Prevent directory listing of Windows 2000 server shared folder

holt2000 asked
Last Modified: 2010-04-13
We have Pegasus Opera II program and data files stored in a share on our Windows 2000 Server.

The data directory which holds the MS Visual Foxpro dbf database files needs to be left with the security group Domain Users having full access.  

Obviously, we can restrict access to the payroll through Pegasus Opera itself; however, today a network user has browsed into the directory either via the mapped network drive letter or UNC and opened one of the payroll dbf files using MS Excel!

I now have a method to hide the payroll files in a directory of their own with restricted Windows 2000 NTFS file permissions.  However, my FD is concerned about the remaining data files which contain sensitive data such as cost prices, profit margins, customer data, etc.

Due to the way Opera works (when a sales invoice is raised for example, the user requires access to the sales ledger, stock & invoicing data files) all of the remaining data files must be left with full access permissions to all users who require access to Opera.

The user who accessed the file needs to have access to Opera to perform their duties, as do about 90% of the company's computer users, so I can't just deny him/them access via NTFS permissions.

As the database files can be opened with MS Excel, MS Access or an ODBC link, my thought is to "hide" them from directory listings so that users simply can't see them.

This sounds good in theory but I'm not sure that it can be done.  Does anyone have any ideas, suggestions or software solutions please?  I have asked our Opera reseller who basically said, "yes, this is a known issue with no known solution" but there must be something.  Surely companies can't be expected to leave their data files open to this level of abuse.

Thanks

CERTIFIED EXPERT
Top Expert 2006

Commented:
Hi holt2000,

have you set up any NTFS permissions on the directory itself?

Cheers!

Author

Commented:
Hi Jay_Jay70

With regard to the Data directory itself, I have left the security group domain users with full access as required for Opera.

I did try to deny the list directory permission but this completely prevented access to Opera.

thanks

Steve
CERTIFIED EXPERT
Top Expert 2006

Commented:
Even if you denied a single user permissions? Do all the users use Opera?

Author

Commented:
Unfortunately, I can't really just deny single users access to the files as the people who are, shall we say, clever enough to access the files all require legitimate access to perform their duties.
CERTIFIED EXPERT
Top Expert 2006

Commented:
But you can narrow down on to that directory, can't you? Or even down to the files themselves?

Author

Commented:
I can't narrow down because the users who are likely to abuse their access to the file via browsing to the share are also the same users who need to be able to read the files for their allowed daily usage of the Opera software.

In other words, if I set the permissions on the file and remove their read access, I prevent them from using Opera, and I need them to have access to Opera, just not access to the directory via a browser.

As regards the individual files, there are over 500 of them anyway per company for 4 companies.

Thanks

Steve
CERTIFIED EXPERT
Top Expert 2006

Commented:
ah man what a pickle!

Give me a minute and I'll see what I can think of - just on call at the moment so mind's in two places :)
CERTIFIED EXPERT
Top Expert 2006

Commented:
I haven't dealt with Opera so I don't know exactly how it works, but from what you have said Windows security won't do the job.

You can try hiding the files, but they will be able to undo these settings by playing with their folder views.

Does Opera not provide any security itself?
CERTIFIED EXPERT
Top Expert 2013

Commented:
Do your users need to be able to browse the folder? If not, and the file location can be specified in the application I believe you could, under advanced security permissions, remove the traverse folders and list folders permissions for the users, and they would still be able to have full control over the files but not be able to browse and "explore". If they knew the file name and location they would still be able to access by entering the UNC path in a browser, but I am guessing most do not know that information off the top of their head.
Just a thought.
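
An added example, not part of the thread: in the NTFS access mask, "List Folder" on a directory and "Read Data" on a file are the same bit (0x1), so a deny entry that inherits to files takes away file reads as well, while the same deny scoped to "This folder only" affects listing alone. The `Ace` class and helper names below are a hypothetical, simplified model of that arithmetic, with deny entries taking precedence over allow entries.

```python
from dataclasses import dataclass

# NTFS access-mask bits: each directory right shares its bit with a file right.
FILE_LIST_DIRECTORY = FILE_READ_DATA = 0x0001
FILE_ADD_FILE = FILE_WRITE_DATA = 0x0002
FILE_TRAVERSE = FILE_EXECUTE = 0x0020
FULL = FILE_READ_DATA | FILE_WRITE_DATA | FILE_EXECUTE


@dataclass(frozen=True)
class Ace:
    """Hypothetical, simplified access control entry."""
    deny: bool
    mask: int
    on_folder: bool   # applies to the folder itself
    on_files: bool    # inherited by files inside the folder


def granted(aces, target):
    """Rights left on 'folder' or 'file' once deny entries are applied."""
    allow = deny = 0
    for ace in aces:
        applies = ace.on_folder if target == "folder" else ace.on_files
        if not applies:
            continue
        if ace.deny:
            deny |= ace.mask
        else:
            allow |= ace.mask
    return allow & ~deny


def can(aces, target, right):
    return (granted(aces, target) & right) == right


ALLOW_ALL = Ace(False, FULL, on_folder=True, on_files=True)
# Deny applied to "This folder, subfolders and files"
DENY_INHERITED = Ace(True, FILE_LIST_DIRECTORY, on_folder=True, on_files=True)
# Deny applied to "This folder only"
DENY_FOLDER_ONLY = Ace(True, FILE_LIST_DIRECTORY, on_folder=True, on_files=False)


def scenario(deny_ace):
    aces = [deny_ace, ALLOW_ALL]
    return {
        "list_folder": can(aces, "folder", FILE_LIST_DIRECTORY),
        "read_file": can(aces, "file", FILE_READ_DATA),
        "write_file": can(aces, "file", FILE_WRITE_DATA),
    }
```

The model covers only the ACL arithmetic; whether the application itself has to enumerate the data folder is not something the thread establishes.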

Author

Commented:
Jay_Jay - yes, Opera provides security so you can't view the files through the Opera software unless authorised, but users are reaching the files via Windows Explorer as they are held in a standard Windows shared folder on our server.

RobWill - I have played around with the List Folder NTFS permissions but unfortunately this also removed read access to the files, which the Opera software requires to give legitimate access to authorised users.

I have come up with a workaround which improves, but does not solve, the situation.  Basically the Opera data has been moved to a new location on the server not accessible via any drive mappings - only via a UNC path to a share on the server.  I gave the share a sharename ending with a dollar symbol, which hides the share from Windows Explorer.  Fortunately, Opera supports UNC paths back to the data files.  Unless the user knows the exact share name, they can't find the data.

Does anyone out there know of any software which I could install which would give sort of an audit trail of who has used (either network username or machine IP address) individual files or directories on the Windows 2000 server?  Even better if this could be retrospective, as we know who has accessed the payroll files but we now need evidential proof that he did.

Thanks
CERTIFIED EXPERT
Top Expert 2006
Commented:
Ah I see - it's a bit dodgy from the Opera side of things that those files can be opened in Excel - would have seen that as a fairly big security flaw....

You can enable auditing on the folder itself: right click and select Properties, then Security - Advanced - Auditing. That will at least let you know any attempts on the folder....

CERTIFIED EXPERT
Top Expert 2013

Commented:
Enabling security auditing would help track user access:
http://support.microsoft.com/default.aspx?scid=kb;en-us;300958&sd=tech
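
An added example, not part of the thread: once object-access auditing is enabled on the folder, the audit records can be reduced to a per-user trail of who read files under a sensitive directory. It assumes the Security log has been exported to pipe-separated text (timestamp|user|object|accesses); that layout, the paths and the user names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records; the column layout is an assumption.
SAMPLE_LOG = r"""
2006-03-01 09:12:44|payclerk|D:\OperaData\Payroll\pay01.dbf|ReadData WriteData
2006-03-01 10:05:10|jbloggs|D:\OperaData\Sales\sledger.dbf|ReadData WriteData
2006-03-01 13:47:02|jbloggs|D:\OperaData\Payroll\pay01.dbf|ReadData
2006-03-01 13:47:09|JBloggs|D:\OperaData\Payroll\pay02.dbf|ReadData
2006-03-01 13:50:31|jbloggs|D:\OperaData\Payroll|ListDirectory
malformed line without separators
"""


def parse(log):
    """Yield (timestamp, user, object, accesses) for each well-formed record."""
    for line in log.strip().splitlines():
        parts = line.split("|")
        if len(parts) != 4:
            continue  # skip damaged records instead of aborting the review
        ts, user, obj, acc = (p.strip() for p in parts)
        yield ts, user.lower(), obj, set(acc.split())


def reads_under(log, folder):
    """Map each user to the (timestamp, file) reads made below `folder`."""
    prefix = folder.rstrip("\\").lower() + "\\"
    hits = defaultdict(list)
    for ts, user, obj, acc in parse(log):
        if obj.lower().startswith(prefix) and "ReadData" in acc:
            hits[user].append((ts, obj))
    return dict(hits)


def unexpected_readers(log, folder, authorised):
    """Keep only readers who are not on the authorised list."""
    allowed = {u.lower() for u in authorised}
    return {user: events
            for user, events in reads_under(log, folder).items()
            if user not in allowed}


if __name__ == "__main__":
    found = unexpected_readers(SAMPLE_LOG, r"D:\OperaData\Payroll", {"payclerk"})
    for user, events in found.items():
        for ts, obj in events:
            print(f"{ts}  {user}  {obj}")
```

Auditing records only accesses made after it is switched on, so it cannot supply evidence of access that happened earlier.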
CERTIFIED EXPERT
Top Expert 2013

Commented:
You being younger I guess you can type faster than we old guys James  <G>
CERTIFIED EXPERT
Top Expert 2006

Commented:
Haha! I'm just trying to avoid the next phone call I have to make.......

Author

Commented:
Thanks very much guys for all your valuable help.

Once again the monthly VIP membership fee has dug me out of a sticky situation.
CERTIFIED EXPERT
Top Expert 2006

Commented:
That's a pleasure man, my VIP membership paid off when I scored my boss's logon and Robwill ^^^^ started helping me out on a Q

Glad to be able to help
CERTIFIED EXPERT
Top Expert 2013

Commented:
Good luck holt2000,
--Rob