
We are trying to lock down a Terminal Server, and want to remove a commercial package's ability to accept UNC file paths, i.e. paths in the app could then only be entered using Windows drive letters.

Is there any way to do this in Windows?

Can we disallow UNC paths for just the app?

Can we disallow UNC paths for the entire Terminal Server session?

The intention is to allow the application to only write to certain directories (as mapped in the Terminal Server session). The aim is to prevent the output of files to directories that the users have access to, but are not mapped in the Terminal Server session.

  • Evan, did you ever find a solution to your problem? If not, let me ask you: where does the database reside, on the Terminal Server or on a data server? The database you speak of, I assume, has system settings such that if you changed servers the programmers would need to change the data path to reflect the new data location. Is this correct? –  Jun 22 '11 at 23:30

4 Answers

6

Internally (in the Windows code) a drive letter is nothing more than a wrapper for a UNC path. This suggests to me that what you ask is not possible.

John Gardeniers
  • Do you know what UNC prefix replaces the drive letter internally? Perhaps `\\localhost\C$` for `C:`? (If so, it would seem to imply that all local filesystem access goes through the network layer (resolving `localhost`), which doesn't sound right to me.) – Roy Tinker Oct 16 '13 at 21:06
3

This forum post seems to imply that setting the group policy "Remove run menu from start menu" disables the use of UNC paths in applications that use the common dialogs for Open and Save.

However, I would counsel against this course of action. There are almost certainly ways around this policy, particularly if you allow execution of arbitrary code.

Zanchey
2

Interesting question. I'm 99% sure the answer is "no" on the grounds that I've never come across such a thing. UNC names are more "fundamental" than network drive letters so I'd be very surprised if they could be disabled, or at least not without some hackery (e.g. putting servers in the lmhosts file with the wrong IP address).

The way to control access is by ACLs on the shares or the directories behind the share.

JR

John Rennie
0

Personally I'd think of this as a policy question and not a technical question. Whatever "bad" stuff that happens if the user writes outside the session mapped drives - you'd need to inform, educate and entertain them about the issue at hand and have them not do that. It can't be disastrous if they do that, can it? Just inconvenient to some degree?
You should be able to add a group policy that applies only to the user when he logs onto a terminal server - in which you adjust the permissions accordingly somehow.

Perhaps by adding the terminal servers into a group, adding that group with denied permissions on the UNC paths in question, and turning on loop-back processing for that policy? Not sure exactly whether that would work without testing it, but alas...

Trying to prevent stuff by removing parts of the UI is mostly a bad idea as it's too often easily circumvented - and UNC is the basis of a Windows network so removing support for it would mean removing all network share/printer/addressing abilities including home folders and stuff.

Oskar Duveborn
  • We have locked down the Terminal Server session. The problem is that the commercial application in question has no concept of security, requires the user to have write access to its database directories, allows the users to enter any path to save files, including the aforementioned database directories (so wiping out the database is fairly easy) or directories on non-mapped network drives. Controlling the users is next to impossible... Thanks for the ideas, they will be explored. –  Jul 16 '09 at 00:53
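As an added example that is not part of the thread: the ACL approach from John Rennie's answer ("ACLs on the shares or the directories behind the share") and Oskar Duveborn's answer (a group with denied permissions on the paths in question), applied with PowerShell. The directory `D:\Shares\Reports\Archive` and the group `CONTOSO\TS-AppUsers` are hypothetical names chosen for the illustration. A Deny ACE on the directory behind the share is evaluated by the file server against the user's token, so it applies whether the application addresses the location as a mapped drive letter or as a `\\server\share` path; it does not depend on removing UNC support from the application or the session.

```powershell
# Added example (not from the original thread): deny one group write access to a
# directory behind a share while leaving read access intact, using NTFS ACLs.
# Assumptions (hypothetical names): the share's backing directory is
# D:\Shares\Reports\Archive and the Terminal Server users are members of the
# domain group CONTOSO\TS-AppUsers. Run elevated on the file server.
param(
    [string]$Path  = 'D:\Shares\Reports\Archive',
    [string]$Group = 'CONTOSO\TS-AppUsers'
)

$acl = Get-Acl -Path $Path

# Rights that allow creating, changing or removing files. ReadAndExecute is
# deliberately left out so the application can still open existing files here.
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Delete -bor
               [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles

# Apply to this folder, its subfolders and files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

$denyRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, $writeRights, $inherit, $propagate,
    [System.Security.AccessControl.AccessControlType]::Deny)

# Deny ACEs are evaluated before Allow ACEs, so this overrides any Allow the
# group (or a group it is nested in) already holds on the directory.
$acl.AddAccessRule($denyRule)
Set-Acl -Path $Path -AclObject $acl

# Verify: show the explicit (non-inherited) ACEs now present for the group.
Get-Acl -Path $Path |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference -eq $Group -and -not $_.IsInherited } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, InheritanceFlags

# Probe: run this part as a member of $Group (e.g. from a Terminal Server
# session) and the creation attempt should fail with "Access to the path ...
# is denied"; run as an administrator it succeeds and the probe file is removed.
try {
    $probe = Join-Path $Path 'acl-probe.txt'
    New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
    Remove-Item -Path $probe -Force
    'Write to {0} is still allowed for the current account' -f $Path
} catch [System.UnauthorizedAccessException] {
    'Write to {0} is denied for the current account' -f $Path
}
```

The caveat raised in the asker's comment above still stands: where the application legitimately needs write access to a directory, such as its own database directory, an ACL cannot tell the application's writes apart from a user pointing the Save dialog at the same place, because both happen under the same user token. What ACLs can do is remove the destinations the users should never have been able to write to from the Terminal Server session, which is the part of the problem that does not depend on the application's behaviour.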