Solved

disallow browsing on network share

Posted on 2011-03-17
Last Modified: 2012-08-13
I need to set up a network share accessible by a security group with the following criteria.
1. Users can't browse it
2. Users can open any document if they know the exact path.

Network share is on Windows 2008 R2 standard server.

Thank you
Question by:Coffinated

Expert Comment

by:slemmesmi
ID: 35159135
Dear Coffinated,

you'll need to deny "List folder contents" on the top folder of the share and all folders below this, for the group you want to (only) allow to do '2'.

Kind regards,
Soren

Expert Comment

by:slemmesmi
ID: 35159137
Dear Coffinated,

sorry - forgot to mention that "Everyone" should have no permissions at all on the top folder, but have "Full Control" on the share itself.

Kind regards,
Soren

Author Comment

by:Coffinated
ID: 35159276
Let's say I have the following folder structure:
D:\share\folder1 & folder2

perms for "share"
share: everyone full control
security: group1 special access:
DENY: List folder/read data
ALLOW: Everything but Full access and list folder.

Effective permissions do show lack of full control and list folder data, yet users from group1 can't open a file \\share\folder1\test.txt

Include inheritable perms from parent object is disabled.

Expert Comment

by:ChiefIT
ID: 35163022
Give them any permissions you want to. But, make the share folder a hidden share (give it the hidden attribute). Giving the share the hidden attribute will not send out the NetBIOS broadcast to all users.

There is an alternative. You can install and configure Access Based Enumeration. This ONLY allows people who have access to the share to see it in network places. The significance is people don't need to know the path, necessarily. But, only people with the right permissions can see it.

Accepted Solution

by:slemmesmi
ID: 35163172
Dear Coffinated,

I am not sure which permission you refer to in your sentence about "group1" "DENY: List folder/read data" - can you elaborate on the "/read data" part - exactly which permission do you refer to by "read data" being denied?

On folder permissions:
"group1" must have been allowed "Read&Execute" as well as "Read" on the folder (and contained objects).
"group1" must be denied "List folder contents"
"group1" should not be allowed/denied any other permissions.

Could you eventually make a few screen shots of the permissions you have set on the folder for the "\\share\folder1\test.txt" as well as for the specific file, and post these here please?

It could easily be that the file "test.txt" placed in the folder, did not inherit the permissions from/of the folder (which may be the case when a file is moved into the folder).

@ChiefIT: Making the share hidden, does not prevent users with the knowledge about the share to browse it and ABE still only gives the result with the proper set of permissions set.

Kind regards,
Soren
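
The folder permissions from the accepted answer, written out as an added PowerShell example that is not part of the thread. It assumes a placeholder domain CONTOSO and an elevated session on the file server; the deny entry is scoped to folders only because "List folder" and "Read data" are the same access bit, so a deny that reaches files also blocks opening them.

```powershell
# Added example, not from the thread. D:\share and group1 are the asker's
# names; the domain CONTOSO is a placeholder assumption.
$path  = 'D:\share'
$group = 'CONTOSO\group1'

$acl = Get-Acl -Path $path

# Drop any earlier explicit entries for the group so old denies do not linger.
$acl.PurgeAccessRules([System.Security.Principal.NTAccount]$group)

# Allow Read & Execute on this folder, subfolders and files.
$allow = New-Object System.Security.AccessControl.FileSystemAccessRule($group, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')

# Deny listing on this folder and subfolders ONLY (no ObjectInherit).
# ListDirectory and ReadData share bit 0x1, so this ACE must never reach files.
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule($group, 'ListDirectory', 'ContainerInherit', 'None', 'Deny')

$acl.AddAccessRule($allow)
$acl.AddAccessRule($deny)
Set-Acl -Path $path -AclObject $acl

# Check the tree for the two problems raised in the thread:
#  - items that do not inherit from the parent (e.g. files moved in), and
#  - files carrying a deny on bit 0x1, which blocks opening them.
foreach ($item in Get-ChildItem -Path $path -Recurse) {
    $itemAcl = Get-Acl -Path $item.FullName
    $denyOnData = @($itemAcl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq $group -and
        (([int]$_.FileSystemRights) -band 1)
    })
    $fileBlocked = (-not $item.PSIsContainer) -and ($denyOnData.Count -gt 0)
    if ($itemAcl.AreAccessRulesProtected -or $fileBlocked) {
        '{0}  inheritanceBlocked={1}  denyReadDataOnFile={2}' -f `
            $item.FullName, $itemAcl.AreAccessRulesProtected, $fileBlocked
    }
}
```

Any path the final loop prints needs its ACL corrected by hand; an empty result means every file and subfolder inherits the two entries as intended. Share-level permissions are not touched by this script.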