Security Recommendations for Roaming User Profiles Shared Folders

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You need to ensure that access permissions are set appropriately on the shared folders that contain user profile folders and to secure the servers on which the users’ data is stored. To provide enhanced security, host the roaming profile shared folders on servers running Windows 2000 or later, use NTFS on the volumes containing the users’ data, and grant share and NTFS access permissions as described in this section.

For information about deploying Roaming User Profiles on newer versions of Windows, see Deploy Folder Redirection, Offline Files, and Roaming User Profiles.

Granting profile share permissions

A common cause of roaming user profile problems is incorrectly set permissions. To ensure that permissions are set correctly, use the following guidelines:

  • When you create the shared folders for roaming user profiles, limit access to the folder to only the users who need it.

  • Because a roaming profile contains personal information, such as the user’s documents and EFS certificates, it is important to ensure that roaming user profiles are secure. Here are some ways you can enhance the security of roaming user profiles:

    • Restrict the shared folder to only users who need access. Create a security group for the users who have profiles on a particular shared folder, and then grant access only to that group.

    • When you create the shared folder, hide it by putting a dollar sign ($) after the share name. This hides the share from casual browsers and from My Network Places, but it is not an access control: anyone who knows or guesses the name can still connect, so the share and NTFS permissions below are what actually restrict access.

    • Unless you need special permissions on the profile folder, do not create profile folders in advance for the user. Instead, allow the system to create them. A folder created by the system is owned by the user and carries the permissions in Table 7.9; a folder created in advance by an administrator is owned by the Administrators group, and by default the profile fails to load when the user is not the owner of the profile folder.

    • Assign users the minimum permissions that are required, as described in Tables 7.7, 7.8, and 7.9. These tables list the required NTFS and share-level server message block (SMB) permissions for roaming user profile shares and folders.

Table 7.7   NTFS Permissions for Roaming Profile Parent Folder

User Account                                          Minimum Permissions Required
----------------------------------------------------  --------------------------------------------------------------------
Creator Owner                                         Full Control, Subfolders and Files Only
Administrators                                        None
Security group of users needing to put data on share  List Folder/Read Data, Create Folders/Append Data - This Folder Only
Everyone                                              No permissions
Local System                                          Full Control, This Folder, Subfolders and Files

Table 7.8   Share level (SMB) Permissions for Roaming Profile Share

User Account                                          Default Permissions   Minimum Permissions Required
----------------------------------------------------  --------------------  ----------------------------
Everyone                                              Read only             No permissions
Security group of users needing to put data on share  N/A                   Full Control

Table 7.9   NTFS Permissions for Each User’s Roaming Profile Folder

User Account    Default Permissions            Minimum Permissions Required
--------------  -----------------------------  -----------------------------
%Username%      Full Control, Owner of Folder  Full Control, Owner of Folder
Local System    Full Control                   Full Control
Administrators  No Permissions*                No Permissions
Everyone        No Permissions                 No Permissions

* No permissions is the default unless the Add the Administrator security group to the roaming user profile share policy setting is set, in which case the Administrators group has Full Control. (The Add the Administrator security group to the roaming user profile share policy setting requires Windows 2000 Service Pack 2 or later.)
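The following script is an added example and not code from the original article. It creates the profile share with exactly the NTFS entries of Table 7.7 and the share entries of Table 7.8, and then audits the parent folder, the share, and every existing per-user folder against Table 7.9 (ownership, Everyone, Administrators). The profile root D:\Profiles, the share name Profiles$, the group CONTOSO\Roaming Profile Users and the requirement for Windows Server 2012 or later (SmbShare module) are assumptions for the example, not part of the article.

```powershell
# Added example, not code from the original article. Creates the roaming profile share
# with the NTFS ACL of Table 7.7 and the share ACL of Table 7.8, then audits the share
# and every existing per-user folder against Table 7.9.
# Assumptions (placeholders, not from the article): Windows Server 2012 or later with the
# SmbShare module, D:\Profiles as the root, the share name Profiles$, and an existing
# domain group CONTOSO\Roaming Profile Users. Run from an elevated PowerShell session.
param(
    [string]$ProfileRoot  = 'D:\Profiles',
    [string]$ShareName    = 'Profiles$',                     # trailing $ only hides it from browse lists
    [string]$ProfileGroup = 'CONTOSO\Roaming Profile Users'
)
$ErrorActionPreference = 'Stop'

function New-AllowRule([string]$Identity, [string]$Rights, [string]$Inherit, [string]$Propagate) {
    # PowerShell converts the strings to FileSystemRights, InheritanceFlags and
    # PropagationFlags; that is how the "This folder only" and "Subfolders and files only"
    # wording of the tables is expressed in the API.
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
               -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

New-Item -ItemType Directory -Path $ProfileRoot -Force | Out-Null

# Table 7.7: start from an empty DACL, cut inheritance from the volume root (which is
# where Everyone, Users and Administrators entries normally come from) and add only the
# three entries the table lists. Administrators and Everyone get no entry at all.
$acl = New-Object -TypeName System.Security.AccessControl.DirectorySecurity
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-AllowRule 'CREATOR OWNER' 'FullControl' 'ContainerInherit, ObjectInherit' 'InheritOnly'))
$acl.AddAccessRule((New-AllowRule $ProfileGroup 'ListDirectory, CreateDirectories' 'None' 'None'))
$acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\SYSTEM' 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
Set-Acl -Path $ProfileRoot -AclObject $acl

# Table 7.8: no Everyone entry on the share; the profile group gets Full Control and the
# NTFS ACL above decides what each member can actually do. Access-based enumeration is
# not in the table; it stops members from listing each other's profile folders.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $ProfileRoot -FullAccess $ProfileGroup `
                 -FolderEnumerationMode AccessBased | Out-Null
}

function Test-ProfileShare {
    # Emits one string per deviation from Tables 7.7 to 7.9; no output means clean.
    $parent = Get-Acl -Path $ProfileRoot
    if (-not $parent.AreAccessRulesProtected) {
        "$ProfileRoot still inherits permissions from its parent folder"
    }
    foreach ($ace in $parent.Access) {
        if ($ace.IdentityReference.Value -in 'Everyone', 'BUILTIN\Users', 'BUILTIN\Administrators') {
            "Parent folder grants $($ace.FileSystemRights) to $($ace.IdentityReference)"
        }
    }
    foreach ($entry in Get-SmbShareAccess -Name $ShareName) {
        if ($entry.AccountName -eq 'Everyone') { "Share $ShareName grants $($entry.AccessRight) to Everyone" }
    }
    # Table 7.9: the user must own the folder (the profile does not load otherwise) and
    # Everyone must have no entry. Administrators is reported because it is expected only
    # when the "Add the Administrator security group to the roaming user profile share"
    # policy setting is in effect.
    foreach ($dir in Get-ChildItem -Path $ProfileRoot -Directory) {
        $user = $dir.Name -replace '\.V\d+$', ''     # newer clients append .V2, .V6 and so on
        $acl  = Get-Acl -Path $dir.FullName
        if ($acl.Owner -notlike "*\$user") { "$($dir.Name): owner is $($acl.Owner), not $user" }
        foreach ($ace in $acl.Access) {
            switch ($ace.IdentityReference.Value) {
                'Everyone'               { "$($dir.Name): Everyone has $($ace.FileSystemRights)" }
                'BUILTIN\Administrators' { "$($dir.Name): Administrators have $($ace.FileSystemRights) (policy-dependent)" }
            }
        }
    }
}

Test-ProfileShare | ForEach-Object { Write-Warning $_ }
```

Run it once to build the share, then re-run it (or call Test-ProfileShare alone) periodically: a profile folder whose owner is not the user, or an Everyone entry that appeared because someone copied a profile in with the wrong tool, shows up as a warning. The audit deliberately does not fix per-user folders, because changing ownership or removing entries on a live profile is a change the profile owner should know about.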

Hosting profile shares on servers running Windows 2000 or Windows Server 2003

A user’s roaming profile contains personal information that is copied between the client computer and the server that hosts the roaming profile each time the user logs on or off; therefore, it is important to ensure that the data is protected as it travels over the network.

The major threats to the privacy and integrity of a user’s data are an attacker intercepting or tampering with the data as it passes over the network, an attacker impersonating the server that hosts the profile, and compromise of the server hosting the user’s data.

Several features of Windows 2000 and Windows Server 2003 can help to secure a user’s data:

  • Kerberos. Kerberos is the default authentication protocol in Windows 2000 and later Active Directory domains. Whereas NTLM authenticates only the client, Kerberos authenticates both the client and the server (mutual authentication): with NTLM, the client cannot detect that it is talking to an impostor rather than the genuine profile server. This matters particularly when the client exchanges personal files with the server, as is the case with roaming profiles. Kerberos is not available on Windows NT 4.0 or earlier operating systems, and it is used only when the client connects to the server by a name for which a service principal name is registered; a client that connects by IP address typically falls back to NTLM.

  • IP Security Protocol (IPSec). IPSec provides network-level authentication, data integrity, and encryption to ensure that roamed data is safe from the following:

    • Data modification while en route

    • Interception, viewing, or copying

    • Access by unauthenticated parties

    For more information about IPSec, see the Networking Collection of the Windows Server 2003 Technical Reference (or see the Networking Collection on the Web at https://www.microsoft.com/reskit).

  • Server Message Block Signing. SMB supports message signing, which protects against tampering with SMB messages in transit and against "man-in-the-middle" (relay) attacks on the session. Each SMB message carries a keyed message authentication code computed from the session key established during authentication, and each side verifies the signature on the messages it receives. Signing is used only when both sides support it: a session is signed if at least one side requires signing and the other side has it enabled, and the connection fails if one side requires signing and the other has it disabled. To guarantee that profile data is always signed, require SMB signing on the server that hosts the profile share.

Note

  • SMB signing imposes a performance penalty. It does not consume any additional network bandwidth, but it does use more CPU cycles on both the client and the server.
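The following script is an added example, not code from the original article. It reads and enforces the SMB signing policy on a profile server through the registry values behind the "Digitally sign communications" settings (LanmanServer and LanmanWorkstation Parameters, present on Windows 2000 and later), and checks whether a connection to the profile server was authenticated with Kerberos rather than NTLM by looking for a cifs/ service ticket. The server name profiles01.contoso.com, the share name Profiles$, and the reliance on klist.exe (built in from Windows 7 and Windows Server 2008 R2) and its "cifs/<fqdn>" output format are assumptions made for the example.

```powershell
# Added example, not code from the original article. Checks and sets SMB signing through
# the registry values behind the "Digitally sign communications" policy settings (present
# on Windows 2000 and later) and checks that a connection to the profile server used
# Kerberos. Assumptions: PowerShell 2.0 or later, an elevated session, klist.exe on the
# client (built in from Windows 7 / Windows Server 2008 R2), and the placeholder server
# name profiles01.contoso.com with a share called Profiles$.
$SigningKeys = @{
    Server = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'       # SMB server side
    Client = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'  # SMB client side
}

function Get-SmbSigningState {
    # One object per side. A missing value reads as 0, i.e. the setting is off.
    foreach ($side in 'Server', 'Client') {
        $p = Get-ItemProperty -Path $SigningKeys[$side]
        New-Object -TypeName PSObject -Property @{
            Side     = $side
            Enabled  = ([int]$p.EnableSecuritySignature  -eq 1)
            Required = ([int]$p.RequireSecuritySignature -eq 1)
        }
    }
}

function Set-SmbSigningRequired {
    # "Required" is what guarantees a signed session: a peer that merely has signing
    # enabled signs when asked, and a peer with signing disabled is refused instead of
    # being silently downgraded to an unsigned session. Requiring it on the profile server
    # is enough to protect every profile upload and download.
    param([ValidateSet('Server', 'Client')][string]$Side)
    Set-ItemProperty -Path $SigningKeys[$Side] -Name EnableSecuritySignature  -Value 1 -Type DWord
    Set-ItemProperty -Path $SigningKeys[$Side] -Name RequireSecuritySignature -Value 1 -Type DWord
    $svc = if ($Side -eq 'Server') { 'Server' } else { 'Workstation' }
    Write-Warning "$Side signing is now required; it takes effect when the $svc service restarts"
}

function Test-KerberosCifsTicket([string]$ServerFqdn) {
    # True when the logon session holds a cifs/<fqdn> service ticket, i.e. the last
    # connection to that server was authenticated with Kerberos (mutual authentication).
    # Connect by DNS name (\\profiles01.contoso.com\Profiles$): connecting by IP address
    # normally falls back to NTLM and leaves no such ticket.
    $tickets = & klist.exe 2>$null
    [bool]($tickets -match ('cifs/' + [regex]::Escape($ServerFqdn)))
}

$state = Get-SmbSigningState
$state | Format-Table Side, Enabled, Required -AutoSize
if (-not ($state | Where-Object { $_.Side -eq 'Server' -and $_.Required })) {
    Set-SmbSigningRequired -Side Server
}
if (Test-Path -Path '\\profiles01.contoso.com\Profiles$') {
    if (Test-KerberosCifsTicket 'profiles01.contoso.com') { 'Profile server session used Kerberos' }
    else { Write-Warning 'No Kerberos ticket for the profile server; the session probably used NTLM' }
}
```

Run the signing part on the profile server and the Kerberos check from a client. Because a registry change is only read when the Server service starts, schedule the restart (or a reboot) outside logon and logoff peaks: restarting the service drops every open profile session.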

Using the NTFS File System for Volumes Containing User Data

For the most secure configuration, always configure servers that host roaming profiles to use NTFS. The file allocation table (FAT) file systems have no per-file security at all, so on a FAT volume the share permissions are the only protection. NTFS supports discretionary access control lists (DACLs), which determine who can perform which operations on a file, and system access control lists (SACLs), which determine which actions on a file are logged (object access auditing must also be enabled in the audit policy for SACL entries to produce events).