|
Posted by D.P. Roberts on December 12, 2007, 5:44 pm
Please log in for more thread options Were not storing anything senstive like that in the scripts, but there are
things like server names and paths to home directories which could
potentially be useful information for hackers. It just seems like it would
be nice to make all of that hidden so users can't browse those directories
but I guess that's just not possible.
Thanks for the responses!
> I'm saying I see no security risk. If you're storing passwords or
> something sensitive in the logon scripts you have a bigger issue.
>
> Even if users couldn't browse the folder they still need read access to
> run the scripts and thus can extract the info from them pretty easily.
>
> --
> Thanks,
> Brian Desmond
> Windows Server MVP - Directory Services
>
> www.briandesmond.com
>
>
>> Because our GPOs and logon/logoff scripts are located in
>> sysvol\domain\Policies and sysvol\domain\Scripts, respectively. Are you
>> saying these items should be saved somewhere else, or that it is not a
>> security risk for users to be able to view these items?
>>
>>
>>> Why is it a security risk for someone to be able to browse sysvol?
>>>
>>> --
>>> Thanks,
>>> Brian Desmond
>>> Windows Server MVP - Directory Services
>>>
>>> www.briandesmond.com
>>>
>>>
>>>> As I understand it, domain users must have access to SYSVOL in order
>>>> for GPOs and logon/logoff scripts to run. However, there is a security
>>>> risk to allow any user to simply go to dc\sysvol and browse its
>>>> contents. So here's my question: Is there a way to prevent users from
>>>> browsing the SYSVOL directory while still allowing GPOs and scripts
>>>> located in SYSVOL to run for those users?
>>>>
>>>> Thanks!
>>>>
>>>
>>>
>>
>>
>
>
| 
XML Sitemap