Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

disallow browsing on network share

Posted on 2011-03-17
5
Medium Priority
?
356 Views
Last Modified: 2012-08-13
I need to set up network share accessible by security group with the following criteria.
1. User's can't browse it
2. Users can open any document if they know exact path.

Network share is on Windows 2008 R2 standard server.

Thank you
0
Comment
Question by:Coffinated
  • 3
5 Comments
 
LVL 11

Expert Comment

by:slemmesmi
ID: 35159135
Dear Coffinated,

you'll need to deny "List folder contents" on the top folder of the share and all folders below this, for the group you want to (only) allow to do '2'.

Kind regards,
Soren
0
 
LVL 11

Expert Comment

by:slemmesmi
ID: 35159137
Dear Coffinated,

sorry - forgot to mention that "Everyone" should have no permissions at all on the top folder, but have "Full Control" on the share itself.

Kind regards,
Soren
0
 
LVL 5

Author Comment

by:Coffinated
ID: 35159276
Let's say I have the following folder structure:
D:\share\folder1 & folder2

perms for "share"
share: everyone full control
security: group1 special access:
DENY: List folder/read data
ALLOW: Everything but Full access and list folder.

Effective permissions do show lack of full control and list folder data, yet users from group1 can't open a file \\share\folder1\test.txt

Include inheritable perms from parent object is disabled.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 35163022
Give them any permissions you want to> But, make the share folder a hidden share (give it the hidden attribute). Giving the share the hidden attribute will not send out the netbios broadcast to all users.

There is an alternative. You can install and configure Access Based Enumeration. This ONLY allows people who have access to the share to see it in network places. The signifigance is people don't need to know the path, necessarily. But, only people with the right permissions can see it.
0
 
LVL 11

Accepted Solution

by:
slemmesmi earned 2000 total points
ID: 35163172
Dear Coffinated,

I am not sure which permission you refer to in your sentence about "group1" "DENY: List folder/read data" - can you elaborate on the "/read data" part - exactly which permission do you refer to by "read data" being denied?

On folder permissions:
"group1" must have been allowed "Read&Execute" as well as "Read" on the folder (and contained objects).
"group1" must be denied "List folder contents"
"group1" should not be allowed/denied any other permissions.

Could you eventually make a few screen shots of the permissions you have set on the folder for the "\\share\folder1\test.txt" as well as for the specific file, and post these here please?

It could easily be that the file "test.txt" placed in the folder, did not inherit the permissions from/of the folder (which may be the case when a file is moved into the folder).

@ChiefIT: Making the share hidden, does not prevent users with the knowledge about the share to browse it and ABE still only gives the result with the proper set of permissions set.

Kind regards,
Soren
0

Featured Post

[Webinar] Cloud and Mobile-First Strategy

Maybe you’ve fully adopted the cloud since the beginning. Or maybe you started with on-prem resources but are pursuing a “cloud and mobile first” strategy. Getting to that end state has its challenges. Discover how to build out a 100% cloud and mobile IT strategy in this webinar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

876 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question