Patrick,
Thanks for the information - this is very helpful and
will allow me to lock some things down a bit more while
allowing program access!
>-----Original Message-----
>Sandy, I set the NTFS Permissions the same for all
>systems that non-admins use interactively:
>
>C:\ - System & Administrators (Full), Authenticated
>Users (Read & Execute)
>C:\Program Files - System & Administrators (Full),
>Authenticated Users (Read & Execute)
>
>I allow write access to local directories & registry
>keys as needed, i.e. but these are all non-Microsoft
>Programs and are few for me.
>
>I also restrict access (remove authenticated users from
>the ACL, leave only system & administrators) to any CPL
>File that the user has no business playing with, all MSC
>Files, hordes of exe files in the System32 Directory,
>i.e. arp, at, attrib, bootcfg, cacls, chkntfs, cipher,
>convert, cleanmgr, defrag, diskpart, eventvwr, finger,
>ftp, hostname, ipconfig, mnmsrvc, mobsync, mstsc,
>nbtstat, netstat, netsh, nslookup, ntbackup, pathping,
>ping, progman, reg, regedt32, regsvr32, route, secedit,
>syncapp, telnet, tracert, utilman, winchat, regedit (in
>windows directory)
>
>In conjunction with Group Policy these keep users out of
>things they shouldn't be using, either on purpose or by
>accident. I find allowing users to create any local
>directories outside of their user profile to be a BAD
>Idea.
>
>Patrick Rouse
>Microsoft MVP - Terminal Server
>www.patrickrouse.com
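A read-only audit of the ACL layout described in the quoted message, added here as an example and not taken from either poster: it lists write-type rights granted to non-admin principals on C:\ and C:\Program Files, and any of the restricted tools whose ACL still names those principals. The function name `Get-NonAdminAce` is hypothetical, the principal names assume an English-language Windows install, and `$Tools` is a subset of the list in the message.

```powershell
# Added example: read-only audit of the ACL layout described in the quoted message.
# Assumptions: English principal names; $Tools is a subset of the message's list.
$NonAdmin = 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Everyone'

# Write-type file rights, plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000),
# which can appear unmapped in inherit-only ACEs on a volume root.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteBits   = [int]$WriteRights -bor 0x50000000

function Get-NonAdminAce {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$AnyAccess   # report every Allow ACE, not only write-type ones
    )
    if (-not (Test-Path -LiteralPath $Path)) { return }   # tool not present on this build
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($NonAdmin -notcontains $ace.IdentityReference.Value) { continue }
        $hasWrite = ([int]$ace.FileSystemRights -band $WriteBits) -ne 0
        if (-not $AnyAccess -and -not $hasWrite) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Directories the message sets to Read & Execute for Authenticated Users:
# anything beyond read/execute for a non-admin principal is a finding.
$findings = @('C:\', 'C:\Program Files' | ForEach-Object { Get-NonAdminAce -Path $_ })

# Tools the message restricts to SYSTEM and Administrators: any Allow ACE
# for a non-admin principal is a finding.
$Tools = 'arp', 'at', 'cacls', 'ftp', 'ipconfig', 'netsh', 'netstat',
         'nslookup', 'reg', 'regedt32', 'telnet', 'tracert'
$paths  = @($Tools | ForEach-Object { Join-Path $env:SystemRoot "System32\$_.exe" })
$paths += Join-Path $env:SystemRoot 'regedit.exe'   # regedit is in the Windows directory
$findings += @($paths | ForEach-Object { Get-NonAdminAce -Path $_ -AnyAccess })

$findings | Sort-Object Path, Principal | Format-Table -AutoSize
```

Run it from an elevated prompt so every ACL can be read; access granted through principals outside `$NonAdmin` is not reported.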