Users accessing C$

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I've recently discovered one user saving files while in a Terminal Server
session to the 'C:' drive - which is the server root. Obviously users have
files on other servers but should not be saving anything to our Terminal
Server.

I'm a little hazy on how the permissions should be set-up to allow people to
log in but not access the actual server HDD itself

Any ideas? Thanks!
 
A user will not need write/modify/full control permissions to logon to a TS
or other computer with the possible exception of their user profile if they
are allowed to save and manage files there. So what I would do is to make
sure that users have no more then read/list/execute permissions to any
folder where you do not want them to store files to. Other then the system
folders, root folder, user profiles, and folders that they need to write to
or run applications from they need no permissions on other folders. The link
below may help. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;308419
http://support.microsoft.com/?scid=327522

WORKAROUND
To work around this issue, reset the permissions for the root directory on
the system drive. The default permissions for Windows XP can serve as a
guide for a set of permissions that have been thoroughly designed and
tested. The following are the default permissions for the root directory on
the system drive for Windows XP: . Administrators: Full (This Folder,
Subfolders, and Files)
. Creators Owners: Full (Subfolders and Files)
. System: Full (This Folder, Subfolders, and Files)
. Everyone: Read and Execute (This Folder Only)
 
Thanks for your help Steven; I feel I should have known this, but we learn by
asking I believe. I am beginning to put your advice into practise, thanks
once again
 
On checking Steven I noticed our rights were set as you mentioned, however,
if I checked the security on the root and went to 'Advanced' then the 'Users'
group had Allow rights to 'Create folders & append data' on this root.

I have now Denied this and tested creating a folder with a user with
standard privileges and this has worked. Would someone have enabled this by
default and what are the possible ramifications of me denying this option?
 
I believe that is the default setting in that users can not write files to
the drive/root folder but can create folders and write files to those
folders. If you do not want users to be able to create folders in the root
folder then you did the right thing by changing the permission which could
be done with a deny or simply removing the unneeded permission [implicit
deny] which is most common method to do such. --- Steve


Chris Hagon said:
On checking Steven I noticed our rights were set as you mentioned,
however,
if I checked the security on the root and went to 'Advanced' then the
'Users'
group had Allow rights to 'Create folders & append data' on this root.

I have now Denied this and tested creating a folder with a user with
standard privileges and this has worked. Would someone have enabled this
by
default and what are the possible ramifications of me denying this option?
Click to expand...
 
Back
Top