GPO to hide explorer toolbar

[basspro]

We are required to allow certain users access to certain folders on server. We control who can view/access folders via group policy, opening folder when accessed through explorer.

Problem is that I need to disable/hide the explorer tool bar and address bar to prevent user from 'surfing' the server.

I need to do this via group policy but thus far have been unable to find a way to achieve such.

Would appreciate any help.

 

[sutors]

Download Group Policy Settings Reference document. It has all policies in an excel document. Search it there.

http://www.microsoft.com/downloads/...2F-DA15-438D-8E48-45915CD2BC14&displaylang=en

 

[basspro]

Thanks for the info.
Already have policysettings.xls
Was hoping there was something I was missing in my understanding since I cannot locate a policy setting which will control what I am attempting to do.

 

[kmcferrin]

If you set the permissions on the folders of the server correctly, then it doesn't matter if they have toolbar options to allow them to "surf," because they won't be able to see anything other than what they are permitted to.

What you're trying to accomplish is called "security through obscurity". It's based on the notion that if you hide something then nobody will be smart enough to find it, or find a way to it. Usually it results in someone getting burned when they fail to take into account all of the ways in which people will try to game the system.

 

[markdmac]

Share the folders needed and give both NTFS and Share permissions. You users should not be able to browse above the point of the share unless you have authorized it. Users should only be accessing the data from a client machine connected to the share.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.

 

[basspro]

Thanks for the response Mark.

To further elaborate on my situation. The folders/files permissions have been set correctly, access set to security groups as designed; however, we have data servers where users have been given explicit rights to their personal folders with security rights explicit to the user and administrator. Unfortunately, the user(s) sometimes create subfolders and give 'Everyone' rights, then they complain that everyone can see the contents of the folders.

Education and reeducation seems to fall on deaf ears. They 'simply' want me to fix it so other cannot see/browse the folders. Obviously, hiding the folders would be one option, but anyone can change the view to include hidden folders, thus my question on limiting users' abilities to address bar and tool bars via GPO.

I also realize I could change the registry on the server so the server would not appear in the network when browsing, but would rather not do this.

Anyway, again thanks for the input.

 

[kmcferrin]

In order to see a subfolder, you have to have view/list rights to the parent folders in the path. Either that, or you have to create a share that goes directly to that subfolder. So even if you give 'everyone' rights to a subfolder of your user folder, nobody should be able to see it.

The other thing is that by default the subfolder will inherit only the permissions of the parent folders. So as long as they don't mess with permissions on the subfolders that they create then there shouldn't be an issue. Even if they did mess with the permissions, then you would still be covered as long as the permissions on the parent directories are correct.

It really sounds like your permissions are off somewhere. Either that or these people are creating shares instead of subfolders, in which case nothing you can do will stop them from sharing their personal work with everyone else.

 

[basspro]

My permissions are not screwed up. My previous post said that users were creating SUBFOLDERS where they are giving EVERYONE full rights to the subfolders and they are SHARING those subfolders.

In this case the subfolders would be visible to anyone accessing the network regardless of the permissions I put on the parent folder.

Sorry I cannot explain this sufficiently.

 

[kmcferrin]

Yes, I got the subfolders part but you didn't mention that they were sharing the subfolders. It sounded like they were only changing the permissions on the subfolders rather than creating shares.

If that is the case then there isn't anything that you can do about it. Even if you take away the explorer tool bar, the shares are available through many other methods. You can launch IE and type \\server\share in the address bar. You can go to Start --> Run and type \\server\share on the run line. Also, any shares that users have already opened documents from during their surfing will still be available to them as a shortcut via My Network Places unless you change the security. Then there's the consideration that any virus that spreads through open shares will have a heyday on your network. This goes back to the whole security by obscurity thing.

I know that you're saying that education doesn't work, but they're asking you to treat a single symptom of the problem instead of fixing the problem. The system is functioning as intended, and trying to engineer a fix to the "problem" that attempts to circumvent the system's designed functionality will be extremely time consuming, frustrating, and in the end, unsuccessful.

The fix is to not create shares where everyone has full rights. Since this is something that you have to do intentionally, there's no reason why the users creating the shares (and lets face it, they probably shouldn't be doing that anyway) can't take responsibility for setting the security properly. If they create a share and explicitly allow 'Everyone' access to it, then they have nobody to blame but themselves when someone who they didn't want to have access to it gets to see it. If they can't take responsibility for it, then they shouldn't have that power to begin with.

My suggestion is to take away the "Full Control" permissions from the users. Limit them to read/write, clean up the shares that are there, and then you shouldn't have any more problems with users incorrectly creating shares.

 

[kmcferrin]

As a clarification to my previous post, you don't need to know the names of the shares to use the \\servername\sharename method. You can just type \\servername\ and then a drop-down box will appear listing all shares on that box that you can access.

 

[markdmac]

To expand on one thing that kmcferrin is saying. There is (I believe) a misonception by many system admins as to what Full Control really means. The only difference from having modify rights to having full control that your users will notice is that Full Control gives them the ability to change permissions/assign rights to other users.

Prevent them from havingthis right at a higher level and they will not be able to hurt themselves as kmcferrin has suggested.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.