Block access to C Drive Windows XP and 2003 server


Solution 1

We do this all the time with our terminal servers, just in case someone somehow manages to figure out how to open a traditional browse dialogue, Windows simply pops up a message saying that the current policy is denying them access.

In your Group Policy, find the following:

  • User Configuration
  • Administrative Templates
  • Windows Components
  • Windows Explorer
    • "Hide these specified drives in My Computer"
    • "Prevent access to drives from My Computer"

It's been a while since I did it but I'm fairly sure these are the settings you will require. There are ways to override the default options provided, so that you can modify the drives past the fairly restrictive options provided if you need them.
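
The two settings above are stored as per-user bitmask values, `NoDrives` and `NoViewOnDrive`, under `HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer`, with bit 0 standing for A: through bit 25 for Z:. The following is an added example, not part of the original answer: it computes the mask for an arbitrary set of drives and audits a constructed sample of registry values. The function names and the sample data are illustrative assumptions.

```python
import string

# Value names written by the two Explorer policies, per user, under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
HIDE = "NoDrives"          # "Hide these specified drives in My Computer"
BLOCK = "NoViewOnDrive"    # "Prevent access to drives from My Computer"


def drives_to_mask(drives):
    """Encode drive letters as the policy bitmask (A = bit 0 ... Z = bit 25)."""
    mask = 0
    for drive in drives:
        letter = drive.strip().rstrip(":\\").upper()
        if len(letter) != 1 or letter not in string.ascii_uppercase:
            raise ValueError(f"not a drive letter: {drive!r}")
        mask |= 1 << (ord(letter) - ord("A"))
    return mask


def mask_to_drives(mask):
    """Decode a policy bitmask back into a sorted list of drive letters."""
    if not 0 <= mask < 1 << 26:
        raise ValueError(f"mask out of range: {mask}")
    return [chr(ord("A") + bit) for bit in range(26) if mask >> bit & 1]


def audit(values, required):
    """Return {value name: required drives it misses}; a missing value is 0."""
    wanted = set(mask_to_drives(drives_to_mask(required)))
    gaps = {}
    for name in (HIDE, BLOCK):
        covered = set(mask_to_drives(values.get(name, 0)))
        missing = sorted(wanted - covered)
        if missing:
            gaps[name] = missing
    return gaps


# Constructed sample: C: is hidden from My Computer but access is not blocked.
SAMPLE = {HIDE: drives_to_mask(["C"]), BLOCK: 0}

if __name__ == "__main__":
    print("C and E only:", drives_to_mask(["C:", "E:"]))
    print("all drives  :", drives_to_mask(string.ascii_uppercase))
    print("audit gaps  :", audit(SAMPLE, ["C"]))
```
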

Solution 2

Another alternative is to let them have access. We ended up curbing their behavior (well, destructive behavior) using Deep Freeze from Faronics; it lets you "freeze" the hard disk and then on reboot it goes back to the default state. It was cathartic when we tested it by wiping the Windows subdirectory until Windows kind of lurched and fell over...then rebooted and it came back up.

That allows the students to do whatever they want without destroying your configuration; we also found that it eliminated a lot of corruption issues with profiles and caches.

I think there are a couple of other alternatives out there, but I have only used Deep Freeze. There's a central console that is used to monitor workstations and can remotely thaw and freeze them; we also use it to get IP addresses for particular workstations.

I've worked in labs that were locked down to the point of being nearly unusable for anything. Even in class we couldn't get, for example, certain documents to open or use notepad to read source code because it wasn't allowed by the sysadmin who happened to be two hours away in a central site, and the local admin guy lamented not being able to fix certain issues without prearranging things with the central admins. And this was a college. Deep Freeze gave more freedom for getting work done without interference (it also allows at our site for certain people to get higher privileges on the local machine since any malware or alterations are erased at reboot; if they're going out of their way to install "personal" software they grow weary of having to constantly reinstall at each reboot; at least that's what we've seen).

We tried locking out things through policy when we ran 2000 terminal services; we found that the policy only locked out access from certain things like Explorer. It looked like some programs (like an old copy of File Manager from the 3.x days) were still able to browse the C: drive, along with some freeware file managers! Unless that was fixed, it looks like certain APIs still allowed users to get access to local drives that were supposed to be blocked out by policy. Plus we have systems that, for reasons we never understood, will sometimes not get the policy right away or act as if they wouldn't get any policy updates until after a reboot or two, so sometimes we had people that could bypass configuration lockouts and do things they weren't supposed to.


Author: JohnyV

Updated on September 17, 2022

Comments

  • JohnyV over 1 year

    I have tried everything to prevent users from accessing the C: on the network through group policy but they always find a way around it (students).

    They can't right click to create shortcuts but they have the shortcuts on USB and are able to run the shortcuts to access the C:.

    There isn't a specific group policy that prevents access to the C drive. Any thoughts?

    Using Windows XP clients with 2003 server for AD and GPolicy

    • Garrett almost 15 years
      NTFS perms, perhaps? Maybe I'm not understanding your objective here.
    • Spence almost 15 years
      The objective is a false sense of "security" by having the Explorer GUI hide things. What the poster is really looking for is restricting the user's ability to execute arbitrary code, which could be satisfied with "Software Restriction Policies" in a real and substantive way. Hiding things is security-by-obscurity and is counter-productive (since it will make you feel secure while not actually being secure).
  • JohnyV almost 15 years
    Perfect. Worked very well, cheers.
  • slothy almost 15 years
    We do the same thing with DF. The logged in lab user even has admin rights on the box! It's amazing the kinds of things you can find installed, so we don't limit users much at all, but we can always get back to a good state.
  • slothy almost 15 years
    And, of course, Windows SteadyState is a free alternative, if anyone is looking.
  • JohnyV almost 15 years
    Yeah, we already use Deep Freeze but the kids put games on the C: and play them. I have group policy to block MD5 of games they play but when a new version comes out it is a game of cat and mouse. But Deep Freeze saves the day. Thanks for the tip about Windows SteadyState.
  • JohnyV almost 15 years
    Had an issue that forced me to disable it. There was a computer lab that uses AutoCAD and it needs access to the libraries on the C: which caused it not to work. I will have to apply a loopback policy to all other devices to run this GP.
  • user1364702 almost 15 years
    If you really want to lock it down, you can whitelist the executables with another tool from Faronics. But like I said, I've tried working in a school where things were fanatically locked down and it was nigh impossible to actually get anything done. Many of the students opted not to use the computers unless they had to. All that equipment hardly utilized...
  • MrGigu almost 15 years
    You could assign a GPO to just the machines in that lab that overrides this property. Gotta love those legacy apps!
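
The comments above contrast blocking games by MD5 with restricting what users can execute at all (Software Restriction Policies, executable whitelisting). The following is an added example, not part of the original thread: a simplified model, not the SRP engine itself, that compares a hash blocklist with a default-deny path allowlist. The sample binaries, paths and allowed directories are constructed assumptions.

```python
import hashlib
from pathlib import PureWindowsPath

# Constructed stand-ins for two releases of the same game binary.
GAME_V1 = b"constructed game build 1.0"
GAME_V2 = b"constructed game build 1.1"

# Blocklist approach: deny by MD5, built when only v1 was known.
DENIED_MD5 = {hashlib.md5(GAME_V1).hexdigest()}

# Allowlist approach (assumed rule set): default deny, run only from
# directories that ordinary users cannot write to.
ALLOWED_DIRS = [PureWindowsPath(r"C:\Windows"),
                PureWindowsPath(r"C:\Program Files")]


def blocklist_allows(data):
    """Hash blocklist: anything not already known-bad is allowed to run."""
    return hashlib.md5(data).hexdigest() not in DENIED_MD5


def allowlist_allows(path):
    """Default deny: allowed only when the file is under an allowed directory."""
    p = PureWindowsPath(path)
    if ".." in p.parts:          # unresolved traversal could escape the prefix
        return False
    return any(d in p.parents for d in ALLOWED_DIRS)


# Constructed launch attempts: (path, file contents).
ATTEMPTS = [
    (r"C:\Windows\notepad.exe", b"constructed notepad"),
    (r"E:\game.exe", GAME_V1),                                  # from USB
    (r"C:\Documents and Settings\student\game.exe", GAME_V2),   # new release
    (r"c:\windows\..\games\game.exe", GAME_V2),                 # traversal
]


def evaluate(attempts):
    """Return (path, blocklist verdict, allowlist verdict) per attempt."""
    return [(p, blocklist_allows(d), allowlist_allows(p)) for p, d in attempts]


if __name__ == "__main__":
    for path, by_hash, by_path in evaluate(ATTEMPTS):
        print(f"{path:45} hash-blocklist={by_hash!s:5} path-allowlist={by_path}")
```

The allowlist only holds if NTFS permissions keep ordinary users from writing into the allowed directories.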