Blocking access to local Drive Win XP Server 2003 GPO

I recently found a way to access a local drive that is supposed to be hidden using group policy. I configured the policy to block the c: drive which works great - the drive is not listed in any program or my computer. The issue is this. If I open Notepad, Word, or most any application and choose save as, a dialogue box appears (that does not show the c: drive) and if I type c: in the save box it will give me access to the c: drive. Any ideas on how to block this? Also, in group policy I do not see a setting to block the d: drive. There are combinations that I can configure, but there is not one that allows me to block the c: and d: drive. Thanks for the help, J

Answer Wiki


Making the drive hidden from browsing is not the same as making the drive inaccessible. Any explicit reference to the drive will always work unless you use security to prevent access as well.

Discuss This Question: 6  Replies

 
  • Petroleumman
    Hello, Use NTFS permissions to control user and user group access to a drive (local or shared). To prevent access simply remove a user or group from the security ACL for the drive. Note: Removing or restricting user access to a local drive may cause problems using installed software on a machine. I'd recommend testing your changes prior to putting them in production. Good luck!
  • Skepticals
    Does this mean there is no way of hiding the c: completely while keeping the same permissions? These computers run office, IE, games, and other applications. I am not sure which permissions they need.
  • Swiftd
    Warning: Test before implementing in a production environment. Users in your circumstance probably require the maximum of Execute on Program Files and some files in the Windows directory. One does not require read access to execute a file. So, what you do is take away all rights for the users in question to all directories except for these. Keep in mind, this will take a while to go through each directory off the root directory. See if this solves your problem. The only directory that they need write permissions to is their Documents and Settings directory - but they don't require read... It could be fun watching them try to figure out how to get around it :). Of course, all of this security means nothing if you don't secure the box physically. I.e.: no thumb drives, no direct access to open the case (lock case or put in a sealed cabinet), no removable media, etc. Of course, since you have network access, you'll have to secure the box as well. All this said, you should buy a Wyse Terminal and set up one with IE and another with terminal access to a Citrix or Terminal Server. This would give them no physical way to get media out of the terminal. They would have to use your network to do so. Don
  • Skepticals
    I'm curious, I notice that if I type in C: in a web browser, I get a message that says "Access Denied". Why can't I get the same message when entering C: in the save box?
  • Buddyfarr
    If you require such restrictions to the machines then I would agree with Swiftd that a Wyse terminal or other thin client linking to a terminal server is the way to go. We use a lot of Wyse terminals at my work and they are great, not only for security but for management also. There is no software on them at all, so no patches to worry about, except maybe the occasional firmware update if needed. Also no moving parts, so they last longer. Neoware also makes thin clients. We just purchased some of their laptops that are thin client only. No MB or HD, just a thin client PCB with a screen. More expensive, but you get an all-in-one item.
  • Bejjrk
    Hi, try it this way... Create a group or use an existing group from the domain or local machine... add it to the C: drive security context, and once you add the group you will get the default applicable permissions under the Allow column; change them to Deny. This won't disturb the folder security under C:, because the folders under C: don't inherit the security from C:. Now log in with a user account that is a member of the new group for which we denied access. That user will not be able to access C: because we denied access for the group, but he can save documents to his profile folder, as the denied permissions are not inherited by the "Docs and Settings" folder. The trick is that denied permissions take precedence over allow permissions. I tested this on a Windows 2003 Server box with a local group; it is working. Test it, and if this works, write a cacls script and apply it to the OU using group policy.
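
The root-only Deny entry described in the last reply, as an added example that is not part of the original thread: it builds a Deny ACE that applies to the drive root only, changes nothing unless run with `-Apply`, and then checks that no first-level folder has inherited the Deny. It assumes PowerShell 2.0 or later and an elevated prompt; the group name `EXAMPLE\RestrictedUsers` is a placeholder.

```powershell
# Added example, not from the thread. Group name is a placeholder (assumption).
param(
    [string]$Drive = 'C:\',
    [string]$Group = 'EXAMPLE\RestrictedUsers',
    [switch]$Apply                      # without -Apply the ACL is not changed
)

# Deny ACE for the drive root only: InheritanceFlags 'None' means it is not
# passed down to subfolders such as the user profile directory.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $Group, 'ReadAndExecute', 'None', 'None', 'Deny'

# Show what the group already has on the root before touching anything.
$acl = Get-Acl -Path $Drive
Write-Host "Current ACEs for $Group on ${Drive}:"
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $Group } |
    Format-Table AccessControlType, FileSystemRights, InheritanceFlags, IsInherited -AutoSize |
    Out-Host

if ($Apply) {
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Drive -AclObject $acl
    Write-Host "Deny ACE added to $Drive (this folder only)."
} else {
    Write-Host "Dry run: would deny ReadAndExecute to $Group on $Drive (this folder only)."
}

# Check: collect first-level folders that carry an inherited Deny for the group.
$leaks = Get-ChildItem -Path $Drive -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $path = $_.FullName
        try { $childAcl = Get-Acl -Path $path -ErrorAction Stop } catch { return }
        $hit = $childAcl.Access | Where-Object {
            $_.IdentityReference.Value -eq $Group -and
            $_.AccessControlType -eq 'Deny' -and $_.IsInherited
        }
        if ($hit) { $path }
    }

if ($leaks) {
    Write-Warning "Inherited Deny for $Group found on: $($leaks -join ', ')"
} else {
    Write-Host "No first-level folder inherits a Deny for $Group."
}
```

Run it without `-Apply` on a test machine first, then log on as a member of the group and confirm that installed applications still start and that saving to the profile folder still works.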
