[gptalk] Re: drive access attention Doug

  • From: "Omar Droubi" <omar@xxxxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 22 Sep 2006 11:22:33 -0700

Eric,
 
So what goal are you really trying to achieve?
 
Is this for a terminal server or for workstations or for branch office
servers or what?
 
I can understand you not wanting end users to create additional folders on
the C drive, but what if they do? What is the real problem or issue
regarding that?
 
Just curious to know because there may be a different resolution or option. 
 
Seems like the C drive root lockdown is pretty painful; even in my test
scripts which I tried to put together, the time to get it working as expected
does not seem worthy of the solution. You can lock down the C: root, but what
about the temp folder; where does it end?
 
If this is all about security, check the NSA recommendations for locking
down Windows boxes.
 
Attached is an NSA doc on securing W2K boxes' file and disk resources, and
they are not locking down the root of the C drive. www.nsa.gov
 
Food for thought.
 
BTW, I don't follow these guides myself, but I do reference them and implement
some of the recommendations as best practices, just in case you were
wondering.
 
Omar
 
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Delaney, Doug
Sent: Friday, September 22, 2006 10:45 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: drive access attention Doug


An Admin is a user too...  And, Deny always takes precedence.
 

Doug Delaney
GM Desktop Engineering
Global Client Engineering GM
1075 W. Entrance Dr., MS 2B, Cube 2130
Auburn Hills, MI 48326
Lab: 248-365-9187
Tel: 248-754-7917
Pg: 248-870-0306 pager
Mail:  <mailto:Doug.Delaney@xxxxxxx> Doug.Delaney@xxxxxxx 

Note: The information in this email is intended solely for the addressee.
Access to this email by anyone else is unauthorized. If you are not the
intended recipient, any disclosure, copying, distribution or any action
taken or omitted to be taken in reliance on it is prohibited.


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Eric Middleton
Sent: Friday, September 22, 2006 12:35 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: drive access attention Doug



Well, I spoke too soon. It is working for users, but it also will not let me
make a new folder on C:. I have added Admins and gave Full Control, but it is
still not letting anyone create a new folder on C:.

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Delaney, Doug
Sent: Friday, September 22, 2006 10:35 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: drive access attention Doug

 

Eric,

 

In the normal security properties dialog, you will need to add all accounts,
such as Administrators, System, Power Users, etc., that match the current
permissions on the C: drive. Then, using the Advanced button, you can add
the Users group multiple times. One of them is configured as the left side,
and this is the key... the "Apply onto" field needs to be set to "This folder
only". Then add the second entry for the Users group, and in the "Apply onto"
field make it "Subfolders and files only", and configure that as the right
diagram. This makes the first entry remove the users' right to create
folders or files on C:, but allows them read/write access to all subfolders
and files of C:.

 

We can take this offline, if you need more help.  Glad to see you're testing
it, as that is very important.  Crucial, in fact.

 


 


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Eric Middleton
Sent: Thursday, September 21, 2006 11:57 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: drive access attention Doug

OK, I have tried this a few times and still am a little confused. How do I do
this 2 different ways like shown below? I can only do one or the other,
correct? When I attempt to recreate what is in the left pic, the system won't
let anyone log on.


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Delaney, Doug
Sent: Wednesday, September 20, 2006 12:18 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: drive access

 

I would add %SystemDrive% to the File System entries, under Computer
Configuration | Windows Settings | Security Settings | File System, and
configure the (Advanced) permissions for the user group required (my example
uses the "Users" built-in group). Ensure you select "This folder only" in the
"Apply onto" field, and deny creating files and folders. Also ensure that you
configure all other security settings required (to match what they are
locally), as this will replace the existing permissions with a new set of
permissions... so be VERY careful with regard to inheritance. This means you
will be replacing the entire set of permissions on drive C:, so you will have
to add an additional entry for Users (in my example) whose "Apply onto" is set
to "Subfolders and files only". When you click OK, then click on "Configure
this file or folder", then select "Replace permissions on all subfolders and
files". Please ensure you include ALL other groups currently defined on
Drive C... everywhere, paying special attention to Program Files, Documents
and Settings, and the %SystemRoot% folders. AGAIN, you are replacing ALL
security settings on drive C: using this method. But it gives you complete
and granular control. You also want to TEST using only one entry for Users
at the root of C:, and see if that does or does not replace all lower
permissions (subfolders) if you select "Propagate inheritable permissions on
all subfolders and files" (instead of replace), but I have not had the
expected results using that in the past. Warning: Don't lock out
Administrators or SYSTEM...

 

 

Such as 

  

 

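The two-entry layout Doug describes in both of his replies (one Users entry applied to "This folder only", a second Users entry applied to "Subfolders and files only") can be built with the .NET ACL classes and tried on a scratch folder before it goes into a GPO File System entry. This is an added example, not code from the thread; it assumes a test path under %TEMP%, the BUILTIN\Users, BUILTIN\Administrators and NT AUTHORITY\SYSTEM identities, and PowerShell 3 or later. Because Administrators are members of Users and Deny always wins (Doug's explanation of Eric's symptom), the root entry simply omits the create rights instead of adding an explicit Deny ACE, so admins keep Full Control.

```powershell
# Added example, not code from the thread. Assumed scratch path; do not point
# this at C:\ untested, since the ACL below replaces the folder's permissions.
param([string]$Root = (Join-Path $env:TEMP 'root-lockdown-test'))

New-Item -ItemType Directory -Path (Join-Path $Root 'Sub') -Force | Out-Null

function New-Rule {
    param($Id, $Rights, $Inherit, $Propagate, $Type)
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
               -ArgumentList $Id, $Rights, $Inherit, $Propagate, $Type
}

$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $false)   # no inheritance: we define the full set
foreach ($r in @($acl.Access)) { [void]$acl.RemoveAccessRule($r) }

# Doug's warning: never lock out Administrators or SYSTEM.
$acl.AddAccessRule((New-Rule 'BUILTIN\Administrators' 'FullControl' 'ContainerInherit,ObjectInherit' 'None' 'Allow'))
$acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM'     'FullControl' 'ContainerInherit,ObjectInherit' 'None' 'Allow'))

# Entry 1 (left diagram): Users, Apply onto = This folder only.
# Read/traverse on the root, with no CreateFiles or CreateDirectories, so a
# new folder at the root is refused without an explicit Deny that would also
# hit administrators (they are members of Users).
$acl.AddAccessRule((New-Rule 'BUILTIN\Users' 'ReadAndExecute' 'None' 'None' 'Allow'))

# Entry 2 (right diagram): Users, Apply onto = Subfolders and files only.
# InheritOnly keeps this ACE off the root itself.
$acl.AddAccessRule((New-Rule 'BUILTIN\Users' 'Modify' 'ContainerInherit,ObjectInherit' 'InheritOnly' 'Allow'))

# Refuse to write an ACL in which Administrators or SYSTEM lack Full Control.
$full = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.FileSystemRights -eq 'FullControl' } |
        ForEach-Object { $_.IdentityReference.Value }
foreach ($must in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    if ($must -notin $full) { throw "Refusing to apply: $must would lose Full Control" }
}
Set-Acl -Path $Root -AclObject $acl

# Review the result: a non-admin test account should be able to create in
# $Root\Sub but not in $Root itself, while admins can create in both.
(Get-Acl -Path $Root).Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, InheritanceFlags, PropagationFlags |
    Format-Table -AutoSize
```

Log on as a plain member of Users and try to create a folder in the root and in Sub to confirm the behaviour before moving the same entries into the GPO.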

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Eric Middleton
Sent: Wednesday, September 20, 2006 12:48 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] drive access

Anyone know how to make the root of C: non-accessible? I have told the group
policy not to allow saving of files to C:; however, if you create a new folder,
you can save to that folder. Anyone know how to stop this?
