Solved

disallow browsing on network share

Posted on 2011-03-17
5
350 Views
Last Modified: 2012-08-13
I need to set up network share accessible by security group with the following criteria.
1. User's can't browse it
2. Users can open any document if they know exact path.

Network share is on Windows 2008 R2 standard server.

Thank you
0
Comment
Question by:Coffinated
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
5 Comments
 
LVL 11

Expert Comment

by:slemmesmi
ID: 35159135
Dear Coffinated,

you'll need to deny "List folder contents" on the top folder of the share and all folders below this, for the group you want to (only) allow to do '2'.

Kind regards,
Soren
0
 
LVL 11

Expert Comment

by:slemmesmi
ID: 35159137
Dear Coffinated,

sorry - forgot to mention that "Everyone" should have no permissions at all on the top folder, but have "Full Control" on the share itself.

Kind regards,
Soren
0
 
LVL 5

Author Comment

by:Coffinated
ID: 35159276
Let's say I have the following folder structure:
D:\share\folder1 & folder2

perms for "share"
share: everyone full control
security: group1 special access:
DENY: List folder/read data
ALLOW: Everything but Full access and list folder.

Effective permissions do show lack of full control and list folder data, yet users from group1 can't open a file \\share\folder1\test.txt

Include inheritable perms from parent object is disabled.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 35163022
Give them any permissions you want to> But, make the share folder a hidden share (give it the hidden attribute). Giving the share the hidden attribute will not send out the netbios broadcast to all users.

There is an alternative. You can install and configure Access Based Enumeration. This ONLY allows people who have access to the share to see it in network places. The signifigance is people don't need to know the path, necessarily. But, only people with the right permissions can see it.
0
 
LVL 11

Accepted Solution

by:
slemmesmi earned 500 total points
ID: 35163172
Dear Coffinated,

I am not sure which permission you refer to in your sentence about "group1" "DENY: List folder/read data" - can you elaborate on the "/read data" part - exactly which permission do you refer to by "read data" being denied?

On folder permissions:
"group1" must have been allowed "Read&Execute" as well as "Read" on the folder (and contained objects).
"group1" must be denied "List folder contents"
"group1" should not be allowed/denied any other permissions.

Could you eventually make a few screen shots of the permissions you have set on the folder for the "\\share\folder1\test.txt" as well as for the specific file, and post these here please?

It could easily be that the file "test.txt" placed in the folder, did not inherit the permissions from/of the folder (which may be the case when a file is moved into the folder).

@ChiefIT: Making the share hidden, does not prevent users with the knowledge about the share to browse it and ABE still only gives the result with the proper set of permissions set.

Kind regards,
Soren
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
OfficeMate Freezes on login or does not load after login credentials are input.
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question