Windows 2008 R2 GPO Disable Network Discovery


13 replies to this topic

#1 bpammer


Posted 12 February 2014 - 11:27 AM

My goal is to turn off network discovery via a GPO. I do not want our users to be able to see or traverse the network to other computers unless they are network administrators. I also don't want our file shares to disappear. I attached a file of what the users can see now that we do not want them to see.

 

I did do a search via Google and there doesn't seem to be an exact answer. It seems like it would be a simple GPO, but for some reason I can't figure it out. Any help would be greatly appreciated. Thank you all in advance.


#2 cryptodan


Posted 13 February 2014 - 07:27 AM

What OS are the clients running?

#3 cryptodan


Posted 13 February 2014 - 08:02 AM

May want to read this http://community.spiceworks.com/topic/234079-i-can-t-disable-network-discovery?page=2#entry-2088515

#4 bpammer


Posted 13 February 2014 - 08:23 AM

What OS are the clients running?

 

97% of the clients are Windows 7. The rest are XP. 



#5 bpammer


Posted 13 February 2014 - 08:29 AM

 

This helped, but I need to restrict users from using a UNC path or IP address in Search or the Run command. As our company becomes larger, I am worried we will hire someone in production who thinks he is a "script" junkie and will try to mess with some files.

 

Thanks for the response. 



#6 x64


Posted 13 February 2014 - 09:37 AM

To be honest, the thing to do would be to become confident in the use of Windows file/folder permissions etc., and use those to secure your resources. The result would be far more effective (if done properly) than the obscurity that you are proposing.

 

Obviously this involves setting proper permissions and also not giving users local admin or power user rights etc...


Edited by x64, 13 February 2014 - 09:37 AM.


#7 bpammer


Posted 13 February 2014 - 10:04 AM

To be honest, the thing to do would be to become confident in the use of Windows file/folder permissions etc., and use those to secure your resources. The result would be far more effective (if done properly) than the obscurity that you are proposing.

 

Obviously this involves setting proper permissions and also not giving users local admin or power user rights etc...

 

This option wouldn't be feasible for us. We need our local users to have local admin rights. Otherwise, our users would have to call us to install anything, and we do not have the time nor the manpower to do this.

 

Thank you for the suggestion however.  



#8 x64


Posted 13 February 2014 - 02:38 PM

Whilst local admin is inadvisable, it does not in most cases prevent users from only having local admin on the desktop or laptop which is allocated to them (and no super-powers on anybody else's PC). You should still (hopefully) :rolleyes: be able to protect data on servers with suitable permissions. Even this setup would be far better than hoping your users don't discover another PC.

 

Re the local admin thing... I'd also strongly encourage you to leave UAC on at a sensible level, maybe even mandate that by group policy.

 

x64
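One way to do what x64 describes, as an added example that is not part of the thread: strip the inherited permissions from a share folder on the file server so only one named group (plus Administrators and SYSTEM) can reach it, then read back the UAC values that the Security Options part of a GPO would set, so a client can be checked for "UAC on at a sensible level". The folder path D:\Shares\Finance and the group CORP\Finance-Users are hypothetical; everything else is stock PowerShell 2.0 so it also runs on Windows 7 / 2008 R2.

```powershell
# Added example, not from the thread. Restricts a file-server folder to one AD group
# (plus Administrators and SYSTEM) and reports the UAC settings a GPO should enforce.
# The folder path and group name used at the bottom are hypothetical.

function Set-RestrictedFolderAcl {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,          # folder on the file server
        [Parameter(Mandatory = $true)] [string] $AllowedGroup   # e.g. 'CORP\Finance-Users'
    )
    $acl = Get-Acl -Path $Path

    # Break inheritance and discard the inherited ACEs, so BUILTIN\Users / Everyone
    # entries inherited from the volume root no longer apply to this folder.
    $acl.SetAccessRuleProtection($true, $false)

    # Drop every remaining explicit ACE so the folder starts from a clean DACL.
    foreach ($existing in @($acl.Access)) {
        if (-not $existing.IsInherited) { [void] $acl.RemoveAccessRule($existing) }
    }

    $inherit = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $grants  = @(
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Id = $AllowedGroup;            Rights = 'Modify' }     # read/write/delete, but no ACL changes
    )
    foreach ($g in $grants) {
        $ace = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $g.Id, $g.Rights, $inherit, $prop, 'Allow'
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path $Path -AclObject $acl

    # Return the effective DACL so it can be reviewed.
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

function Test-UacPolicy {
    # These are the registry values the Security Options GPO writes; reading them shows
    # what the client actually has. ConsentPromptBehaviorAdmin: 0 = elevate silently
    # (avoid), 2 = consent on the secure desktop, 5 = Windows 7 default.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        EnableLUA                  = $p.EnableLUA                  # 1 = UAC on
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop      # 1 = dimmed secure desktop
        Acceptable = ($p.EnableLUA -eq 1 -and
                      $p.ConsentPromptBehaviorAdmin -ne 0 -and
                      $p.PromptOnSecureDesktop -eq 1)
    }
}

# Hypothetical share and group; run on the file server as an administrator.
if (Test-Path 'D:\Shares\Finance') {
    Set-RestrictedFolderAcl -Path 'D:\Shares\Finance' -AllowedGroup 'CORP\Finance-Users'
}
Test-UacPolicy
```

Because the DACL is rebuilt from scratch, a local admin on a workstation gains nothing here: the server evaluates the user's domain token, not the client's local group membership, which is the point x64 makes about protecting data on the servers.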



#9 cryptodan


Posted 13 February 2014 - 07:24 PM

Have a read here on disabling the UNC Path:

http://social.technet.microsoft.com/Forums/windowsserver/en-US/c52a4b1b-2ff8-4dcc-9329-fe075a5185a5/restrict-unc-share-access

Not sure if this would prevent people from running it in the IE address bar, since they are one and the same.

#10 JohnnyJammer


Posted 16 February 2014 - 08:25 PM

I cannot for the life of me understand why you would give anyone local admin rights (installing can be done through GPO and automated). If they need software installed, just set up an install script using WMIC commands in a batch file. If they ring and ask for software to be deployed, it literally takes one line of text (the machine name) in a batch file to trigger the install.

That is the biggest no-no of administering any network. If you need a hand deploying software, then Desktop Central can be installed for free for up to 50 nodes and it has predefined installations for common software.

 

Anyway, create a GPO for the OU groups and assign the following:

 

Computer Configuration\Preferences\Control Panel Settings\Services

 

Now disable the following services when the computer starts:

Function Discovery Resource Publication

SSDP Discovery

UPnP Device Host

 

An example of installing, say, Pidgin across any branch, running from a replicated software DFSR share:

@ECHO OFF
cls
REM Run from an admin workstation under an account that is local admin on the target.
set /p target=What is the name of the Target computer:
ECHO Copying over Pidgin to %target%'s C:\ drive
REM Pull the installer from the replicated DFSR share onto the target's admin share.
XCOPY /e /q /y "\\someUNCorFQDN\pidgin.exe" "\\%target%\C$\"
ECHO Now installing Pidgin
REM Start the silent install on the target via WMI. The process runs on the target,
REM so give it the local path rather than a UNC path back to itself.
wmic /node:%target% process call create "C:\pidgin.exe /DS=1 /SMS=1 /S"
REM Wait roughly 60 seconds for the installer to finish (ping used as a sleep).
ping -n 60 127.0.0.1 >nul
ECHO Cleaning up files........................
del "\\%target%\C$\pidgin.exe"
ECHO Done.......................................
pause

This will only take the time it takes to enter the machine name, mate. I wouldn't have room on this page to describe why you don't give end users admin rights, and like old mate above said, file permissions won't matter when you give admin rights to a standard user, because a simple token kidnap is all that's needed to get admin rights to the whole domain.
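The three services JohnnyJammer lists can also be disabled and checked from PowerShell on a client, which is the quickest way to confirm the Group Policy Preferences item actually applied. This is an added example, not code from the thread; the service short names FDResPub, SSDPSRV and upnphost are assumed from the display names in the post, and netsh is used for the "Network Discovery" firewall rule group because the NetSecurity cmdlets do not exist on Windows 7. Note that this only removes the machine from the browse list; a user who already knows a server name or IP can still type \\server\share, which is why the permissions advice earlier in the thread still matters.

```powershell
# Added example, not from the thread. Disables the three discovery services named in
# the post on the local machine and reports their state, so the GPO can be verified
# on a client. Service short names (assumed from the display names in the post):
#   Function Discovery Resource Publication = FDResPub
#   SSDP Discovery                          = SSDPSRV
#   UPnP Device Host                        = upnphost
# Written for PowerShell 2.0 so it runs on a stock Windows 7 client.

$DiscoveryServices = @('FDResPub', 'SSDPSRV', 'upnphost')

function Disable-NetworkDiscovery {
    param([string[]] $Names = $DiscoveryServices)
    foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -eq $null) { Write-Warning "Service '$name' not installed, skipping"; continue }
        if ($svc.Status -eq 'Running') { Stop-Service -Name $name -Force }
        # Same end state as the Group Policy Preferences Services item set to 'Disabled'.
        Set-Service -Name $name -StartupType Disabled
    }
    # The firewall rule group is what actually lets a client be found and browse;
    # turning it off mirrors the 'Turn off network discovery' switch in the Network
    # and Sharing Center. cmd.exe is used so the quoted group name reaches netsh intact.
    & cmd.exe /c 'netsh advfirewall firewall set rule group="Network Discovery" new enable=No' | Out-Null
}

function Get-NetworkDiscoveryState {
    param([string[]] $Names = $DiscoveryServices)
    foreach ($name in $Names) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($svc -eq $null) { continue }
        New-Object PSObject -Property @{
            Name      = $name
            State     = $svc.State        # 'Running' / 'Stopped'
            StartMode = $svc.StartMode    # 'Auto' / 'Manual' / 'Disabled'
            Compliant = ($svc.StartMode -eq 'Disabled' -and $svc.State -ne 'Running')
        }
    }
}

# Run as an administrator on the client, then inspect the result.
Disable-NetworkDiscovery
Get-NetworkDiscoveryState | Format-Table Name, State, StartMode, Compliant -AutoSize
```

Get-NetworkDiscoveryState on its own is safe to run under a non-admin account and is useful from a logon script to spot machines where the GPO has not refreshed yet.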



#11 bpammer


Posted 19 February 2014 - 11:10 AM

I cannot for the life of me understand why you would give anyone local admin rights (installing can be done through GPO and automated). If they need software installed, just set up an install script using WMIC commands in a batch file. If they ring and ask for software to be deployed, it literally takes one line of text (the machine name) in a batch file to trigger the install.

That is the biggest no-no of administering any network. If you need a hand deploying software, then Desktop Central can be installed for free for up to 50 nodes and it has predefined installations for common software.

 

 

I have a simple answer for you. The president of the company wanted this. Yes, I know it's not ideal for administering. But one does not simply argue with the president and owner.



#12 JohnnyJammer


Posted 19 February 2014 - 07:14 PM

Yeah, I know what you mean. I had this discussion the first week I was here and I asked them one question, mate: how many infections have you had since the last sysadmin has been operating this network?
Answer: over 10. It's now been over 2 years since I started and not one single infection to date.
You need to do some documentation on the reasons why and the cost of downtime, especially if you get hit by something like CryptoLocker; it only takes one person with write permissions on the network and the game is over.

EDIT: I forgot to add, I single-handedly manage over 100 nodes and manage all servers. I basically do everything IT-related by myself, but because I don't give them any admin rights, it allows me to have time studying or writing software/scripts for the company to help improve stability.

Edited by JohnnyJammer, 19 February 2014 - 07:17 PM.


#13 stanvsam


Posted 02 June 2014 - 02:00 AM

Yeah, I know what you mean. I had this discussion the first week I was here and I asked them one question, mate: how many infections have you had since the last sysadmin has been operating this network?
Answer: over 10. It's now been over 2 years since I started and not one single infection to date.
You need to do some documentation on the reasons why and the cost of downtime, especially if you get hit by something like CryptoLocker; it only takes one person with write permissions on the network and the game is over.

EDIT: I forgot to add, I single-handedly manage over 100 nodes and manage all servers. I basically do everything IT-related by myself, but because I don't give them any admin rights, it allows me to have time studying or writing software/scripts for the company to help improve stability.

 

Hi Johnny, would you join a user as a power user when you add them to the domain? Our users would need to change the network settings when they are not in the office or go to clients. I understand that will be an issue if you join them as power users.



#14 JohnnyJammer


Posted 19 June 2014 - 12:32 AM

It depends on your needs. Not sure what you mean by network; as long as DHCP is enabled, that's all they need.

GPOs are best used in any situation, and never add anyone to anything high-level domain-wide.





