Re: deny access to all but 1 folder



Do not change the default NTFS permissions on the root of C:, or
any folder beneath C:\Windows. The default permissions are what
they should be.

For the Borland and Developers folders, just set the NTFS
permissions as you want them to be.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"Andy Dyble" <andy.dyble@xxxxxxxxxxx> wrote on 28 maj 2007 in
microsoft.public.windows.terminal_services:

Vera

The point of this exercise is to allow remote programmers
access to our "Remote Developers Terminal Server", using a
standard setup for Borland Delphi. We currently give a handful
of trusted programmers a bit more freedom than we should but
we've known them for years. I now want to start allowing guest
programmers access who only work a few hours or days per month.
Therefore they must have the following access.

c:\program files\borland\ - read, execute (I don't want them to
change any of the setup or files in case it affects others)
c:\ - whatever is required for logon etc.
c:\windows and system32, again the minimum required to run
programs.
c:\development - only certain sub folders to be
allowed by user. write/modify etc.

c:\development is shared as v:\
and c:\program files\borland\ is shared as n:\

Thanks

Andy


"Vera Noest [MVP]" <vera.noest@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message
news:Xns993DD6149ACCveranoesthemutforsse@xxxxxxxxxxxxxxxx
I assume that drive C: is where you installed Windows, correct?
If so, denying access to the C: drive is *not* fine, as I tried
to explain.
If you deny access to the root of the C: drive, users will not
be able to logon at all. If you deny access to \system32, they
won't be able to run pretty much anything at all.

And Read + Execute does not imply Modify or Delete. I don't
understand what files you are concerned about, and how users
would be able to delete or modify them on a system with the
default NTFS permissions.

Can you give an exact example of a file, with its default NTFS
permissions, and why you feel this isn't enough security?

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"Andy Dyble" <andy.dyble@xxxxxxxxxxx> wrote on 26 maj 2007 in
microsoft.public.windows.terminal_services:

Denying access would be fine. All I want is the user only to
have access to one folder. I thought with 2003 that users had
no access to any folder unless specifically granted. I don't
want user logging in and deleting or modifying files and
folders in drive c:.

Andy

"Vera Noest [MVP]" <vera.noest@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message
news:Xns993CEC3E9CDCFveranoesthemutforsse@xxxxxxxxxxxxxxxx
You have to differentiate between "hiding" and "denying
access". These are 2 completely different things. Hiding is a
purely cosmetic feature, which doesn't provide any security
(other than by obscurity). Denying access with NTFS
permissions doesn't hide the folders, unless you use
Access-Based Enumeration on shared folders.

You cannot deny access to the whole C: drive, since users
must have at least Read + Execute rights to most parts of the
program files and system folders.
And you cannot deny access to Documents and Settings either,
because it is their own profile, so they must have full
control there.
The default NTFS permissions on a Windows 2003 TS need no
modification.

But you can hide the C: drive completely, which means that it
isn't visible in most of the "Open file" dialog boxes in most
applications (but there are exceptions).

After hiding the C: drive, you can give your users access to
the \borland folder by assigning it a different drive letter.
Put a line in your TS-specific logon script with something
like:

subst B: C:\program files\borland\

Then teach your users that the Borland files are on the B:
drive.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"Andy Dyble" <andy.dyble@xxxxxxxxxxx> wrote on 26 maj 2007 in
microsoft.public.windows.terminal_services:

Dragos, I'll try and explain a bit better, I was a bit too
brief.

The user is existing.
My main objective is to deny access to all of drive C for a
user, except c:\program files\borland\
using NTFS security.

Thanks

Andy

"Dragos CAMARA" <dragos_c@xxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:B4073FBF-0271-4560-B2C8-1D90A6BE00E3@xxxxxxxxxxxxxxxx
hi,
for existing users it is possible, but for the user who
will login for the first time? Another solution is to
redirect the my documents folder.
--
Dragos CAMARA
MCSA Windows 2003 server


"Andy Dyble" wrote:

"Dragos CAMARA" <dragos_c@xxxxxxxxxxxxxxxxxxxxxxx> wrote
in message
news:A86AB887-B62E-4628-8A31-52427D3C480E@xxxxxxxxxxxxxxxx
hi,
create mandatory profiles for users who use TS.
--
Dragos CAMARA
MCSA Windows 2003 server


"Andy Dyble" wrote:

Hi
On our TS, we are trying to deny access to the whole of
drive C, except one folder, which requires all users to have
list, read, execute rights, and one or more extra folders for
each user (not home though), that require modify as well.

We tried applying security to drive C:, this looked like it
was working because users were getting access denied, but then
found they can open My Documents and any other folder inside
the drive.

TS= 2003 Standard, member server to 2003 Ad server.

Thanks

Andy Dyble


Cheers Dragos, but shouldn't this be possible using NTFS
permissions ?

Andy
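
The layout this thread converges on (defaults untouched on C:\ and C:\Windows, Read + Execute on the Borland folder, Modify only on assigned subfolders of c:\development), as an added example that is not part of the original thread. The group name, user name and subfolder name are hypothetical.

```powershell
# Added example, not from the thread. Group, user and subfolder names
# are hypothetical; the two folder paths are the ones Andy names.
$borland = 'C:\Program Files\Borland'
$devRoot = 'C:\development'
$guests  = 'EXAMPLE\GuestDevs'                     # hypothetical group
$grants  = @{ 'EXAMPLE\guest1' = @('ProjectA') }   # hypothetical user -> subfolders

function Add-AllowAce([string]$Path, [string]$Identity, [string]$Rights) {
    # Allow ACE that is inherited by subfolders and files below $Path
    $ruleArgs = $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# C:\ and C:\Windows are deliberately left alone: their defaults stay.

# Borland: read and execute only, so guests cannot alter the shared setup.
Add-AllowAce $borland $guests 'ReadAndExecute'

# Development: Modify only on the subfolders assigned to each user.
foreach ($user in $grants.Keys) {
    foreach ($sub in $grants[$user]) {
        Add-AllowAce (Join-Path $devRoot $sub) $user 'Modify'
    }
}

# Check: show every Allow entry on the Borland folder that carries a
# write-type right. Administrators and SYSTEM are expected here; a guest
# or Users entry with such rights would let guests change the shared setup.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
(Get-Acl -Path $borland).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $writeMask) } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```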