Question

  Asked: Jan 25 2007   4:13 PM GMT
  Asked by: skepticals


Blocking access to local Drive Win XP Server 2003 GPO



I recently found a way to access a local drive that is supposed to be hidden using group policy. I configured the policy to block the c: drive which works great - the drive is not listed in any program or my computer.

The issue is this. If I open Notepad, Word, or most any application and choose save as, a dialogue box appears (that does not show the c: drive) and if I type c: in the save box it will give me access to the c: drive.

Any ideas on how to block this? Also, in group policy I do not see a setting to block the d: drive. There are combinations that I can configure, but there is not one that allows me to block the c: and d: drive.

Thanks for the help,

J

Answer Wiki
Making the drive hidden from browsing is not the same as making the drive inaccessible. Any explicit reference to the drive will always work unless you use security to prevent access as well.
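As an added illustration of that point (example code, not part of this answer or the thread): the drive restrictions in the Explorer policy are a per-user registry bitmask with one bit per drive letter (A = bit 0, B = bit 1, C = bit 2, D = bit 3, and so on), so a custom mask covers C: and D: together even though the policy editor's canned list does not. `NoDrives` is the value "Hide these specified drives in My Computer" writes and only hides; `NoViewOnDrive` is the value "Prevent access to drives from My Computer" writes and makes the shell and the common file dialogs refuse to open the drive when it is typed. Neither touches NTFS: cmd.exe, scripts and any program that calls the file APIs directly still reach the drive, which is why only permissions actually deny access. The script assumes PowerShell and writes the current user's hive (HKCU); to push it per OU you would carry the same two values in a logon script or a custom ADM template.

```powershell
# Added example: computes the Explorer drive-restriction bitmask and writes
# the two policy values for the current user. Assumes PowerShell; the
# key and value names are the ones the two GPO settings themselves write.

function Get-DriveMask {
    param([string[]]$Letters)   # e.g. 'C','D'
    $mask = 0
    foreach ($l in $Letters) {
        $c   = [char]($l.ToUpper()[0])
        $idx = [int]$c - [int][char]'A'          # A=0, B=1, C=2, D=3 ...
        if ($idx -lt 0 -or $idx -gt 25) { throw "Not a drive letter: $l" }
        $mask = $mask -bor [int][math]::Pow(2, $idx)
    }
    return $mask
}

function Set-DriveRestriction {
    param([string[]]$Letters, [switch]$PreventAccess)
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $mask = Get-DriveMask $Letters
    # NoDrives: the drives disappear from My Computer and the file dialogs
    # (what "Hide these specified drives in My Computer" sets). Hiding only.
    Set-ItemProperty -Path $key -Name NoDrives -Value $mask -Type DWord
    if ($PreventAccess) {
        # NoViewOnDrive: the shell and the common dialogs refuse to open the
        # drive even when its letter is typed (what "Prevent access to drives
        # from My Computer" sets). Still a shell restriction, not an ACL.
        Set-ItemProperty -Path $key -Name NoViewOnDrive -Value $mask -Type DWord
    }
    return $mask
}

# C: and D: together: 4 + 8 = 12 (0x0C), a pair the canned GPO list does not offer.
Set-DriveRestriction -Letters 'C','D' -PreventAccess
```

`Get-DriveMask 'C','D'` returns 12; Explorer reads the values at logon, so a changed mask takes effect on the next logon or after restarting explorer.exe.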



Discuss This Answer



petroleumman  |   Jan 26 2007  9:36AM GMT

Hello,

Use NTFS permissions to control user and user group access to a drive (local or shared). To prevent access simply remove a user or group from the security ACL for the drive.

Note: Removing or restricting user access to a local drive may cause problems using installed software on a machine. I’d recommend testing your changes prior to putting them in production.

Good luck!

 

skepticals  |   Jan 26 2007  9:57AM GMT

Does this mean there is no way of hiding the c: completely while keeping the same permissions? These computers run office, IE, games, and other applications. I am not sure which permissions they need.

 

Swiftd  |   Jan 26 2007  7:38PM GMT

Warning: Test before implementing in a production environment.

Users in your circumstance probably require the maximum of Execute on Program Files and some files in the Windows directory. One does not require read access to execute a file. So, what you do is take away all rights for the users in question to all directories except for these. Keep in mind, this will take a while to go through each directory off the root directory.

See if this solves your problem. The only directory that they need write permissions to is their Documents and Settings directory - but they don’t require read… It could be fun watching them try to figure out how to get around it :).

Of course, all of this security means nothing if you don’t secure the box physically, i.e.: no thumb drives, no direct access to open the case (lock the case or put it in a sealed cabinet), no removable media, etc. Of course, since you have network access, you’ll have to secure the box as well.

All this said, you should buy a Wyse Terminal and set up one with IE and another with terminal access to a Citrix or Terminal Server. This would give them no physical way to get media out of the terminal. They would have to use your network to do so.

Don

 

skepticals  |   Jan 29 2007  10:56AM GMT

I’m curious,

I notice that if I type in C: in a web browser, I get a message that says “Access Denied”. Why can’t I get the same message when entering C: in the save box?

 

buddyfarr  |   Jan 30 2007  7:55AM GMT

If you require such restrictions on the machines then I would agree with swiftd that a Wyse terminal or other thin client linking to a terminal server is the way to go. We use a lot of Wyse terminals at my work and they are great, not only for security but for management also. There is no software on them at all, so no patches to worry about, except maybe the occasional firmware update if needed. Also no moving parts, so they last longer. Neoware also makes thin clients. We just purchased some of their laptops that are thin client only: no MB or HD, just a thin-client PCB with a screen. More expensive, but you get an all-in-one item.

 


bejjrk  |   Jan 30 2007  12:00PM GMT

Hi,

Try it this way… Create a group or use an existing group from the domain or the local machine… add it to the C: drive security context, and once you add the group you will get the default applicable permissions under the Allow column; change them to Deny. This won’t disturb the folder security under C:, because the folders under C: don’t inherit the security from C:.
Now log in with a user account who is a member of the new group for which we denied the access. Now that user will not be able to access C: because we denied the access for the group, but he can save documents to his profile folder, as denied permissions are not inherited by the “Docs and Settings” folder. The trick is that denied permissions take precedence over allow permissions.

I tested this on a Windows 2003 Server box with a local group. It is working. Test it, and if this works, write a cacls script and apply it to the OU using group policy.
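One way to script the deny entry bejjrk describes, written here as an added example rather than the cacls script from the post: the rule is added with InheritanceFlags and PropagationFlags set to None, which is the "This folder only" setting, so it is the non-inheriting root ACE the post relies on, and a second function reads the root DACL back so you can confirm the entry is there and not inherited. The script assumes PowerShell run as an administrator (a GPO startup script runs as SYSTEM, which also has the needed WRITE_DAC on the root) and a group named `NoRootAccess`, which is a placeholder for whatever group you create.

```powershell
# Added example, not bejjrk's cacls script. Assumptions: PowerShell run as an
# administrator (or as a GPO startup script, which runs as SYSTEM), and a group
# named 'NoRootAccess' (placeholder; create it or substitute your own).

function Add-RootDenyAce {
    param(
        [string]$Drive = 'C:\',
        [Parameter(Mandatory = $true)][string]$Group
    )
    $acl = Get-Acl -Path $Drive
    # InheritanceFlags None + PropagationFlags None = "This folder only".
    # The ACE never reaches subfolders, so the profile under Documents and
    # Settings and the programs under Program Files keep their own ACLs, and
    # because users hold Bypass Traverse Checking by default, paths below the
    # root still resolve: only the root folder itself is denied. Explicit deny
    # entries are evaluated before explicit allow entries, which is why this
    # wins over the Allow the group received when it was added.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Group, 'FullControl', 'None', 'None', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Drive -AclObject $acl
}

function Get-RootDenyAces {
    param([string]$Drive = 'C:\')
    # Read-back check: every Deny entry on the root and whether it is inherited.
    (Get-Acl -Path $Drive).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object IdentityReference, FileSystemRights, IsInherited,
                      InheritanceFlags, PropagationFlags
}

Add-RootDenyAce -Drive 'C:\' -Group 'NoRootAccess'
Get-RootDenyAces -Drive 'C:\'
```

`Get-RootDenyAces` should list the group with `IsInherited` False and `InheritanceFlags` None; if a second run of the check shows the same entry on a subfolder, the inheritance flags were not what you intended. The .NET rule is used instead of cacls because cacls offers no control over inheritance (xcacls and icacls were added for that), and an inheriting deny on the root is exactly what would break the profile folder and the installed programs.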