Group policy to disable network hyperlinks in Word

Anonymous
June 2, 2005 5:27:33 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Unfortunately students have learned/guessed the server names at our school
and are demonstrating their ability to "see" all of our network shares by
just typing in "\\data\c$" (or similar) into a Word document and clicking the
provided hyperlink.
Is there a Group Policy to disable network hyperlinks in Word?
Any other tips on preventing this?
Thanks
Anonymous
June 3, 2005 12:20:11 PM

First, admin shares are by default only accessible to admin accounts,
so if they are accessing such as c$ you need to investigate why as
either they are being recognized as admins on the accessed machine
or the share permissions have been changed.

For tweaking Word, if there is a setting in the Office application for
this, then you could write a custom adm file to deliver with GP.
You should ask over in an Office newsgroup how to, if possible,
affect that behavior of Office applications.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"tharcleroad@taconichills.k12.ny.us"
<tharcleroadtaconichillsk12nyus@discussions.microsoft.com> wrote in message
news:5447E4C8-E4D4-4928-8A7F-23AA7B4D4283@microsoft.com...
> Unfortunately students have learned/guessed the server names at our school
> and are demonstrating their ability to "see" all of our network shares by
> just typing in "\\data\c$" (or similar) into a Word document and clicking the
> provided hyperlink.
> Is there a Group Policy to disable network hyperlinks in Word?
> Any other tips on preventing this?
> Thanks
Anonymous
June 3, 2005 3:08:12 PM

I don't know if such a policy exists, but I have never heard of it, but beware
there are many ways to "see" network shares, particularly if you have NetBIOS
over TCP/IP enabled on the network. If a network can exist without NetBIOS
over TCP/IP you can publish shares to AD and then set permissions on the
share object, in that if a user does not have read permissions they will not
see the share via AD. It is possible to disable NBT in an all W2K/W2003/XP
Pro network if you do not use any applications that require it nor want to
use My Network Places to find network resources that will show via the
browser service. Keep in mind that I believe Exchange may still require
NBT.

Having said that pay heed to Roger's reply. Ultimately you need to control
access to network resources by using the principle of least privilege for
group membership, user rights [access this computer from network], and
share/folder [ntfs] permissions instead of trying to hide access. Depending
on your network configuration you may also be able to use an ipsec "require"
policy to protect access to computers from computers that should not ever be
able to access it. Ipsec can encrypt/maintain integrity traffic and require
computer authentication before access is allowed. Ipsec is a more advanced
topic however and ipsec policies need to be thoroughly tested before rolling
out.

--- Steve

http://www.microsoft.com/windows2000/technologies/commu...
--- Windows 2000 ipsec center.

"tharcleroad@taconichills.k12.ny.us"
<tharcleroadtaconichillsk12nyus@discussions.microsoft.com> wrote in message
news:5447E4C8-E4D4-4928-8A7F-23AA7B4D4283@microsoft.com...
> Unfortunately students have learned/guessed the server names at our school
> and are demonstrating their ability to "see" all of our network shares by
> just typing in "\\data\c$" (or similar) into a Word document and clicking the
> provided hyperlink.
> Is there a Group Policy to disable network hyperlinks in Word?
> Any other tips on preventing this?
> Thanks
Anonymous
June 3, 2005 6:03:07 PM

The manually set up shares (which were set up years ago by an outside vendor)
were Everyone group with full access. I have manually changed them to Admins
and Faculty only. But those darn hyperlinks still let the kids "surf" the
entire network (the new permissions do keep them from entering the
folders/shares).
Thanks

"Roger Abell" wrote:

> First, admin shares are by default only accessible to admin accounts,
> so if they are accessing such as c$ you need to investigate why as
> either they are being recognized as admins on the accessed machine
> or the share permissions have been changed.
>
> For tweaking Word, if there is a setting in the Office application for
> this, then you could write a custom adm file to deliver with GP.
> You should ask over in an Office newsgroup how to, if possible,
> affect that behavior of Office applications.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "tharcleroad@taconichills.k12.ny.us"
> <tharcleroadtaconichillsk12nyus@discussions.microsoft.com> wrote in message
> news:5447E4C8-E4D4-4928-8A7F-23AA7B4D4283@microsoft.com...
> > Unfortunately students have learned/guessed the server names at our school
> > and are demonstrating their ability to "see" all of our network shares by
> > just typing in "\\data\c$" (or similar) into a Word document and clicking the
> > provided hyperlink.
> > Is there a Group Policy to disable network hyperlinks in Word?
> > Any other tips on preventing this?
> > Thanks
>
>
>
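
Added example, not part of the thread: the clean-up described in the post above (shares left at Everyone with full access) and the least-privilege advice in Steve's reply can be checked with a small PowerShell audit of share ACL entries. It assumes a current Windows system where `Get-SmbShareAccess` is available (not the Windows 2000 hosts discussed here); the function name `Find-BroadShareAccess`, the list of broad groups and the sample entries are constructed for illustration.

```powershell
# Principals treated as "too broad" for a file server (assumed list, adjust locally).
$BroadPrincipals = 'Everyone', 'Authenticated Users', 'Domain Users', 'Users'

function Find-BroadShareAccess {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-SmbShareAccess output:
        # Name, AccountName, AccessControlType, AccessRight
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]] $Entry
    )
    process {
        foreach ($e in $Entry) {
            # Deny entries restrict access; only Allow entries can over-grant.
            if ("$($e.AccessControlType)" -ne 'Allow') { continue }

            # Compare on the account name without its DOMAIN\ or BUILTIN\ prefix.
            $leaf = ("$($e.AccountName)" -split '\\')[-1]
            if ($BroadPrincipals -notcontains $leaf) { continue }

            $right = "$($e.AccessRight)"
            [pscustomobject]@{
                Share    = $e.Name
                Account  = $e.AccountName
                Right    = $right
                # Full/Change lets any matching user write; Read still exposes content.
                Severity = if ($right -in 'Full', 'Change') { 'High' } else { 'Review' }
            }
        }
    }
}

# Constructed sample entries (hypothetical share and group names).
$sample = @(
    [pscustomobject]@{ Name = 'Homework'; AccountName = 'Everyone';               AccessControlType = 'Allow'; AccessRight = 'Full' }
    [pscustomobject]@{ Name = 'Staff';    AccountName = 'SCHOOL\Faculty';         AccessControlType = 'Allow'; AccessRight = 'Change' }
    [pscustomobject]@{ Name = 'Staff';    AccountName = 'BUILTIN\Administrators'; AccessControlType = 'Allow'; AccessRight = 'Full' }
    [pscustomobject]@{ Name = 'Library';  AccountName = 'SCHOOL\Domain Users';    AccessControlType = 'Allow'; AccessRight = 'Read' }
    [pscustomobject]@{ Name = 'Grades';   AccountName = 'Everyone';               AccessControlType = 'Deny';  AccessRight = 'Full' }
)

# Flags Homework (High) and Library (Review); the Faculty, Administrators and Deny entries pass.
$sample | Find-BroadShareAccess | Format-Table -AutoSize

# On a live server, feed it the real share ACLs instead:
# Get-SmbShare | Get-SmbShareAccess | Find-BroadShareAccess
```
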
Anonymous
June 6, 2005 6:20:57 PM

tharcleroad@taconichills.k12.ny.us wrote:
> Unfortunately students have learned/guessed the server names at our school
> and are demonstrating their ability to "see" all of our network shares by
> just typing in "\\data\c$" (or similar) into a Word document and clicking the
> provided hyperlink.
> Is there a Group Policy to disable network hyperlinks in Word?
> Any other tips on preventing this?
> Thanks

Are they trying to do this, or succeeding? I would worry about the
latter more than the former.