Redirected Start Menu Security Issue

wedge1988

Hi all,

Im not sure if you are aware about this one, but its been a thorn in my a** for a whole 2 years now. and yet, still no solution.

Basically, if you redirect your start menu to a UNC path, then explore one of the folders on the redirected start menu, it takes you to the path of the folder, disregarding any security and the fact that my network places should be fully hidden.

Im sure this is to do with the system permissions, but ive looked all over the internet for a solution, and there are other people with the problem, but nobody has found a solution to it yet. In fact, on one website, sombody claims to have found a solution, by phoning microsoft and paying £90 for it! But i dont think that is appropriate, you shouldnt have to pay microsoft for their problems.

So has anybody come accross this, and have you found a way around it? I have a few ideas, but they reduce the functionality for the user?

genXrcist

wedge1988 wrote: »

Hi all,

Im not sure if you are aware about this one, but its been a thorn in my a** for a whole 2 years now. and yet, still no solution.

Basically, if you redirect your start menu to a UNC path, then explore one of the folders on the redirected start menu, it takes you to the path of the folder, disregarding any security and the fact that my network places should be fully hidden.

Im sure this is to do with the system permissions, but ive looked all over the internet for a solution, and there are other people with the problem, but nobody has found a solution to it yet. In fact, on one website, sombody claims to have found a solution, by phoning microsoft and paying £90 for it! But i dont think that is appropriate, you shouldnt have to pay microsoft for their problems.

So has anybody come accross this, and have you found a way around it? I have a few ideas, but they reduce the functionality for the user?

I only know of one way to fix this but in order to make it scalable you have to be using Roaming Profiles. From a machine that you're developing a default profile you go to Folder Options & uncheck the 'Display Full Path in Address Bar'.

Then logoff and log back on as a different administrator acct and copy that user profile out to your Network.

Then use GPO to force roaming profiles and point to that UNC.

Otherwise, if you have access to the imaging folks you can ask that they make that setting a part of their imaging process.

Hope that helps!

dynamik

You're talking about "hiding" a share with $? Those aren't really hidden or any more secure than visible shares. While they don't show up while browsing for shares, there tools that easily reveal them. I also prefer that some shares are not visible to users, but I really don't rely on that for security. You should focus on your NTFS and share permissions. If there are things in that same share you don't want users seeing or accessing, move them to a different share and set appropriate permissions.

wedge1988

thanks genXcist, thats a good security measure, but it wont fix the problem. Sorry dynamik, you have the wrong end of the stick.

Your both correct in assuming the $ for the shares, but i have locked them down with security very heavily. To the point of them being able to access the files but not actually see them.

This is essentially what i need to do. But its very tricky.

Understand that its the start menu. I cannot deny them access to the start menu because they need to see the shortcuts. I have locked down the server shares with NTFS permissions, so they cant get into those. They can however see the structure and browse the my network places even though ive blocked access to it all.

Im currently looking into disabling NetBIOS because this is what allows you to browse my network places, and microsoft recommend that it is not sued anymore (I agree) but they can still see the structure of the local server. Its a friggin pain.

If you use redirected start menus, you will have the same problem!

Claymoore

I believe what you're looking for is Access Based Enumeration. Basically you don't want users to see folders to which they do not have access. NTFS permissions prevent them from actually opening the files, but you would prefer they never even see them. This has been a feature of Novell forever, but only introduced in Windows Server 2003 R2.

http://www.microsoft.com/windowsserver2003/techinfo/overview/abe.mspx
Implementing Access-Based Enumeration in Windows Server 2003 R2
Download details: Windows Server 2003 Access-based Enumeration
How to implement Windows Server 2003 Access-based Enumeration in a DFS environment

wedge1988

wow, thanks claymoore. That looks as though its what i need! Ill try it out when i go back to work monday. The fact that it was only released at sp2 was a bit of a shock, but at least its out there now!

thanks, ill let you know how i get on!

wedge1988

Works like a charm Claymoore, thanks for that! all i need to do now is figure out how im going to remove NetBIOS from my network

wedge1988

Well, i thought that it would work, but it doesnt

It does help with security by hidng folders not accessible, but im still having issues with the start menu. The problem is you cannot lock down the folders from being viewed, because you need them to be accessible. (You dont want them to be explorable in windows explorer, but you do want them to show files and folders in their own directory) which is impossible.

Im really starting to get annoyed with this one now. I cant prevent my users from browsing the folder structure on the server!

dynamik

Just out of curiosity, why is this an issue? If they're supposed to have access to it, why does it matter if they're able to browse around with explorer?

