Security Recommendations for Folder Redirection
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Use the following guidelines when you create the shares for redirected folders to ensure you set access permissions appropriately, and to help provide the most secure configuration.
For information about deploying Folder Redirection on newer versions of Windows, see Deploy Folder Redirection, Offline Files, and Roaming User Profiles.
Restricting access to the share
Redirected folders contain personal information such as documents and EFS certificates so it is important to protect this data.
Create a security group for users who have redirected folders on a particular share and limit access only to those users
Create a hidden share by putting a dollar sign ($) after the share name. The share is not visible in the network neighborhood.
Grant users the minimum permissions that are required to access the data.
Assigning permissions for root folder, shares, and user’s redirected folder
Tables 7.12, 7.13, and 7.14 show the permissions for the folder redirection root, share, and the users’ redirected folders.
Table 7.12 NTFS Permissions for Folder Redirection Root Folder
| User Account | Minimum Permissions Required |
|---|---|
Creator Owner |
Full Control, Subfolders and Files Only |
Administrator |
None |
Security group of users that need to put data on share |
List Folder/Read Data, Create Folders/Append Data - This Folder Only |
Everyone |
No Permissions |
Local System |
Full Control, This Folder, Subfolders and Files |
Table 7.13 Share level (SMB) Permissions for Folder Redirection Share
| User Account | Default Permissions | Minimum permissions required |
|---|---|---|
Everyone |
Full Control |
No permissions |
Security group of users that need to put data on share. |
N A |
Full Control |
Table 7.14 NTFS Permissions for Users’ Redirected Folders
| User Account | Default Permissions | Minimum permissions required |
|---|---|---|
%Username% |
Full Control, Owner of Folder |
Full Control, Owner of Folder |
Local System |
Full Control |
Full Control |
Administrators |
No permissions |
No permissions |
Everyone |
No permissions |
No permissions |
Host redirected file shares on servers running Windows 2000 or Windows Server 2003
To provide the best protection as data is transmitted over the network, ensure that you set up the redirected folders shares on servers running Windows 2000 and later. The Kerberos, IPSec, and SMB signing security features of Windows 2000 and Windows Server 2003 help protect the users’ data.
Using the NTFS file system for user data volumes
Always configure the servers hosting redirected files to use NTFS to provide the most secure configuration.
Do not rely on EFS to encrypt users’ files when transmitted over the network
When you use EFS to encrypt files on a remote server, the data is encrypted only while it is stored on the disk, not when it is transmitted over the network. The exceptions to this are when your system includes IPSec or Web Distributed Authoring and Versioning (WebDAV). IPSec encrypts data while it is transported over a TCP/IP network. If the file is encrypted before being copied or moved to a WebDAV folder on a server, it remains encrypted during the transmission and while it is stored on the server.
Encrypting the Offline Files cache
While access control lists (ACLs) protect the Offline Files cache on NTFS partitions by default, encrypting the cache enhances security on a local computer. By default, the cache on the local computer is not encrypted, so any encrypted files that are cached from the network are not encrypted on the local computer. This might pose a security risk in some environments.
When you enable encryption, all files in the Offline Files cache are encrypted, including existing files and any files that you add later. The cached copy on the local computer is affected, but the associated network copy is not.
You can encrypt the cache in one of two ways:
By using Group Policy to enable the Encrypt the offline files cache policy setting. This setting is in the Computer Configuration\Administrative Templates\Network\Offline Files node in the Group Policy Object Editor snap-in.
Manually, by clicking Folder Options on the Tools menu in Windows Explorer. Click the Offline Files tab, and then select the Encrypt offline files to secure data check box.
Note
- Encryption of the Offline File cache is only available in Windows XP and Windows Server 2003; it is not possible to encrypt the cache on Windows 2000–based computers.
For information about encrypting the Offline Files cache for Windows XP, see the How to Encrypt Offline Files link on the Web resources page at https://www.microsoft.com/windows/reskits/webresources. For information about encrypting files for Windows 2000, see the Encrypting File System for Windows 2000 link on the Web resources page.