Rupert Eghardt

Limit RDP Users from Viewing Folders in C: Root

Hi Guys,

We would like to limit RDP users from viewing / accessing folders in C: drive on a specific server,
such as C:\PROGRAM FILES, C:\WINDOWS, etc.

Users have dedicated folders to which they have shortcuts on the desktop, thus they don't need to browse folders.

One way is to set up a security group for RDP users,
then add a Deny permission entry for this group on C: root.

Thus folders in C: root should be visible to everyone but the RDP users.

Any ideas? Is this safe to do?
Desktops, Security, Windows 10, Azure, Windows Server 2016

Last Comment
McKnife

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Qlemo

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
Rupert Eghardt

ASKER
Thanks Qlemo,

The RDP users are easily identifiable, and we can put them in a group.

My idea was to put a DENY list-folder / read data option for this group on "C-root".
I've done this for a test-folder and it seems to be working.

I agree, if the user knows the folder (tree), they would still be able to navigate, but at least there will be some restriction.

I just don't want to mess with the Windows installation, or structure in C: root.
Qlemo

The file selection dialog used to open or save files is running an Explorer window too.
Aside from that, don't. As said, you block access to Windows and subfolders, and there are a lot of checks for optionally existing files in there. Denying access will certainly lead to changed behaviour or even failure.
You can deny access to particular folders, but don't for C: with inheritance.
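
The Deny "List folder / read data" entry discussed above, scoped to "This folder only" so that nothing beneath it inherits the Deny. This is an added example, not part of the original thread; the group name `CONTOSO\RDP-Users` and the scratch path `C:\AclTest` are hypothetical placeholders, and it targets a test folder rather than C: root.

```powershell
param(
    [string]$Group = 'CONTOSO\RDP-Users',  # hypothetical group holding the RDP users
    [string]$Path  = 'C:\AclTest'          # hypothetical scratch folder, not C:\ itself
)

# Build a scratch tree so the effect on a child folder can be inspected.
$child = Join-Path $Path 'Sub'
New-Item -ItemType Directory -Path $child -Force | Out-Null

# Resolve the group to a SID once; this fails early if the name does not exist.
$sid = ([System.Security.Principal.NTAccount]$Group).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Deny "List folder / read data" on this folder only.
# InheritanceFlags None + PropagationFlags None: no subfolder or file inherits the ACE.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $sid,
    [System.Security.AccessControl.FileSystemRights]::ListDirectory,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)

$acl = Get-Acl -Path $Path
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Return the Deny ACEs (explicit and inherited) that apply to the group on a path.
function Get-DenyAce([string]$Target) {
    (Get-Acl -Path $Target).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -eq $sid }
}

# Count the group's Deny ACEs on the parent and on the child for comparison.
[pscustomobject]@{
    Path           = $Path
    ParentDenyAces = @(Get-DenyAce $Path).Count
    ChildDenyAces  = @(Get-DenyAce $child).Count
}
```

Run it from an elevated session under an account that is not a member of the group, then compare the two counts to confirm the Deny stayed on the parent folder.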
David Johnson, CD

About all you can do is restrict Explorer and other items that the user uses to access the file system from seeing C:.
User group policy (for versions of Windows Server prior to 2016, replace File Explorer with Windows Explorer).
Rupert Eghardt

ASKER
Thanks David,

Unfortunately they need to browse for documents in a specific folder.
I was hoping to restrict them to one folder, but it doesn't seem plausible at this time.
McKnife

Why would you want to limit read access on c:\windows and c:\program files? These users don't have write access already, why limit read as well? It is possible, but why would you?
Rupert Eghardt

ASKER
Users have been saving personal documents in strange places (outside their assigned user folders).
Not necessarily in Windows and Program Files, but we would like to restrict their access as much as possible.
McKnife

Yes, it's already restricted. Writing there is not possible, no need for action.