disallow browsing on network share

I need to set up network share accessible by security group with the following criteria.
1. User's can't browse it
2. Users can open any document if they know exact path.

Network share is on Windows 2008 R2 standard server.

Thank you
Who is Participating?
slemmesmiConnect With a Mentor Commented:
Dear Coffinated,

I am not sure which permission you refer to in your sentence about "group1" "DENY: List folder/read data" - can you elaborate on the "/read data" part - exactly which permission do you refer to by "read data" being denied?

On folder permissions:
"group1" must have been allowed "Read&Execute" as well as "Read" on the folder (and contained objects).
"group1" must be denied "List folder contents"
"group1" should not be allowed/denied any other permissions.

Could you eventually make a few screen shots of the permissions you have set on the folder for the "\\share\folder1\test.txt" as well as for the specific file, and post these here please?

It could easily be that the file "test.txt" placed in the folder, did not inherit the permissions from/of the folder (which may be the case when a file is moved into the folder).

@ChiefIT: Making the share hidden, does not prevent users with the knowledge about the share to browse it and ABE still only gives the result with the proper set of permissions set.

Kind regards,
Dear Coffinated,

you'll need to deny "List folder contents" on the top folder of the share and all folders below this, for the group you want to (only) allow to do '2'.

Kind regards,
Dear Coffinated,

sorry - forgot to mention that "Everyone" should have no permissions at all on the top folder, but have "Full Control" on the share itself.

Kind regards,
CoffinatedAuthor Commented:
Let's say I have the following folder structure:
D:\share\folder1 & folder2

perms for "share"
share: everyone full control
security: group1 special access:
DENY: List folder/read data
ALLOW: Everything but Full access and list folder.

Effective permissions do show lack of full control and list folder data, yet users from group1 can't open a file \\share\folder1\test.txt

Include inheritable perms from parent object is disabled.
Give them any permissions you want to> But, make the share folder a hidden share (give it the hidden attribute). Giving the share the hidden attribute will not send out the netbios broadcast to all users.

There is an alternative. You can install and configure Access Based Enumeration. This ONLY allows people who have access to the share to see it in network places. The signifigance is people don't need to know the path, necessarily. But, only people with the right permissions can see it.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.