Help ! Need to disable network browsing on 2000 pro clients

Hello ALL


We have a 2003 AD domain with Windows 2000 Pro clients. I would like to prevent the clients from being able to browse the network and see the other computers, as well as prevent them from browsing the Directory and seeing the different OUs that are set up. Is there a way of preventing a user from browsing for folders, computers, drives, etc. on the domain, and not prevent the PC from participating on the domain normally? I would like to accomplish this without having to set up a new domain just for these PCs.

These PCs that I want to lock down are public PCs that anyone off the street can use to surf the net. So you can see why I’m so concerned about preventing them from seeing the domain.

Thank you so much !!!
 
Disable NetBIOS over TCP/IP.

Maybe you need to lock down these systems more tightly if they're to be used
by 'people off the street', though. Group policies, mandatory profiles, etc.
What are they used for?
 
I suggest that you consider removing those computers from the domain and putting them
in a workgroup and either using IPsec filtering or personal firewalls to allow them to
access only the internet and not any IP addresses on the LAN.

If for some reason they must be in your domain, it can be difficult to prevent users
from browsing the network. You can use Group Policy/user configuration to hide
Network Places, though that will not be 100 percent effective as there are many ways
to work around that, such as using or creating shortcuts. Disabling NetBIOS over
TCP/IP on those computers would also deter casual domain browsing. I would also use
Group Policy to disable the command prompt and registry editing, use computer cases
that lock access to the computer drives and interior access and disable USB ports in
CMOS and password protect CMOS settings, configure Group Policy so that users cannot
modify IE settings, do not allow downloads in any of the IE Web Content Zones, make
sure that users/everyone have no more than read/list/execute permissions to the
drive/root folder, and modify the user account used for public access to have only
read/list/execute permissions to the desktop folder in the user profile if you are
not using the guest account that will not save changes to the profile [understanding
the risks of enabling the guest account]. If possible use XP Pro computers for public
access and use Software Restriction Policies to lock down users so they can run ONLY
what is authorized and not be able to install any software. Finally, on W2K or XP Pro
you can implement an IPsec filtering policy on those computers to allow them access to
only the computers they need on the domain, such as domain controllers to log on, by
starting with a mirrored block all IP rule and then adding a permit rule that contains
the allowed LAN IP addresses in the filter and entries for internet access. The links
below may be helpful. --- Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
http://www.securityfocus.com/infocus/1559

Jay said:
Hello ALL,


We have a 2003 AD domain with Windows 2000 Pro clients. I would like to prevent
the clients from being able to browse the network and see the other computers, as well
as prevent them from browsing the Directory and seeing the different OUs that are
set up. Is there a way of preventing a user from browsing for folders, computers,
drives, etc. on the domain, and not prevent the PC from participating on the domain
normally? I would like to accomplish this without having to set up a new domain just
for these PCs.
These PCs that I want to lock down are public PCs that anyone off the street
can use to surf the net. So you can see why I'm so concerned about preventing them
from seeing the domain.
 
Hello Lanwench

We do have Group Policies, mandatory profiles and NTFS permissions enforced, but yesterday I found out a public user can browse the network by going into Microsoft Word, then selecting Save As, then on the window that comes up clicking on Tools, and then they have the option to Map Network Drive... from this option they can browse the entire network. I need to prevent this, but I need the station to have access to the network.

The stations are used for browsing the internet and using Microsoft wor
 
Hello Steven

Thank you for the reply,

I want to move the public PCs to Windows XP later when we have time to set up an image for the new OS.

Currently we are using Group Policies, USB storage is disabled, NTFS permissions are set, I went ahead and disabled NetBIOS over TCP and now I'm not able to browse our network. But I can still browse the Active Directory. How can I disable this feature so a user cannot browse the directory and the different OUs?
 
I don't know how well this will work but under user configuration/administrative
templates/desktop/active directory - enable "Hide Active Directory folder".

The other thing you can do is to modify the permissions on AD objects much like you
do on NTFS for folders. If a user does not have read permissions, they cannot see an
AD object. However there are a couple of problems and I have never seen good
documentation on the subject so trial and error is needed. A user needs permissions
to at least part of AD or the user will not be able to change their password or have
Group Policy apply to them. So I believe you do not want to remove read permissions
to the domain, domain controllers container, the container where their user account
is located, and if they are in an OU where Group Policy is applied to them you want
them to have permissions to read that OU. If they do not need to change their
password then you might also be able to not give them read permissions to the users
container or put them in their own container and deny read permissions for all the
other users. Other than that you can deny those users permissions to any other OUs
that they have no need to see or have policy applied from. The best way would
probably be to put those users for those public computers in a group and give them
deny permissions to the OUs or containers that you do not want them to see. ---
Steve


Jay said:
Hello Steven ,

Thank you for the reply,

I want to move the public PCs to Windows XP later when we have time to set up an image for the new OS.

Currently we are using Group Policies, USB storage is disabled, NTFS permissions
are set, I went ahead and disabled NetBIOS over TCP and now I'm not able to browse our
network. But I can still browse the Active Directory. How can I disable this feature
so a user cannot browse the directory and the different OUs?
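
The second suggestion in Steve's reply above (put the public-PC accounts in a group and deny that group read access on the OUs they have no need to see) can be scripted with dsacls.exe from the Windows Support Tools. This is an added example, not part of the original thread; the group name, domain name and OU names are placeholders, and it assumes the script is run by a domain administrator against a test OU first.

```bat
@echo off
rem Added example: deny a kiosk group read access on selected OUs with dsacls.exe.
rem EXAMPLE\PublicKioskUsers and the OU names below are placeholders.
setlocal
set GROUP=EXAMPLE\PublicKioskUsers

rem List ONLY OUs the public accounts never need to read.
rem Per the reply above, do NOT list:
rem   - the domain object itself
rem   - the Domain Controllers container
rem   - the container/OU that holds the public user accounts
rem   - any OU whose Group Policy must apply to those accounts
for %%O in (
  "OU=Finance,DC=example,DC=com"
  "OU=Staff,DC=example,DC=com"
) do (
  echo === Denying read for %GROUP% on %%~O
  rem /D adds a deny ACE, GR is generic read,
  rem /I:T applies it to this object and its sub-objects.
  dsacls %%O /I:T /D "%GROUP%:GR"

  rem Show the resulting ACEs for the group so the change can be checked.
  dsacls %%O | findstr /I /C:"PublicKioskUsers"
)

endlocal
```

After running it, log on as one of the public accounts and confirm that logon, Group Policy application and any required password change still work before extending the list.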
 
Great, Jay, and thanks for reporting back the results. --- Steve

jay said:
Hello Steven,

Enabling that policy did it! The Directory doesn't show up now ... thank you so
much !!!
 