Folder Security

[Guest]

I have one computer on the network that is in a somewhat insecure location. I
would like to restrict certain shared folders on the server from being
accessed by any user who logs in from that computer, but other shared files
would still be accessable. After fighting 'shares' and 'permissions' and
'security' unsucessfully for a couple days, does anyone have suggestions?

 

[Guest]

Additional information that may be usefull.
All workstations running XP Pro.
One folder is on Windows 2000 Server
Other folder is on Windows 2003 Server
Both folders part of DFS.

 

[Steven L Umbach]

Keep in mind that NTFS permissions apply to any users that accesses the
computer either through the network or logged on interactively. Share
permissions apply only to network users. A network user's effective access
will be the most restrictive of the two. In other words if a use has full
control permission to the share but only read NTFS permissions to the folder
that is shared the network user can only read files in the folder. So you
need to configure the NTFS permissions on the folders to restrict those that
logon locally. If a user has no permissions to a folder then that user has
no access to the folder. Keep in mind that a users access is also based on
group membership so if users/everyone have access to a folder then any user
can access the folder assuming they do not explicitly or by group membership
have a deny permission also the folder. For instance if you have a folder
called data1 that you want to restrict local user access to then remove
users/everyone from the list and make sure that only the users or group you
want to have access have the necessary permissions. You can create your own
group and add local users to the group rather than add a bunch of users in
the permission list.

XP Pro can use simple file sharing so disable that if you want to control
what users can access a network share on the computer and make sure the
guest account is disabled. Also keep in mind that if a computer is not
physically secured to some degree then is usually is trivial for a malicious
user to access non encrypted data on the computer without you ever knowing
it and that any local administrator can do the same. The links below may
help if you have not seen them yet. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;308418
http://www.mcmcse.com/microsoft/guides/ntfs_and_share_permissions.shtml

 

[Guest]

I want it to be 'machine' selective. My users all have access to the folders
in question from their own or other machines on the network. This machine is
in a location where our customer could gain access if my user should fail to
log out, etc. I don't want information on other customers and/or projects to
be available at that machine, but adminstrative functions such as time
sheets, ect. should still be available. So I guess my question really is, is
there a way to secure folder access by which machine is trying to access it
rather than by which user?

 

[Steven L Umbach]

OK. I think I got what you are asking. You have a server with shares and you
want to any user who logs onto the insecure location from being able to
access those sensitive shares but be able to access other shares on the same
server. I don't know of any way to do that as from what I know is that other
then configuring share permissions for "users" it is an all or nothing
affair and you may want to consider moving the public shares to another
computer that does not have any sensitive data. Ipsec can be used to
authenticate computers with each other before network access is allowed but
it can not be share selective as you can only list ports/protocols/IP in the
ipsec rules. --- Steve

 

[Guest]

Thanks, Steve.
You have pretty much verified the conclusion that I came up with this
morning. Now I just have to convince my supervisor. My problem - not yours.

Robert

 

[Steven L Umbach]

Another possibility is to put another workstation in that location. Then
have one workstation for your users and another for public users. You can
configure the user rights for logon locally and deny logon locally to make
sure which users can logon to which computer and keep the password for the
local administrator account confidential. The workstation for your users
should be physically secured to reduce the risk of compromise such as
keyboard loggers if that is a concern. If it was me I would still rather
move public shares to another computer but adding another workstation may be
more economical if you want don't mind that added risk and would be much
better than using a shared workstation. -- Steve