?
Solved

Remove/Prevent Editing of Shortcut Properties

Posted on 2004-04-07
8
Medium Priority
?
1,767 Views
Last Modified: 2013-12-04
Hello,
  I don't want my users to be able to modify where shortcuts point to on their Windows XP workstations (such as by right clicking the shortcut, selecting properties, and modifying entries under the shortcut tab).  At the same time, though, I don't want to prevent them from, say, sending a shortcut of a document in their docs folder to the desktop (so removing the default explorer context menu isn't an option).  I'm running a domain, so methods are pretty flexible:  registry change, script, gpo setting that I've overlooked, custom adm template, whatever.  The following are acceptable solutions for me:

1.  Remove properties from the context menu of a shortcut (but properties must remain intact for everything else, just removed from .lnk files)
2. Remove the shortcut tab from the properties of the shortcut
3. Make everything on the shortcut tab (target, start in, etc.) non-editable by the end user, including removing the function of the buttons along the bottom or making them unclickable
4. Anything else that achieves what I'm looking for without removing required functionality.
0
Comment
Question by:WerewolfTA
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
8 Comments
 
LVL 12

Expert Comment

by:trywaredk
ID: 10778251
Create your own shortcut as an compiled exe-file

AutoIt v3 is free an BASIC-like scripting language with compiler
http://www.hiddensoft.com/autoit3/

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 
LVL 4

Author Comment

by:WerewolfTA
ID: 10783048
I don't think that's going to work for me.  Looking at it, it appears that I could do that for the shortcuts I supply, but I still want my users to be able to make shortcuts of their own documents, which they could then go into and edit.
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10790100
The shortcuts that you produce with autoit can't be edited by your users. Rember, that the exe-file you produce with autoit only is a shortcut, that points excatly where you want.

Your users can still  - as they allways could -  produce their own shortcuts.
0
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

 
LVL 4

Author Comment

by:WerewolfTA
ID: 10792239
 Yes, but can the users still edit the shortcuts that they produce?  That's what I'm trying to stop in addition to editing the shortcuts I supply (and even if this solution does, since it creates an executable file, it unfortunately wouldn't work for me since they're not allowed to run any executable content from locations for which they have write rights unless I hash the file and specifically allow it, which wouldn't be possible if they're creating them).  

I want my users to be able to create shortcuts to their existing documents, but not to be able to edit them.  I've already stopped them from being able to create a new blank shortcut and fill in anything they want, but they can produce a shortcut to an existing file on their own (which I want them to be able to do) and then edit it (which I don't want them to be able to do) to point somewhere they're not otherwise allowed to access in the gui (because I've disabled the run command and hidden network neighborhood) such as a network path.  One of my users actually admitted to browsing through the network looking for open shares to see what was out there.  Hopefully, everything's secure, but just in case something's overlooked, I don't want them to ever even have the opportunity to find out.  And even though they can't just browse through the network anymore, we use bginfo to put the name and ip address on all the desktops so we can have the caller quickly id which computer they're on for support purposes, so it's pretty easy for them to find paths to search.

  I know that no matter what I do, if they're determined enough, they'll find a way to get around the security I've set up or break the XP install trying, but I want to make it as difficult as possible so hopefully most of them will give up.  Experience has shown that some of these people have way too much free time on their hands, not enough supervision, and a strong desire to perform tasks on their computer that they're not allowed or supposed to do.
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10800521
A user creating a shortcut (or file or folder) is the owner of the shortcut. That's defined in the creator owner ntfs permission.

Default NTFS Permissions in Windows 2000
http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q244600
0
 
LVL 12

Accepted Solution

by:
trywaredk earned 750 total points
ID: 10800523
Describing the problems with your users, I see no other solution than
http://www.microsoft.com/windows2000/technologies/terminal/default.asp
0
 
LVL 4

Author Comment

by:WerewolfTA
ID: 11060707
Unfortunately, terminal services isn't an option for me.  However, since nothing else has been posted, and I believe your answer would work were that an option, I am going to go ahead and close this question and award the points to you, trywaredk.  
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 11063354
:o) Thank you for the points
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks wi…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses
Course of the Month15 days, 8 hours left to enroll

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question