none
Security Issue

    Question

  • Hello all,

    I think it's time to ask for help,

    Here is the situation: we have a server that virtualises applications that users can then run through a 3rd party software installed on their machines to execute the virtualized software program.

    in this virtualized software program there is an option to open folder, this folder opens a windows explorer window, that lets the user navigate through the server with his rights, i thought that i had found a way to prevent this from happening with GPO to hide the server drives and deny access to these drives, however i've found an issue, if the client connects to his own drive through network client/ or through librairies (on the server) he can create new folders etc, and more importantly, he can bybass a ton of security issues, just by creating a shortcut, to the same server\admin$ or server\c$, no password prompted nothing directly access to everything even though he is a simple user.

    How can i secure this server? GPO are not applying to hide network/libraries through this virtualized app, however i'm sure they are being applied because when i connect through remote desktop with another user i have access to nothing.

    if somehow i could prevent the user from creating new shortcuts,i could already stop him from bypassing security concerns

    hope i was clear on what my problem is.


    • Edited by RFU Wednesday, November 4, 2015 11:41 AM spelling
    Wednesday, November 4, 2015 11:39 AM

Answers

  • Thanks for the response,

    However the problem is not that the user can access the c$ (by default he can't), the problem is that he can create a shortcut file on the server linking it to it's hidden files, so in the "my documents" tab of the server he creates a .lnk maps it to \\srv\admin$ and connects directly to it without any prompt, therefore bypassing the security (because the link is to it's own server i think)...

    What i ended up doing was disable right click menu for windows browser, disabling the option to see the extension of a file and disabling the options menu for windows explorer, therefore he can no longer create shortcuts, only browse

    • Marked as answer by RFU Thursday, November 5, 2015 10:14 AM
    Thursday, November 5, 2015 10:14 AM

All replies

  • Without more information to go on, this sounds like this is a simple NTFS security issue. Create an AD security group "VirtualAPPUsers" and apply the restricted permissions to the \\server\c$ (or other folders as needed).

    You can configure folder permissions using group policy but since this appears to be on a single (or two) server(s), I wouldn't bother with a GPO for this. 


    Charlie Newman

    Wednesday, November 4, 2015 7:29 PM
  • Thanks for the response,

    However the problem is not that the user can access the c$ (by default he can't), the problem is that he can create a shortcut file on the server linking it to it's hidden files, so in the "my documents" tab of the server he creates a .lnk maps it to \\srv\admin$ and connects directly to it without any prompt, therefore bypassing the security (because the link is to it's own server i think)...

    What i ended up doing was disable right click menu for windows browser, disabling the option to see the extension of a file and disabling the options menu for windows explorer, therefore he can no longer create shortcuts, only browse

    • Marked as answer by RFU Thursday, November 5, 2015 10:14 AM
    Thursday, November 5, 2015 10:14 AM