Subject: [ActiveDir] GP setting for IE lockdown
CKaiser

08/26/2005 10:27 AM
I've been tasked with the following project...

Provide access for partner company personnel to a LOB app and our
intranet via a terminal server session [1]. The IE session should allow
access to the intranet site and nothing else, no internet, no local
machine, no customization.

Plan is to create a VM with the appropriate restricted desktop access
and the LOB app. That part's ok; however, I'm having trouble finding
good info on securing IE so that it can only get to our intranet.
I can set a non-existent proxy and add our intranet to the proxy bypass
sites; that's easy enough.

What I can't remember is how to lock down IE so no one can type "c:\" or
some other folder name and get to the local file system. I tried the
NoFileURL setting under
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, but
it's not restricting the test user.
Anyone remember a good way to prevent local file system access through
IE?

A good ADM file that chokes IE to the bone would be nice, too, but I
haven't found one of those lately either.

My Google Mojo isn't working today...

Thanks!

[1] I know; running IE on a server is bad juju. That's why it's going to
be in a snapshotted VM I can wipe daily. :-) You don't want to know how
ugly the other alternatives were...

**********************
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
AD000001365

08/29/2005 1:07 AM
If I read you right they will only be accessing the website thru this
Terminal Service. If this is the case there are a few settings you
would need to set to lock down the system. It is not just IE you have
to think about.

User Configuration > Windows Components > Windows Explorer

Hide These Drives in My Computer: Enabled
    Restrict a,b,c,d drives only
Remove "Map Network drive and disconnect network": Enabled
Remove CD Burning Features: Enabled
Remove Hardware tab: Enabled

Start Menu and Taskbar

Remove Run menu from Start Menu: Enabled

Another area to look at is

http://download.microsoft.com/download/d/8/b/d8b21533-a5bf-4d46-8878-ebbf834fc6f7/Win2003_Teminal_Server_Lockdown.doc

I found that document invaluable when I had to create a locked down TS
system.

One item to note. You're gonna want to make the TS system part of the
domain definitely and use group policies to apply the settings as it
makes it hard to change settings once you lock it down if you do it on
the local policy.

Jeff Cothern
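Added example (not part of either post): a PowerShell check, run inside the restricted user's terminal server session, that reports whether the User Configuration settings listed in the reply above actually landed in that user's registry hive. The value names are the standard Explorer policy values behind those settings; the expected data assumes exactly the choices named in the reply.

```powershell
# Audit the per-user Explorer policy values behind the settings listed in the reply.
# These are User Configuration policies, so they are read from HKCU of the test user.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Registry value name -> expected data. NoDrives is a bitmask: A=1, B=2, C=4, D=8.
$expected = [ordered]@{
    NoDrives               = 15   # Hide drives: "Restrict A, B, C and D drives only"
    NoNetConnectDisconnect = 1    # Remove "Map Network Drive" / "Disconnect Network Drive"
    NoCDBurning            = 1    # Remove CD Burning features
    NoHardwareTab          = 1    # Remove Hardware tab
    NoRun                  = 1    # Remove Run menu from Start Menu
}

function ConvertFrom-DriveMask {
    param([int]$Mask)
    # Bit 0 is A:, bit 1 is B:, ... bit 25 is Z:
    $letters = for ($bit = 0; $bit -lt 26; $bit++) {
        if ($Mask -band (1 -shl $bit)) { [char](65 + $bit) }
    }
    return ($letters -join ',')
}

$props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

$report = foreach ($name in $expected.Keys) {
    $present = $props -and ($props.PSObject.Properties.Name -contains $name)
    $actual  = if ($present) { $props.$name } else { $null }
    [pscustomobject]@{
        Value    = $name
        Expected = $expected[$name]
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Applied  = ($actual -eq $expected[$name])
    }
}
$report | Format-Table -AutoSize

if ($props -and $null -ne $props.NoDrives) {
    "Drives hidden by NoDrives: $(ConvertFrom-DriveMask -Mask $props.NoDrives)"
}
if ($report.Applied -contains $false) {
    Write-Warning 'One or more settings are missing; check GPO scope for this user with gpresult.'
}
```

NoDrives only hides the listed drives from Explorer views. Blocking a path typed into the address bar is the job of the separate "Prevent access to drives from My Computer" policy (NoViewOnDrive, same bitmask), which this check does not cover.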