
Win2k Terminal Server 2


nickbhogal

Technical User
Mar 26, 2001
GB
I am running Windows 2000 Terminal Services. In preparation for locking down the server, I need to find a way to disable Windows Explorer from being launched from the task bar, i.e. by right-clicking on the START menu.

I am not using Active Directory and have been unable to find a System Policy Template (ADM file) to achieve this. I have tried changing the security permission on the explorer.exe file but this doesn't seem to work.

Any help would be greatly appreciated.

Nick
 
Why do you want to disable the explorer?
You can hide all local drives, you can restrict access to local drives, you can hide network neighborhood, disable the ability to map drives ... using plain policy files & registry configurations...

Peter Van Eeckhoutte
peter.ve@pandora.be

 
My concern is that knowledgeable users will present a security risk to the system.

For example, my .EXE files in the WINNT folder have Read and Execute permissions, and users will be able to run these files.

If possible, I would like to remove explorer functionality altogether.

Nick
 
Have you tried to block explorer.exe as a valid application? (You can set this in a policy, or directly in the registry, without the need of NTFS permissions on the file...)

Peter Van Eeckhoutte
peter.ve@pandora.be

 
FWIW I agree with what you're saying, Peter - policies are the *only* way to effectively lock down a Terminal Server environment. You can use a "Run only allowed applications" policy for positive locking down.

Or you could go one stage further and implement Citrix MetaFrame to publish individual applications to the users, thus eliminating the desktop completely.

Be aware that some applications contain back doors and security holes that allow users to get to the system without directly running explorer.


For example, my favorite "hack" is to simply type a url into a Microsoft application. When the address bar conveniently appears in the toolbar region (or if it doesn't, simply load up the web toolbar), type c:, m: or whatever the server's root drive letter is.

Hey presto - you've got explorer with system level access that bypasses user-level permission lock-downs - including policies.


Check out some of the security sites, if you're really security conscious.

Here's a good one: - check out an article entitled "Hardening Windows 2000".


My favorite policy is corporate policy, however - knowledgeable users should know that they aren't supposed to hack the system;

Make all users aware through a legal notice that if they do anything untoward, then the company may take legal action against them.

If anyone ignores this, find out who hacked the system and inform their manager that his/her department's services are being compromised.

Or you could *lose* that user's most important data (or worse, e-mail or internet access) for a day or two. The BOFH attitude can be useful in some circumstances...


I hope this is helpful
 
I'd definitely agree with that! I worked as part of a team a while back setting up Terminal Services. Most of the users who were using it liked to tinker and some were a bit more knowledgeable. We tried locking things down without policies and realised after about a month that policies were the only way to go. After messing around with them for a bit we realised just how powerful they are - don't bother wasting your time on anything else!!

Regards
 
I think I can get a .adm file to block right-clicking on the Start - Taskbar (including the start button itself).
If you are interested, just let me know and I'll send you the file as soon as possible...

Peter Van Eeckhoutte
peter.ve@pandora.be

 
peterve

Yes please, if you can find an ADM file to stop the right-clicking on the start bar, I would be most grateful.


My email address is nick.bhogal@sema.co.uk

Cheers

Nick

 
As soon as I have it, I will post a message on this forum... If you send me your email address, I will send the adm file...

Peter Van Eeckhoutte
peter.ve@pandora.be

 
Hi,

There is no .adm file to do this... but you can disable it this way:

Edit the GPO, go to User configuration and look for 'Windows Explorer'.
There is a setting called 'disable Windows Explorer's default context menu'.
If you disable this, normally you won't be able to right click the start button anymore...

Good luck

Peter Van Eeckhoutte
peter.ve@pandora.be
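
The policies named in this thread ("Run only allowed applications" and the Explorer context-menu setting) are stored as values under the user's `Policies\Explorer` registry key. The following is an added example, not code from any poster: a Python script that audits a regedit export of that key. The sample export is constructed, and mapping the thread's policies to the `RestrictRun`, `NoViewContextMenu` and `NoTrayContextMenu` values is an assumption of this example.

```python
import re

POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Constructed sample export for one Terminal Server user (not taken from the thread).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"RestrictRun"=dword:00000001
"NoViewContextMenu"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"1"="winword.exe"
"2"="EXPLORER.EXE"
'''

def parse_reg(text):
    """Parse regedit export text into {key_path_lower: {value_name_lower: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, raw = m.group(1).lower(), m.group(2)
            current[name] = int(raw[6:], 16) if raw.startswith("dword:") else raw.strip('"')
    return keys

def audit(text):
    """Return findings for the lock-down settings discussed in the thread."""
    keys = parse_reg(text)
    pol = keys.get(POLICY_KEY.lower(), {})
    allowed = {str(v).lower() for v in keys.get(POLICY_KEY.lower() + r"\restrictrun", {}).values()}
    findings = []
    if pol.get("restrictrun") != 1:
        findings.append("RestrictRun is off: no application allow-list is enforced")
    elif "explorer.exe" in allowed:
        findings.append("explorer.exe is on the RestrictRun allow-list")
    for name in ("NoViewContextMenu", "NoTrayContextMenu"):  # assumed value names
        if pol.get(name.lower()) != 1:
            findings.append(name + " is not set: context menu still available")
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_REG):
        print("FINDING:", f)
```

The `RestrictRun` allow-list is enforced by the Explorer shell, so it only covers programs started through Explorer; processes launched another way are not checked against the list.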

 