
We have a lot of servers running Windows 2008 r2 (RDS/Citrix). We try our best to lock down remote desktop and published applications.

Recently, one of my colleagues showed me how he could use 7-Zip to browse our network (with a simple user account). Actually, this is something that I never thought it could be used to do (I rarely check "little" apps like that and put all my effort on "more important" apps like the Office suite, SQL clients, etc.).

After checking again, it appears that users connecting to their remote desktop can use 7-Zip to browse the network and access files and folders on servers. Fortunately, they can't open, remove or move files, but I still want to find a way to disable this.

I didn't find many docs or manuals for this purpose, and since I cannot disable this functionality with GPO (I wish we could keep 7-Zip and not use other apps), could anyone provide me with some help?

  • Have you tried simply setting permissions to deny access to folders? – Synetech Dec 30 '13 at 18:02
  • Hello Synetech. Already done that and it doesn't work. Still able to browse the network (can't delete files or folders, but I can see everything). – Dec 30 '13 at 18:09
  • @user3146708 Did you remove the folder traverse permission (assuming NTFS) too? Because filesystem permissions set properly would prevent *any* application from accessing them. Attempting to block this at the application level (7-Zip itself) is bad practice. – Bob Dec 30 '13 at 18:10
  • The only way to disable this is to use domain permissions and prevent them from browsing the folders in the first place. Being able to view the contents of a folder and being able to read the file are separate permissions in Windows. If you feel your permissions are where you want them, you might have to not allow 7-Zip. In the end, unless the contents of these folders can actually be opened, there might not be a great deal you can do about it (if you still want to allow 7-Zip). – Ramhound Dec 30 '13 at 18:38
  • This **can't** be just a 7-Zip issue. 7-Zip **can't** overrule Windows permission settings. If they can browse the network with 7-Zip they can also browse the network with Notepad or Windows Explorer, for example. If they type `\\servername` in the address bar they can browse the same way as with 7-Zip. If this is not wanted you need to set the permissions like the others say. – Rik Dec 30 '13 at 18:49
  • I agree with you that we shouldn't manage this at the application level and should concentrate on the server side. Tomorrow I will check all permissions again and see if I might have forgotten something. Thanks for your help, guys. – Dec 30 '13 at 19:08
  • Notepad, Windows Explorer and other Windows apps are restricted by Group Policies. But 7-Zip isn't. Though it's not a 7-Zip-only issue. – Mikhail Tumashenko Aug 31 '17 at 09:14

1 Answer

Sounds like you just need to set up Access-based Enumeration.

Access-based enumeration displays only the files and folders that a user has permissions to access. If a user does not have Read (or equivalent) permissions for a folder, Windows hides the folder from the user’s view. This feature is active only when viewing files and folders in a shared folder; it is not active when viewing files and folders in the local file system.

Here is a Technet article that goes into some detail.

Keltari
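As an added example (not part of the answer above, and not code from Microsoft), here is how a file-server admin can audit which SMB shares still enumerate every folder to every user and switch them to Access-based Enumeration. It assumes the SmbShare PowerShell module (Windows Server 2012 / Windows 8 or later; on Windows Server 2008 R2 the same per-share setting is exposed in the Share and Storage Management console instead) and an elevated session on the file server. Note that ABE only hides what the NTFS ACL already denies, so it complements the permission review the commenters recommend; it does not replace it.

```powershell
# Added example: find SMB shares without Access-based Enumeration (ABE) and
# enable it. Requires the SmbShare module (Windows Server 2012+), run as admin.
# Supports -WhatIf so you can see which shares would change before committing.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# Administrative/hidden shares (names ending in '$', e.g. C$, ADMIN$, IPC$)
# are skipped; they are not browsed by ordinary users and are managed separately.
$shares = Get-SmbShare | Where-Object { $_.Name -notlike '*$' }

# FolderEnumerationMode is 'Unrestricted' (classic behaviour: every user sees
# every folder name, even ones they cannot open) or 'AccessBased' (ABE on).
$unrestricted = $shares | Where-Object { $_.FolderEnumerationMode -eq 'Unrestricted' }

if (-not $unrestricted) {
    Write-Host 'All non-administrative shares already use Access-based Enumeration.'
    return
}

Write-Host 'Shares still enumerating all folders to all users:'
$unrestricted | Select-Object Name, Path, FolderEnumerationMode | Format-Table -AutoSize

foreach ($share in $unrestricted) {
    # ShouldProcess honours -WhatIf / -Confirm; -Force suppresses the cmdlet's own prompt.
    if ($PSCmdlet.ShouldProcess($share.Name, 'Enable Access-based Enumeration')) {
        Set-SmbShare -Name $share.Name -FolderEnumerationMode AccessBased -Force
    }
}

# Re-read the shares to confirm the change took effect.
Get-SmbShare |
    Where-Object { $_.Name -in $unrestricted.Name } |
    Select-Object Name, FolderEnumerationMode
```

Run it once with `-WhatIf` to review the list, then without it to apply; users will only see the folders under each share that their NTFS permissions actually grant Read access to.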