
Looking for best practices for setting up secure user home directory file structure

Posted by Rob Gordon on October 6, 2006, 8:47 pm
I am in process of trying to set up a secure home directory structure that
would allow users to have two repositories each. One for keeping their
confidential information in, and the other as a publicly available share,
for anything they wanted to allow other users to be able to view. Domain
Admins would of course have Full Control Access over all directories.

The initial file structure that I'm considering is the following:

Top Level = Users (i.e. \Users)
Second Level = Home Directories for all corporate users (i.e. \Users\fred)
Third Level = Private folder and Public folder for each individual user
(i.e. \Users\Fred\Private would be accessible only to user Fred and
\Users\Fred\Public as a publicly R/O share accessible by all users, but
still allowing user Fred Full access to be able to post data to this
directory)

Is it possible to set up this folder structure securely (both with file and
share level security), or is it more logical to set up two directory
structures (i.e. \Users\Public and \Users\Private) that each contain a
directory dedicated to each corporate user (i.e. \Users\Public\Fred and
\Users\Private\Fred)? This of course assumes that the permissions on the
\Public directories will be R/O by all, and Full Control by the directory's
owner, and permissions on the Private directory would be Full Control for
the directory's owner only.

All feedback is greatly appreciated. :)



Posted by Pegasus (MVP) on October 6, 2006, 9:26 pm

> I am in process of trying to set up a secure home directory structure that
> would allow users to have two repositories each. One for keeping their
> confidential information in, and the other as a publicly available share,
> for anything they wanted to allow other users to be able to view. Domain
> Admins would of course have Full Control Access over all directories.
>
> The initial file structure that I'm considering is the following:
>
> Top Level = Users (i.e. \Users)
> Second Level = Home Directories for all corporate users (i.e. \Users\fred)
> Third Level = Private folder and Public folder for each individual user
> (i.e. \Users\Fred\Private would be accessible only to user Fred and
> \Users\Fred\Public as a publicly R/O share accessible by all users, but
> still allowing user Fred Full access to be able to post data to this
> directory)
>
> Is it possible to set up this folder structure securely (both with file and
> share level security), or is it more logical to set up two directory
> structures (i.e. \Users\Public and \Users\Private) that each contain a
> directory dedicated to each corporate user (i.e. \Users\Public\Fred and
> \Users\Private\Fred)? This of course assumes that the permissions on the
> \Public directories will be R/O by all, and Full Control by the directory's
> owner, and permissions on the Private directory would be Full Control for
> the directory's owner only.
>
> All feedback is greatly appreciated. :)

I suspect your server is called "Server", not "Users", isn't it? If so
then I recommend you set up the following shares

\Server\Public
\Server\Fred
\Server\Joe
\Server\Mary

which correspond to the following folders:
D:\Shares\Public
D:\Shares\Users\Fred
D:\Shares\Users\Joe
D:\Shares\Users\Mary

Your scheme \Server\Fred\Public / \Server\Fred\Private makes
private folders visible (though not accessible) to everyone, which
is bad policy because it tempts people.

Set your share permissions to "Full access" for everyone, then
apply your restrictions via NTFS permissions.



Posted by Rob Gordon on October 7, 2006, 1:21 am
What about creating the individual directories under D:\Shares\Public (i.e.
\Server\Public\Fred, \Server\Public\Larry, etc.)? Would I do the same
thing for those by creating them and setting the share permissions as you
described below?




Posted by Pegasus (MVP) on October 7, 2006, 2:40 am
No problem with this approach, provided that these
folders are meant to be visible to everyone.


> What about creating the individual directories under D:\Shares\Public (i.e.
> \Server\Public\Fred, \Server\Public\Larry, etc.)? Would I do the same
> thing for those by creating them and setting the share permissions as you
> described below?



Posted by Roger Abell [MVP] on October 7, 2006, 4:00 am
If you were to isolate private folders at \host\private\username then
as you would be sharing the \host\private the "temptation" for user1
to poke at user2 would still be there.
Since the amount of differencing in NTFS permissions would be about
the same if one did or did not separate the private from the public there
seems no real gain in management simplicity one way or the other.

So, I would consider going with
\host\users
\host\users\username1 the public area
\host\users\username1\private username1's private area

This is more convenient for username1 as they work in one area,
published to others "up there" else shared with no one in "private".

This quite possibly also minimizes the number of NTFS inheritance
points that are set up compared to other designs.

I would strongly recommend that you share \host\users with Change,
NOT with Full in order to prevent their changing the NTFS permissions
on what they create from your intended constraints.

I would also think about using Access Based Enumeration, so in effect
each username1 would be able to see only one (their own) "private".


Roger
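
The layout from the reply above, as an added example that is not part of the original thread: one share granting Change at share level, NTFS ACLs doing the per-user restriction, and Access Based Enumeration enabled. The path `D:\Shares\Users`, the domain name `CORP` and the user list are constructed placeholders, and the script assumes a Windows Server version that ships the SmbShare module.

```powershell
# Added example; every name below is a constructed placeholder.
$root   = 'D:\Shares\Users'        # assumed local folder behind the share
$domain = 'CORP'                   # assumed NetBIOS domain name
$users  = 'fred', 'joe', 'mary'    # constructed sample accounts

New-Item -ItemType Directory -Path $root -Force | Out-Null

# Root folder: remove inherited ACEs. Admins and SYSTEM get Full Control that
# flows down; Domain Users get Read/Execute on this folder only, so they can
# traverse it but cannot create anything directly under it.
icacls $root /inheritance:r `
    /grant:r "$domain\Domain Admins:(OI)(CI)F" "SYSTEM:(OI)(CI)F" `
    /grant:r "$domain\Domain Users:(RX)"

foreach ($u in $users) {
    $public  = Join-Path $root $u          # the user's public area
    $private = Join-Path $public 'private' # the user's private area
    New-Item -ItemType Directory -Path $public, $private -Force | Out-Null

    # Public area: everyone reads, the owner gets Modify rather than Full,
    # so the owner cannot rewrite the ACL or take ownership.
    icacls $public /grant:r `
        "$domain\Domain Users:(OI)(CI)RX" "$domain\${u}:(OI)(CI)M"

    # Private area: the one inheritance break per user. Dropping inherited
    # ACEs removes the Domain Users read entry coming from the public folder.
    icacls $private /inheritance:r /grant:r `
        "$domain\Domain Admins:(OI)(CI)F" "SYSTEM:(OI)(CI)F" `
        "$domain\${u}:(OI)(CI)M"
}

# Share level: Change (not Full) for users, so NTFS permissions cannot be
# altered through the share. AccessBased enumeration hides folders a caller
# has no rights to, so each user lists only their own "private".
New-SmbShare -Name 'users' -Path $root `
    -ChangeAccess "$domain\Domain Users" `
    -FullAccess   "$domain\Domain Admins" `
    -FolderEnumerationMode AccessBased
```

Running `icacls D:\Shares\Users\fred\private` afterwards should list only Domain Admins, SYSTEM and the owner, with no inherited `(I)` entries.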



