How to hide specific shares like "SYSVOL"

  • Thread starter Thread starter Michael Schaefer
  • Start date Start date
M

Michael Schaefer

Hi,

I'm just installed a new SBS-2000 Server in our small company and detected,
that users can see system shares like "SYSVOL" and "address" when tey browse
the network with windows explorer. I think, that this could be critical
because a user can manipulate items in such folders. Therfore, I want to
hide these objects from beeing browsed using Group Policy, so that the users
do not see these shares.

Can anybody advice me how to accomplish that? I'm a newbie and it's really
hard for me to understand all the possibilities here.

Thanks a lot in advance

Michael Schaefer
 
Hello Michael,

No domain users have the ability to modify the Sysvol directory or it's
contents. And all domain users need access to this directory. You should be
able to accomplish what you want to some degree by removing the NTFS
permission "LIST" from the root of SYSVOL for the Everyone or the
Authenticated Users group. Then they cannot browse the policy structure. Be
careful as incorrectly modifying permissions on the sysvol folder can cause
undesirable consequences.

Buz Brodin
MCSE NT4 / Win2K
Microsoft Enterprise Domain Support

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.

Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
 
You can also mark the folders as "hidden" as an added precaution. Users that
have the show hidden files and folders will still see the folder though.

Buz Brodin
MCSE NT4 / Win2K
Microsoft Enterprise Domain Support

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.

Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
 
Hi Buz,

Thank you very much for your information. But a last question: In general,
is it possible to hide certain shares using Group Policy instead of using
security settings?

Michael
 
Yes you can change File System security but you DO NOT want to do this on a
Domain Controller in regards to the Sysvol directory or it's contents. The
policy will reACL the folders every five minutes and the contents will be
marked as changed. This will be fire off excessive replication and 13567s in
the event log.


Buz Brodin
MCSE NT4 / Win2K
Microsoft Enterprise Domain Support

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.

Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
 
Back
Top