Security Considerations when Configuring Roaming User Profiles

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

When creating the roaming profile share, limit access to the share to only those users who need it.

Because a user's roaming profile contains personal information, such as documents and EFS certificates, care should be taken to protect it as well as possible. In general:

  • Restrict the share to only users that need access. Create a security group for users that have profiles on a particular share, and limit access to only those users.

  • When creating the share, hide the share by putting a $ after the share name. This will hide the share from casual browsers; the share will not be visible in My Network Places.

  • Unless you need special permissions on the profile folder, don't pre-create profile folders for the user; allow the system to create them.

  • Only give users the minimum permissions needed. The required permissions are shown in the tables below:

Table 3 NTFS Permissions for Roaming Profile Parent Folder

  User Account                                           Minimum permissions required
  ---------------------------------------------------    --------------------------------------------------------------------
  Creator/Owner                                          Full Control, Subfolders And Files Only
  Administrator                                          None
  Security group of users needing to put data on share   List Folder/Read Data, Create Folders/Append Data - This Folder Only
  Everyone                                               No Permissions
  Local System                                           Full Control, This Folder, Subfolders And Files

Table 4 Share level (SMB) Permissions for Roaming Profile Share

  User Account                                           Default Permissions   Minimum permissions required
  ---------------------------------------------------    -------------------   ----------------------------
  Everyone                                               Full Control          No Permissions
  Security group of users needing to put data on share   N/A                   Full Control

Table 5 NTFS Permissions for Each User's Roaming Profile Folder

  User Account     Default Permissions            Minimum permissions required
  --------------   ----------------------------   ----------------------------
  %Username%       Full Control, Owner Of Folder  Full Control, Owner Of Folder
  Local System     Full Control                   Full Control
  Administrators   No Permissions*                No Permissions
  Everyone         No Permissions                 No Permissions

*Unless the "Add the Administrator security group to the roaming user profile share" policy is set, in which case the Administrators group has Full Control (requires Windows 2000 Service Pack 2 or later).
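As an added example (not part of the original article), the following PowerShell script creates a profile share whose NTFS permissions match Table 3 and whose share permissions match Table 4. The folder path D:\Profiles, the hidden share name Profiles$ and the group CONTOSO\RoamingProfileUsers are assumptions; substitute your own. It uses icacls (shipped with Windows Server 2003 SP2 and later) and net share, so it must be run elevated on the file server. Well-known SIDs are used instead of the names CREATOR OWNER and SYSTEM because those names are localized.

```powershell
# Added example: build a roaming profile share with the permissions from
# Tables 3 and 4. All three parameter defaults are assumptions.
param(
    [string]$ProfileRoot  = 'D:\Profiles',                   # assumed local path
    [string]$ShareName    = 'Profiles$',                     # assumed hidden share name
    [string]$ProfileGroup = 'CONTOSO\RoamingProfileUsers'    # assumed security group
)

if (-not (Test-Path -LiteralPath $ProfileRoot)) {
    New-Item -ItemType Directory -Path $ProfileRoot | Out-Null
}

# Table 3: NTFS permissions on the parent folder.
#   /inheritance:r drops inherited ACEs (the volume root normally passes
#                  down Read for "Users", which Table 3 does not allow)
#   (OI)(CI)(IO)F  = Full Control, Subfolders And Files Only
#   (OI)(CI)F      = Full Control, This Folder, Subfolders And Files
#   (RD,AD)        = List Folder/Read Data, Create Folders/Append Data,
#                    no inheritance flags => This Folder Only
#   S-1-3-0 = CREATOR OWNER, S-1-5-18 = Local System
# Administrators and Everyone get no ACE at all, as the table requires.
& icacls $ProfileRoot /inheritance:r `
    /grant '*S-1-3-0:(OI)(CI)(IO)F' `
    /grant '*S-1-5-18:(OI)(CI)F' `
    /grant "${ProfileGroup}:(RD,AD)"
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Table 4: share permissions. Supplying /GRANT replaces the default
# "Everyone: Full Control" with only the listed grant.
& net share "$ShareName=$ProfileRoot" /GRANT:"$ProfileGroup,FULL" `
    /REMARK:"Roaming user profiles"
if ($LASTEXITCODE -ne 0) { throw "net share failed with exit code $LASTEXITCODE" }

# Show the resulting ACL and share permissions so they can be compared
# against Tables 3 and 4 before any user logs on.
function Show-ProfileSharePermissions {
    param([string]$Path, [string]$Share)
    Write-Host "NTFS permissions on $Path"
    & icacls $Path
    Write-Host "Share permissions on $Share"
    & net share $Share
}
Show-ProfileSharePermissions -Path $ProfileRoot -Share $ShareName
```

Because Table 3 gives Administrators no permissions, the account that runs this script will no longer be able to browse the folder afterwards; that is intended. Each user's own folder is then created by the system on first logon with the Table 5 permissions, which is why the article advises against pre-creating them.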

Use at least Windows 2000 servers to host profile shares.

Because a user's roaming profile contains personal information that is copied between the client computer and the server hosting the roaming profile, it is important to ensure that the data is protected as it travels over the network.

The biggest potential threats to the privacy and integrity of a user's data come from intercepting the data as it passes over the network, tampering with the data as it passes over the network, and spoofing the server hosting the user's data.

Several features of Windows 2000 and Windows Server 2003 can help to secure a user's data:

  • Kerberos - Kerberos is standard on all versions of Windows 2000 and Windows Server 2003, and provides the highest level of security for network resources. While NTLM authenticates only the client, Kerberos authenticates both the server and the client. When NTLM is used, the client doesn't know whether the server is valid; this is particularly important if the client is exchanging personal files with the server, as is the case with Roaming Profiles. Kerberos provides better security than NTLM and is not available on Windows NT version 4.0 or earlier operating systems.

  • IPSec - The IP Security Protocol (IPSec) provides network-level authentication, data integrity, and encryption, ensuring that roamed data is:

    • Safe from data modification while en route.

    • Safe from interception, viewing, or copying.

    • Safe from being accessed by unauthenticated parties.

  • SMB Signing - The Server Message Block (SMB) authentication protocol supports message authentication, which prevents active message and "man-in-the-middle" attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by both the client and the server. In order to use SMB signing, you must either enable it or require it on both the SMB client and the SMB server. Note: SMB signing imposes a performance penalty; although it doesn't consume any more network bandwidth, it does use more CPU cycles on both the client and the server.

Always use the NTFS file system for volumes holding user data.

For the most secure configuration, configure servers hosting roaming profiles to use the NTFS file system. Unlike FAT, NTFS supports discretionary access control lists (DACLs) and system access control lists (SACLs), which control who can perform operations on a file and which events trigger logging of actions performed on a file.
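As an added example (not part of the original article), the following PowerShell script audits a profile server for the settings discussed in the last two sections: whether SMB signing is enabled or required on the server and client side, whether the volume holding the profile share is NTFS, and whether that folder carries any SACL (auditing) entries. The registry values it reads are the ones behind the "Digitally sign communications" policies under LanmanServer and LanmanWorkstation; the path D:\Profiles is an assumption. Run it locally on the file server with rights to read HKLM and the folder's audit ACL.

```powershell
# Added example: report on SMB signing, file system type and auditing for a
# roaming profile server. $ProfileRoot is an assumed path.
param([string]$ProfileRoot = 'D:\Profiles')

function Get-SmbSigningState {
    # EnableSecuritySignature = signing offered; RequireSecuritySignature =
    # signing mandatory. A missing value is reported as 0 (not configured).
    $server = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $client = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $read = {
        param($key, $name)
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -ne $p -and $null -ne $p.$name) { [int]$p.$name } else { 0 }
    }
    [pscustomobject]@{
        ServerEnables  = (& $read $server 'EnableSecuritySignature')  -eq 1
        ServerRequires = (& $read $server 'RequireSecuritySignature') -eq 1
        ClientEnables  = (& $read $client 'EnableSecuritySignature')  -eq 1
        ClientRequires = (& $read $client 'RequireSecuritySignature') -eq 1
    }
}

function Test-ProfileVolumeIsNtfs {
    # FAT volumes have no DACLs or SACLs, so the Table 3/5 permissions cannot
    # be applied there at all.
    param([string]$Path)
    $root  = [System.IO.Path]::GetPathRoot($Path)       # e.g. D:\
    $drive = New-Object System.IO.DriveInfo($root)
    return ($drive.DriveFormat -eq 'NTFS')
}

function Test-ProfileRootHasAuditing {
    # True when at least one SACL entry exists, i.e. some access to the
    # profile root will be written to the Security log when object access
    # auditing is enabled. Reading the SACL needs SeSecurityPrivilege.
    param([string]$Path)
    $acl = Get-Acl -Path $Path -Audit -ErrorAction Stop
    return ($acl.Audit.Count -gt 0)
}

function Get-ProfileServerSecurityReport {
    param([string]$Path)
    $signing = Get-SmbSigningState
    $rows = @(
        # Signing must be at least enabled on both sides to be negotiated;
        # requiring it on both sides is what actually defeats downgrade.
        [pscustomobject]@{ Check = 'SMB signing enabled (server)';  Pass = $signing.ServerEnables  }
        [pscustomobject]@{ Check = 'SMB signing required (server)'; Pass = $signing.ServerRequires }
        [pscustomobject]@{ Check = 'SMB signing enabled (client)';  Pass = $signing.ClientEnables  }
        [pscustomobject]@{ Check = 'SMB signing required (client)'; Pass = $signing.ClientRequires }
        [pscustomobject]@{ Check = "Profile volume is NTFS ($Path)"; Pass = (Test-ProfileVolumeIsNtfs $Path) }
        [pscustomobject]@{ Check = "Profile root has SACL entries";  Pass = (Test-ProfileRootHasAuditing $Path) }
    )
    return $rows
}

Get-ProfileServerSecurityReport -Path $ProfileRoot | Format-Table -AutoSize
```

A server that only enables signing will still talk unsigned SMB to a client that does not offer it, so for a profile share the "required" rows are the ones to watch. The SACL check reports only whether auditing entries exist; which events they cover is visible in the `Audit` property of the object returned by Get-Acl.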