Page 1 of 2, results 1 to 25 of 30
  #1 - wedge1988 (UK)

    Redirected Start Menu Security Issue

    Hi all,

    I'm not sure if you are aware of this one, but it's been a thorn in my a** for a whole two years now, and yet there is still no solution.

    Basically, if you redirect your Start Menu to a UNC path and then explore one of the folders on the redirected Start Menu, it takes you to the path of the folder, disregarding any security and the fact that My Network Places should be fully hidden.

    I'm sure this is to do with the system permissions, but I've looked all over the internet for a solution, and there are other people with the problem, but nobody has found a solution to it yet. In fact, on one website, somebody claims to have found a solution by phoning Microsoft and paying £90 for it! But I don't think that is appropriate; you shouldn't have to pay Microsoft for their problems.

    So has anybody come across this, and have you found a way around it? I have a few ideas, but they reduce the functionality for the user.

  #2 - genXrcist (St. Paul, Minnesota)
    Quote Originally Posted by wedge1988 (post #1, quoted in full above)
    I only know of one way to fix this, but in order to make it scalable you have to be using roaming profiles. From a machine on which you're developing a default profile, you go to Folder Options and uncheck 'Display Full Path in Address Bar'.

    Then log off and log back on as a different administrator account and copy that user profile out to your network.

    Then use a GPO to force roaming profiles and point to that UNC.

    Otherwise, if you have access to the imaging folks, you can ask that they make that setting a part of their imaging process.

    Hope that helps!

  #3 - Senior Member
    You're talking about "hiding" a share with $? Those aren't really hidden, or any more secure than visible shares. While they don't show up while browsing for shares, there are tools that easily reveal them. I also prefer that some shares are not visible to users, but I really don't rely on that for security. You should focus on your NTFS and share permissions. If there are things in that same share you don't want users seeing or accessing, move them to a different share and set appropriate permissions.
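
The point made in post #3, shown in code. This is an added example, not something posted in the thread: a trailing "$" only removes a share from the browse list, while NetShareEnum (what "net view /all" calls) still returns it to any authenticated user, and whether the caller can read it is decided by the share and NTFS permissions alone. The server name FILESRV01 is an assumption for illustration; run it as an ordinary domain user from a client.

```powershell
# Added example (not from the thread). Lists every share a file server
# reports, including the "$" ones, then checks which of them the current
# user can actually open. \\FILESRV01 is an assumed server name.

function Get-ServerShare {
    param([Parameter(Mandatory)][string]$Server)

    # "net view \\server /all" includes hidden shares; parse its table output.
    $lines = & net.exe view "\\$Server" /all 2>&1
    if ($LASTEXITCODE -ne 0) { throw "net view against \\$Server failed: $lines" }

    $inTable = $false
    foreach ($line in $lines) {
        if ($line -match '^-{5,}') { $inTable = $true; continue }   # header separator
        if (-not $inTable -or $line -match '^The command completed') { continue }
        # Share names containing spaces are not handled by this simple pattern.
        if ($line -match '^(\S+)\s+(Disk|Print|IPC)\b') {
            [pscustomobject]@{
                Server = $Server
                Share  = $Matches[1]
                Type   = $Matches[2]
                Hidden = $Matches[1].EndsWith('$')
            }
        }
    }
}

$shares = Get-ServerShare -Server 'FILESRV01'

# Hidden shares are enumerated exactly like visible ones ...
$shares | Where-Object Hidden | Format-Table -AutoSize

# ... and the only thing standing between the user and the contents is the ACL.
foreach ($s in $shares | Where-Object { $_.Hidden -and $_.Type -eq 'Disk' }) {
    $unc = "\\$($s.Server)\$($s.Share)"
    try {
        $null = Get-ChildItem -LiteralPath $unc -ErrorAction Stop
        "$unc : listable by $env:USERNAME"
    } catch [System.UnauthorizedAccessException] {
        "$unc : access denied (share/NTFS permissions are what protects it)"
    } catch {
        "$unc : $($_.Exception.GetType().Name)"
    }
}
```

If a share you believed was "hidden" shows up as listable here, the fix is the one the post recommends: move the sensitive content to its own share and set share and NTFS permissions, rather than relying on the name.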

  #4 - wedge1988 (UK)
    Thanks genXrcist, that's a good security measure, but it won't fix the problem. Sorry dynamik, you have the wrong end of the stick.

    You're both correct in assuming the $ for the shares, but I have locked them down with security very heavily, to the point of them being able to access the files but not actually see them.

    This is essentially what I need to do. But it's very tricky.

    Understand that it's the Start Menu. I cannot deny them access to the Start Menu because they need to see the shortcuts. I have locked down the server shares with NTFS permissions, so they can't get into those. They can, however, see the structure and browse My Network Places even though I've blocked access to it all.

    I'm currently looking into disabling NetBIOS because this is what allows you to browse My Network Places, and Microsoft recommend that it is not used any more (I agree), but they can still see the structure of the local server. It's a friggin' pain.

    If you use redirected Start Menus, you will have the same problem!

  #5 - Claymoore (FL)
    I believe what you're looking for is Access-Based Enumeration. Basically, you don't want users to see folders to which they do not have access. NTFS permissions prevent them from actually opening the files, but you would prefer they never even see them. This has been a feature of Novell forever, but was only introduced in Windows Server 2003 R2.

    http://www.microsoft.com/windowsserv...rview/abe.mspx
    Implementing Access-Based Enumeration in Windows Server 2003 R2
    Download details: Windows Server 2003 Access-based Enumeration
    How to implement Windows Server 2003 Access-based Enumeration in a DFS environment
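
Enabling and verifying Access-Based Enumeration on the redirected Start Menu share, as an added example that is not part of Claymoore's post. It uses the SmbShare and DFSN cmdlets, which exist on Windows Server 2012 and later; on Windows Server 2003 R2, the version the thread is about, the same switch was flipped with the downloadable abecmd.exe (for example `abecmd.exe /enable StartMenu$`). The share name StartMenu$ and the namespace path \\contoso.local\Public are assumptions for illustration. Run in an elevated session on the file server.

```powershell
# Added example (not from the thread). Turns on Access-Based Enumeration (ABE)
# for one share, audits the rest, and shows the DFS equivalent.
# Share name and DFS path below are assumptions.

$ShareName = 'StartMenu$'

function Enable-ShareAbe {
    param([Parameter(Mandatory)][string]$Name)
    $share = Get-SmbShare -Name $Name -ErrorAction Stop
    if ($share.FolderEnumerationMode -ne 'AccessBased') {
        # -Force suppresses the confirmation prompt; the share stays online.
        Set-SmbShare -Name $Name -FolderEnumerationMode AccessBased -Force
    }
    # Returns 'AccessBased' once ABE is in effect, 'Unrestricted' otherwise.
    (Get-SmbShare -Name $Name).FolderEnumerationMode
}

Enable-ShareAbe -Name $ShareName

# Audit: every non-administrative share still in Unrestricted mode lets users
# see folder names they cannot open.
Get-SmbShare |
    Where-Object { -not $_.Special -and $_.FolderEnumerationMode -ne 'AccessBased' } |
    Select-Object Name, Path, FolderEnumerationMode |
    Format-Table -AutoSize

# If the Start Menu is published through a DFS namespace, ABE must also be set
# on the namespace root, otherwise the folder targets are listed regardless.
# Set-DfsnRoot -Path '\\contoso.local\Public' -EnableAccessBasedEnumeration $true
```

ABE hides only what the caller lacks Read permission on, so it is a presentation layer on top of correct NTFS ACLs, not a substitute for them; a folder the user can read will always be listed, which is exactly the limitation wedge1988 runs into in post #8.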

  #6 - wedge1988 (UK)
    Wow, thanks Claymoore. That looks as though it's what I need! I'll try it out when I go back to work on Monday. The fact that it was only released at SP2 was a bit of a shock, but at least it's out there now!

    Thanks, I'll let you know how I get on!

  #7 - wedge1988 (UK)
    Works like a charm, Claymoore, thanks for that! All I need to do now is figure out how I'm going to remove NetBIOS from my network.

  #8 - wedge1988 (UK)
    Well, I thought that it would work, but it doesn't.

    It does help with security by hiding folders that aren't accessible, but I'm still having issues with the Start Menu. The problem is you cannot lock down the folders from being viewed, because you need them to be accessible. (You don't want them to be explorable in Windows Explorer, but you do want them to show files and folders in their own directory.) Which is impossible.

    I'm really starting to get annoyed with this one now. I can't prevent my users from browsing the folder structure on the server!

  #9 - Senior Member
    Just out of curiosity, why is this an issue? If they're supposed to have access to it, why does it matter if they're able to browse around with Explorer?

  #10 - WanBoy67
    Could you go to the root of the folder, go to the advanced NTFS permissions and deny the 'Traverse folder' item for Everyone? Try using the drop-down box when you add an advanced entry and apply it only to the folder and not to subfolders and files. You should still be able to open files but not look through the root folder contents. Something tells me this won't work in particular for a Start Menu; I haven't tried it, but maybe it's worth a go?
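
WanBoy67's suggestion in post #10 expressed with icacls, as an added example that is not part of the thread. It places a Deny ACE on the Start Menu root that applies to "this folder only" (no inheritance flags), so subfolders stay listable and shortcuts still resolve, and then reads the ACL back to confirm the ACE carries no inheritance. It denies List folder / Read data rather than Traverse, since Traverse is what lets a path through the root resolve at all. The path D:\Shares\StartMenu and the group CONTOSO\Students are assumptions; run it elevated on the file server against a test copy first.

```powershell
# Added example (not from the thread). Deny directory listing on the root of
# a redirected Start Menu for one group, this folder only, and verify it.
# Path and group are assumptions.

$Root  = 'D:\Shares\StartMenu'
$Group = 'CONTOSO\Students'

# (RD) = Read data / List folder. With no (OI)(CI) flags the ACE is
# "this folder only", so nothing under $Root inherits the deny.
# Traverse ((X)) is left alone so \\server\share\Accessories\foo.lnk still resolves.
icacls $Root /deny "${Group}:(RD)"

function Get-DenyAce {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$Identity)
    # Returns the explicit Deny entries for $Identity on $Path.
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and
                       $_.IdentityReference.Value -eq $Identity -and
                       -not $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
}

# On the root: one Deny ACE, FileSystemRights ReadData/ListDirectory (same bit),
# InheritanceFlags None.
Get-DenyAce -Path $Root -Identity $Group | Format-Table -AutoSize

# On a subfolder: no Deny ACE at all, so the menu folder itself still enumerates.
Get-DenyAce -Path (Join-Path $Root 'Accessories') -Identity $Group

# Roll back if the Start Menu stops populating for the group:
# icacls $Root /remove:d $Group
```

Test with an account in the group before rolling it out: the shell itself has to enumerate the root to build the menu, so a root-level list deny can blank the Start Menu rather than just blocking Explorer, which is the behaviour wedge1988 describes in post #11.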

  #11 - wedge1988 (UK)
    I know it's confusing; it's been a pain for me for a while. Users are supposed to have access to the folder, but not to view the folder at the Explorer level.

    The problem is this: My Network Places is hidden. I don't want anybody looking through the network. No way can users do this, unless they explore a Start Menu folder. The problem is, they can then view My Network Places and start browsing the network with it. I will disable NetBIOS soon, which will fix this; however, it still brings up the tree of where the share is, such as SYSVOL (they're denied access to this).

    Nice try WanBoy67, but I have added granular permissions to the top folder of the Start Menu. Yes, this does work, but it will not work on sub-folders within the Start Menu; if you set the same permissions, then you can't view inside the folder (which ironically is what I need to do, but not at the Start Menu level).

    Traverse folder will not fix this; it's the List Folder permission.

    I have a feeling that the system permissions have something to do with it all...

    And I work in a school, so that's why I need security to come first!

  #12 - Senior Member (Connecticut)
    I have never worked with these Start Menu options that you are working with, but have you ever thought of turning off browsing from Explorer? I may be way off track, but it was just a thought I had. Perhaps your Start Menu items will still allow them to go to the location, but if they use the up arrow or type anything in Explorer, maybe it will block them. It's just a simple GPO to test out anyway....

    Aaron

  #13 - wedge1988 (UK)
    Turn off browsing? What GPO would do that, then?

  #14 - Senior Member (Connecticut)
    I'm not 100% sure, but I think this disables browsing from the Explorer address bar and IE.

    Windows Components/Internet Explorer/Internet Settings/Advanced settings/Searching
    Policy setting: Prevent configuration of search from the Address bar - Enabled
    When searching from the address bar: Do not search from the address bar

    I was having trouble finding it, so I hope that's it.

  #15 - wedge1988 (UK)
    I won't be able to try it out until tomorrow now, but from the looks of it, that's for Internet Explorer, not Windows Explorer.

    It's not along the lines of what my problem really is either, sorry dude.

  #16 - Senior Member (Connecticut)
    Yeah, I wasn't sure it would work for you. At our schools I set that GPO, or at least I think it's that one, and nobody can use UNCs from IE or Explorer to browse to network or local locations.

  #17 - Senior Member
    He might be along the right track though. If you go to User Configuration\Administrative Templates\Start Menu and Taskbar, there is an option to "Remove access to the context menus for the taskbar". I assume they're right-clicking and choosing, "Explore".

    Good idea, NPT

  #18 - RobertKaucher (Lebanon, Ohio - USA)
    Quote Originally Posted by wedge1988:
    I know it's confusing; it's been a pain for me for a while. Users are supposed to have access to the folder, but not to view the folder at the Explorer level.

    The problem is this: My Network Places is hidden. I don't want anybody looking through the network. No way can users do this, unless they explore a Start Menu folder. The problem is, they can then view My Network Places and start browsing the network with it. I will disable NetBIOS soon, which will fix this; however, it still brings up the tree of where the share is, such as SYSVOL (they're denied access to this).
    I really do not get what you are trying to do. But it sounds like you need to allow access to file shares without allowing users to enumerate the shares via an Explorer window.

    I assume you have used Group Policy to remove the "My Network Places" icon from the Start Menu as well as the address bar from Explorer windows? There are also group policies to remove "Computers Near Me" and "Entire Network." But really all of these things are just dust in the wind, because I will always be able to randomly search for file shares using Internet Explorer. I will just open it and type in \\NameOfServer and I will be able to view the file shares even if you do not have NetBIOS in use on the network.

    I think you really need to consider if this is a security issue or not. Why should users not be allowed to see shares that they have read access to? One thing I have learned is that hiding things from users only provides me with a false sense of security and is not worth my time. If your network is secure, it should not matter if users are able to see the file shares they have access to or not, unless there are situations where they can escalate their access level to gain rights they should not have. But any user capable of doing this would not be deterred very long by not being able to browse "My Network Places" or enumerate file shares via Explorer. And that is an entire other security issue in itself.

    Yes, it may remove temptation from users if they cannot see the shares, but does it even matter if they are tempted so long as the network is secure?
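
An added example, not part of RobertKaucher's post, making his "dust in the wind" point concrete. The Group Policy settings he names are delivered as Explorer policy values in the user hive (NoNetHood for the My Network Places icon, NoComputersNearMe, and NoEntireNetwork under the Network policy key). The script reports which of them are in force for the current user and then goes straight to a share by UNC, which succeeds or fails purely on share and NTFS permissions, whatever the table says. The share \\FILESRV01\StartMenu$ is an assumption for illustration; run it as a standard domain user on a managed client.

```powershell
# Added example (not from the thread). Shows that the policies which hide
# network browsing in the shell do not restrict access to a UNC path.
# Registry value names are the Explorer policy values those GPO settings write;
# the UNC below is an assumption.

$ExplorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$NetworkPolicy  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Network'

$HidePolicies = @(
    @{ Setting = 'Remove My Network Places icon from Start Menu'; Key = $ExplorerPolicy; Value = 'NoNetHood' }
    @{ Setting = 'No "Computers Near Me" in My Network Places';   Key = $ExplorerPolicy; Value = 'NoComputersNearMe' }
    @{ Setting = 'No "Entire Network" in My Network Places';      Key = $NetworkPolicy;  Value = 'NoEntireNetwork' }
)

function Get-HidePolicyState {
    # One row per policy: Enabled is $true only when the value exists and is 1.
    foreach ($p in $HidePolicies) {
        $item = Get-ItemProperty -Path $p.Key -Name $p.Value -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Setting = $p.Setting
            Value   = $p.Value
            Enabled = [bool]($item -and $item.($p.Value) -eq 1)
        }
    }
}

function Test-UncReachable {
    param([Parameter(Mandatory)][string]$Unc)
    # Test-Path returns $false both for "access denied" and "no such server";
    # either way the decision was made by the server, not by the hidden UI.
    Test-Path -LiteralPath $Unc
}

Get-HidePolicyState | Format-Table -AutoSize

$Unc = '\\FILESRV01\StartMenu$'
if (Test-UncReachable -Unc $Unc) {
    "$Unc is reachable by typing it in; the hiding policies above made no difference."
    Get-ChildItem -LiteralPath $Unc -Name | Select-Object -First 5
} else {
    "$Unc is not reachable: blocked by share/NTFS permissions or the server is unknown."
}
```

The takeaway is the one the post argues: treat these settings as tidying the user interface, and put the actual control in the ACLs.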

  #19 - wedge1988 (UK)
    They can only right-click on the Programs button and choose Explore (which I have managed to block with security). I have enabled pretty much every group policy you can think of, including hiding My Network Places, Computers Near Me, right-clicking, searching etc. etc.

    They double-click the folders on the Start Menu, which opens them up, then they can browse through Explorer.

    This is a really stupid thing Microsoft haven't found yet. Anybody that redirects their Start Menu to a server share will have this problem!

    Security-wise, all folders are locked down, so no, nobody but me can access certain folders. The fact still remains that there is an unnecessary hole in Windows, and I intend to close it somehow!!!

    Thanks all so far, I appreciate it.

    (I did come across the ability to stop users from double-clicking the folders on the Start Menu, but it also stops users double-clicking shortcuts. If there is a registry way of doing this, I can make a custom GPO to enforce it.)

  #20 - WanBoy67
    Quote Originally Posted by wedge1988:
    The fact still remains that there is an unnecessary hole in Windows
    What one might see as a hole, another might see as a feature. That sounds dirty doesn't it LOL

  #21 - wedge1988 (UK)
    Well, I meant it's a security risk for me. Besides, I blocked My Network Places, so I didn't want it as a feature.

  #22 - WanBoy67
    Could you run with a roaming, mandatory profile instead?

  #23 - wedge1988 (UK)
    Do roaming mandatory profiles work differently, then, than a .man mandatory file? I wasn't aware of this.

  #24 - WanBoy67
    Quote Originally Posted by wedge1988:
    Do roaming mandatory profiles work differently, then, than a .man mandatory file? I wasn't aware of this.
    A mandatory profile would be on each machine (difficult to update); a roaming mandatory profile would be on the network, copied down to each machine each time there is a change. But since there are no changes, everything is managed from the network instead of on each machine. If you need to update the profile, you only have to change one profile instead of x amount. I haven't tried renaming the ntuser.dat to .man on a roaming profile, but I see no reason why it wouldn't work.
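
The procedure WanBoy67 describes in post #24, as an added example that is not part of the thread: stage a cleaned template profile on a profile share, rename NTUSER.DAT to NTUSER.MAN so the hive is never written back, restrict the folder to read-only for the users, and point the accounts at it through the profile path on the user object. Roaming comes from the path on the account; mandatory comes from the .man rename. The reference machine REFPC01, the share \\FILESRV01\Profiles$, the profile name StudentMandatory and the group Students are assumptions. Run elevated on a server with the ActiveDirectory module; the template profile must already exist and have been prepared on the reference machine.

```powershell
# Added example (not from the thread). Builds a roaming mandatory profile from a
# staged template and assigns it to every user in a group. All names are assumptions.

$Source      = '\\REFPC01\C$\Users\student.template'   # cleaned template profile
$ProfileRoot = '\\FILESRV01\Profiles$'
$Name        = 'StudentMandatory'
$Group       = 'Students'
$UserAcl     = 'CONTOSO\Students'

# Windows Vista and Windows 7 load the folder "<name>.V2" (XP used no suffix;
# later versions use higher suffixes), while the path on the user object is
# written WITHOUT the suffix.
$Dest        = Join-Path $ProfileRoot "$Name.V2"
$ProfilePath = Join-Path $ProfileRoot $Name

# Copy with ACLs intact, skipping junction points; robocopy codes >= 8 mean failure.
robocopy $Source $Dest /E /COPYALL /XJ /R:1 /W:1 | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# The rename is what makes the profile mandatory: the hive is loaded read-only
# and discarded at logoff. NTUSER.DAT is a hidden file, hence -Force.
Rename-Item -LiteralPath (Join-Path $Dest 'NTUSER.DAT') -NewName 'NTUSER.MAN' -Force

# Users get Read & Execute only; nothing is ever written back to this folder.
icacls $Dest /inheritance:r `
    /grant 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' "${UserAcl}:(OI)(CI)RX" | Out-Null

# Assign the profile path to each user in the group (one change for x users).
foreach ($m in Get-ADGroupMember -Identity $Group | Where-Object { $_.objectClass -eq 'user' }) {
    Set-ADUser -Identity $m.SamAccountName -ProfilePath $ProfilePath
}

# Confirm the assignment.
Get-ADUser -Filter "ProfilePath -like '*$Name*'" -Properties ProfilePath |
    Select-Object SamAccountName, ProfilePath |
    Format-Table -AutoSize
```

To change the profile later, edit one copy under $Dest (or rebuild it from the template) rather than touching each machine, which is the maintenance advantage the post describes. Lock the template down before copying: anything left in it, including the Start Menu shortcuts, becomes every student's baseline.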

  #25 - Senior Member
    Quote Originally Posted by wedge1988:
    They double-click the folders on the Start Menu, which opens them up, then they can browse through Explorer.
    That's hilarious; I had no idea you could even do that.

    Try disabling double-clicking.

    Oh, and it doesn't work like that in Vista (unless you revert to the Classic Start Menu). Maybe it's time for an upgrade...