Re: deny access to all but 1 folder
- From: "Andy Dyble" <andy.dyble@xxxxxxxxxxx>
- Date: Mon, 28 May 2007 10:11:37 +0100
Vera
The point of this exercise is to allow remote programmers access to our
"Remote Developers Terminal Server", using a standard setup for Borland
Delphi. We currently give a handful of trusted programmers a bit more
freedom than we should but we've known them for years. I now want to start
allowing guest programmers access who only work a few hours or days per
month. Therefore they must have the following access.
c:\program files\borland\ - read, execute (I don't want them to change any
of the setup or files in case it affects others)
c:\ - whatever is required for logon etc.
c:\windows and system32, again the minimum required to run programs.
c:\development - only certain sub folders to be allowed by user.
write/modify etc.
c:\development is shared as v:\
and c:\program files\borland\ is shared as n:\
Thanks
ANdy
"Vera Noest [MVP]" <vera.noest@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:Xns993DD6149ACCveranoesthemutforsse@xxxxxxxxxxxxxxxx
I assume that drive C: is where you installed Windows, correct?
If so, denying access to the C: drive is *not* fine, as I tried to
explain.
If you deny access to the root of the C: drive, users will not be
able to logon at all. If you deny access to \system32, they won't
be able to run pretty much anything at all.
And Read + Execute does not imply Modify or Delete. I don't
understand what files you are concerned about, and how users would
be able to delete or modify them on a system with the default NTFS
permissions.
Can you give an exact example of a file, with its default NTFS
permissions, and why you feel this isn't enough security?
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
"Andy Dyble" <andy.dyble@xxxxxxxxxxx> wrote on 26 maj 2007 in
microsoft.public.windows.terminal_services:
Denying access would be fine. All I want is the user only to
have access to one folder. I thought with 2003 that users had
no access to any folder unless specifically granted. I don't
want user logging in and deleting or modifying files and folders
in drive c:.
Andy
"Vera Noest [MVP]" <vera.noest@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message
news:Xns993CEC3E9CDCFveranoesthemutforsse@xxxxxxxxxxxxxxxx
You have to differentiate between "hiding" and "denying
access". These are 2 completely different things. Hiding is a
purely cosmetic feature, which doesn't provide any security
(other than by obscurity). Denying access with NTFS permissions
doesn't hide the folders, unless you use Access-Based
Enumeration on shared folders.
You cannot deny access to the whole C: drive, since users must
have at least Read + Execute rights to most parts of the
program files and system folders.
And you cannot deny access to Documents and Settings either,
because it is their own profile, so they must have full control
there.
The default NTFS permissions on a Windows 2003 TS need no
modification.
But you can hide the C: drive completely, which means that it
isn't visible in most of the "Open file" dialog boxes in most
applications (but there are exceptions).
After hiding the C: drive, you can give your users access to
the \borland folder by assigning it a different drive letter.
Put a line in your TS-specific logon script with something
like:
subst B: "C:\program files\borland"
Then teach your users that the Borland files are on the B:
drive.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
"Andy Dyble" <andy.dyble@xxxxxxxxxxx> wrote on 26 maj 2007 in
microsoft.public.windows.terminal_services:
Dragos, I'll try and explain a bit better, I was a bit too
brief.
The user is existing.
My main objective is to deny access to all of drive C for a
user, except c:\program files\borland\
using NTFS security.
Thanks
Andy
"Dragos CAMARA" <dragos_c@xxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:B4073FBF-0271-4560-B2C8-1D90A6BE00E3@xxxxxxxxxxxxxxxx
hi,
for existing users it is possible, but for the user who will
login for the first time? Another solution is to redirect the
My Documents folder.
--
Dragos CAMARA
MCSA Windows 2003 server
"Andy Dyble" wrote:
"Dragos CAMARA" <dragos_c@xxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:A86AB887-B62E-4628-8A31-52427D3C480E@xxxxxxxxxxxxxxxx
hi,
create mandatory profiles for users who use TS.
--
Dragos CAMARA
MCSA Windows 2003 server
"Andy Dyble" wrote:
Hi
On our TS, we are trying to deny access to the whole of drive C, except one
folder, which requires all users to have list, read, execute rights, and one
or more extra folders for each user (not home though), that require modify as
well.
We tried applying security to drive C:, this looked like it was working
because users were getting access denied, but then found they can open My
Documents and any other folder inside the drive.
TS = 2003 Standard, member server to 2003 AD server.
Thanks
Andy Dyble
Cheers Dragos, but shouldn't this be possible using NTFS
permissions ?
ANdy
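
The layout Andy lists at the top of this message, with the default permissions left alone everywhere except C:\development, as an added example that is not part of the original thread. The groups TS-GuestDevs and TS-TrustedDevs, the user guestdev1 and the folder ProjectA are hypothetical names, and the script assumes an icacls build that supports /inheritance.

```batch
@echo off
rem Added example. TS-GuestDevs, TS-TrustedDevs, guestdev1 and ProjectA are
rem hypothetical names. C:\, C:\Windows and C:\Program Files are not modified:
rem the default Read + Execute for Users there already matches the requirement.
setlocal
set "GUESTS=TS-GuestDevs"
set "TRUSTED=TS-TrustedDevs"
set "DEVUSER=guestdev1"
set "DEVROOT=C:\development"
set "PROJECT=%DEVROOT%\ProjectA"

rem Record the current ACLs so the change can be reviewed afterwards.
icacls "%DEVROOT%" /save "%TEMP%\development-acl.bak" /T /C

rem Keep the existing programmers working before the broad group is removed.
icacls "%DEVROOT%" /grant "%TRUSTED%:(OI)(CI)M" || goto :failed

rem Stop inheriting from C:\ (inherited ACEs are copied as explicit ones),
rem then drop the built-in Users group (well-known SID S-1-5-32-545).
icacls "%DEVROOT%" /inheritance:d || goto :failed
icacls "%DEVROOT%" /remove:g *S-1-5-32-545 || goto :failed

rem Guests may open and list the top folder only: no (OI)(CI), so this ACE
rem is not inherited by any subfolder.
icacls "%DEVROOT%" /grant "%GUESTS%:RX" || goto :failed

rem One guest gets Modify on one project folder and everything below it.
icacls "%PROJECT%" /grant "%DEVUSER%:(OI)(CI)M" || goto :failed

rem Print the resulting ACLs. Check the first listing for any other broad
rem group that is still present, and the last one to confirm guests have
rem nothing beyond Read + Execute on the Borland files.
icacls "%DEVROOT%"
icacls "%PROJECT%"
icacls "C:\Program Files\Borland"
exit /b 0

:failed
echo ACL change failed; previous ACLs are in "%TEMP%\development-acl.bak"
exit /b 1
```

Access through the v:\ share is additionally limited by the share permissions, which this script does not touch.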