How do I protect users' privacy from each other?

ToddAndMargo

Hi All,

I have a WS08-1 TS that several of our customers use.

Problem: with Windows Explorer (not IE), they can browse
to the C: drive, click on "users" and see the names of all the
other users (a list of our customers essentially).

I need to protect the user's privacy (their names) from everyone
else. How do I make it so they only see their own name and
none of the other user's names?

Many thanks,
-T
 
Ace Fekay [MCT]

"ToddAndMargo" wrote in message
news:uBrM%23U$PKHA.3540@TK2MSFTNGP04.phx.gbl...
> Hi All,
>
> I have a WS08-1 TS that several of our customers use.
>
> Problem: with Windows Explorer (not IE), they can browse
> to the C: drive, click on "users" and see the names of all the
> other users (a list of our customers essentially).
>
> I need to protect the user's privacy (their names) from everyone
> else. How do I make it so they only see their own name and
> none of the other user's names?
>
> Many thanks,
> -T



Yup. I would rename each folder to something else, such as a customer number,
or other identifier, instead of using the customer name. This way they don't
know who your other customers are by looking at the list.

Then for each folder NTFS security permissions:

Disable Inheritance. Remove All. Then replace with:
Domain Admins = FC
Specific Customer User or Group Name = FC
System = FC

Nothing else.

You can also look into ABE:

Windows Server 2003 Access-based Enumeration
http://www.microsoft.com/windowsserver2003...erview/abe.mspx

Or 2008:

Enable Access-Based Enumeration on a Namespace
http://technet.microsoft.com/en-us/library/dd759150.aspx

Using Inherited Permissions with Access-Based Enumeration
http://technet.microsoft.com/en-us/library/dd834874.aspx

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS 2008, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA
Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
 
Ace Fekay [MCT]

"Ace Fekay [MCT]" wrote in message
news:uRsBae$PKHA.5108@TK2MSFTNGP02.phx.gbl...
> "ToddAndMargo" wrote in message
> news:uBrM%23U$PKHA.3540@TK2MSFTNGP04.phx.gbl...
>> Hi All,
>>
>> I have a WS08-1 TS that several of our customers use.
>>
>> Problem: with Windows Explorer (not IE), they can browse
>> to the C: drive, click on "users" and see the names of all the
>> other users (a list of our customers essentially).
>>
>> I need to protect the user's privacy (their names) from everyone
>> else. How do I make it so they only see their own name and
>> none of the other user's names?
>>
>> Many thanks,
>> -T

>
>
> Yup. I would rename each folder to something else, such as a customer
> number, or other identifier, instead of using the customer name. This way
> they don't know who your other customers are by looking at the list.
>
> Then for each folder NTFS security permissions:
>
> Disable Inheritance. Remove All. Then replace with:
> Domain Admins = FC
> Specific Customer User or Group Name = FC
> System = FC
>
> Nothing else.
>
> You can also look into ABE:
>
> Windows Server 2003 Access-based Enumeration
> http://www.microsoft.com/windowsserver2003...erview/abe.mspx
>
> Or 2008:
>
> Enable Access-Based Enumeration on a Namespace
> http://technet.microsoft.com/en-us/library/dd759150.aspx
>
> Using Inherited Permissions with Access-Based Enumeration
> http://technet.microsoft.com/en-us/library/dd834874.aspx
>

One more suggestion, move all folders to another server. Then set them up as
mapped drives directly to their own individually shared out folders. Do not
share the parent folder. If you do, share it as hidden (by putting a $ on
the end of the sharename). Then create subfolders, one for each customer,
then share them individually as hidden, as well. You can then set their
respective locations as their home folders. Set permissions as such:

Share
Shared as CustomerName$
Domain Admins = FC
Customer Name or Group = FC

NTFS Security Perms
Disable Inheritance. Remove All. Then replace with:
Domain Admins = FC
Specific Customer User or Group Name = FC
System = FC

Ace
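Ace's two posts above describe the same NTFS ACL for each customer folder (inheritance off, everything removed, then Domain Admins, the customer and SYSTEM at Full Control) and, in the second post, one hidden share per customer used as that account's home folder. The script below is an added example and is not from the thread. It assumes a file server named FS01, a domain CONTOSO, customer folders under D:\Customers, and accounts whose login names are already opaque customer IDs (cust0417, cust0502); all of those names are made up, and the customer list is a constructed sample.

```powershell
# Added example, not from the thread. Every name below (FS01, CONTOSO, D:\Customers,
# cust0417, cust0502) is an assumption; replace with your own.
$Domain    = 'CONTOSO'
$Server    = 'FS01'
$Root      = 'D:\Customers'
$Admins    = "$Domain\Domain Admins"
# Constructed sample: accounts whose login names are opaque customer IDs, so the
# folder and share names reveal nothing about who the customer is.
$Customers = @('cust0417', 'cust0502')

function Set-CustomerFolderAcl {
    # "Disable Inheritance. Remove All." then exactly three Full Control entries.
    param([string]$Path, [string]$Account)

    $acl = Get-Acl -Path $Path
    # Protect the DACL and drop (not copy) the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove any explicit entries that were already on the folder.
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($id in @($Admins, 'NT AUTHORITY\SYSTEM', "$Domain\$Account")) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', $inherit, $prop, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

foreach ($cust in $Customers) {
    $path  = Join-Path $Root $cust
    $share = "$cust`$"    # trailing $ keeps the share out of browse lists
    if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }

    # Share-level permissions: Domain Admins and the customer only, both Full.
    # Passing /GRANT explicitly means the default "Everyone" entry is not added.
    net share "$share=$path" "/GRANT:$Admins,FULL" "/GRANT:$Domain\$cust,FULL"

    # NTFS permissions on the folder itself (the control that actually matters).
    Set-CustomerFolderAcl -Path $path -Account $cust

    # Make the hidden share the account's home folder.
    net user $cust "/HOMEDIR:\\$Server\$share" /DOMAIN
}

# Check one folder: AccessToString should list only the three entries above.
Get-Acl -Path (Join-Path $Root $Customers[0]) | Format-List Path, Owner, AccessToString
```

The parent D:\Customers is deliberately not shared, so nothing lists the set of customer folders over SMB. If you do need a shared parent, enable access-based enumeration on that share so each account sees only the subfolder it can open; on Windows Server 2008 that is the "Enable access-based enumeration" option in the Share and Storage Management console, and on 2012 and later `Set-SmbShare -Name 'Customers$' -FolderEnumerationMode AccessBased` does the same. ABE only filters SMB enumeration; a user browsing the local disk of the TS with Explorer is not affected by it, which is the limit the thread runs into further down.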
 
Lanwench [MVP - Exchange]

ToddAndMargo wrote:
> Hi All,
>
> I have a WS08-1 TS that several of our customers use.
>
> Problem: with Windows Explorer (not IE), they can browse
> to the C: drive, click on "users" and see the names of all the
> other users (a list of our customers essentially).
>
> I need to protect the user's privacy (their names) from everyone
> else. How do I make it so they only see their own name and
> none of the other user's names?
>
> Many thanks,
> -T


Pulling back a little, they shouldn't be able to see/explore the C drive (or
any local drives) at all. The TS box should be hosting TS sessions only, not
serving files, etc. Don't store data on the TS box itself, but use folder
redirection (I'm assuming you have a domain) for My Documents, Desktop,
Application Data, and perhaps also Start Menu, to your file server(s).

You should lock down the TS box via GPO so it can't be accessed this way. I
don't know if KB 278295 works with W2008 exactly as is, but it works very
well on W2003.
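Lanwench's point is that the fix for "they can browse to C:\Users" is to stop users from reaching local drives in Explorer at all, via Group Policy, rather than to tidy the folder names. The following PowerShell is an added example, not from the thread and not from KB 278295: it shows the two registry values behind the Windows Explorer policies "Hide these specified drives in My Computer" (NoDrives) and "Prevent access to drives from My Computer" (NoViewOnDrive), computes the drive bitmask they expect, and reads the values back so you can confirm inside a test RDP session that the policy landed. Writing the values directly under HKCU is for testing one account; in production the GPO writes them.

```powershell
# Added example, not from the thread. Shows the registry values behind the two
# Windows Explorer policies used to keep TS users out of local drives:
#   "Hide these specified drives in My Computer"   -> NoDrives
#   "Prevent access to drives from My Computer"    -> NoViewOnDrive
# (User Configuration > Administrative Templates > Windows Components > Windows Explorer).
# Both are DWORD bitmasks: A=1, B=2, C=4, D=8, ... Z=2^25.
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-DriveMask {
    # Converts drive letters ('C', 'D:') into the bitmask the policy expects.
    param([string[]]$Letters)
    $mask = 0
    foreach ($l in $Letters) {
        $bit = [int][char]$l.Substring(0, 1).ToUpper() - [int][char]'A'
        if ($bit -lt 0 -or $bit -gt 25) { throw "Not a drive letter: $l" }
        $mask = $mask -bor [int][math]::Pow(2, $bit)
    }
    return $mask
}

function Set-ExplorerDrivePolicy {
    # Writes both values for the current user. A GPO writes the same key; doing it
    # by hand is only useful to see the effect on one account before rolling out the GPO.
    param([string[]]$Letters)
    $mask = Get-DriveMask -Letters $Letters
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'NoDrives'      -Value $mask -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name 'NoViewOnDrive' -Value $mask -Type DWord
}

function Get-ExplorerDrivePolicy {
    # Reads the values in effect for the current session (run it inside a test RDP
    # session to confirm the GPO applied) and decodes which drives are blocked.
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if (-not $p -or $p.NoViewOnDrive -eq $null) { return 'NoViewOnDrive not set' }
    $blocked = @()
    for ($bit = 0; $bit -le 25; $bit++) {
        if (($p.NoViewOnDrive -band [int][math]::Pow(2, $bit)) -ne 0) { $blocked += [char](65 + $bit) }
    }
    return ('NoDrives=0x{0:X} NoViewOnDrive=0x{1:X} blocked={2}' -f $p.NoDrives, $p.NoViewOnDrive, ($blocked -join ','))
}

Set-ExplorerDrivePolicy -Letters 'C'   # block C: in Explorer for this user
Get-ExplorerDrivePolicy
```

Two things a practitioner will want to know when turning this into a GPO. First, these are User Configuration settings, so to apply them only when someone logs on to the TS (and not on their own PC) link the GPO to the OU containing the TS computer object and enable "User Group Policy loopback processing mode" (Computer Configuration > Administrative Templates > System > Group Policy) in Replace mode. Second, they are Explorer restrictions, not a security boundary: a command prompt, or the hosted application's own file dialogs, can still open paths under C:\Users unless those are blocked as well, so the NTFS permissions on each profile folder remain the control that actually keeps one customer out of another's files.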
 
ToddAndMargo

Ace Fekay [MCT] wrote:

> One more suggestion, move all folders to another server. Then set them up as
> mapped drives directly to their own individually shared out folders. Do not
> share the parent folder. If you do, share it as hidden (by putting a $ on
> the end of the sharename). Then create subfolders, one for each customer,
> then share them individually as hidden, as well. You can then set their
> respective locations as their home folders. Set permissions as such:


Hi Ace,

Thank you for the suggestions. The stinkin' program I
am hosting does not network. (As far as I can tell, it
has code in it to fight you if you try). My attempt at folder
redirection and off computer networking came down
around my ears.

Is there a way to set the users so they can only see their
own My Docs and their Desktop?

-T
 
ToddAndMargo

Ace Fekay [MCT] wrote:

> Or 2008:
>
> Enable Access-Based Enumeration on a Namespace
> http://technet.microsoft.com/en-us/library/dd759150.aspx
>
> Using Inherited Permissions with Access-Based Enumeration
> http://technet.microsoft.com/en-us/library/dd834874.aspx
>


Oh Poop! (Not the real word I said, but I am trying to keep
it polite.) Access-Based Enumeration only works on network
shares and the program I am TS sharing must work off a local
drive. Poop!

If I am not mistaken, that leaves me with scrambled
user names. Any other ideas.

-T
 
Ace Fekay [MCT]

"ToddAndMargo" wrote in message
news:Oc9BCNHQKHA.4428@TK2MSFTNGP02.phx.gbl...
> Ace Fekay [MCT] wrote:
>
>> Or 2008:
>>
>> Enable Access-Based Enumeration on a Namespace
>> http://technet.microsoft.com/en-us/library/dd759150.aspx
>>
>> Using Inherited Permissions with Access-Based Enumeration
>> http://technet.microsoft.com/en-us/library/dd834874.aspx
>>

>
> Oh Poop! (Not the real word I said, but I am trying to keep
> it polite.) Access-Based Enumeration only works on network
> shares and the program I am TS sharing must work off a local
> drive. Poop!
>
> If I am not mistaken, that leaves me with scrambled
> user names. Any other ideas.
>
> -T


Local only? Yikes!

Yep, scramble them up like eggs, and set the permissions as I mentioned.

Ace
 
Lanwench [MVP - Exchange]

Ace Fekay [MCT] wrote:
> "ToddAndMargo" wrote in message
> news:Oc9BCNHQKHA.4428@TK2MSFTNGP02.phx.gbl...
>> Ace Fekay [MCT] wrote:
>>
>>> Or 2008:
>>>
>>> Enable Access-Based Enumeration on a Namespace
>>> http://technet.microsoft.com/en-us/library/dd759150.aspx
>>>
>>> Using Inherited Permissions with Access-Based Enumeration
>>> http://technet.microsoft.com/en-us/library/dd834874.aspx
>>>

>>
>> Oh Poop! (Not the real word I said, but I am trying to keep
>> it polite.) Access-Based Enumeration only works on network
>> shares and the program I am TS sharing must work off a local
>> drive. Poop!
>>
>> If I am not mistaken, that leaves me with scrambled
>> user names. Any other ideas.
>>
>> -T
>
>
> Local only? Yikes!
>
> Yep, scramble them up like eggs, and set the permissions as I
> mentioned.
> Ace

...and if this application isn't "network ready" I doubt it's certified to
run on TS. I'd question the wisdom of using it.
 
