Solved

How to disable UNC pathing in applications' open and save dialogs?

Posted on 2008-10-10
Last Modified: 2013-11-25
I am trying to lock down UNC pathing for applications hosted through Citrix sessions on 2003 server. For IE I implemented the GPO to disable the run command on the server, which in turn disables UNC pathing in IE. Users are still able to open apps off server and go to file open and then enter UNC path in file name and get error message to file name but the directory in the background takes them to the system share on the server. Even though local policy rights prevent immediate tampering, you can create a new folder, then back out, then save file to the folder you created and inherit rights as owner to, and it proves to be a security risk. So simply put, how can I disable UNC pathing locally or globally to applications or users on the server without disabling NetBIOS over TCP/IP?
Question by:ehesik
5 Comments
 
LVL 63

Expert Comment

by:SysExpert
I don't think that you can, but maybe someone else has more info.

 

Author Comment

by:ehesik
Ok, instead of trying to selectively disable UNC to apps.. What about a solid GPO I can apply to the users to specifically prevent drive or share access on the specific server?
 
LVL 10

Expert Comment

by:JaredJ1
Maybe I've not grasped what you're asking, but if you don't want the users to be able to have "Owner" permissions on files, don't give them "Full Control" NTFS permissions. If you only give "Modify" they will never be able to change permissions of the files, thereby negating the rights associated with file ownership.

I don't believe there is a GPO that will disable drive or share access.
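
An added example, not part of the thread or written by any of its participants: a PowerShell audit that lists non-administrative principals holding Full Control on a folder tree, the grant the comment above advises against. The function name, the `$Trusted` list and the sample path are assumptions.

```powershell
# Added example (not from the thread). Lists Allow ACEs that give Full Control
# to anyone outside an expected set of principals.
function Find-FullControlAce {
    param(
        [Parameter(Mandatory = $true)][string]$Root,
        # Principals expected to hold Full Control (assumed list; adjust per server).
        [string[]]$Trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )

    $fullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    # GENERIC_ALL: inherit-only ACEs such as CREATOR OWNER are often stored with
    # generic bits, which Get-Acl shows as a raw number instead of "FullControl".
    $genericAll = 0x10000000

    # The root folder itself plus every subfolder below it.
    $folders = @(Get-Item -Path $Root) +
               @(Get-ChildItem -Path $Root -Recurse | Where-Object { $_.PSIsContainer })

    foreach ($folder in $folders) {
        $acl = Get-Acl -Path $folder.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Trusted -contains $ace.IdentityReference.Value) { continue }

            $rights = [int]$ace.FileSystemRights
            $isFull = (($rights -band $fullControl) -eq $fullControl) -or
                      (($rights -band $genericAll) -ne 0)
            if ($isFull) {
                # One output row per offending ACE.
                $ace | Select-Object @{ Name = 'Path'; Expression = { $folder.FullName } },
                                     IdentityReference, FileSystemRights, IsInherited
            }
        }
    }
}

# Usage with a hypothetical share path:
# Find-FullControlAce -Root 'D:\PublishedApps' | Format-Table -AutoSize
```

Rows with `IsInherited` set to `False` mark the folder where the grant is actually defined; the inherited rows below it disappear once that entry is reduced to Modify.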
 
LVL 2

Accepted Solution

by:
Ron9909 earned 500 total points
Try the Login Consultants True Control Templates - these are some custom ADM templates for Citrix/TS. I think it's the W2003 template that includes options to force explorer settings - Display the full path in the address bar & Display the full path in title bar - set both to disabled. This is a great template and worth a look, but the following code will do the same job:

CLASS USER

CATEGORY Addressbar
  POLICY "Enable full path in address bar"
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState"
    EXPLAIN !!Address_Bar_Help
    VALUENAME "FullPathAddress"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
END CATEGORY

[strings]
Address_Bar_Help="Enable displaying the full path in the address bar by selecting ENABLED. To disable, select DISABLED."

It's also possible to modify the behaviour of the common file/save dialog in the Microsoft white paper entitled W2003_Terminal_Server_Lockdown (http://www.microsoft.com/downloads/details.aspx?FamilyID=7f272fff-9a6e-40c7-b64e-7920e6ae6a0d&DisplayLang=en)
 

Author Closing Comment

by:ehesik
There was a link to a MS white paper on terminal services group policy settings that put me on the right track to lock down explorer access on the machine and user to prevent any pathing or tampering with directory files... thanks for the help.