02.13.08
Hardened NTFS permissions for specific tasks
Included below are common share and NTFS permissions that I am constantly setting up; instead of referring to the countless KB articles and notes, I have summarized them here.
Basic - Default User Folder
These settings allow automatic home folder creation when the home folder is specified in ADUC. Select a folder and share it; by default you need to add Write to the share permissions. This section documents which NTFS permissions are required on the parent folder for automatic folder creation from ADUC.
Share
Permissions –> EVERYONE Full Control (Everyone currently)
Security
Advanced –> UNCHECK Allow inheritable permissions
Select Copy
Administrators –> Full Control –> This Folder, Subfolders and files
Creator Owner –> Full Control –> Subfolders and files only
System –> Full Control –> This Folder, Subfolders and files
SECUREGROUP (DOMAIN\SECUREGROUP) –> List Folder / Read Data & Create Folders / Append Data –> This Folder Only (Domain\User Currently)
Authenticated Users –> Special - Traverse Folder / Execute File, List Folder / Read Data, Read Attributes, Read Permissions –> This Folder Only
Add a login script in group policy and you are done.
Basic - Hardened User Folder
TBD - This prevents other users from examining the contents of your folders
Same as above, but you may need to disable permission inheritance and make sure that the special permissions don't apply to subfolders of the root folder (“Apply Onto:” “This Folder Only”).
Basic “Team” or “Department” shared folder
Allows you to store team or department documents on a share for sharing with anyone in your security group or department.
Select or create a security group of users who will use the department share (SECUREGROUP). I am going to create a vi_team group for this.
Share
Permissions –> SECUREGROUP Full Control (Everyone currently)
Security
Advanced –> UNCHECK Allow inheritable permissions
Select Copy
Administrators –> Full Control –> This Folder, Subfolders and files
Creator Owner –> Full Control –> Subfolders and files only
System –> Full Control –> This Folder, Subfolders and files
SECUREGROUP (DOMAIN\SECUREGROUP) –> Modify –> Subfolders and files only
Advanced “Team” or “Department” shared folder
Similar to basic, but the root folder structure does not allow writes, and predetermined folders have their NTFS permissions set correctly for sharing within departments.
Ensure the “Delete Subfolders and Files” box is not checked.
(Used Domain\Users, Modify, subfolders and files only)
Authenticated Users –> Special - Traverse Folder / Execute File, List Folder / Read Data, Read Attributes, Read Permissions –> This Folder Only
Subfolders
Each subfolder has a unique group created for it.
Permission settings are as normal, with Modify permissions set on that subfolder's security group.
Roaming Profile folder settings
Allows you to store secure roaming user profiles on a server.
Append a $ to the end of the share name to hide it from prying eyes.
Select or create a security group of users who will use the roaming profiles (SECUREGROUP). I am using the default DOMAIN\Users group for this.
Share
Permissions –> SECUREGROUP Full Control (Everyone currently)
Caching –> Files or Folders will not be available offline
Security
Advanced –> UNCHECK Allow inheritable permissions
Select Copy
Administrators –> Full Control –> This Folder, Subfolders and files
Creator Owner –> Full Control –> Subfolders and files only
System –> Full Control –> This Folder, Subfolders and files
SECUREGROUP (DOMAIN\SECUREGROUP) –> List Folder / Read Data & Create Folders / Append Data –> This Folder Only (Domain\User Currently)
Now insert \\SERVERNAME\PROFILENAME$\%username% in the ADUC Profile –> Profile Path and you are done.
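The root-folder ACL above is the same for the home folder section and the roaming profile section, so here is one script that applies it. This is an added example, not from the original post; $Root, $Group and the share name are placeholders, and it uses the .NET ACL classes rather than the Advanced Security dialog.

```powershell
# Added example (not from the original post): applies the home-folder / profile-root
# NTFS ACL listed above. $Root, $Group and the share name are placeholders; run
# elevated on the file server that will host the share.
param(
    [string]$Root  = 'D:\Users',           # placeholder: folder that will be shared
    [string]$Group = 'DOMAIN\SECUREGROUP'  # placeholder: group whose members get folders
)

# "Apply onto:" choices from the dialog as (InheritanceFlags, PropagationFlags) pairs.
$applyTo = @{
    ThisFolderSubfoldersFiles = @('ContainerInherit, ObjectInherit', 'None')
    SubfoldersFilesOnly       = @('ContainerInherit, ObjectInherit', 'InheritOnly')
    ThisFolderOnly            = @('None', 'None')
}

function New-Ace([string]$Identity, [string]$Rights, [string]$Scope) {
    $flags = $applyTo[$Scope]
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$flags[0],
        [System.Security.AccessControl.PropagationFlags]$flags[1],
        [System.Security.AccessControl.AccessControlType]::Allow)
}

# The ACE list from the post. "List Folder / Read Data & Create Folders / Append Data" is
# ListDirectory + CreateDirectories. The Authenticated Users "Special" entry lets a user
# open the root and see folder names, but grants nothing inside the user folders, which
# inherit only the Administrators, SYSTEM and CREATOR OWNER entries.
$rules = @(
    New-Ace 'BUILTIN\Administrators'           'FullControl'                       'ThisFolderSubfoldersFiles'
    New-Ace 'CREATOR OWNER'                    'FullControl'                       'SubfoldersFilesOnly'
    New-Ace 'NT AUTHORITY\SYSTEM'              'FullControl'                       'ThisFolderSubfoldersFiles'
    New-Ace $Group                             'ListDirectory, CreateDirectories'  'ThisFolderOnly'
    New-Ace 'NT AUTHORITY\Authenticated Users' 'Traverse, ListDirectory, ReadAttributes, ReadPermissions' 'ThisFolderOnly'
)

New-Item -ItemType Directory -Path $Root -Force | Out-Null
$acl = Get-Acl -Path $Root
# "UNCHECK Allow inheritable permissions"; $false drops the inherited copies, and the
# list above re-adds the Administrators and SYSTEM entries the post keeps via "Copy".
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $Root -AclObject $acl

# Share it with the $ suffix so it stays out of browse lists (placeholder share name).
net share ('Users$=' + $Root) /GRANT:Everyone,FULL | Out-Null

# Verify: every entry should be explicit (IsInherited = False) and match the list above.
(Get-Acl -Path $Root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited -AutoSize
```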
Student/Employee Drop Folder
TBD
Implementing My Documents Redirection using group policy