Security Recommendations for Folder Redirection
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Use the following guidelines when you create the shares for redirected folders to ensure you set access permissions appropriately, and to help provide the most secure configuration.
For information about deploying Folder Redirection on newer versions of Windows, see Deploy Folder Redirection, Offline Files, and Roaming User Profiles.
Redirected folders contain personal information such as documents and EFS certificates, so it is important to protect this data.
Create a security group for the users who have redirected folders on a particular share, and limit access to that share to those users only.
Create a hidden share by putting a dollar sign ($) after the share name. The share is then not listed in Network Neighborhood. Hiding the share only removes it from browse lists; it is not an access control, so the share and NTFS permissions below still have to be set correctly.
Grant users the minimum permissions that are required to access the data.
Tables 7.12, 7.13, and 7.14 show the permissions for the folder redirection root, share, and the users’ redirected folders.
Table 7.12 NTFS Permissions for Folder Redirection Root Folder

| User Account | Minimum Permissions Required |
|---|---|
| Creator Owner | Full Control, Subfolders and Files Only |
| Administrator | None |
| Security group of users that need to put data on share | List Folder/Read Data, Create Folders/Append Data - This Folder Only |
| Everyone | No Permissions |
| Local System | Full Control, This Folder, Subfolders and Files |
Table 7.13 Share level (SMB) Permissions for Folder Redirection Share

| User Account | Default Permissions | Minimum permissions required |
|---|---|---|
| Everyone | Full Control | No permissions |
| Security group of users that need to put data on share | N/A | Full Control |
Table 7.14 NTFS Permissions for Users' Redirected Folders

| User Account | Default Permissions | Minimum permissions required |
|---|---|---|
| %Username% | Full Control, Owner of Folder | Full Control, Owner of Folder |
| Local System | Full Control | Full Control |
| Administrators | No permissions | No permissions |
| Everyone | No permissions | No permissions |
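The following PowerShell script is an added example, not part of the original TechNet page, that applies the guidance above end to end: it creates the redirection root, replaces its NTFS ACL with the entries from Table 7.12, publishes it as a hidden share granting only the user security group Full Control as in Table 7.13, and then audits the result. The drive path `D:\RedirectedFolders`, the share name `RedirectedFolders$`, the domain `CONTOSO` and the pre-created group `FolderRedirectionUsers` are assumptions; the `SmbShare` cmdlets require Windows Server 2012 or later rather than the Windows Server 2003 the page targets. Per-user folders (Table 7.14) are created and owned by the user through the Folder Redirection policy itself, so they are not created here.

```powershell
# Added example (not from the original page). Assumptions: a current Windows
# Server with the SmbShare module, domain CONTOSO, and an existing security
# group CONTOSO\FolderRedirectionUsers holding the redirected-folder users.
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$Root      = 'D:\RedirectedFolders'           # assumed root path
$ShareName = 'RedirectedFolders$'             # trailing $ hides it from browsing
$UserGroup = 'CONTOSO\FolderRedirectionUsers' # assumed security group

# Well-known SIDs avoid localized account names for Creator Owner and SYSTEM.
$CreatorOwner = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::CreatorOwnerSid, $null)
$LocalSystem  = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)

function New-AllowRule {
    param($Identity, [string]$Rights, [string]$Inherit, [string]$Propagation)
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagation,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

function Set-FolderRedirectionRootAcl {
    param([string]$Path, [string]$Group)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl = Get-Acl -Path $Path
    # Break inheritance from the volume root so Administrators / Users /
    # Everyone entries from the parent are not carried onto the root (Table 7.12
    # gives Administrators and Everyone no permissions at all).
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }

    # Creator Owner: Full Control, Subfolders and Files Only. Each user becomes
    # owner of the folder the redirection client creates, so this is what gives
    # %Username% Full Control on its own folder (Table 7.14).
    $acl.AddAccessRule((New-AllowRule $CreatorOwner 'FullControl' 'ContainerInherit, ObjectInherit' 'InheritOnly'))
    # Local System: Full Control, This Folder, Subfolders and Files.
    $acl.AddAccessRule((New-AllowRule $LocalSystem 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
    # User group: List Folder/Read Data + Create Folders/Append Data, This Folder
    # Only. ListDirectory and CreateDirectories are the enum names for those rights.
    $acl.AddAccessRule((New-AllowRule $Group 'ListDirectory, CreateDirectories' 'None' 'None'))
    Set-Acl -Path $Path -AclObject $acl
}

function New-FolderRedirectionShare {
    param([string]$Name, [string]$Path, [string]$Group)
    # Granting -FullAccess to the group only means the default Everyone entry is
    # never created (Table 7.13). -EncryptData turns on SMB 3 encryption, the
    # current counterpart of the IPsec/SMB signing advice for data in transit.
    New-SmbShare -Name $Name -Path $Path -FullAccess $Group -EncryptData $true |
        Out-Null
}

function Test-FolderRedirectionRootAcl {
    # Returns $true when the DACL contains no Everyone or Administrators entry
    # and inheritance from the parent is blocked.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $leaked = $acl.Access | Where-Object {
        $_.IdentityReference.Value -in @('Everyone', 'BUILTIN\Administrators')
    }
    return ($acl.AreAccessRulesProtected -and -not $leaked)
}

Set-FolderRedirectionRootAcl -Path $Root -Group $UserGroup
New-FolderRedirectionShare -Name $ShareName -Path $Root -Group $UserGroup
if (-not (Test-FolderRedirectionRootAcl -Path $Root)) {
    throw "ACL on $Root still grants Everyone or Administrators access"
}
Get-SmbShareAccess -Name $ShareName | Format-Table -AutoSize
```

Re-run `Test-FolderRedirectionRootAcl` as a periodic check: an administrator who later "fixes" a user's access by re-enabling inheritance or adding Administrators will silently undo the least-privilege configuration from Table 7.12.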
To provide the best protection for data as it is transmitted over the network, set up the shares for redirected folders on servers running Windows 2000 or later. The Kerberos, IPSec, and SMB signing security features of Windows 2000 and Windows Server 2003 help protect the users' data.
Always format the volumes that hold redirected folders with NTFS; FAT volumes cannot carry the NTFS permissions in Tables 7.12 and 7.14.
When you use EFS to encrypt files on a remote server, the data is encrypted only while it is stored on the disk, not while it is transmitted over the network. The exceptions are IPSec and Web Distributed Authoring and Versioning (WebDAV). IPSec encrypts data while it is transported over a TCP/IP network. If a file is encrypted before it is copied or moved to a WebDAV folder on a server, it remains encrypted during transmission and while it is stored on the server.
Although access control lists (ACLs) protect the Offline Files cache on NTFS partitions by default, encrypting the cache adds protection on the local computer. By default the cache is not encrypted, so files that are EFS-encrypted on the server are stored in clear text in the local cache once they are made available offline. This can pose a security risk in some environments, for example on portable computers that may be lost or stolen.
When you enable encryption, all files in the Offline Files cache are encrypted, including existing files and any files that you add later. Only the cached copy on the local computer is affected; the network copy is not changed.
You can encrypt the cache in one of two ways:
By using Group Policy to enable the Encrypt the Offline Files cache policy setting. This setting is in the Computer Configuration\Administrative Templates\Network\Offline Files node in the Group Policy Object Editor snap-in.
Manually, by clicking Folder Options on the Tools menu in Windows Explorer. Click the Offline Files tab, and then select the Encrypt offline files to secure data check box.
Note
- Encryption of the Offline File cache is only available in Windows XP and Windows Server 2003; it is not possible to encrypt the cache on Windows 2000–based computers.
For information about encrypting the Offline Files cache for Windows XP, see the How to Encrypt Offline Files link on the Web resources page at https://www.microsoft.com/windows/reskits/webresources. For information about encrypting files for Windows 2000, see the Encrypting File System for Windows 2000 link on the Web resources page.
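As an added example, not from the original page, the script below enforces the Group Policy setting described above on a single computer by writing its registry-backed policy value, and then compares the policy with the cache's actual state. It assumes that the setting is stored under `HKLM\SOFTWARE\Policies\Microsoft\Windows\NetCache` as a DWORD named `EncryptCache`, and that the `Win32_OfflineFilesCache` WMI class exposes the cache's `Encrypted` state; both are assumptions about current Windows versions, not statements from this page, and for domain-wide deployment the GPO path in the text is the supported route.

```powershell
# Added example (not from the original page). Assumptions: the policy value
# HKLM\SOFTWARE\Policies\Microsoft\Windows\NetCache\EncryptCache (DWORD, 1 =
# enabled) backs "Encrypt the Offline Files cache", and Win32_OfflineFilesCache
# reports the live cache state on Windows Vista / Server 2008 and later.
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetCache'

function Get-OfflineFilesCachePolicy {
    # Returns 'Enabled', 'Disabled' or 'NotConfigured' for the policy value.
    if (-not (Test-Path $PolicyKey)) { return 'NotConfigured' }
    $item = Get-ItemProperty -Path $PolicyKey
    if ($null -eq ($item.PSObject.Properties['EncryptCache'])) { return 'NotConfigured' }
    if ($item.EncryptCache -eq 1) { 'Enabled' } else { 'Disabled' }
}

function Enable-OfflineFilesCacheEncryptionPolicy {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'EncryptCache' -PropertyType DWord `
        -Value 1 -Force | Out-Null
}

function Get-OfflineFilesCacheState {
    # Live state as reported by the Offline Files service (assumed WMI class).
    $cache = Get-CimInstance -ClassName Win32_OfflineFilesCache
    [PSCustomObject]@{
        Enabled   = [bool]$cache.Enabled
        Encrypted = [bool]$cache.Encrypted
        Location  = $cache.Location
    }
}

Enable-OfflineFilesCacheEncryptionPolicy
"Policy: $(Get-OfflineFilesCachePolicy)"
$state = Get-OfflineFilesCacheState
$state | Format-List
if ($state.Enabled -and -not $state.Encrypted) {
    # The policy is applied at the next policy refresh / reboot; until then the
    # cache, and any EFS-protected files pulled into it, remain in clear text.
    Write-Warning 'Cache is still unencrypted; run gpupdate /force or reboot, then re-check.'
}
```

The policy-versus-state comparison is the useful part: a policy that reads Enabled while the cache reports `Encrypted = False` is exactly the window in which EFS-protected documents from the share sit unencrypted on a laptop disk.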