2

I'm currently trying to find a GPO or a registry edit that could either remove the address bar from Windows Explorer or prevent the bar from displaying the full UNC path. The current environment has full restrictions on the C:\ drive as well as on network shares. However, the only "security breach" I could find is that users have full access to other users' Roaming Profiles. That is, if they are smart enough to use environment variables to browse to their profile folders, they end up displaying the full UNC path of the share. If worst comes to worst I could always enable the GPO entry below, but enabling it just creates massive admin headaches, since the policy strips down inherited permissions even when "Add the Administrators security group to roaming user profiles" is enabled:

User Config>Policies>Windows Settings>Folder Redirection>Documents>Options
Grant user exclusive rights to Documents

I have also tried making the following registry modification with no luck.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Explorer]
"ITBar7Layout"=hex:11,00,00,00,4c,00,00,00,00,00,00,00,34,00,00,00,19,00,00,00,\
  40,00,00,00,01,00,00,00,20,07,00,00,a0,0f,00,00,05,00,00,00,62,05,00,00,26,\
  00,00,00,02,00,00,00,21,07,00,00,a0,0f,00,00,04,00,00,00,29,05,00,00,a0,0f,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"ITBar7Layout"=hex:11,00,00,00,4c,00,00,00,00,00,00,00,34,00,00,00,19,00,00,00,\
  40,00,00,00,01,00,00,00,20,07,00,00,a0,0f,00,00,05,00,00,00,62,05,00,00,26,\
  00,00,00,02,00,00,00,21,07,00,00,a0,0f,00,00,04,00,00,00,29,05,00,00,a0,0f,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

Any other suggestions on what to do will be greatly appreciated. -Thanks

RHQ
    Security through obscurity is *bad*...you should figure out *why* the users can read each other's roaming folders instead of hiding it. – Nathan C May 13 '14 at 18:52
  • Hiding something rather than securing it properly isn't a proper solution. Why don't you secure your roaming profiles share so that this isn't an issue rather than trying to obfuscate the problem? – joeqwerty May 13 '14 at 18:53
  • That would be like placing your door knob behind a curtain to obscure it and deter break-ins, rather than, you know, locking the door. – Soviero May 13 '14 at 18:54
  • 1
    @NathanC he already knows "why" the users can see (not read) each other's profiles, and he knows the solution to fix that, so that's not the issue. The issue, is that it does create a headache, I agree with you RHQ, but it is there for a reason, and that reason is to stop the exact thing you are trying to prevent. – Brad Bouchard May 13 '14 at 18:56
  • @NathanC the reason why users can read each other's roaming profiles is that, for roaming profiles and folder redirection to work, the Authenticated Users group needs to be able to write to the network share so that the user can properly create its profile folder at log in. – RHQ May 13 '14 at 20:20
  • 1
    @joeqwerty I agree that hiding something rather than securing it is not a proper solution. Hiding the path not only helps keep the admin/management to a minimum but also prevents users from knowing the share name and thus from being able to browse to it and see each other's folder contents and user names (since the username is First.Last). – RHQ May 13 '14 at 20:21

2 Answers

2

Since you already know that you should be using...

User Config>Policies>Windows Settings>Folder Redirection>Documents>Options > Grant user exclusive rights to Documents

... then your only options are do it right, thus POTENTIALLY creating some admin/management headache, or continue to try to find ways to hide the UNC path. There aren't any, I'll just let you in on that now, but you may continue to try.

The other issue that you failed to think of in trying to hide UNCs is that users can also do a File > Save As which brings up UNC paths as well. I'm sure there are more ways than just the two mentioned here as well but that just came to me, and I know you can't hide them there; they were designed to be seen.

I really am sorry if this comes off as brash, but you already know the answer to your question I'm afraid.

Brad Bouchard
  • I think when it comes to preventing users from accessing each other's files I will, sadly, need to apply the above GPO. However, finding a way to fully hide the UNC path would also prevent users from finding other users' full names, which is not a privacy concern since everyone knows each other. I guess I could create a different share location for users that require "contract" work. That way they don't have access to the "day to day" users' profile share home directory. - Thanks – RHQ May 13 '14 at 20:27
  • That isn't a bad idea. Another thing you can do is limit the location of where users are able to save when they do a Save As. The admin headache created from doing this can at times be irritating but if you only run into a time or two when you have to take ownership then restore files for a user then that's not bad. The woes of a sysadmin right? – Brad Bouchard May 13 '14 at 20:33
-1

@RHQ - Your comment to NathanC regarding permissions is incorrect. I've used roaming profiles for 10 years and have never given the Authenticated Users group access to the roaming profile share. This is how the permissions should be configured: http://technet.microsoft.com/en-us/library/cc737633(v=ws.10).aspx

Here are two screenshots of my environment. The first is a screenshot showing the effective permissions my user group has on the root folder. The second is a screenshot of my roaming profile folder. You'll see that neither my user group (Customers) nor the Authenticated Users group has any permissions on my roaming profile folder. Only my user account, System and Administrator have permissions.

[Screenshot 1: effective permissions of the user group on the root profile folder]

[Screenshot 2: permissions on the author's own roaming profile folder]

joeqwerty
  • I see that the link you provided is for Windows Server 2003 and NOT Windows Server 2008 R2. I did try to set up the environment as similarly as described in the link provided, as I had seen it before, but ran into permission errors. Maybe I missed something. I will go through the documentation again, retest the environment and let you know. Thanks – RHQ May 13 '14 at 20:45
  • The problem is, @RHQ has a "mixed" question. He references Roaming Profiles at the beginning, but then switches to Folder Redirection if you look at the GPO setting he talks about applying. This makes it confusing to know which method he prefers/uses. Also, using the above mentioned setting on the GPO for Folder Redirection works just fine, very good actually, but does create a problem here and there when you have to try to take ownership of a whole user's folder to fix certain things. Either way the question needs a little clarity so that answers apply to what he is dealing with. – Brad Bouchard May 13 '14 at 20:45
  • @joeqwerty - First of all, there is no need to give any kind of attitude, as I am here asking for help from people like you who might have more experience in the field than me. Secondly, I DID NOT "downvote your answer", as I'm not here to be an arrogant guy. Please show a bit of respect and maturity, especially when you are accusing people of "downvoting your answer". If you honestly don't have anything useful to say, please just avoid saying anything. PS - You need 125 reputation to downvote an answer and I only have 23. – RHQ May 13 '14 at 21:01
  • 1
    @BradBouchard I will try to modify my question to prevent any kind of confusion (sorry), and thanks. – RHQ May 13 '14 at 21:07
  • No worries... but what I'd actually do is create a new question dealing with Roaming Profiles/Folder Redirection as this question dealt with UNC paths and hiding them. – Brad Bouchard May 13 '14 at 21:13
  • @RHQ - I'll say what I please, thank you very much. My method of `helping` is to give you an answer that resolves the core issue, not hide it. The permissions outlined in the article are valid for any Windows OS that uses the NTFS file system, not just Windows Server 2003. What's going to happen when your users stumble on some other method of circumventing your solution? How are you going to address that? Are you going to continue to find ways of `hiding` things rather than fixing them? In addition, Brad's answer is effective only for new folders. It will have no effect on existing folders. – joeqwerty May 13 '14 at 21:17
  • @joeqwerty I appreciate your help and the effort in showing screenshots of your environment. But, like I said before, I agree with you that `hiding` something is not a proper solution. Instead, proper methods should be implemented to actually solve the **core** issue instead of `hiding` it. I might have to re-examine my environment and see what I did wrong or what I missed. That is why I said before "that I was going to look at your solution, the link provided and **retest** my environment to see what I missed or did wrong". -Thanks – RHQ May 13 '14 at 21:31
  • Understood. No offense intended and my apologies for going off the rails a bit. Additionally, as I stated in my previous comment, Brad's solution will work for new folders but will not change the permissions on existing folders so you're still going to have to deal with that. – joeqwerty May 13 '14 at 21:33
  • @joeqwerty Thanks for your input. I think I might have to re-examine my actual implementation and fix it accordingly. Once again, I appreciate your help, so thanks. – RHQ May 13 '14 at 21:45
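The core issue raised in the second answer is verifiable rather than something to hide: on a correctly built profile share, the root grants the user population only "List Folder / Read Data" and "Create Folders / Append Data" on "This folder only", and each per-user folder is readable by its owner, SYSTEM and (optionally) Administrators, nobody else. The PowerShell below is an added audit example, not code from the question or either answer, that walks a profile share and reports every ACE on a per-user folder that is granted to anyone outside that set, plus any root ACE for the shared group that is set to inherit into subfolders. The share path `\\FILESERVER\Profiles$`, the `CONTOSO` domain and the assumption that folder names are `<username>` or `<username>.V<n>` are placeholders for your environment.

```powershell
# Added example (not from the original question or answers): audit a roaming
# profile share for the misconfiguration discussed in the thread, i.e. per-user
# profile folders readable by principals other than the owning user.
# $ProfileRoot, $Domain and the folder-naming assumption are placeholders.
param(
    [string]$ProfileRoot = '\\FILESERVER\Profiles$',   # assumed share path
    [string]$Domain      = 'CONTOSO'                   # assumed NetBIOS domain
)

# Principals that may legitimately hold rights on a per-user profile folder
# in addition to the folder's owner.
$AllowedExtra = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$Domain\Domain Admins"
)

# Groups the share root is normally opened up to so users can create their
# own folder at first logon. These must NOT inherit into the subfolders.
$SharedGroups = @(
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    "$Domain\Domain Users"
)

# 1. Root check: any ACE for a shared group that propagates to subfolders
#    (InheritanceFlags other than None) is what leaks every profile to everyone.
$rootAcl = Get-Acl -LiteralPath $ProfileRoot
foreach ($ace in $rootAcl.Access) {
    $id = $ace.IdentityReference.Value
    if ($SharedGroups -contains $id -and $ace.InheritanceFlags -ne 'None') {
        Write-Warning ("Root ACE for {0} inherits into subfolders ({1}); " +
                       "it should apply to 'This folder only'.") -f $id, $ace.FileSystemRights
    }
}

# 2. Per-user folder check: report every Allow ACE not held by the owner,
#    SYSTEM or the admin principals listed above.
$findings = Get-ChildItem -LiteralPath $ProfileRoot -Directory | ForEach-Object {
    $folder = $_
    # Assumption: folders are named <user> or <user>.V2 / .V6 depending on OS.
    $user  = $folder.Name -replace '\.V\d+$', ''
    $owner = "$Domain\$user"

    $acl = Get-Acl -LiteralPath $folder.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($id -eq $owner -or $AllowedExtra -contains $id) { continue }

        # Anything else means this profile is accessible to someone other than
        # its owner; an inherited ACE points back at the root permissions.
        [pscustomobject]@{
            Folder    = $folder.FullName
            Principal = $id
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No per-user profile folder grants access outside owner/SYSTEM/admins."
}
```

Run it from an account that can read the ACLs (an administrator on the file server). Rows with `Inherited = True` mean the leak comes from the root ACE and is fixed there by setting the shared group's entry to "This folder only"; rows with `Inherited = False` are explicit ACEs on individual profile folders that need to be removed one by one, which is the part the GPO setting discussed above does not do for folders that already exist.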