• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1852
  • Last Modified:

How to disable UNC pathing in applications' open and save dialogs?

I am trying to lock down UNC pathing for applications hosted through citrix sessions on 2003 server. For IE I implemented the GPO to disable the run command on the server, which in turn disables UNC pathing in IE. Users are still able to open apps off server and go to file open and then enter UNC path in file name and get error message to file name but the directory in the background takes them to the system share on the server. Even through local policy rights prevents immediate tampering, you can create a new folder, then back out, then save file  to the folder you created and inherit rights as owner to, and it proves to be a sercurity risk. So simply put, how can I disable UNC pathing locally or globally to applications or users on the server without disabling NetBIOS over TCP/IP?
0
ehesik
Asked:
ehesik
1 Solution
 
SysExpertCommented:
I don't think that you can, but maybe someone else has more info.

0
 
ehesikAuthor Commented:
Ok, instead of trying to selectively disable UNC to apps.. What about a solid GPO I can apply to the users to specifically prevent drive or share access on the specific server?
0
 
JaredJ1Commented:
Maybe I've not grasped what you're asking, but if you don't want the users to be able to have "Owner" permissions on files, don't give them "Full Control" NTFS permissions. If you only give "Modify" they will never be able to change permissions of the files, thereby negating the rights associated with file ownership.

I don't believe there is a GPO that will disable drive or share access.
0
 
Ron9909Commented:
Try the Login Consultants True Control Templates - these are some custom ADM templates for Citrix/TS.  I think its the W2003 template that includes options to force explorer settings - Display the full path in the address bar & Display the full path in title bar  - set both to disabled.  This is a great template and worth a look, but the following code will do the same job:

CLASS USER

CATEGORY Addressbar

POLICY "Enable full path in address bar"

KEYNAME "Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState"

EXPLAIN !!Address_Bar_Help

VALUENAME "FullPathAddress"

VALUEON NUMERIC 1

VALUEOFF NUMERIC 0

END POLICY

END CATEGORY

[strings]

Address_Bar_Help="Enable displaying the full path in the address bar by selecting ENABLED. To disable, select DISABLED."

 Its also possible to modify the behaviour of the common file/save dialog in the Microsoft white paper entitled W2003_Terminal_Server_Lockdown (http://www.microsoft.com/downloads/details.aspx?FamilyID=7f272fff-9a6e-40c7-b64e-7920e6ae6a0d&DisplayLang=en)


0
 
ehesikAuthor Commented:
there was a link to a MS white paper on terminal services grou ppolicy settings that put me on the right track to lockdown explorer acces on the machine and user to prevent any pathing or tampering with directory files... thanks for the help..
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now