RG002 Only allow Shortcuts on the Explorer Desktop
This article has been updated April 6th 2010
This article describes how you can tweak the security modules of PowerFuse 2008 SR3 and higher to gain better control over your Windows environment, specifically the Windows Desktop folder. One of the key things that admins have been struggling with over the years is how to control that damned Explorer desktop! Given the opportunity, users will store everything they can on the desktop, making your life as an admin even more miserable :)
A few notes before we begin:
- This article is Level 400. Working knowledge of PowerFuse is required.
- If you want the fast track without the flowery screenshots, scroll down to the bottom of this article.
- The described scenario only works with the Windows Shell in PowerFuse, so you cannot do this with the oldschool PowerMenu desktop.
The solution most often applied in the field is redirecting shell folders via registry or policies, so that the desktop folder points to the user's homedrive. This is all well and good, except perhaps for the fact that network traffic is generated every time any data is placed there. Redirection works great, especially if we can minimize the amount of data that is affected. This is what we're going to look at here.
You can also completely restrict users from placing anything on the desktop. While this may work well in an SBC environment, your laptop and workstation users are likely to slap you silly in the hallway if you impose this kind of restriction on their computers. If you want to go this route, you can opt to use the built-in PowerFuse shell and forget about this article.
A third and perhaps better alternative is using a nifty combination of PowerFuse File and Folder security combined with some smart authorizations, to allow them to drag shortcuts to everything out onto the desktop. Net result? The users can have shortcuts to anything they want, and you do not have to worry about huge desktop folders.
This has the added bonus that the shortcuts in the user’s homedirectory folder can be quickly sync’ed to a laptop using the built in File Synchronization feature of PowerFuse 2010 and up. So, let’s have a look at how we put this together:
1) Set up a PowerLaunch environment variable to determine the homedirectory.
Creating this variable is not strictly necessary. Do it anyway, as it makes things nice and dynamic. Go to Configuration Management | PowerLaunch | Environment Variables:
2) Set up the desktop blocking rule.
Now we need to configure the rule for File and Folder security which will block everything. The trick is obviously later to authorize the right stuff, but for now go to Security Management | Files and Folders and enable it.

Consider whether you want logging enabled. In a large production environment, plenty of users might try dropping data on their desktops; you probably don't care about that, as PowerFuse will keep things under control.
Also, it might be a good idea to notify the users. Checking the “Notify user about security events” will give them a nice “Sorry Dave, you can’t do that” kind of message. The rule which is displayed in the listbox, denoted with a shield icon, is configured by hitting the Add button.
You might note that the path refers to the homedrive and ask: "Hey, I thought you wanted to avoid redirecting?" Nope, not necessarily. In this example we're just augmenting the redirection with some security. Second, if you want to use Read-Only Blanketing, you actually need to redirect the desktop, as enabling Read-Only Blanketing will override File and Folder security on specific folders, namely the desktop folder, as it's part of the user's profile. Note that it is important to add the * after the desktop folder.
3) Set up the proper authorizations
Go to Security Management | Global Authorized files. Add the following 5 rules. Please make sure to match the exact Authorized operations, using the proper checkboxes when defining each rule.
The rule for 'new shortcut' allows the user to invoke the shortcut wizard (right-click desktop, New, Shortcut). Note that .URL files are also allowed, which means the user can drag-n-drop a website shortcut directly out of the browser of their choice. Explorer.exe and Rundll32.exe both need read access to the desktop folder; if they don't have it, things go haywire. Nuff said.
UPDATE: In Vista and Win7 you have other processes that read the desktop. Since this is no big issue, replace the two last rules in the screenshot above with one that allows * to read %reshomedrive%\windows\desktop\* instead.
4) Redirect the desktop using PowerFuse
Create a new global registry setting by going to Configuration Management | PowerLaunch | User Registry. Use the Add Registry button to create a new reghack. Inside the PowerFuse registry buffer, select Registry | Import from the menu. Save the reghack below to a .reg file and import it into PowerFuse. Don't worry about all the spooky hex numbers. It will look just fine when imported, with comments and all. If you don't like the paths, edit them accordingly.
To download the Folder Redirection Regfile for PowerFuse, click here:
(the .reg file has been renamed to .re_g)
5) Making sure the right folders exist in the user's homedirectory
This last part is to make sure everything fits together. As both the security rules and the registry settings refer to %reshomedrive%\windows\desktop, it's important that this folder exists. You can make sure this is the case by using PowerFuse Directory Maintenance. Here we can set up the file and directory structures we want the user to have in their home directory. PowerFuse can do tonnes of other stuff here, including changing the contents of ini files, datestamping files, etc. For now we will just use PowerFuse to create the necessary folder structures. Go to Configuration Management | PowerLaunch | Directory Maintenance | Home Directory | Maintenance.
In Directory Maintenance, create the folder structures you want using the New Folder button. These folders will be created automagically by PowerFuse the next time you log in, unless you have modified the settings in Directory Maintenance | Home Directory | Settings.
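To check from inside a user session that steps 1 to 5 had the intended effect, the following PowerShell is an added example (not part of the original article or of PowerFuse). It assumes the step 1 variable is named reshomedrive, as in the rule paths above; the function name Get-DesktopAudit and the demo folder are hypothetical.

```powershell
# Added example: confirm the desktop is redirected and holds only shortcuts.
# Assumption: the PowerLaunch variable from step 1 is exposed as %reshomedrive%.

function Get-DesktopAudit {
    param(
        [string]$DesktopPath  = [Environment]::GetFolderPath('Desktop'),
        [string]$ExpectedRoot = $env:reshomedrive,
        [string[]]$Allowed    = @('.lnk', '.url')
    )

    # Is the shell's Desktop folder located under the home drive?
    $redirected = $false
    if ($ExpectedRoot) {
        $redirected = $DesktopPath.StartsWith($ExpectedRoot, [StringComparison]::OrdinalIgnoreCase)
    }

    # Every file that is not a shortcut should have been blocked by the rule from step 2.
    # desktop.ini is Explorer's own hidden file and is ignored.
    $strays = @(Get-ChildItem -LiteralPath $DesktopPath -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.PSIsContainer -and
            $_.Name -ne 'desktop.ini' -and
            $Allowed -notcontains $_.Extension.ToLowerInvariant()
        })

    [pscustomobject]@{
        DesktopPath = $DesktopPath
        Redirected  = $redirected
        StrayCount  = $strays.Count
        StrayBytes  = ($strays | Measure-Object -Property Length -Sum).Sum
        Strays      = $strays | Select-Object FullName, Length, LastWriteTime
    }
}

# Constructed demo: a temp folder stands in for the redirected desktop.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'desktop-audit-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
'x' | Set-Content -Path (Join-Path $demo 'Intranet.url')   # allowed shortcut
'x' | Set-Content -Path (Join-Path $demo 'budget.xls')     # should be reported
Get-DesktopAudit -DesktopPath $demo -ExpectedRoot $demo | Format-List

# In a real session, call it without parameters:
# Get-DesktopAudit | Format-List
```

A non-zero StrayCount after the rules are active usually means the files predate the blocking rule or were written by a process covered by an authorization.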
6) Add registry setting to compensate for explorer file extension problem
This step is the updated part which was omitted previously. The buildingblock has been updated accordingly. If you have already imported the buildingblock in its former version, you can download the registry file to import into PowerFuse below. So what's this step all about? Well, when redirecting the Explorer desktop to another folder, you may get a security warning when clicking on the shortcuts on the desktop, even though they have been generated by PowerFuse. This is fortunately easy to circumvent by allowing .URL and .LNK as trusted file extensions. Normally one would probably frown on such, however when running things inside the PowerFuse environment, we don't have to worry about it, as we got 5 layers of security to ward off any foreign code sneaking in anyway.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.lnk;.url"
To make a long story short, download the missing reghack here:
(file is renamed to .re_g)
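The LowRiskFileTypes value above lists more than the .lnk and .url entries this step needs; it also marks .exe, .bat, .com, .cmd, .reg and .msi as low risk. As an added example (not part of the original article or of PowerFuse), this PowerShell splits the value, reports every entry beyond those two, and prints the narrowed .reg line. The function name and the list of extensions treated as runnable are assumptions.

```powershell
# Added example: audit a LowRiskFileTypes value against what step 6 requires.
$Needed   = '.lnk', '.url'                                   # the two types named in step 6
$Runnable = '.exe', '.bat', '.com', '.cmd', '.reg', '.msi'   # assumed "review first" list

function Test-LowRiskFileTypes {
    param([Parameter(Mandatory = $true)][string]$Value)

    $Value -split ';' |
        ForEach-Object { $_.Trim().ToLowerInvariant() } |
        Where-Object { $_ } |
        Sort-Object -Unique |
        ForEach-Object {
            $verdict = if ($Needed -contains $_) {
                'needed'
            } elseif ($Runnable -contains $_) {
                'review: runnable type'
            } else {
                'extra'
            }
            [pscustomobject]@{ Extension = $_; Verdict = $verdict }
        }
}

# The value exactly as printed in the article.
$pageValue = '.zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;' +
             '.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.lnk;.url'

# Prefer the live per-user policy value if one is set; otherwise audit the article's value.
$key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'
$live = (Get-ItemProperty -Path $key -Name LowRiskFileTypes -ErrorAction SilentlyContinue).LowRiskFileTypes
$value = if ($live) { $live } else { $pageValue }

# Report everything beyond the two extensions the step needs.
Test-LowRiskFileTypes -Value $value |
    Where-Object { $_.Verdict -ne 'needed' } |
    Format-Table -AutoSize

# The narrowed line for the .reg file, covering only what step 6 describes.
'"LowRiskFileTypes"="{0}"' -f ($Needed -join ';')
```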
There, that's it! A really cool and slick way for PowerFuse admins to manage what the users can do on their Windows desktop.
The Fast-Track
Okay, as promised there is also a really super quick way of doing all this. RES Buildingblocks! If you're not familiar with these, this is the time! Both PowerFuse and Wisdom offer a really cool way of exporting settings from one environment to another.
Before you download any building block, two words of warning:
- ALWAYS test foreign (i.e. not made by yourself) buildingblocks. Build an empty PowerFuse database and import things there and test them out.
- NEVER import unknown buildingblocks into a production environment.
Okay, enough said. We're all adults in here. Download the RAR file here:
Unpack it somewhere where you have a PowerFuse console running. Go to the File | Import menu. It will show a dialog box like this one:
Hit OK and all the stuff above will be imported into the database. Have fun - Post a comment if you have questions.


