Windows – How To Block Some UNC Paths for Windows 7 In An AD environment

networking, security, unc, windows

I look after a network where the servers are Server 2008 [Domain controllers] and the client stations are either Windows 7 Pro SP1 64 Bit or Windows XP Pro SP3 32 Bit.

I have configured GPOs to protect the workstations/servers and the network generally, and I am happy with most of this. However, when a user clicks 'Save' or 'Save As' in an application, they can type a UNC path to a server or a client and see any shares that are not hidden.

\\Server1\

or:

\\Workstation1\

I would like a way of blocking this. Some of the server shares I have created [for operational reasons] are not hidden and are open to all users to make modifications to. Even if the shares were hidden, if the users knew the path to the share then they can still open that share.

Is there a way of preventing the users from entering a named UNC, like \\server1\ without adversely affecting the performance of the workstation or the network?

Best Answer

If @drf doesn't want to post his comment...

This is a little like asking "what is the most secure doormat to hide my house key under"; the obvious answer is, if you are concerned about security, don't leave your key under the doormat at all. Ultimately, a user can enter net view Server1 /all in the command prompt to view even hidden shares, and there are other ways for the user (or malware the user unwittingly executes) to do the same. The correct approach is to set up appropriate share and NTFS permissions on servers and workstations, not to enforce UI-level restrictions that prevent the user from seeing the vulnerable resources.
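The following audit script is an added example, not part of the original answer. It lists the disk shares on the local machine where a broad group can write at both the share level and the NTFS level, which are the permissions the answer recommends tightening. It assumes PowerShell 2.0 or later and an elevated prompt; the `$broad` group list and the variable names are illustrative assumptions.

```powershell
# Added example: find shares that broad groups can write to (share ACL AND NTFS ACL).
# Assumption: these trustee names are the "everyone-like" groups in your domain.
$broad = 'Everyone', 'Authenticated Users', 'Users', 'Domain Users'
$WRITE_DATA = 0x2   # FILE_WRITE_DATA bit; set in Change and Full Control, not in Read

# Type=0 selects ordinary disk shares (hidden ones too) and skips C$, ADMIN$, IPC$.
$shares   = Get-WmiObject Win32_Share -Filter "Type=0"
$settings = Get-WmiObject Win32_LogicalShareSecuritySetting

foreach ($share in $shares) {
    # Share-level ACL: allow ACEs (AceType 0) granting write to a broad trustee.
    $shareWriters = @()
    $sec = $settings | Where-Object { $_.Name -eq $share.Name }
    if ($sec) {
        $sd = $sec.GetSecurityDescriptor().Descriptor
        foreach ($ace in $sd.DACL) {
            if ($ace.AceType -eq 0 -and
                ($ace.AccessMask -band $WRITE_DATA) -and
                ($broad -contains $ace.Trustee.Name)) {
                $shareWriters += $ace.Trustee.Name
            }
        }
    }

    # NTFS ACL on the shared folder: allow rules granting write to a broad trustee.
    # ACEs expressed only as generic rights are not decoded by this simple bit test.
    $ntfsWriters = @()
    foreach ($rule in (Get-Acl -Path $share.Path).Access) {
        $name = ($rule.IdentityReference.Value -split '\\')[-1]   # drop DOMAIN\ prefix
        if ($rule.AccessControlType -eq 'Allow' -and
            ([int]$rule.FileSystemRights -band $WRITE_DATA) -and
            ($broad -contains $name)) {
            $ntfsWriters += $name
        }
    }

    # Effective access over the network is the intersection of both ACLs,
    # so report only shares that are writable at both layers.
    if ($shareWriters -and $ntfsWriters) {
        New-Object PSObject -Property @{
            Share        = "\\$env:COMPUTERNAME\$($share.Name)"
            Path         = $share.Path
            ShareWriters = ($shareWriters | Select-Object -Unique) -join ', '
            NtfsWriters  = ($ntfsWriters  | Select-Object -Unique) -join ', '
        }
    }
}
```

Each object returned is a share whose ACLs should be narrowed to the specific groups that need write access; hiding the share name does not change this result.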