• Status: Solved
  • Priority: Medium
  • Security: Public

Prevent directory listing of Windows 2000 server shared folder

We have Pegasus Opera II program and data files stored in a share on our Windows 2000 Server.

The data directory which holds the MS Visual Foxpro dbf database files needs to be left with the security group Domain Users having full access.  

Obviously, we can restrict access to the payroll through Pegasus Opera itself; however, today a network user has browsed into the directory either via the mapped network drive letter or UNC and opened one of the payroll dbf files using MS Excel!

I now have a method to hide the payroll files in a directory of their own with restricted Windows 2000 NTFS file permissions.  However, my FD is concerned about the remaining data files which contain sensitive data such as cost prices, profit margins, customer data, etc.

Due to the way Opera works (when a sales invoice is raised for example, the user requires access to the sales ledger, stock & invoicing data files) all of the remaining data files must be left with full access permissions to all users who require access to Opera.

The user who accessed the file needs to have access to Opera to perform their duties, as do about 90% of the company's computer users, so I can't just deny him/them access via NTFS permissions.

As the database files can be opened with MS Excel, MS Access or an ODBC link, my thought is to "hide" them from directory listings so that users simply can't see them.

This sounds good in theory but I'm not sure that it can be done.  Does anyone have any ideas, suggestions or software solutions please?  I have asked our opera reseller who basically said, "yes, this is a known issue with no known solution" but there must be something.  Surely companies can't be expected to leave their data files open to this level of abuse.

Thanks
0
holt2000
 
Jay_Jay70Commented:
Hi holt2000,

have you set up any NTFS permissions on the directory itself?

Cheers!
0
 
holt2000Author Commented:
Hi Jay_Jay70

With regard to the Data directory itself, I have left the security group domain users with full access as required for Opera.

I did try to deny the list directory permission but this completely prevented access to Opera.

thanks

Steve
0
 
Jay_Jay70Commented:
even if you denied a single user permissions? do all the users use opera?
0

 
holt2000Author Commented:
Unfortunately, I can't really just deny single users access to the files as the people who are, shall we say, clever enough to access the files all require legitimate access to perform their duties.
0
 
Jay_Jay70Commented:
but you can narrow down on to that directory can't you? or even down to the files themselves??
0
 
holt2000Author Commented:
I can't narrow down because the users who are likely to abuse their access to the file via browsing to the share are also the same users who need to be able to read the files for their allowed daily usage of the Opera software.

In other words, if I set the permissions on the file and remove their read access, I prevent them from using Opera, and I need them to have access to Opera, just not access to the directory via a browser.

As regards the individual files, there are over 500 of them anyway per company for 4 companies.

Thanks

Steve
0
 
Jay_Jay70Commented:
ah man what a pickle!

give me a minute and I'll see what I can think of - just on call at the moment so mind's in two places :)
0
 
Jay_Jay70Commented:
I haven't dealt with Opera so I don't know exactly how it works, but from what you have said Windows security won't do the job

you can try hiding the files, but they will be able to undo these settings by playing with their folder views

does Opera not provide any security itself
0
 
Rob WilliamsCommented:
Do your users need to be able to browse the folder? If not, and the file location can be specified in the application I believe you could, under advanced security permissions, remove the traverse folders and list folders permissions for the users, and they would still be able to have full control over the files but not be able to browse and "explore". If they knew the file name and location they would still be able to access by entering the UNC path in a browser, but I am guessing most do not know that information off the top of their head.
Just a thought.
0
 
holt2000Author Commented:
Jay_Jay - yes opera provides security so you can't view the files through the Opera software unless authorised but users are reaching the files via the windows explorer as they are held in a standard windows shared folder on our server.

RobWill - I have played around with the list folder NTFS permissions but unfortunately this also removed read access to the files which the Opera software requires to give legitimate access to authorised users.

I have come up with a workaround which improves, but does not solve, the situation.  Basically the Opera data has been moved to a new location on the server not accessible via any drive mappings - only via a UNC path to a share on the server.  I gave the share a sharename ending with a dollar symbol which hides the share from Windows Explorer.  Fortunately, Opera supports UNC paths back to the data files.  Unless the user knows the exact share name, they can't find the data.

Does anyone out there know of any software which I could install which would give sort of an audit trail of who has used (either network username or machine IP address) individual files or directories on the Windows 2000 server?  Even better if this could be retrospective as we know who has accessed the payroll files but we now need evidential proof that he did.

Thanks
0
 
Jay_Jay70Commented:
ah I see - it's a bit dodgy from the OPERA side of things that those files can be opened in Excel - would have seen that as a fairly big security flaw....

you can enable auditing on the folder itself: right click and select Properties, then Security - Advanced - Auditing. That will at least let you know any attempts on the folder....
0
 
Rob WilliamsCommented:
Enabling security auditing would help track user access:
http://support.microsoft.com/default.aspx?scid=kb;en-us;300958&sd=tech
0
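Added example, not part of the thread: with auditing enabled on the restricted payroll directory as the two replies above suggest, object-open events (event ID 560 on Windows 2000) can be reduced to a per-user trail of successful and denied opens. The tab-separated export layout, the `D:\OperaData\Payroll` path and the account names are constructed assumptions, not Event Viewer's native format or values from the thread.

```python
import csv
from collections import defaultdict

OBJECT_OPEN = "560"  # Security log event ID for "object open" on Windows 2000

# Constructed sample in an assumed, simplified tab-separated export.
# Columns: timestamp, event ID, audit type, client user, object name.
SAMPLE_LOG = """\
2006-12-04 09:12:31\t560\tSuccess\tCORP\\payclerk\tD:\\OperaData\\Payroll\\p_emp.dbf
2006-12-04 10:47:02\t560\tFailure\tCORP\\jsmith\tD:\\OperaData\\Payroll\\p_emp.dbf
2006-12-04 10:47:09\t560\tFailure\tCORP\\jsmith\td:\\operadata\\payroll\\p_hist.dbf
2006-12-04 10:50:44\t560\tSuccess\tCORP\\jsmith\tD:\\OperaData\\Sales\\s_ledger.dbf
2006-12-04 11:02:10\t528\tSuccess\tCORP\\jsmith\t-
truncated line
"""


def access_report(log_text, watched_dir):
    """Summarise object-open audits under watched_dir, keyed by user."""
    # NTFS paths and account names are case-insensitive, so compare lowercased.
    watched = watched_dir.rstrip("\\").lower() + "\\"
    report = defaultdict(lambda: {"Success": 0, "Failure": 0, "files": set()})
    for row in csv.reader(log_text.splitlines(), delimiter="\t"):
        if len(row) != 5:
            continue  # skip blank or damaged lines rather than guessing
        _when, event_id, outcome, user, obj = row
        if event_id != OBJECT_OPEN or outcome not in ("Success", "Failure"):
            continue
        if not obj.lower().startswith(watched):
            continue  # shared Opera data outside the watched directory
        entry = report[user.lower()]
        entry[outcome] += 1
        entry["files"].add(obj.lower())
    return dict(report)


def denied_users(report):
    """Users with at least one failed open: attempts blocked by NTFS."""
    return sorted(user for user, e in report.items() if e["Failure"] > 0)


if __name__ == "__main__":
    result = access_report(SAMPLE_LOG, "D:\\OperaData\\Payroll")
    for user, e in sorted(result.items()):
        print(user, e["Success"], e["Failure"], sorted(e["files"]))
    print("denied:", denied_users(result))
```

Because every client reaches the share over the network, these events name the user and the file but not the program that opened it, so the report is only meaningful for a directory that ordinary Opera users have no reason to touch.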
 
Rob WilliamsCommented:
You being younger I guess you can type faster than we old guys James  <G>
0
 
Jay_Jay70Commented:
haha! im just trying to avoid the next phone call i have to make.......
0
 
holt2000Author Commented:
Thanks very much guys for all your valuable help.

Once again the monthly VIP membership fee has dug me out of a sticky situation.
0
 
Jay_Jay70Commented:
that's a pleasure man, my VIP membership paid off when I scored my boss's logon and Robwill ^^^^ started helping me out on a Q

glad to be able to help
0
 
Rob WilliamsCommented:
Good luck holt2000 ,
--Rob
0
