Re: deny access to all but 1 folder



I don't know how else to explain it, but let me try once more:
Hiding drive C: is *only* a cosmetic thing. It's meant to make life
less complicated for normal users. It does *not* give any security,
and it does *not* disable access to the drive. For users who are
programmers, it's useless; they will know how to use a command
window.
And you can *not* deny access to C: (with NTFS), because that would
make your whole server inaccessible.

Again: what is your problem with these users having the default
NTFS permissions on c:\windows\system32\?
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"Andy Dyble" <andy.dyble@xxxxxxxxxxx> wrote on 28 maj 2007 in
microsoft.public.windows.terminal_services:

I have also hidden drive c:\ in the Group Policy for these
users. They have a separate OU.
But it doesn't stop them typing c:\windows\system32\ into my
computer address bar.
Should I then deny modify access to these folders specifically?

Thanks again

Andy


"Vera Noest [MVP]" <vera.noest@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message
news:Xns993DD6149ACCveranoesthemutforsse@xxxxxxxxxxxxxxxx
I assume that drive C: is where you installed Windows, correct?
If so, denying access to the C: drive is *not* fine, as I tried
to explain.
If you deny access to the root of the C: drive, users will not
be able to logon at all. If you deny access to \system32, they
won't be able to run pretty much anything at all.

And Read + Execute does not imply Modify or Delete. I don't
understand what files you are concerned about, and how users
would be able to delete or modify them on a system with the
default NTFS permissions.

Can you give an exact example of a file, with its default NTFS
permissions, and why you feel this isn't enough security?

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"Andy Dyble" <andy.dyble@xxxxxxxxxxx> wrote on 26 maj 2007 in
microsoft.public.windows.terminal_services:

Denying access would be fine. All I want is the user only to
have access to one folder. I thought with 2003 that users had
no access to any folder unless specifically granted. I don't
want user logging in and deleting or modifying files and
folders in drive c:.

Andy

"Vera Noest [MVP]" <vera.noest@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message
news:Xns993CEC3E9CDCFveranoesthemutforsse@xxxxxxxxxxxxxxxx
You have to differentiate between "hiding" and "denying
access". These are 2 completely different things. Hiding is a
purely cosmetic feature, which doesn't provide any security
(other than by obscurity). Denying access with NTFS
permissions doesn't hide the folders, unless you use
Access-Based Enumeration on shared folders.

You cannot deny access to the whole C: drive, since users
must have at least Read + Execute rights to most parts of the
program files and system folders.
And you cannot deny access to Documents and Settings either,
because it is their own profile, so they must have full
control there.
The default NTFS permissions on a Windows 2003 TS need no
modification.

But you can hide the C: drive completely, which means that it
isn't visible in most of the "Open file" dialog boxes in most
applications (but there are exceptions).

After hiding the C: drive, you can give your users access to
the \borland folder by assigning it a different drive letter.
Put a line in your TS-specific logon script with something
like:

subst B: "C:\program files\borland"

Then teach your users that the Borland files are on the B:
drive.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"Andy Dyble" <andy.dyble@xxxxxxxxxxx> wrote on 26 maj 2007 in
microsoft.public.windows.terminal_services:

Dragos, I'll try and explain a bit better, I was a bit too
brief.

The user is existing.
My main objective is to deny access to all of drive C for a
user, except c:\program files\borland\
using NTFS security.

Thanks

Andy

"Dragos CAMARA" <dragos_c@xxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:B4073FBF-0271-4560-B2C8-1D90A6BE00E3@xxxxxxxxxxxxxxxx
hi,
for existing users it is possible, but for the user who
will login for the first time? Another solution is to
redirect the my documents folder.
--
Dragos CAMARA
MCSA Windows 2003 server


"Andy Dyble" wrote:

"Dragos CAMARA" <dragos_c@xxxxxxxxxxxxxxxxxxxxxxx> wrote
in message
news:A86AB887-B62E-4628-8A31-52427D3C480E@xxxxxxxxxxxxxxxx
hi,
create mandatory profiles for users who use TS.
--
Dragos CAMARA
MCSA Windows 2003 server


"Andy Dyble" wrote:

Hi
On our TS, we are trying to deny access to the whole of
drive C, except one folder, which requires all users to have
list, read, execute rights, and one or more extra folders for
each user (not home though), that require modify as well.

We tried applying security to drive C:, this looked like it
was working because users were getting access denied, but then
found they can open My Documents and any other folder inside
the drive.

TS= 2003 Standard, member server to 2003 Ad server.

Thanks

Andy Dyble


Cheers Dragos, but shouldn't this be possible using NTFS
permissions ?

Andy
.
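
The approach recommended in this thread (leave the default NTFS ACLs on the system drive alone and grant rights only on the specific folders), as an added example that is not part of the original posts. The group `EXAMPLE\BorlandDevs`, the work root `D:\DevWork` and the script name are assumed placeholders; `icacls` ships with Windows Server 2003 from SP2 onward.

```batch
@echo off
rem grant-dev-folders.cmd <DOMAIN\user>   (hypothetical script name)
rem Run as an administrator on the terminal server.
setlocal

if "%~1"=="" (
    echo Usage: %~nx0 DOMAIN\user
    exit /b 1
)

rem Assumed placeholder names, adjust to your environment.
set "ACCOUNT=%~1"
set "GROUP=EXAMPLE\BorlandDevs"
set "APPDIR=C:\Program Files\Borland"
set "WORKROOT=D:\DevWork"
set "WORKDIR=%WORKROOT%\%~nx1"

rem 1. Inspect the default ACLs first. Nothing is changed here:
rem    ordinary users should show Read + Execute only, not Modify.
icacls "C:\Windows\System32"
icacls "%APPDIR%"

rem 2. Shared application folder: list, read and execute,
rem    inherited by subfolders (CI) and files (OI).
icacls "%APPDIR%" /grant "%GROUP%":(OI)(CI)RX

rem 3. Per-user work folder (not the home folder): Modify for
rem    that one account only.
if not exist "%WORKDIR%" mkdir "%WORKDIR%"
icacls "%WORKDIR%" /grant "%ACCOUNT%":(OI)(CI)M

rem 4. Show the resulting ACLs for review.
icacls "%APPDIR%"
icacls "%WORKDIR%"

endlocal
```

The `subst` line from the thread stays in the per-user logon script; it only changes what the user sees, while the ACLs above decide what the user can actually do.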


