Users accessing C$

Guest
Archived from groups: microsoft.public.win2000.security

I've recently discovered one user saving files while in a Terminal Server
session to the 'C:' drive - which is the server root. Obviously users have
files on other servers but should not be saving anything to our Terminal
Server.

I'm a little hazy on how the permissions should be set up to allow people to
log in but not access the actual server HDD itself.

Any ideas? Thanks!

-------
Tech Admin
West Midlands, England
Stressed and Tired!
--------
 
Guest

A user will not need write/modify/full control permissions to log on to a TS
or other computer, with the possible exception of their user profile if they
are allowed to save and manage files there. So what I would do is to make
sure that users have no more than read/list/execute permissions to any
folder where you do not want them to store files. Other than the system
folders, root folder, user profiles, and folders that they need to write to
or run applications from, they need no permissions on other folders. The links
below may help. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;308419
http://support.microsoft.com/?scid=327522

WORKAROUND
To work around this issue, reset the permissions for the root directory on
the system drive. The default permissions for Windows XP can serve as a
guide for a set of permissions that have been thoroughly designed and
tested. The following are the default permissions for the root directory on
the system drive for Windows XP:

- Administrators: Full (This Folder, Subfolders, and Files)
- Creator Owner: Full (Subfolders and Files)
- System: Full (This Folder, Subfolders, and Files)
- Everyone: Read and Execute (This Folder Only)


"Chris Hagon" <ChrisHagon@discussions.microsoft.com> wrote in message
news:A15D2BDF-11E0-4C37-9E38-9E4759E0B070@microsoft.com...
> I've recently discovered one user saving files while in a Terminal Server
> session to the 'C:' drive - which is the server root. Obviously users have
> files on other servers but should not be saving anything to our Terminal
> Server.
>
> I'm a little hazy on how the permissions should be set up to allow people to
> log in but not access the actual server HDD itself.
>
> Any ideas? Thanks!
>
> -------
> Tech Admin
> West Midlands, England
> Stressed and Tired!
> --------
 
Guest

Thanks for your help, Steven; I feel I should have known this, but we learn by
asking, I believe. I am beginning to put your advice into practice, thanks
once again.

-------
Tech Admin
West Midlands, England
Stressed and Tired!
--------


"Steven L Umbach" wrote:

> A user will not need write/modify/full control permissions to log on to a TS
> or other computer, with the possible exception of their user profile if they
> are allowed to save and manage files there. So what I would do is to make
> sure that users have no more than read/list/execute permissions to any
> folder where you do not want them to store files. Other than the system
> folders, root folder, user profiles, and folders that they need to write to
> or run applications from, they need no permissions on other folders. The links
> below may help. --- Steve
>
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;308419
> http://support.microsoft.com/?scid=327522
>
> WORKAROUND
> To work around this issue, reset the permissions for the root directory on
> the system drive. The default permissions for Windows XP can serve as a
> guide for a set of permissions that have been thoroughly designed and
> tested. The following are the default permissions for the root directory on
> the system drive for Windows XP:
>
> - Administrators: Full (This Folder, Subfolders, and Files)
> - Creator Owner: Full (Subfolders and Files)
> - System: Full (This Folder, Subfolders, and Files)
> - Everyone: Read and Execute (This Folder Only)
 
Guest

On checking, Steven, I noticed our rights were set as you mentioned; however,
if I checked the security on the root and went to 'Advanced' then the 'Users'
group had Allow rights to 'Create folders & append data' on this root.

I have now Denied this and tested creating a folder with a user with
standard privileges and this has worked. Would someone have enabled this by
default and what are the possible ramifications of me denying this option?

-------
Tech Admin
West Midlands, England
Stressed and Tired!
--------


"Chris Hagon" wrote:

> Thanks for your help, Steven; I feel I should have known this, but we learn by
> asking, I believe. I am beginning to put your advice into practice, thanks
> once again.
>
> -------
> Tech Admin
> West Midlands, England
> Stressed and Tired!
> --------
 
Guest

I believe that is the default setting, in that users cannot write files to
the drive/root folder but can create folders and write files to those
folders. If you do not want users to be able to create folders in the root
folder then you did the right thing by changing the permission, which could
be done with a deny or by simply removing the unneeded permission [implicit
deny], which is the most common method of doing so. --- Steve


"Chris Hagon" <ChrisHagon@discussions.microsoft.com> wrote in message
news:F20397F2-B747-4451-8D18-055B4AE12BC8@microsoft.com...
> On checking, Steven, I noticed our rights were set as you mentioned; however,
> if I checked the security on the root and went to 'Advanced' then the 'Users'
> group had Allow rights to 'Create folders & append data' on this root.
>
> I have now Denied this and tested creating a folder with a user with
> standard privileges and this has worked. Would someone have enabled this by
> default and what are the possible ramifications of me denying this option?
>
> -------
> Tech Admin
> West Midlands, England
> Stressed and Tired!
> --------
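
An added example, not part of the original thread: a PowerShell audit that lists the Allow ACEs on a folder which grant write-type rights to anyone other than Administrators, SYSTEM and CREATOR OWNER, and shows whether each entry applies to the folder itself or only to its children (the distinction visible only under 'Advanced'). The SDDL string is constructed for illustration, and the function name `Get-UntrustedWriteAce` and the trusted-SID list are assumptions of this example.

```powershell
# Constructed SDDL for illustration: Users (BU) may add subfolders here (0x4, CI)
# and add files only inside subfolders (0x2, CI + inherit-only).
$sampleSddl = 'D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICIIO;GA;;;CO)' +
              '(A;OICI;0x1200a9;;;BU)(A;CI;0x4;;;BU)(A;CIIO;0x2;;;BU)(A;;0x1200a9;;;WD)'

# Assumption: only Administrators, SYSTEM and CREATOR OWNER should hold write rights.
$trustedSids = 'S-1-5-32-544', 'S-1-5-18', 'S-1-3-0'

# FILE_WRITE_DATA/ADD_FILE, FILE_APPEND_DATA/ADD_SUBDIRECTORY, GENERIC_WRITE, GENERIC_ALL
$writeBits = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

function Get-UntrustedWriteAce {
    param([System.Security.AccessControl.DirectorySecurity]$Security)

    # Ask for raw SIDs so no name lookup is needed.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $Security.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trustedSids -contains $ace.IdentityReference.Value) { continue }

        # Cast to int: generic rights are not named FileSystemRights values.
        $rights = [int]$ace.FileSystemRights
        if (-not ($rights -band $writeBits)) { continue }

        # Inherit-only ACEs do not affect the folder they are set on.
        $inheritOnly = ([int]$ace.PropagationFlags -band
            [int][System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0
        [pscustomobject]@{
            Sid          = $ace.IdentityReference.Value
            AddSubfolder = [bool]($rights -band 0x4)
            AddFile      = [bool]($rights -band 0x2)
            AppliesTo    = if ($inheritOnly) { 'children only' } else { 'this folder' }
            Inherited    = $ace.IsInherited
        }
    }
}

# Run the audit over the constructed descriptor.
$sd = New-Object System.Security.AccessControl.DirectorySecurity
$sd.SetSecurityDescriptorSddlForm($sampleSddl)
Get-UntrustedWriteAce -Security $sd | Format-Table -AutoSize

# Against a live server, audit the real root instead:
# Get-UntrustedWriteAce -Security (Get-Acl "$env:SystemDrive\")
```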