Image viewer lockdown
I need one of two things.
1. I need to lock down the Windows Fax and Image viewer to prevent users from using the toolbar at the bottom, or I need an application like Blackice image viewer, but free.
THe problem is that I give my clients a full windws server 2003 vm and present the desktop via citrix, my applicaiton allow users to view attached images to each of their customers accounts. The problem is when my customer opens up the applciation to view one of thier customers images files, the server opens up windows fix and image viewer, this allows the users to move through the directory of other images. I need to have them only have access to the one image that they click on.
I would liek to do everything thorugh Group policy, but if i can install an applicaiton that will open pdf's and tif images with out the ability to move through the directory, I will be happy.
1. I need to lock down the Windows Fax and Image viewer to prevent users from using the toolbar at the bottom, or I need an application like Blackice image viewer, but free.
THe problem is that I give my clients a full windws server 2003 vm and present the desktop via citrix, my applicaiton allow users to view attached images to each of their customers accounts. The problem is when my customer opens up the applciation to view one of thier customers images files, the server opens up windows fix and image viewer, this allows the users to move through the directory of other images. I need to have them only have access to the one image that they click on.
I would liek to do everything thorugh Group policy, but if i can install an applicaiton that will open pdf's and tif images with out the ability to move through the directory, I will be happy.
btdownloads7
Any software you get will have the option to browse the folder. You need to create separate forlders for each user, and give each user only permissions to get into their own folder.
ASKER
not poss.
There is no other way for you to prevent users from setting each other's files
Why is it not possible? The server administrator certainly has the ability to assign folder permissions
your my application allow users to view attached images to each of their customers accounts
or include an image viewer in your code (imagebox)
Sample here
Form1.vb
your my application allow users to view attached images to each of their customers accounts
or include an image viewer in your code (imagebox)
Sample here
Form1.vb
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
You can use AppSense to limit the toolbar specifically (Application Manager).
The thing I would look at strongly is fixing the NTFS permissions to keep users from browsing the directory structure, and combine that with a GPO to hide the drive, it should be fairly effective.
In the data directory, give Authenticated Users the ability to add a file or a folder (depending on what your app does) and that's *it*. Then give Creator Owner the rights they need (typically read or change based on what you have described). Do not give them any other rights.. that will block them from opening other users' files.
Coralon
The thing I would look at strongly is fixing the NTFS permissions to keep users from browsing the directory structure, and combine that with a GPO to hide the drive, it should be fairly effective.
In the data directory, give Authenticated Users the ability to add a file or a folder (depending on what your app does) and that's *it*. Then give Creator Owner the rights they need (typically read or change based on what you have described). Do not give them any other rights.. that will block them from opening other users' files.
Coralon
ASKER
Coralon,
The applicaiton does not use windows permissions. Thats why I can not limit the access to the fodlers, it has to be done via GPO, I know I can do a lot more with 2008 gpo and I was hoping not to have to upgrade my DC's to 2008 just yet. I have over 2000 users logging in to this system.
The applicaiton does not use windows permissions. Thats why I can not limit the access to the fodlers, it has to be done via GPO, I know I can do a lot more with 2008 gpo and I was hoping not to have to upgrade my DC's to 2008 just yet. I have over 2000 users logging in to this system.
How does the application bypass the NTFS permissions? (This is assuming the app is not storing the images internally on 1 file..) The only other way would be if the app uses a service account to open the files, which basically would keep it from *ever* being locked down.
The Windows program absolutely obeys the NTFS permissions, so in theory that should still work, unless (as mentioned above) it is using a service to "do the dirty work".
But, AppSense can definitely lock down that toolbar :-\
Coralon
The Windows program absolutely obeys the NTFS permissions, so in theory that should still work, unless (as mentioned above) it is using a service to "do the dirty work".
But, AppSense can definitely lock down that toolbar :-\
Coralon
ASKER
problem with appsense if I do not have it in the budget, the app uses its own users and the app service is started as a system account, so there is no real way to lock down the folders plus all users have access to all folders, but not from within another patients chart. The problem is that the user will open a patients chart and click on a linked image, then the image viewer opens, when i have a toolbar that allows you to explore the directory, then the office user can clci kforward or back and see other images, which they in turn are linked to this person chart, that is the problem, I do not have a sec issue, I just need an image viewer that will open tif, jpag, bmp, pdf, pretty much all images files, with out a toolbar, but the ability to see multiple pages. I will have the same problem with pdf's
Ah.. service account - that is your kicker. From your description, the service account is opening the application, which means that it is not impersonating the user, so as you said, NTFS security is useless.
Short of modifying the application, or going 3rd party (AppSense) I don't think you will be able to lock it down. The app needs to kick off the viewer application as the user (impersonation) for the security to be usable. There are some resource editors out there you could maybe modify the exe to remove the buttons from the application, but they are definitely a 'at your own risk' type of thing to do.
Coralon
Short of modifying the application, or going 3rd party (AppSense) I don't think you will be able to lock it down. The app needs to kick off the viewer application as the user (impersonation) for the security to be usable. There are some resource editors out there you could maybe modify the exe to remove the buttons from the application, but they are definitely a 'at your own risk' type of thing to do.
Coralon
What you are asking can be done though GPO. I would suggest canceling the close request and I might be able to assist you with this. Or, post another question and let me know the location.
ASKER
Never received a workable answer