
Limit RDP Users from Viewing Folders in C: Root

Last Modified: 2018-09-17
Hi Guys,

We would like to limit RDP users from viewing / accessing folders in C: drive on a specific server,
such as C:\PROGRAM FILES, C:\WINDOWS, etc.

Users have dedicated folders to which they have shortcuts on the desktop, thus they don't need to browse folders.

One way is to set up a security group for RDP users,
then add a Deny permission entry for this group on C: root.

Thus folders in C: root should be visible to everyone but the RDP users.

Any ideas? Is this safe to do?
Rupert Eghardt, Programmer

Author

Commented:
Thanks Qlemo,

The RDP users are easily identifiable, and we can put them in a group.

My idea was to put a DENY list-folder / read data option for this group on "C-root".
I've done this for a test folder and it seems to be working.

I agree, if the user knows the folder (tree), they would still be able to navigate, but at least there will be some restriction.

I just don't want to mess with the Windows installation, or structure in C: root
Qlemo, "Batchelor", Developer and EE Topic Advisor
CERTIFIED EXPERT
Top Expert 2015

Commented:
The file selection dialog used to open or save files is running an Explorer window too.
Aside from that, don't. As said, you block access to Windows and subfolders, and there are a lot of checks for optionally existing files in there. Denying access will certainly lead to changed behaviour or even failure.
You can deny access to particular folders, but don't for C: with inheritance.
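
Added example, not part of the thread: a PowerShell sketch of the difference between a Deny "list folder / read data" entry scoped to one folder and one that inherits, run on a constructed scratch tree rather than on C:\. It assumes the built-in Remote Desktop Users group stands in for the dedicated RDP group, and that the account running it is not a member of that group.

```powershell
# Constructed scratch tree standing in for C:\ and one of its system folders.
$root  = Join-Path $env:TEMP 'acl-scope-demo'
$child = Join-Path $root 'Windows-standin'
New-Item -ItemType Directory -Path $child -Force | Out-Null

# Assumption: BUILTIN\Remote Desktop Users (well-known SID S-1-5-32-555) stands in
# for the dedicated RDP security group; substitute your own group.
$sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-555'

# Build a Deny ACE for "List folder / read data" with the requested inheritance scope.
function New-DenyListRule {
    param($Identity, [System.Security.AccessControl.InheritanceFlags]$Inherit)
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::ListDirectory,
        $Inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
}

# Report every Deny ACE on a path, including whether it was inherited from a parent.
function Get-DenyAce {
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object @{n='Path';e={$Path}}, IdentityReference,
                      FileSystemRights, IsInherited, InheritanceFlags
}

# Case 1: "This folder only". The ACE stays on the root and is not copied to children.
$acl = Get-Acl -Path $root
$acl.AddAccessRule((New-DenyListRule $sid 'None'))
Set-Acl -Path $root -AclObject $acl
Get-DenyAce $root
Get-DenyAce $child

# Case 2: the same ACE with inheritance. Subfolders receive it, and on files the
# same right bit means "read data", so the group can no longer read inherited files.
$acl = Get-Acl -Path $root
$acl.RemoveAccessRuleAll((New-DenyListRule $sid 'None'))
$acl.AddAccessRule((New-DenyListRule $sid 'ContainerInherit, ObjectInherit'))
Set-Acl -Path $root -AclObject $acl
Get-DenyAce $child

# Clean up the scratch tree.
Remove-Item -Path $root -Recurse -Force
```

Running `Get-DenyAce` against the real C:\ and C:\Windows on the server shows whether a Deny entry added at the root reaches the system folders.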
David Johnson, CD, Simple Geek from the '70s
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
About all you can do is restrict Explorer and other items that the user uses to access the file system from seeing C:
User group policy (for versions of Windows Server prior to 2016, replace File Explorer with Windows Explorer)
Rupert Eghardt, Programmer

Author

Commented:
Thanks David,

Unfortunately they need to browse for documents in a specific folder.
I was hoping to restrict them to one folder, but it doesn't seem plausible at this time.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Why would you want to limit read access on c:\windows and c:\program files? These users don't have write access already, why limit read as well? It is possible, but why would you?
Rupert Eghardt, Programmer

Author

Commented:
Users have been saving personal documents in strange places (outside their assigned user folders).
Not necessarily in Windows and Program Files, but we would like to restrict their access as much as possible.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Yes, it's already restricted. Writing there is not possible, no need for action.
