#1

Hello,
I am implementing a policy that removes the "My Network Places" from the Desktop. In addition, I am removing the Active Directory icon from the "Entire Network", whose icon is also removed by policy. The problem is that there are two security loopholes that a knowledgeable user could exploit to circumvent this security measure.

1. If a user simply puts their own machine name on the Run line, i.e., \\Computer, then clicks the Up Folder arrow, the contents of the domain will be displayed just as if they had the icon available to them to open that list.

2. Even if the icon for Active Directory (within My Network Places) is removed, if a user has access to a shortcut to an OU or AD object via the NTDS:// protocol, it will open. Then, by clicking the Folders button, they will have access to the logical structure just as if the policy were not in place.

Due to internal applications that need to perform NetBIOS resolution on the PDC Emulator for name browsing enumeration, we don't wish to use the "net config server /hidden:yes" option.

Is there any way to lock these interfaces down from the shell standpoint that is airtight?

If anyone could advise I would be most appreciative.

Thank you.

-

#2

I know of no way to totally hide NetBIOS access [try right-clicking Desktop/New/Shortcut/Browse]. Much of Group Policy simply hides items and is not meant to "secure" resources - that is what share/NTFS/object permissions are for.

You may be able to hide objects in AD by changing permissions on the AD objects. If a user does not have read access to an AD object, then they should not be able to see it. However, keep in mind that users/everyone will need read access to the domain, the Domain Controllers container, their user account, and any OU that they are in, or they may not be able to change their password or have Group Policy applied to them.

If you decide to try changing permissions on AD objects, be sure to document changes/back up first. Dsacls can also be used to change AD permissions back to default.

--- Steve
http://support.microsoft.com/default...b;en-us;281146

"-" <-@-.com> wrote in message news:(E-Mail Removed)...
> Hello,
>
> I am implementing a policy that removes the "My Network Places" from the
> Desktop. In Addition, I am removing the Active Directory icon from the
> "Entire Network" whose icon is also removed by policy. The problem is that
> there are two security loopholes that a knowledgeable user could exploit and
> circumvent this security measure.
>
> 1. If a user simply puts their own machine name on the run line i.e.,
> \\Computer, then clicks the Up Folder arrow, the contents of the domain will
> be displayed just as if they had the icon available to them to open that
> list.
>
> 2. Even if the icon for Active Directory (within My Network Places) is
> removed, if a user has access to a shortcuts to an OU or AD object via
> NTDS:// protocol, it will open. Then by clicking the Folders button, they
> will have access to the logical structure just as if the policy were not in
> place.
>
> Due to internal applications that need to perform NetBIOS resolution on the
> PDC Emulator for name browsing enumeration, we don't wish to use the "net
> config server /hidden:yes" option.
>
> Is there any way to lock these
> interfaces down from the shell standpoint that is airtight?
>
> If anyone could advise I would be most appreciative.
>
> Thank you.
>
>
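The following is an added worked example, not code from either poster, showing one way to carry out Steve's suggestion: back up an OU's ACL, deny Read on that OU to a group so its members no longer see it when browsing NTDS://, confirm that the objects every user must still read (domain root, Domain Controllers container) carry no such deny, test from a restricted user's account, and keep the Dsacls rollback at hand. The domain corp.example, the OU "OU=Finance,DC=corp,DC=example", the group "CORP\Kiosk Users" and the backup path are assumptions for illustration; the script expects the RSAT ActiveDirectory module and Dsacls.exe on the box it runs from.

```powershell
# Added example (not from the thread). Hides an OU from one group by denying
# Generic Read on it, with a backup first and a rollback at the end.
# Assumed names: domain corp.example, OU=Finance, group "CORP\Kiosk Users".
Import-Module ActiveDirectory

$ou        = 'OU=Finance,DC=corp,DC=example'   # assumed OU to hide
$group     = 'CORP\Kiosk Users'                # assumed group that must not see it
$backupDir = 'C:\ADACLBackup'                  # assumed backup location

# 1. Document the current ACL before touching anything (Steve's advice).
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
dsacls $ou | Out-File "$backupDir\Finance-$stamp.dsacls.txt"
(Get-Acl "AD:\$ou").Sddl | Out-File "$backupDir\Finance-$stamp.sddl.txt"

# 2. Deny Generic Read (GR) to the group on the OU and everything beneath it
#    (/I:T = this object and sub-objects). A Deny ACE wins over the Read that
#    Authenticated Users inherits, so the subtree stops appearing in the
#    Directory browser and in NTDS:// shortcuts for members of that group.
dsacls $ou /I:T /D "${group}:GR"

# 3. Sanity check: users still need Read on the domain root, the Domain
#    Controllers container, their own account and the OUs they sit in, or
#    password changes and Group Policy break. Warn if a Deny for the group
#    ever lands on the two containers every user needs.
$domain = Get-ADDomain
foreach ($mustStayReadable in @($domain.DistinguishedName, $domain.DomainControllersContainer)) {
    $acl = Get-Acl "AD:\$mustStayReadable"
    $badDeny = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq $group
    }
    if ($badDeny) { Write-Warning "Deny ACE for $group found on $mustStayReadable" }
}

# 4. Verify from the restricted user's point of view. Prompt for a member of
#    the group; the lookup should fail because the object is now invisible.
$cred = Get-Credential -Message 'Enter credentials of a Kiosk Users member'
try {
    Get-ADOrganizationalUnit -Identity $ou -Credential $cred | Out-Null
    Write-Warning "User can still read $ou - check group membership and the ACE"
} catch {
    Write-Host "OK: $ou is not visible to the test user ($($_.Exception.Message))"
}

# 5. Rollback options. /R removes only this group's ACEs; /S /T resets the
#    object and its subtree to the schema defaults, which also drops any other
#    custom ACEs, so diff against the backup before using it.
# dsacls $ou /R $group
# dsacls $ou /S /T
```

The Deny only hides the directory objects; it does not stop the \\Computer browsing in the original question, which is a NetBIOS browse list rather than an AD read, and it does nothing for share or NTFS access to the resources themselves, which still need their own permissions.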
Tags: icon, microsoft windows network, policy, prevent