|
Posted by Steven L Umbach on September 30, 2005, 6:55 pm
Please log in for more thread options I just also want to mention that you may want to rethink having software
developers remote into a computer that has company data on it. Ideally you
would want to have that data on a separate server that they can not possibly
access. You can then also use the user rights for access this computer from
the network to restrict what users can access the server for using file
shares and then also restrict access for Remote Desktop to not include them.
For higher security ipsec polices can be used to isolate sensitive
servers/data from those users AND computers that should not have access to
the data. Ipsec policies must be thoroughly planned and tested after
reading MS documentation on the subject however. --- Steve
> Out of curiosity try using a local group instead of a domain local group
> to see if that changes anything. Also keep in mind that an explicit allow
> will override an inherited deny for ntfs permissions so you may want to
> check that possibility. It would also seem that the users that are
> remoting in are a member of a group that has allow permissions to the
> folder such as users, everyone, or domain users maybe. Even though deny
> permissions should work, if that is the case you may want to configure
> permissions so that is not the case as in remove users/everyone/domain
> users and create a global group with only the users that should have
> access and probably give administrators and system full control. When
> doing your testing and you change group memberships be sure to logoff and
> logon again to refresh the token for the test user. --- Steve
>
>
>> To anyone who can help,
>>
>> I am having the strangest problem with a Windows 2003 Server.
>> Long story short we have to let some software developers TS into one of
>> our
>> servers but the server also has company data on it that we don't want
>> them to
>> access. The data is on a separate partition from anything else. My
>> answer
>> was thus:
>> 1. Create Domain Local Security Group
>> 2. Deny Full Access at the root of the partition to the Group
>> 3. Add users to the group.
>>
>> Normally I would expect this to work but it does not. The deny is
>> supposed
>> to override everything else but for some reason it is not working.
>>
>> Here the strangeness continues:
>> If I Logon as the user and double click on the partition it says "No
>> Access"
>> as expected but I can then do a D:\Some Folder on it and it all works
>> fine.
>> They can then open documents and explore as they like.
>>
>> I have gone into Advanced and reset permissions on files and folders. I
>> have gone into effective permissions and when I choose the group it says
>> no
>> permission, when I choose one of the users it says Full Control. I have
>> removed and re-added the group to the user. The user has no special user
>> rights - we made a special group that had TS access but no ability to
>> shutdown/restart etc. so they are not system administrators.
>>
>> The server is Windows 2003 SP1 and the only thing special about it is
>> that
>> we have loaded the patch to hide folders via shares that users have no
>> permissions to.
>>
>> I can't seem to find anyone else with the same problem so I am at a loss
>> to
>> fix it? I can specifically deny it for that specific user and it works
>> but
>> this will create us a lot of maintenance in the long run.
>>
>> Does anyone have any ideas?
>>
>> Sincerely,
>> Elizabeth
>
>
| 
XML Sitemap