
HELP!!!! Setting up roaming profiles & folder redirection

Status
Not open for further replies.

Chiper69

IS-IT--Management
Feb 24, 2004
6
AU
Hi Everyone,
I am setting up a new Windows 2003 Server as a domain controller. I am also
going to add the terminal services role to it. (Yes, yes, I know this is not
recommended, but you try convincing a client to purchase two servers!!!)

I have set up several servers before and did most of my training on the old
NT4 system, where login scripts mapped home directories etc. I decided
with this server to download some of the MS doco and follow the step-by-step
guides from the TechNet web site on configuring roaming profiles and
redirecting the My Docs directory using group policy. I also read up on the
MS Best Practices guides.

After following the guides and testing the configuration, I have found a
number of security flaws that are so obvious that they couldn't possibly be
recommended by MS, so I have decided to pose the question here.

Basically I am wanting advice on how others set up roaming profiles and do
their folder redirection, in particular the security permissions that they
assign and how they set up their user groups. I have searched the web for a
clear, concise doco but have come up empty-handed.

To explain the problem, I will do a comparison between how I usually
configure folder redirection and how the MS doco recommends doing it.

*****************My time-tested old-fashioned way. *******************
Create a company data directory.
In this directory create a User directory and DO NOT SHARE IT.
Change the permissions of this dir so only admins have full access. Remove
the domain users group.
Create a home directory for each user in the User directory.
Share it as their name with a dollar sign, i.e. Joe Blogs would be JoeB$.
Give the specific user full permissions to the home directory.
Assign this drive as their home dir in the AD user profile.
Use net use h: /home in the login script to map their home directory.
Set the user's profile directory to h:\profile.
Use group policy to redirect My Docs to h:\My Docs.

This configuration works, and works well. Users only have access to their own
home directory. There are no global shares that all users can access and
write files to. The only downside is that setting this up for 50 users can be
extremely time consuming.

***********************MS Doco Recommended way********************
Create a profiles directory, i.e. C:\profiles.
Share it as profiles (Not a hidden share!!!)
Network Permissions: Everyone Full Control
NTFS Permissions: domain\Users default permissions + write.
Create a user and set the profile path to \\servername\profiles\%username%

This works great: once the first user is set up you can copy their template
and add each user, and the profile and login script are added for you. My gripe
is that you now have a profile share that is accessible by everyone with full
control. Even if you only give domain users full control, it doesn't stop my
users from downloading all their MP3s to this dir, or viruses using this share
to propagate.

The folder redirection follows the same instructions as above, however it is
a hidden share and the dir name is User Data. First, I'm not a believer in
using spaces for folder names, but that's neither here nor there.

My gripe with this setup is that once you redirect the user's My Docs to
\\server\UserData$\%username%,
all users have full access to the \\server\UserData$ directory, which I
explained earlier is bad for viruses and users' MP3s, and what's more is that
each user can view inside each other's folders, i.e.
\\server\userdata$\%username%. Now sure, the folder redirection grants
exclusive access to the My Docs folder that is located within the
\\userdata$\%username% folder, but this stops even the administrator from
getting in there, which is a real pain in the ass when you want to transfer
files or delete a file etc.

Sure, this method is more convenient when setting up user accounts and less
time consuming, but you end up with three shares that any authenticated domain
user has full access to, namely \\server\profiles, \\server\userdata$ and
\\server\userdata$\%username%. This security just doesn't seem tight enough
for me.

Is this the way that the new generation of MCPs & MCSEs set up their servers?
Surely there is a more secure way!!!! Please, any advice would be much
appreciated; even a link to some doco or step-by-step guides would be good.

The current doco I was referring to is from

Thanks to everyone who has stuck with this post and read it all; I know it's a
long one!!!!

Cheers
Chiper
"Network Permissions Everyone Full Control
NTFS Permissions domain\Users default permissions + write."

Here you mean on the share you put "Everyone Full Control"?

Then you restrict with NTFS?

It's OK to do this, because the effective permissions are the most restrictive combination of the share rights and the NTFS rights.

If 'Everyone' has full control on the share, but only domain users have any NTFS rights, then 'Everyone' will not be able to access the share. Only domain users can.

Nothing to stop you putting the $ and hiding the shares...

Maybe you can play around with special permissions in the shares to let a user create his redirected folder, but not write any files in the folder share itself...?


Aftertaf

getting quite good at sorting out Windows problems...
An expert when it comes to crashing Linux distributions (mdk, debian - nothing withstands me)
First off, you've asked a W2K3 Server question in a W2K Server forum.

That aside, MS's recommendation is just fine. As was already pointed out, a share's security is determined by the most restrictive of the Share or Security settings. In MS's case, the Security settings are the more restrictive of the two, restricting access to the user only, so no problem.

I'm Certifiable, not certified.
It just means my answers are from experience, not a book.
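The share-versus-NTFS layering both replies describe, as an added PowerShell example that is not from this thread or from Microsoft's guides: it provisions a hidden per-user home share the way the original post's "old-fashioned" method does, while leaving the share ACL wide open as the MS doco does, so the NTFS ACL alone decides who gets in. It assumes a Windows Server where icacls.exe and net share /GRANT exist (2008 or later, not 2003), a placeholder domain CONTOSO, and an unshared base directory D:\Users.

```powershell
# Added example, not code from the thread. Assumes: CONTOSO is a placeholder
# domain, D:\Users is a parent directory that is itself NOT shared, and the
# script runs as a local Administrator on a server with icacls.exe and
# net share /GRANT (Windows Server 2008 or later).
$Domain   = 'CONTOSO'
$BasePath = 'D:\Users'
$Server   = $env:COMPUTERNAME

function New-UserHome {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $homeDir   = Join-Path $BasePath $SamAccountName
    $shareName = "$SamAccountName`$"     # trailing $ hides the share from browsing

    New-Item -ItemType Directory -Path $homeDir -Force | Out-Null
    New-Item -ItemType Directory -Path (Join-Path $homeDir 'profile') -Force | Out-Null

    # NTFS: drop the ACEs inherited from D:\Users, then grant ONLY Administrators,
    # SYSTEM and the user. Keeping Administrators here is what preserves admin
    # access that the "exclusive rights" redirection option would otherwise remove.
    icacls $homeDir /inheritance:r | Out-Null
    icacls $homeDir /grant "BUILTIN\Administrators:(OI)(CI)F" `
                           "NT AUTHORITY\SYSTEM:(OI)(CI)F" `
                           "$Domain\$($SamAccountName):(OI)(CI)F" | Out-Null

    # Share: Everyone/Full here is harmless because effective access is the more
    # restrictive of share and NTFS rights; nobody gets past the NTFS ACL above.
    net share "$shareName=$homeDir" /GRANT:Everyone,FULL /REMARK:"Home for $SamAccountName" | Out-Null

    # Paths to plug into the AD account and the folder-redirection GPO.
    [pscustomobject]@{
        User        = $SamAccountName
        HomePath    = "\\$Server\$shareName"                 # home drive H:
        ProfilePath = "\\$Server\$shareName\profile"         # roaming profile path
        MyDocsPath  = "\\$Server\$shareName\My Documents"    # redirection target
    }
}

# Usage (hypothetical account): New-UserHome -SamAccountName 'joeb'
```

Verify afterwards with icacls D:\Users\joeb and net share joeb$: the share ACL shows Everyone, the NTFS ACL shows only the three explicit entries.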