Announcement

Collapse
No announcement yet.

Office 2003 Security Issue

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Office 2003 Security Issue

    Hi

    One of our users has discovered that he can view all the servers on our network by creating a hyperlink in a word document (it also works in Excel docs etc).

    How do i stop this? I don't like the idea of users even SEEING the list of servers!

    We use Office 2003.

    Many Thanks,

  • #2
    Re: Office 2003 Security Issue

    Can you specify what the hyperlink is and what list of servers? screenshots may be handy.

    My initial thought is that it is not an Office 2003 vulnerability but more how your network is configured.
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR

    Comment


    • #3
      Re: Office 2003 Security Issue

      Unfortunately due to security constraints, I cannot give details of servers but i'll give an example:

      If I open a new word document and enter \\SEVERNAME and hit enter, this obviously converts to a hyperlink. When I follow this link, an explorer window opens up, with a list of all servers and PCs on the network. The user can then view the contents of most (but not all shares) on these machines.

      The shares can be locked down and made non-accessible, however the client has concern that the standard users can see a list of all machines to start with.

      Is this helpful?

      Comment


      • #4
        Re: Office 2003 Security Issue

        Originally posted by christ0 View Post
        Unfortunately due to security constraints, I cannot give details of servers but i'll give an example:

        If I open a new word document and enter \\SEVERNAME and hit enter, this obviously converts to a hyperlink. When I follow this link, an explorer window opens up, with a list of all servers and PCs on the network. The user can then view the contents of most (but not all shares) on these machines.

        The shares can be locked down and made non-accessible, however the client has concern that the standard users can see a list of all machines to start with.

        Is this helpful?
        As I suspected, it is not an office vulnerability. The users could do the same if they enter the UNC path in explorer or the Run dialog box! You need to controll the share permissions on the servers themself to grant only authorised users the level of access they need.
        Caesar's cipher - 3

        ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

        SFX JNRS FC U6 MNGR

        Comment


        • #5
          Re: Office 2003 Security Issue

          The user does not have access to the run box and using the UNC in the address bar throws up the error "Access to the resource "\\servername" has been disallowed."

          Comment


          • #6
            Re: Office 2003 Security Issue

            I think the more managable approach is to secure the resources rather than trying to obscure a way to access them.
            I am not sure about this behaviour/vulnerabilty in Office but let's say you find a way to stop office accessing UNC paths, A few more questions arise,
            Does that make your resources more secure? and will the functionality of office be affected?
            how about stopping other applications that use UNC paths in different ways!

            Instead I would use minimum share and ntfs permissions coupled maybe with Access Based Enumeration: http://www.microsoft.com/Downloads/d...displaylang=en
            Caesar's cipher - 3

            ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

            SFX JNRS FC U6 MNGR

            Comment


            • #7
              Re: Office 2003 Security Issue

              thank you!

              Comment

              Working...
              X