Hello,
I am implementing a policy that removes the "My Network Places" from the
Desktop. In addition, I am removing the Active Directory icon from the
"Entire Network" whose icon is also removed by policy. The problem is that
there are two security loopholes that a knowledgeable user could exploit and
circumvent this security measure.
1. If a user simply puts their own machine name on the run line i.e.,
\\Computer, then clicks the Up Folder arrow, the contents of the domain will
be displayed just as if they had the icon available to them to open that
list.
2. Even if the icon for Active Directory (within My Network Places) is
removed, if a user has access to a shortcut to an OU or AD object via the
NTDS:// protocol, it will open. Then by clicking the Folders button, they
will have access to the logical structure just as if the policy were not in
place.
Due to internal applications that need to perform NetBIOS resolution on the
PDC Emulator for name browsing enumeration, we don't wish to use the "net
config server /hidden:yes" option. Is there any way to lock these
interfaces down from the shell standpoint that is airtight?
If anyone could advise I would be most appreciative.
Thank you.
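An added example (not part of the original post) that audits the settings involved: the standard Explorer policy values NoNetHood and NoEntireNetwork that hide My Network Places and Entire Network, and the LanmanServer Hidden value that "net config server /hidden:yes" writes. The point for a reviewer is that all three only change what the shell shows or advertises; none of them restricts what a user can reach by typing a path, which is the gap the post describes.

```powershell
# Added example, not code from the original post.
# Reports whether the UI-hiding policies and the server Hidden flag are set.
# None of these values is an access-control boundary; use share/NTFS ACLs
# and AD permissions for that.
$checks = @(
    @{ Path    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name    = 'NoNetHood'
       Meaning = 'Hides My Network Places from the Desktop and Explorer' },
    @{ Path    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Network'
       Name    = 'NoEntireNetwork'
       Meaning = 'Hides Entire Network inside My Network Places' },
    @{ Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name    = 'Hidden'
       Meaning = 'Server omits itself from the browse list (net config server /hidden:yes)' }
)

foreach ($c in $checks) {
    $value = $null
    if (Test-Path $c.Path) {
        # -ErrorAction SilentlyContinue: a missing value is reported, not thrown
        $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    }
    $state = if ($value -eq 1)      { 'SET' }
             elseif ($null -eq $value) { 'ABSENT' }
             else                    { "VALUE=$value" }
    '{0,-12} {1,-16} {2}' -f $state, $c.Name, $c.Meaning
}
```

Run it in the user's session for the HKCU values and elevated for the HKLM value; a row showing SET confirms only that the icon or browse-list entry is hidden, not that the underlying objects are inaccessible.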