
how do I protect users privacy from each other?

Discussion in 'Windows Home Server' started by ToddAndMargo, Sep 27, 2009.

  1. ToddAndMargo

    ToddAndMargo Guest

    Hi All,

    I have a WS08-1 TS that several of our customers use.

    Problem: with Windows Explorer (not IE), they can browse
    to the C: drive, click on "users" and see the names of all the
    other users (a list of our customers essentially).

    I need to protect the user's privacy (their names) from everyone
    else. How do I make it so they only see their own name and
    none of the other user's names?

    Many thanks,
    -T
     
  2. "ToddAndMargo" <ToddAndMargo@invalid.com> wrote in message
    news:uBrM%23U$PKHA.3540@TK2MSFTNGP04.phx.gbl...
    > Hi All,
    >
    > I have a WS08-1 TS that several of our customers use.
    >
    > Problem: with Windows Explorer (not IE), they can browse
    > to the C: drive, click on "users" and see the names of all the
    > other users (a list of our customers essentially).
    >
    > I need to protect the user's privacy (their names) from everyone
    > else. How do I make it so they only see their own name and
    > none of the other user's names?
    >
    > Many thanks,
    > -T


    Yup. I would rename each folder to something else, such as a customer number,
    or other identifier, instead of using the customer name. This way they don't
    know who your other customers are by looking at the list.

    Then for each folder NTFS security permissions:

    Disable Inheritance. Remove All. Then replace with:
    Domain Admins = FC
    Specific Customer User or Group Name = FC
    System = FC

    Nothing else.

    You can also look into ABE:

    Windows Server 2003 Access-based Enumeration


    Or 2008:

    Enable Access-Based Enumeration on a Namespace


    Using Inherited Permissions with Access-Based Enumeration


    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among
    responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MCT, MCTS 2008, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA
    Messaging
    Microsoft Certified Trainer

    For urgent issues, please contact Microsoft PSS directly. Please check
    for regional support phone numbers.
     
  3. "Ace Fekay [MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
    news:uRsBae$PKHA.5108@TK2MSFTNGP02.phx.gbl...
    > "ToddAndMargo" <ToddAndMargo@invalid.com> wrote in message
    > news:uBrM%23U$PKHA.3540@TK2MSFTNGP04.phx.gbl...
    >> Hi All,
    >>
    >> I have a WS08-1 TS that several of our customers use.
    >>
    >> Problem: with Windows Explorer (not IE), they can browse
    >> to the C: drive, click on "users" and see the names of all the
    >> other users (a list of our customers essentially).
    >>
    >> I need to protect the user's privacy (their names) from everyone
    >> else. How do I make it so they only see their own name and
    >> none of the other user's names?
    >>
    >> Many thanks,
    >> -T
    >
    >
    > Yup. I would rename each folder to something else, such as a customer
    > number, or other identifier, instead of using the customer name. This way
    > they don't know who your other customers are by looking at the list.
    >
    > Then for each folder NTFS security permissions:
    >
    > Disable Inheritance. Remove All. Then replace with:
    > Domain Admins = FC
    > Specific Customer User or Group Name = FC
    > System = FC
    >
    > Nothing else.
    >
    > You can also look into ABE:
    >
    > Windows Server 2003 Access-based Enumeration
    >
    >
    > Or 2008:
    >
    > Enable Access-Based Enumeration on a Namespace
    >

    >
    > Using Inherited Permissions with Access-Based Enumeration
    >


    One more suggestion, move all folders to another server. Then set them up as
    mapped drives directly to their own individually shared out folders. Do not
    share the parent folder. If you do, share it as hidden (by putting a $ on
    the end of the sharename). Then create subfolders, one for each customer,
    then share them individually as hidden, as well. You can then set their
    respective locations as their home folders. Set permissions as such:

    Share
    Shared as CustomerName$
    Domain Admins = FC
    Customer Name or Group = FC

    NTFS Security Perms
    Disable Inheritance. Remove All. Then replace with:
    Domain Admins = FC
    Specific Customer User or Group Name = FC
    System = FC

    Ace
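
Added example, not part of the original posts: one way to script the layout Ace describes in the two replies above (folders named by customer number, a protected ACL holding only Domain Admins, the customer and SYSTEM at Full Control, one hidden share per customer), followed by an audit of the resulting ACL. The domain `CONTOSO`, the root `D:\CustomerData`, the customer accounts and the two function names are assumptions made for illustration.

```powershell
# Added example; CONTOSO, D:\CustomerData and the customer accounts are placeholders.
# Run elevated on the file server as a member of Domain Admins.
$Root      = 'D:\CustomerData'           # assumed parent folder; never shared itself
$Admins    = 'CONTOSO\Domain Admins'     # assumed domain name
$System    = 'NT AUTHORITY\SYSTEM'
$Customers = @{                          # customer number -> account (constructed)
    'C1001' = 'CONTOSO\cust1001'
    'C1002' = 'CONTOSO\cust1002'
}

function Set-CustomerAcl([string]$Path, [string]$Customer) {
    # Start from an empty ACL: this is the "Remove All" step.
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    # Protect the ACL and do not copy inherited entries: "Disable Inheritance".
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in $Admins, $Customer, $System) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-CustomerAcl([string]$Path, [string]$Customer) {
    # Return every ACE that is inherited, is not Full Control, or names a
    # principal outside the three expected ones. Empty output means a match.
    $expected = $Admins, $Customer, $System
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.IsInherited -or
        $_.FileSystemRights -ne 'FullControl' -or
        $expected -notcontains $_.IdentityReference.Value
    }
}

foreach ($id in $Customers.Keys) {
    $path = Join-Path $Root $id
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    Set-CustomerAcl $path $Customers[$id]
    # One hidden share per customer; the trailing $ keeps it out of browse lists.
    net share "$id`$=$path" "/GRANT:$Admins,FULL" "/GRANT:$($Customers[$id]),FULL" | Out-Null
    $bad = @(Test-CustomerAcl $path $Customers[$id])
    if ($bad.Count) { Write-Warning "$path has $($bad.Count) unexpected ACE(s)" }
}
```

The trailing `$` only hides a share from browse lists; the share and NTFS permissions are what keep one customer out of another's folder.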
     
  4. ToddAndMargo <ToddAndMargo@invalid.com> wrote:
    > Hi All,
    >
    > I have a WS08-1 TS that several of our customers use.
    >
    > Problem: with Windows Explorer (not IE), they can browse
    > to the C: drive, click on "users" and see the names of all the
    > other users (a list of our customers essentially).
    >
    > I need to protect the user's privacy (their names) from everyone
    > else. How do I make it so they only see their own name and
    > none of the other user's names?
    >
    > Many thanks,
    > -T

    Pulling back a little, they shouldn't be able to see/explore the C drive (or
    any local drives) at all. The TS box should be hosting TS sessions only, not
    serving files, etc. Don't store data on the TS box itself, but use folder
    redirection (I'm assuming you have a domain) for My Documents, Desktop,
    Application Data, and perhaps also Start Menu, to your file server(s).

    You should lock down the TS box via GPO so it can't be accessed this way. I
    don't know if KB 278295 works with W2008 exactly as is, but it works very
    well on W2003.
     
  5. ToddAndMargo

    ToddAndMargo Guest

    Ace Fekay [MCT] wrote:
    > One more suggestion, move all folders to another server. Then set them up as
    > mapped drives directly to their own individually shared out folders. Do not
    > share the parent folder. If you do, share it as hidden (by putting a $ on
    > the end of the sharename). Then create subfolders, one for each customer,
    > then share them individually as hidden, as well. You can then set their
    > respective locations as their home folders. Set permissions as such:

    Hi Ace,

    Thank you for the suggestions. The stinkin' program I
    am hosting does not network. (As far as I can tell, it
    has code in it to fight you if you try). My attempt at folder
    redirection and off computer networking came down
    around my ears.

    Is there a way to set the users so they can only see their
    own My Docs and their Desktop?

    -T
     