Folder Security Issue

microsoft.public.windows.server.security - Supporting MS Windows network? Read here before it's too late! 

Subject Author Date Folder Security Issue Bill 11-01-2007  Re: Folder Security Issue Steven L Umbach 11-01-2007  Re: Folder Security Issue Roger Abell [MV... 11-06-2007

Posted by Bill on November 1, 2007, 10:53 am Please log in for more thread options Having been through various posts about NTFS and trying many things I don't think I can do this with anything simple and easy for I am looking for some solutions. Here is the situation \DFS\Projects 2007\Project #1 \DFS\Projects 2007\Project #2 \DFS\Projects 2007\Project #3 I need to figure out a way so that you cannot MOVE any Project folder, its subfolder or files to a different project. All projects of a given year all reside on the same volume on the server. I have managed to get it so users cannot delete or move specific folders, but I need them to be able to move them around and delete them within the project. The users use mapped drives to connect to the DFS root, so I can afford to have some leeway in how the DFS is structured. Plus any short term issues of fixing broken files/programs will be nothing compared to the long term security of people not dragging and dropping folders where they shouldn't. Posted by Steven L Umbach on November 1, 2007, 6:53 pm Please log in for more thread options What you need to look at is to possibly use special permissions [in advanced security] and in that case you will see you have many options for permissions in the apply onto drop down box [folders, subfolders, and files and combinations thereof] and users/groups can have different permissions for each set available. At first this is kind of hard to figure out if you have not used special permissions before but a good place to see it configured is on the drive/root folder of an XP Pro computer. For instance you could try to deny write [or implicit lack of write] for create folders to the root folder only of each project. While that may help it may not be able to do completely what you want to do as a user can move a folder as long as he has delete folder permission at the source and write/create folder at the destination but it may stop most accidental drag and drops. Steve http://support.microsoft.com/default.aspx?scid=kb;EN-US;308419 --- using NTFS special permissions show/hide quoted text > Having been through various posts about NTFS and trying many things I > don't think I can do this with anything simple and easy for I am > looking for some solutions. > Here is the situation > \DFS\Projects 2007\Project #1 > \DFS\Projects 2007\Project #2 > \DFS\Projects 2007\Project #3 > I need to figure out a way so that you cannot MOVE any Project folder, > its subfolder or files to a different project. > All projects of a given year all reside on the same volume on the > server. > I have managed to get it so users cannot delete or move specific > folders, but I need them to be able to move them around and delete > them within the project. > The users use mapped drives to connect to the DFS root, so I can > afford to have some leeway in how the DFS is structured. Plus any > short term issues of fixing broken files/programs will be nothing > compared to the long term security of people not dragging and dropping > folders where they shouldn't. > Posted by Roger Abell [MVP] on November 6, 2007, 9:29 am Please log in for more thread options At the end of the day Bill I believe you will find that you have researched this issue completely (based on what you have said) and that there is no solution. If they can delete within a project area, as you indicate they do need to be allowed, then if they try to move something to a different project area where they can write, then all will move up to the point where a delete is tried that is disallowed. This usually means that substructure and its files get moved to the new location and an empty dir gets left behind. I have found no solution nor heard of one, other than user education or scheduled examine and cleanup scripts. Roger show/hide quoted text > Having been through various posts about NTFS and trying many things I > don't think I can do this with anything simple and easy for I am > looking for some solutions. > Here is the situation > \DFS\Projects 2007\Project #1 > \DFS\Projects 2007\Project #2 > \DFS\Projects 2007\Project #3 > I need to figure out a way so that you cannot MOVE any Project folder, > its subfolder or files to a different project. > All projects of a given year all reside on the same volume on the > server. > I have managed to get it so users cannot delete or move specific > folders, but I need them to be able to move them around and delete > them within the project. > The users use mapped drives to connect to the DFS root, so I can > afford to have some leeway in how the DFS is structured. Plus any > short term issues of fixing broken files/programs will be nothing > compared to the long term security of people not dragging and dropping > folders where they shouldn't. > Similar Threads Posted windows 7 - folder re-direction/offline files issue May 21, 2009, 11:48 am Security issue about NTUSER.MAN November 25, 2006, 12:45 pm Security Issue/Question April 28, 2007, 12:12 am Application security issue May 15, 2007, 2:13 pm Windows 2003 security issue January 25, 2006, 3:50 am Security Config and Analysis issue September 16, 2008, 10:15 am IIS or directory security issue on 2003 E server January 12, 2007, 9:56 pm Re: Ntbackup Windows 2003 SP1 issue (VSS/Security) June 13, 2005, 6:37 pm Re: Ntbackup Windows 2003 SP1 issue (VSS/Security) May 13, 2007, 5:47 pm Re: Server 2008 Domains - Security issue February 15, 2008, 2:51 am