SFM Network Trash folder security

[Bob Adams]

Is there a way to lockdown or disable the Network Trash
folder that the Win2k sfm service (file services for
macintosh) creates in mac shares?

I performed a few experiments and discovered that:

1) The sfm service automatically creates/recreates a
hidden Network Trash folder in each share when started.
2) No matter wat I set for security on the root folder,
this folder's permissions are set to everyone full.
3) If I try to lock an existing Network Trash folder
down, it is recreated with everyone full permissions
again when the service is restarted.
4) Mac connected clients operate as expected when the
Network Trash folder is unavailable (files are deleted
immediately).

I'm operating 50 win2k file servers in a mixed win98 and
mac9 environment.

Thanks.

 

[Dan Lnenicka]

I have this same problem. I have also done most of the
things you have tried with the same results. This seems
the trouble with having a mixed network with Macs and PCs.

I hope you find an answer.

Dan Lnenicka

 

[Bob Adams]

I found a MSKB article for NT4.0 server that may apply to
Win2k server as well: 103033 - Network Trash Folder While
Running SFM.

This article implies that the network trash folder cannot
be removed or its security modified (behavior by
design).

I'm surprised by the lack of discussion on the web about
this. This 'feature' allows PC users to store and access
files in any dual shared folder they have share level
write access to. No granularity. I can't turn off SFM
because we use Mac OS9 and can't afford 3rd party add-
ons. PC share access permissions can't be reduced
because it was all designed around folder level
security. User's can't be educated or disciplined
because this is a large school district with fiefdom
politics. Anyone have a technical solution or suggestion?

<rant>
ack! What's a poor sys admin to do? This violates our
security policy. I'm worried that these hidden folders
could be used for evil by viri, clever students, hostile
staff members, or crackers.