Jump to content
Welcome to our new Citrix community!
  • 0

Remove run from start menu


Tomasz Murawski1709159844

Question

Hello All,

 

I have noticed an odd thing...

 

Basically I am looking for some security hardening for one customer. They have windows explorer published for browsing shares and they want to prevent users from browsing / executing things on VDAs

 

I selected many boxes from policies and profiles :) I have also disabled access to C:\ drive. A little problem after that was that they cannot access downloads, documents etc

I removed C:\ from drives to be restriced and what I noticed was that they could then access their documents and downloads but still any path you entered in the explorer for instance C:\windows was giving message that it is forbidden. The desired effect was reached, but I could not rest without finding out why you still couldnt browse files with explorer if the C:\ was no longer restricted, so I stared unticking boxes one by one and at the end I found out that "Remove run from start menu" is responsible for this.

 

Anyone has an explanation for that? I would prefer to know that it works like that by design and not by coincidence :)

Link to comment

3 answers to this question

Recommended Posts

  • 0
On 10/3/2020 at 12:42 PM, Carl Stalhood1709151912 said:

Removing the Run command does prevent users from entering explorer paths.

 

One way of avoiding C: access is to redirect Documents, Downloads, etc. to a network file share. i.e. Folder Redirection..

 

I usually hide C: instead of preventing access to C: because some apps break when C: is prevented.

 

Hi Carl

 

What does hiding do? I have also noticed that preventing access to C: stops some apps from working correctly.

 

If preventing access to C: drive is disabled but hidden, can the users delete important files on the server?

 

Regards

Edited by luanswan2002@yahoo.co.uk
Link to comment
  • 0

Hiding removes C: drive Explorer, but doesn't prevent access. I hide C: drive so users are discouraged from saving anything to C:.

 

Default NTFS permissions in Windows prevent users from deleting anything outside of their profile.

 

If you want more control, there are other tools like Ivanti Application Control that I think can restrict access without requiring you to change NTFS permissions.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...