Announcement

Collapse
No announcement yet.

Prevent users from creating files and folders in C:\

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Prevent users from creating files and folders in C:\

    Hello,

    I was thinking of locking down our domain computers so that the users can only create items under their own profile and in c:\temp, but i want to make sure they can't create files/folder in c:\

    I thought about using:

    http://www.microsoft.com/technet/pro.../scthch01.mspx

    but i really only want prevent users from creating files and folders in C:\

    it is one of the listed things this tool will do. Does anyone know how can i modify ntfs permission on c:\ so that:

    1. users can't create files and folder in c:\
    2. ACL's for all other folders stay the same

    thanks.

  • #2
    Re: Prevent users from creating files and folders in C:\

    you can script it.
    http://support.microsoft.com/kb/825751

    However make sure you test it before hardening (including every app)!!!
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"

    Comment


    • #3
      Re: Prevent users from creating files and folders in C:\

      Super!!

      thanks,

      Looking at the c:\ ntfs permissions.

      default was:

      Administrators Full Control
      System Full Control
      Creator owner Full Control
      Users Read / Execute
      Users Create Folder s/ Append Data
      Users Create Files / Write Data
      Everyone Read / Execute

      I was thinking of changing to the following:

      Administrators Full Control
      System Full Control
      Creator owner Full Control
      Users Read / Execute


      Of course i won't force it to replace all child permissions. I tihnk thats ok because i'm doing this on a fresh install with no apps installed yet. so all default folders by windows installation is pretty locked to only administrator privileged users can tamper with it and normal users can at most read.

      I will run all the apps after i install them of course, but do you guys think my plan is sound? I tried to think of all the scenarios that might affect ppl if i change the c:\ permissions.

      Since only domain users are using the computer, there's no need for the everyone group to even have read/exe since i have Users (and domain users are in Users). I don't want the Users to create folders / files / write data/ append anything in C:\. They can do that in the folders they are allowed to (their own profile and c:\ temp which i will manually set).


      Thanks for helping me out!

      Comment


      • #4
        Re: Prevent users from creating files and folders in C:\

        this is an option to read:
        http://www.microsoft.com/downloads/d...displaylang=en
        Marcel
        Technical Consultant
        Netherlands
        http://www.phetios.com
        http://blog.nessus.nl

        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
        "No matter how secure, there is always the human factor."

        "Enjoy life today, tomorrow may never come."
        "If you're going through hell, keep going. ~Winston Churchill"

        Comment


        • #5
          Re: Prevent users from creating files and folders in C:\

          thanks!

          looks like the documents i'm looking for.

          Comment

          Working...
          X