Limit RDP Users from Viewing Folders in C: Root

Hi Guys,

We would like to limit RDP users from viewing  / accessing folders in C: drive on a specific server.
Such as C:\PROGRAM FILES, C:\WINDOWS, etc

Users have dedicated folders to which they have shortcuts on the desktop, thus they don't need to browse folders.

One way is to setup a security group for RDP users
Then add a Deny permission entry for this group on C: root

Thus folders in C: root should be visible to everyone, but the RDP users

Any ideas, Is this safe to do?
Rupert EghardtProgrammerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
Using RDP means to have the same privileges as the logged-in user. You can restrict log in based on whether RDP is used, a network login or local login is performed, but that's it.
So you indeed have to create particular RDP users, manage them via a group, and assign proper privileges to that group.
However, you cannot limit read access for the Windows or Program Files folder, because the system needs to have access. You can put some effort into restricitng directory/file browsing, which then still allows access to folders and files with a full-known path, but that is very messy, and I predict system failures if you do.
Also, privilege changes on Windows and other system folders are subject to automatic correction by some of the repair and security systems implemented.

The Program Files folder's subfolders can receive different privileges for those the respective users do not need to have access to.

IMHO  it is not worth the effort you need to put in.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Rupert EghardtProgrammerAuthor Commented:
Thanks Qlemo,

The RDP users are easily identifiable, and we can put them in a group.

My idea was to put a DENY list-folder / read data option for this group on "C-root".
I've done this for a test-folder and seems to be working.

I agree, if the user knows the folder (tree), they would still be able to navigate, but at least they will be some restriction.

I just don't want to mess with the Windows installation, or structure in C: root
0
Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
The file selection dialog used to open or save files is running an Explorer window too.
Aside from that, don't. As said, you block access to Windows and subfolders, and there are a lot of checks for optionally existing files in there. Denying access will certainly lead to changed behaviour or even failure.
You can deny access to particular folders, but don't for C: with inheritance.
0
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

David Johnson, CD, MVPOwnerCommented:
about all you can do is restrict explorer and other items that the user uses to access the file system from seeing c:
user group policy  (for versions of windows server prior to 2016 replace file explorer with windows explorer
2018-09-03_22-36-53.png2018-09-03_22-36-25.png
0
Rupert EghardtProgrammerAuthor Commented:
Thanks David,

Unfortunately they need to browse for documents in a specific folder.
I was hoping to restrict them to one folder, but doesn't seem plausible at this time.
0
McKnifeCommented:
Why would you want to limit read access on c:\windows and c:\program files? These users don't have write access already, why limit read as well? It is possible, but why would you?
0
Rupert EghardtProgrammerAuthor Commented:
Users have been saving personal documents in strange places (outside their assigned user folders)
Not necessarily in Windows and Program Files, but we would like to restrict their access as much as possible.
0
McKnifeCommented:
Yes, it's already restricted. Writing there is not possible, no need for action.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2016

From novice to tech pro — start learning today.