tkgallagher
asked on
WIN2003 Server Security
We have Win2003 Server and a server folder of program files & data is being shared with access from Windows XP PC's. The server folder is set-up as a mapped drive on the client PCs. We want the users to be able to run the program files which will access the data, but not be able to get to the data via other software such as Windows Explorer. How can we restrict users in this way?
Additionaly have a look at
Windows Server 2003 Security Guide
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx
Windows Server 2003 Security Guide
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx
ASKER
Hi,
Access-based Enumeration sounds useful, but I dont think it addreses our core issue, whixh I will try to explain more clearly with a simplified example.
The Win 2003 Server has a folder called BIZAPP. On the WinXP client machines BIZAPP is mapped to say the G: drive.
Then the user will use a shortcut to run G:\APP1.EXE on his PC and APP1.EXE will read and write data files G:\DATA1.DAT, G:\DATA2.DAT, etc (about 100 data files in reality).
We want the security set-up to allow the user to use APP1.EXE to access the data files on G:\ i.e. the server's BIZAPP folder,
but the user must NOT be able to view/copy those data fiels usin gother applications such as Windows Explorer.
We can split the APP1.EXE and the DATA files into separate folders if that helps.
(For other reasons Terminal Services cannot be used as the workaround.) Thanks.
Access-based Enumeration sounds useful, but I dont think it addreses our core issue, whixh I will try to explain more clearly with a simplified example.
The Win 2003 Server has a folder called BIZAPP. On the WinXP client machines BIZAPP is mapped to say the G: drive.
Then the user will use a shortcut to run G:\APP1.EXE on his PC and APP1.EXE will read and write data files G:\DATA1.DAT, G:\DATA2.DAT, etc (about 100 data files in reality).
We want the security set-up to allow the user to use APP1.EXE to access the data files on G:\ i.e. the server's BIZAPP folder,
but the user must NOT be able to view/copy those data fiels usin gother applications such as Windows Explorer.
We can split the APP1.EXE and the DATA files into separate folders if that helps.
(For other reasons Terminal Services cannot be used as the workaround.) Thanks.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Windows Server 2003 Access-based Enumeration
http://www.microsoft.com/downloads/details.aspx?FamilyId=04A563D9-78D9-4342-A485-B030AC442084&displaylang=en
Overview
Windows Server 2003 Access-based Enumeration makes visible only those files or folders that the user has the rights to access. When Access-based Enumeration is enabled, Windows will not display files or folders that the user does not have the rights to access. This download provides a GUI and a CLI that enables this feature.