WanBoy67

Could you go to the root of the folder, go to the advanced NTFS permissions and deny the Traverse folder item for everyone? Try using the drop down box when you add an advanced entry and apply it only to the folder and not subfolders and files. You should still be able to open files but not look through the root folder contents. Something tells me this won't work in particular for a Start Menu, I haven't try it but maybe worth a go?

wedge1988

I know its confusing, its been a pain for me for a while. Users are supposed to have access to the folder, but not to view the folder at the explorer level.

The problem is this; My network places is hidden. I dont want anybody looking through the network. No way can users do this, unless they explore a start menu folder. The problem is, they can then view my network places and start browsing the network with it. I will disable NetBIOS soon which will fix this, however, it still brings up the tree of where the share is, such as SYSVOL. (they're denied access to this)

Nice Try WanBoy67, but I have added granular permissions to the top folder of the start menu. Yes this does work, but it will not work on sub-folders within the start menu; if you set the same permissions then you cant view inside the folder. (which ironically is what i need to do but not at the start menu level)

traverse folder will not fix this, its the list folder permission.

I have a feeling that the system permissions have something to do with it all...

and i work in a school, so thats why i need security to come first!

Non-Profit Techie

I have never worked with these start menu options that you are working with, but have you ever thought of turning off browsing from explorer? I may be way off track but it was just a thought i had. Perhaps your start menu items will still allow them to go to location, but if they use the up arrow or type anything in explorer, maybe it will block them. Its just a simple gpo to test out anyway....

Aaron

wedge1988

Turn off browsing? what gpo would do that then?

Non-Profit Techie

Im not 100% sure, but i think this disables browsing from explorer address bar and IE.

Windows Components/Internet Explorer/Internet Settings/Advanced settings/Searchinghide
Policy Setting Comment
Prevent configuration of search from the Address bar Enabled
When searching from the address bar: Do not search from the address bar

I was having trouble finding it, so I hope thats it.

wedge1988

I wont be able to try it out until tomorrow now, but from the looks of it, thats for internet explorer not windows explorer.

Its not along the lines of what my problem really is either sorry dude.

Non-Profit Techie

Yeah, I wasnt sure it would work for you. At our schools I set that gpo, or at least I think its that one, and nobody can use UNCs from IE or Explorer to browse to network or local locations.

dynamik

He might be along the right track though. If you go to User Configuration\Administrative Templates\Start Menu and Taskbar, there is an option to "Remove access to the context menus for the taskbar". I assume they're right-clicking and choosing, "Explore".

Good idea, NPT

RobertKaucher

wedge1988 wrote: »

I know its confusing, its been a pain for me for a while. Users are supposed to have access to the folder, but not to view the folder at the explorer level.

The problem is this; My network places is hidden. I dont want anybody looking through the network. No way can users do this, unless they explore a start menu folder. The problem is, they can then view my network places and start browsing the network with it. I will disable NetBIOS soon which will fix this, however, it still brings up the tree of where the share is, such as SYSVOL. (they're denied access to this)

I really do not get what you are trying to do. But it sounds like you need to allow access to file shares without allowing users to enumerate the shares via an explorer window.

I assume you have used group policy to remove the "My Network Places" icon from the start menu as well as the address bar from explorer windows? There are alos group policies to remove "computers near me" and "Entire Network." But really all of these things are just dust in the wind because I will always be able to randomly search for file shares using Internet Explorer. I will just open it and type in \\NameOfServer and I will be able to view the file shares even if you do not have NetBIOS in use on the network.

I think you really need to consider if this is a security issue or not. Why should users not be allowed to see shares that they have read access to? One thing I have learned is that hiding things from users only provides me with a false sense of security and is not worth my time. If your network is secure, it should not matter if users are able to see the file shares they have access to or not, unless there are situations where they can escelate their access level to gain rights they should not have. But any user capable of doing this would not be detered very long by not being able to browse "my network places" or enumerate file shares via explorer. And that is an entire other security issue in itself.

Yes, it may remove temptation from users if they cannot see the shares, but does it even matter if they are tempted so long as the network is secure?

wedge1988

They can only right click on the programs button and choose explore (which i have managed to block with security) I have enabled pretty much every group policy you can think of, including hiding my network places, computers near me, right clicking, searching etc etc.

They double click the folders on the start menu, which opens them up, then they can browse through explorer.

This is a really stupid thing microsoft havnt found yet. Anybody that redirects their start menu to a server share will have this problem!

Security wise, all folders are locked down, so no, nobody but me cn access certain folders. The fact still remains that there is an unnecessary hole in windows, and i intend to close it some how!!!

thanks all so far, i appreciate it.

