'No Entire Network' bug?!?



Peter Stam
07-09-2005, 11:53 PM
Hello everybody,


We have a terminal server that is locked down to the bone (I tried, that
is). There is a policy under 'User Configuration --> Administrative
Templates --> Windows Components --> Windows Explorer --> 'No Entire
Network'. I enabled this policy so that you can't browse the entire
network from the terminal server. Here's the thing:


When I connect with RDP (local drives connected) and start Microsoft
Office in the terminal session, I open a document from my local drive
in the RDP session and 'save as' it once again. The standard dialog
comes with the path \\desktop\my network places\entire
network\\tsclient\d (the local drive). So as you might see I can then
select 'Entire Network' and browse through the 'entire network'?!?. I
know that the policy only removes the icon from the 'My network places'
but how am I supposed to block this problem then? Any ideas? I would
really like to close the 'Entire Network' option due to security issues.


I know that the server can be hidden by 'net config server /hidden:yes'
but connected sessions keep remembering this, so I can't remove the
servers once they have browsed the network once.


Best Regards,
Peter

Phillip Windell
07-09-2005, 11:53 PM
Well, I don't think you really can. But I don't think it is a real problem.
You are going through great pains to do something that really hasn't much
point anyway. What a user can access is based on the share Permissions and the
NTFS Permissions on the "targets". Whether or not they can "see" (browse to)
the machine icons really doesn't matter. If the permissions aren't correct
and they have permission to resources that you didn't intend, they can easily
get to them by typing \\machinename from the Run Line or from IE's Address
Bar or the Address Bar in Windows Explorer. So the permissions are what you
need to focus on and not the Browse List. I understand why you want it to
be the way you want, but it just isn't worth the hassle in the end.


--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
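
The reply above puts the control in the share and NTFS permissions rather than in the browse list, and that can be checked on each file server directly. The PowerShell below is an added example, not part of either post: it assumes the SmbShare module (Windows Server 2012 or later) and an elevated prompt on the server being audited, and the function names are hypothetical.

```powershell
# Added example: flag share-level and NTFS grants to broad groups on this server.
# Assumes the SmbShare module (Windows Server 2012 or later) and an elevated prompt.
$sidType = [System.Security.Principal.SecurityIdentifier]

# Everyone, Authenticated Users, BUILTIN\Users; Domain Users is matched by RID 513.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

function Test-BroadSid {            # hypothetical helper name
    param([string]$Sid)
    ($Sid -in $broadSids) -or ($Sid -match '^S-1-5-21-(\d+-){3}513$')
}

function Get-BroadShareGrant {      # hypothetical helper name
    # Skip admin shares (C$, IPC$) and anything without a folder behind it.
    $shares = Get-SmbShare | Where-Object { -not $_.Special -and $_.Path }
    foreach ($share in $shares) {
        # Layer 1: the share ACL.
        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try {
                $sid = ([System.Security.Principal.NTAccount]$ace.AccountName).Translate($sidType).Value
            } catch { continue }    # orphaned or unresolvable account
            if (Test-BroadSid $sid) {
                [pscustomobject]@{ Share = $share.Name; Layer = 'Share'
                                   Account = $ace.AccountName; Rights = "$($ace.AccessRight)" }
            }
        }
        # Layer 2: the NTFS ACL on the shared folder, read back as SIDs.
        $rules = (Get-Acl -LiteralPath $share.Path).GetAccessRules($true, $true, $sidType)
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if (Test-BroadSid $rule.IdentityReference.Value) {
                [pscustomobject]@{ Share = $share.Name; Layer = 'NTFS'
                                   Account = $rule.IdentityReference.Value
                                   Rights = "$($rule.FileSystemRights)" }
            }
        }
    }
}

Get-BroadShareGrant | Sort-Object Share, Layer | Format-Table -AutoSize
```

A share that appears with both a Share row and an NTFS row for a broad group is reachable by every such user who types its UNC path, whether or not the server shows up in a browse list.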