• Status: Solved
  • Priority: Medium
  • Security: Public

Pupils accessing servers and shared folders

Hi All,

I wonder if anybody can help. Pupils are accessing the servers and seeing the actual server folders/files. When they log in they are double clicking on the programs located on the start menu and accessing explorer. They keep pressing up one level until they get to network neighbourhood, where they can select the domain they are on and see all workstations and servers. They can access the servers and see shared folders and folders. As you understand this is a serious issue; has any of you got any ideas please?


TIA

Ictman
 
JSoup Commented:
HOW TO: Use Xcacls.exe to modify NTFS permissions
http://support.microsoft.com/kb/318754
0
 
chuck-williams Commented:
Use group policy to disable access to network neighborhood. I would set up a test environment and test a policy to lock down the users the way you want to. Then I would apply it to either all users or just to a special group with the particular users you want using security filtering.

I have locked down desktops using many policy modifications so I do not know off the top of my head which policies will give you the desired results you want.

From dealing with setting up a school, locking down students as much as possible is the best solution.
0
 
JSoup Commented:
Think about the impact of your statement chuck-williams: "Use group policy to disable access to network neighborhood." no nothing
0

 
chuck-williams Commented:
Sorry remove that first sentence from the entire statement
0
 
Jeremy Weisinger (Senior Network Consultant / Engineer) Commented:
Make sure the students don't have more permission than necessary.

You should also look through the User Configuration section in group policy to tighten things down for them. And if necessary, make server shares hidden (shares ending with $).

I don't think it is a big deal if students see servers, it is only a problem if they can access things you don't want them to.

PS - removing My Network Places or Network Neighborhood is just the icon. It doesn't prevent the functionality but it does make it harder for users to find it.
0
 
chuck-williams Commented:
That's what I meant with my above statement, if you lock down the correct set of policies in combination, you can disable their ability to browse any of those servers without mapped drives specifically. I just couldn't say which policies. When I dealt with students I had them locked down to a few icons and very minimal access to anything in Windows.
0
 
JSoup Commented:
The problem is the Everyone group needs to be removed
0
 
ictman (Author) Commented:
Is there any way to stop them double clicking on the programs menu?
0
 
Jeremy Weisinger (Senior Network Consultant / Engineer) Commented:
Yes.

User Configuration\Administrative Templates\Start Menu and Taskbar\Remove All Programs list from the Start menu

Look through the entire User Configuration section to see what's possible with Group Policy. There are a lot of options and most have detailed explanations on what they do.
0
 
JSoup Commented:
Yes, GPO can nail it down. GPO can override most things.
0
 
ictman (Author) Commented:
If I choose that, won't all the programs disappear? Or the programs list disappear?
0
 
Jeremy Weisinger (Senior Network Consultant / Engineer) Commented:
Just the list. Like I said, there are a lot of options and most have detailed explanations on what they do.
0
 
ictman (Author) Commented:
But the only thing is, is that there are programs on the programs list that the pupils use
0
 
Jeremy Weisinger (Senior Network Consultant / Engineer) Commented:
"But the only thing is, is that there are programs on the programs list that the pupils use"
That's fine, you don't need to use it then.
If you tell us what you're trying to accomplish specifically then we may be able to point you to some GPO settings. But that might be better for another question if it strays too far from your original question.
0
 
JSoup Commented:
It's down to low level, like read, modify, delete and write
0
 
ictman (Author) Commented:
Basically I don't want pupils double clicking anywhere on the start menu and accessing explorer. Because that way they will be accessing servers and shared folders.
0
 
JSoup Commented:
It's not just those areas that you think they can access. Without listing all of them publicly, just consider one: Task Manager, File, New Task (Run). This really takes some deep thinking and planning.
0
 
Jeremy Weisinger (Senior Network Consultant / Engineer) Commented:
I really think you need to approach this from a different angle. You're trying to take away all "vehicles" (like explorer.exe) that would be used to access the servers. What you need to be doing is working on the "road blocks" (NTFS permissions and user rights) on the server.

Go to the server(s) and make sure the pupils don't have access to things you don't want them to have access to.
0
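One way to check the "road blocks" discussed above (NTFS and share permissions held by broad groups such as Everyone), as an added example that is not part of the original thread. It assumes PowerShell 3.0 or later on the file server, a placeholder share root of `D:\Shares`, and, for the final pipeline only, the SMB cmdlets of Windows Server 2012 or later.

```powershell
# Added example: list explicit Allow ACEs held by broad groups under a share root.
# $Root is a placeholder path; run on the file server with an administrative account.
param([string]$Root = 'D:\Shares')

# Well-known SIDs, so the check does not depend on localized group names.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$sidType  = [System.Security.Principal.SecurityIdentifier]
$writeBit = [int][System.Security.AccessControl.FileSystemRights]::Write

# The root itself plus every folder below it.
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Recurse -Directory -ErrorAction SilentlyContinue)

$findings = foreach ($folder in $folders) {
    try { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop } catch { continue }
    # Explicit (non-inherited) ACEs only: these are the entries that need editing.
    foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
        $sid  = $ace.IdentityReference.Value
        $name = $broad[$sid]
        # Domain Users has a per-domain SID that always ends in RID 513.
        if (-not $name -and $sid -like 'S-1-5-21-*-513') { $name = 'Domain Users' }
        if ($name -and $ace.AccessControlType -eq 'Allow') {
            [pscustomobject]@{
                Path     = $folder.FullName
                Group    = $name
                Rights   = $ace.FileSystemRights
                CanWrite = (([int]$ace.FileSystemRights -band $writeBit) -ne 0)
            }
        }
    }
}
$findings | Sort-Object Path | Format-Table -AutoSize -Wrap

# Share-level permissions apply on top of NTFS; list non-admin shares open to Everyone.
# The account name is matched as text here, so adjust it on non-English systems.
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    Get-SmbShareAccess -Name $_.Name |
        Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' }
} | Format-Table Name, AccountName, AccessRight -AutoSize
```

Any row with `CanWrite` set to True on a folder pupils should only read, or any row at all on a staff or admin folder, marks an ACE to replace with a specific security group.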
 
JSoup Commented:
HOW TO: Use Xcacls.exe to modify NTFS permissions
http://support.microsoft.com/kb/318754
0
 
ictman (Author) Commented:
I have locked down as much as I can as some of the shares they need. There is no way I can lock it down?
0
 
Jeremy Weisinger (Senior Network Consultant / Engineer) Commented:
"I have locked down as much as I can as some of the shares they need."
Sounds good.
They can access the stuff they need access to and they can't access the stuff they don't need, right? So what is the issue?  
0
 
ictman (Author) Commented:
They are still seeing the servers/domains; I want to stop that.
0
 
chuck-williams Commented:
Okay I did the research and figured it out I believe. Test it out and let me know. If you set a policy to remove the My Network Places AND disable the run command, they should not be able to browse the network or get to it using UNC paths (\\server\share). Then I would see if there are any small ways around it and possibly add to the policy until you get the desired effect. I would also suggest disabling the ability to map network drives and possibly lock down windows and internet explorer features in group policy.

Hope this helps.
0
 
chuck-williams Commented:
I meant Windows Explorer and Internet Explorer in the above statement
0
 
Jeremy Weisinger (Senior Network Consultant / Engineer) Commented:
There's still ways around that but it will limit the users.

If the users need access to files in a shared folder and they have a shortcut linking to it, they are still able to browse to other places by clicking the folder up button. OK, let's say you remove that. The user can still create a shortcut if they know the path. Or they could create a simple script to open the path.

The point is you can make it difficult to find the resources but what you really need to be worrying about is the permissions they have to those resources.
0
 
ictman (Author) Commented:
How do we disable the folder up button?
0
 
ictman (Author) Commented:
Anymore ideas :-(
0
 
JSoup Commented:
Security links

http://www.microsoft.com/technet/sysinternals/Security/AccessChk.mspx 
AccessChk v4.02  http://download.sysinternals.com/Files/accesschk.zip
By Mark Russinovich
Published: September 4, 2007
Introduction
As a part of ensuring that they've created a secure environment Windows administrators often need to know what kind of accesses specific users or groups have to resources including files, directories, Registry keys, global objects and Windows services. AccessChk quickly answers these questions with an intuitive interface and output.


http://www.microsoft.com/technet/sysinternals/Security/AccessEnum.mspx
AccessEnum v1.32   http://download.sysinternals.com/Files/AccessEnum.zip 
By Bryce Cogswell
Published: November 1, 2006
Introduction
While the flexible security model employed by Windows NT-based systems allows full control over security and file permissions, managing permissions so that users have appropriate access to files, directories and Registry keys can be difficult. There's no built-in way to quickly view user accesses to a tree of directories or keys. AccessEnum gives you a full view of your file system and Registry security settings in seconds, making it the ideal tool for helping you for security holes and lock down permissions where necessary.
Read Mark's Windows IT Pro Magazine article that describes how to use AccessEnum.
AccessEnum works on Windows NT/2000/XP/2003.

http://www.microsoft.com/technet/sysinternals/Security/ShareEnum.mspx 
ShareEnum v1.6 http://download.sysinternals.com/Files/ShareEnum.zip 
By Bryce Cogswell
Published: November 1, 2006
Introduction
An aspect of Windows NT/2000/XP network security that's often overlooked is file shares. A common security flaw occurs when users define file shares with lax security, allowing unauthorized users to see sensitive files. There are no built-in tools to list shares viewable on a network and their security settings, but ShareEnum fills the void and allows you to lock down file shares in your network.
When you run ShareEnum it uses NetBIOS enumeration to scan all the computers within the domains accessible to it, showing file and print shares and their security settings. Because only a domain administrator has the ability to view all network resources, ShareEnum is most effective when you run it from a domain administrator account.
ShareEnum works on Windows NT/2000/XP.

0
