Stopping the computer browser service on every local machine only works once. Once you restart Word again, and type a \\servername hyperlink into a document, you can browse the network again. I have tried with users with mandatory roaming profiles, and local administrator profiles, but no luck stopping this gaping hole in security. I agree that we should have very good security on all the shares, but I have managed to lock down Network Neighbourhood/My Network Places in Word/Explorer, but it still appears in Word/Office apps!!!

 

This sucks!! If there is a way to prevent access COMPLETELY to Browse entire network, I would like to hear it, Microsoft!

 

rant over

Mark

Posted
Just to confirm, I have tried all those suggestions with no joy.

 

I have checked the new policy (with the Office adm template) is being applied, and it is, so it doesn't stop the problem I am having. Stopping the computer browser service on every local machine only works once. Once you restart Word again, and type a \\servername hyperlink into a document, you can browse the network again. I have tried with users with mandatory roaming profiles, and local administrator profiles, but no luck stopping this gaping hole in security. I agree that we should have very good security on all the shares, but I have managed to lock down Network Neighbourhood/My Network Places in Word/Explorer, but it still appears in Word/Office apps!!!

 

This sucks!! If there is a way to prevent access COMPLETELY to Browse entire network, I would like to hear it, Microsoft!

 

rant over

Mark

 

Mark,

 

Try one thing at a time - disabling the computer browsing services etc will stop computers showing up when the kids decide to browse the network, but it won't stop them browsing.

 

If you want to stop the computer browser service, you need to set the 'Computer Browser' service to Disabled.

This should be done for all workstations and servers (if you want to hide everything).

Best way to do that is via Group Policy -> Computer Configuration -> Security Settings -> System Services -> Computer Browser.

 

Set this to disabled here (perhaps try it for a limited OU).

 

On a side-note, it's also worth disabling the Messenger service also - unless you need WinPopup/NET SEND capabilities.

 

If you are still having problems, I will fish out the exact steps I took to disable browsing here.

Posted

I have disabled the computer browser service on every machine, using Group Policy, but it hangs the first time you use the hyperlink hack in Word. If you restart Word, and try again, you can still browse the network!! I did actually disable the service using Group Policy, rather than just stopping it.

 

I have also now started working on better security on all the shares on servers around school.

 

Mark

Posted
Same as MrHappy, I'd make sure your shares and permissions are set correctly and hide shares with a $, then you don't really have to worry. Also, if you are using 2003 server then you can use "access based enumeration" to hide folders from prying eyes.
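A read-only check of the settings suggested in the replies above (Computer Browser and Messenger start mode, the NET CONFIG SERVER /HIDDEN flag, shares not hidden with a $), as an added example that is not part of any poster's text. It assumes Windows PowerShell with WMI; the function names are hypothetical, and the service short names (Browser, Messenger) and the registry location of the Hidden value come from general Windows knowledge, not from this thread.

```powershell
# Added example: local, read-only audit. It changes nothing on the machine.
# Assumes Windows PowerShell (Get-WmiObject); function names are hypothetical.

function Get-ServiceStartMode {
    param([string]$Name)
    # Win32_Service.StartMode is 'Auto', 'Manual' or 'Disabled'
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if ($null -eq $svc) { return 'NotInstalled' }
    return $svc.StartMode
}

function Test-ServerHidden {
    # NET CONFIG SERVER /HIDDEN:YES is stored as the 'Hidden' DWORD under this key
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $p = Get-ItemProperty -Path $key -Name Hidden -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.Hidden -eq 1)
}

function Get-VisibleShares {
    # Type 0 = ordinary disk share; a name ending in $ is left out of browse lists
    Get-WmiObject -Class Win32_Share |
        Where-Object { $_.Type -eq 0 -and $_.Name -notlike '*$' } |
        Select-Object Name, Path
}

$findings = @()

# 'Browser' = Computer Browser, 'Messenger' = Messenger (service short names)
foreach ($name in 'Browser', 'Messenger') {
    $mode = Get-ServiceStartMode $name
    if ($mode -ne 'Disabled' -and $mode -ne 'NotInstalled') {
        $findings += "Service $name start mode is $mode (expected Disabled)"
    }
}

if (-not (Test-ServerHidden)) {
    $findings += 'Server is not hidden from browse lists (Hidden value is not 1)'
}

# Hiding a share is not access control: every share listed here still needs
# its share and NTFS permissions reviewed.
foreach ($s in @(Get-VisibleShares)) {
    $findings += "Share $($s.Name) -> $($s.Path) is visible; review its permissions"
}

if ($findings.Count -eq 0) { 'OK: no findings' } else { $findings }
```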
  • 1 year later...
Posted

Just configuring the settings to stop \\ browsing, but cannot see 'Internet and Network paths with Hyperlinks' in the group policy setting.

I do have the setting 'Use CTRL + Click to follow hyperlink'.

Office version is 2003.

Thx

Posted

To be honest I don't believe you can stop this as it's by design, however, you should take a look at Access Based Enumeration or ABE.

 

I wouldn't worry too much whether users can browse computer objects. It's shares and what those shares contain which are far more critical.

  • 2 months later...
Posted
I have just added the Office 2003 adm files to a 2008 server and am trying to set the setting to stop the \\server working, but like projector1 above I can't find the "internet and network path hyperlink" option. There are also other options in there which I might want to set, but as there are no descriptions I'm reluctant to fiddle... Does anyone know of a help document that can, well, as the name describes, help on this? Thanks
Posted

I never found that setting either.

 

TBH I decided this was a bit of a non-issue after installing Inkscape and GIMP, which freely let you browse the C: drive and network neighborhood from the open file dialogue box even though both are banned in GP.

Posted
Maybe they can see the name of the server their home folder maps to. Ranger (damn it) used to grass up the name of the DC that logged you on each time :D

Turning off the address bar in Explorer would be one way to limit the kids from finding the server names out.

I know this won't help in this particular case, but it's worth bearing in mind.

Posted (edited)
Turning off the address bar in Explorer would be one way to limit the kids from finding the server names out.

I know this won't help in this particular case, but it's worth bearing in mind.

 

 

It also shows in the left hand details info pane in XP, My Computer also gives the location of mapped drives.

 

 

DMcCoy

AFAIK only applications carrying the Windows logo have to adhere to the GP restrictions

 

 

Yes, any apps that use the standard Windows file open API should obey group policy. Unfortunately, most GTK+ apps don't seem to use this; it uses its own version that ignores this.

Edited by cookie_monster