(I did come accross the ability to stop users from double clicking the folders on the start menu, but it also stops users double clicking shortcuts. If there is a registry way of doing this, i can make a custom gpo to enforce it)

WanBoy67

wedge1988 wrote: »

The fact still remains that there is an unnecessary hole in windows

What one might see as a hole, another might see as a feature. That sounds dirty doesn't it LOL

wedge1988

well, i meant, its a security risk for me. Besides, i blocked my network places, so i didnt want it as a feature

WanBoy67

Could you run with a roaming, mandatory profile instead?

wedge1988

do roaming mandatory profiles work differently then than a .man mandatory file? i wasnt aware of this?

WanBoy67

wedge1988 wrote: »

do roaming mandatory profiles work differently then than a .man mandatory file? i wasnt aware of this?

A mandatory profile would be on each machine (difficult to update), a roaming mandatory profile would be on the network copied down to each machine each time there is a change. But since there are no changes everything is managed from the network instead on each machine. If you need to update the profile you only have to change 1 profile instead of x amount. I haven't tried renaming the ntuser.dat to .man on a roaming profile but I see no reason why it wouldn't work.

dynamik

wedge1988 wrote: »

They double click the folders on the start menu, which opens them up, then they can browse through explorer.

That's hilarious; I had no idea you could even do that

Try disabling double-clicking

Oh, and it doesn't work like that in Vista (unless you revert to the classic start menu). Maybe it's time for an upgrade...

wedge1988

WanBoy67, i have the .man roaming profile on a share. Just because its a .man doesnt mean that its a local profile. In fact, mandatory profiles are not local profiles, mandatory means the profile cannot be changed when a user loggs off. I doubt its the profile anyway, since the start menu has been redirected. (Not in the profile)

Dynamik, I dont see the point in spending £5000 on licences just to stop users double clicking the folders. I wont disable double clicking, that would render most things useless, wouldnt you agree?

It is rather a stupid thing, and im still surprised there isnt a solution to the issue. Its the first time i have to say that im disappointed with xp.

btw, how do you manage your start menus? See if they have security flaws like this.

dynamik

wedge1988 wrote: »

Dynamik, I dont see the point in spending £5000 on licences just to stop users double clicking the folders.

Who said high security was cheap?

wedge1988 wrote: »

I wont disable double clicking, that would render most things useless, wouldnt you agree?

There's always a trade-off between security and functionality. The question is: how far are you willing to go

wedge1988 wrote: »

btw, how do you manage your start menus? See if they have security flaws like this.

As I alluded to earlier; I simply don't care. I'm not saying you're wrong for looking into this, but I personally don't see this as a legitimate threat. Everything is locked down with appropriate NTFS permissions, and I'm not worried if a user somehow learns of the existence of a share he or she doesn't have access to. Plus, there are many tools* out there that will provide a wealth of information to someone who knows how to use them. I'd be more concerned with thwarting those. If you're really dealing with highly sensitive information, you'd be better off doing something like moving that to a different file server and using IPSec to limit access to it.

*Check out Hacking Exposed, Hacked Exposed: Windows, any of the CEH books, The Open-Source Penetration Tester's Toolkit, etc.

Claymoore

Wedge, I think you're tilting at windmills here. If your file and folder permissions are correct, who (else) cares if the users can view the contents of the start menu? You are welcome to play around with the Traverse Folder/Execute File and List Folder/Read Data advanced file rights and the Bypass Traverse Checking privilege but I think you are going to find that it just doesn't work the way you want it to.

File and Folder Permissions

Anytime you work with file and folder permissions, you should keep the following in mind:

• Read is the only permission needed to run scripts. Execute permission doesn't matter.
• Read access is required to access a shortcut and its target.

Table 13-3 File and Folder Permissions Used by Windows 2000
Read
Permits viewing and listing of files and subfolders
Permits viewing or accessing of the file's contents
Write
Permits adding of files and subfolders
Permits writing to a file
Read & Execute
Permits viewing and listing of files and subfolders as well as executing of files; inherited by files and folders
Permits viewing and accessing of the file's contents as well as executing of the file
List Folder Contents
Permits viewing and listing of files and subfolders as well as executing of files; inherited by folders only

Non-Profit Techie

If it is really something that MUST be taken care of and you have been looking for a solution for over 2 years, you could always just put in a premier support issue with microsoft. I'm sure that is cheaper then upgrading.

wedge1988

Ok guys, i think ill leave it there. Thanks for all of your help, as always its invaluable. Im willing to help others here when its back scratching time

Ill look into the premier support thing too, thats interesting...