Blocking Access to the TS "C" and "D" Drive

Discussion:

(too old to reply)

Toolguy99

2005-03-22 17:39:07 UTC

I have a company that is just starting to use terminal server. The company
is small and the Terminal Server has been licensed on their main file server.
They want the users to have access to the file shares, but not the root of
the hard drives on the server, in this case, the C and D drive. Is there a
way to block access to those drives during a TS session while still allowing
access to mapped network drives (that may point back to folders on the local
(to TS) C and D drives?

Vera Noest [MVP]

2005-03-22 20:45:34 UTC

Permalink

Which OS are you running on the server?
You can and should do two things:

1) hide those drives from the users through a Group Policy. Note
that this is a cosmetic fix only, it's much more convenient for the
users when they don't see the drives, but it does *not* give you
any security. That's why you also need to:

2) use NTFS permissions on the file system to keep users out of the
disk area where they should not have access.

278295 - How to Lock Down a Windows 2000 Terminal Services Session
http://support.microsoft.com/?kbid=278295

231289 - Using Group Policy Objects to Hide Specified Drives in My
Computer for Windows 2000
http://support.microsoft.com/?kbid=231289

Securing Windows 2000 Terminal Services
http://www.microsoft.com/technet/treeview/default.asp?
url=/technet/prodtechnol/win2kts/maintain/optimize/secw2kts.asp

Guide to Securing Microsoft Windows 2000 Terminal Services
http://nsa1.www.conxion.com/win2k/guides/w2k-19.pdf

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---

Post by Toolguy99
I have a company that is just starting to use terminal server.
The company is small and the Terminal Server has been licensed
on their main file server.
They want the users to have access to the file shares, but not the root of
the hard drives on the server, in this case, the C and D drive.
Is there a way to block access to those drives during a TS
session while still allowing access to mapped network drives
(that may point back to folders on the local (to TS) C and D
drives?

toolguy99

2005-03-22 22:35:02 UTC

Permalink

Vera,

Thanks for the reply.

I did lock the drives down under a group policy, but they can still right
click the start button and select explore and see the C drive. The D drive
remains hidden.

This is running on Windows 2003 standard server.

Post by Vera Noest [MVP]
Which OS are you running on the server?
1) hide those drives from the users through a Group Policy. Note
that this is a cosmetic fix only, it's much more convenient for the
users when they don't see the drives, but it does *not* give you
2) use NTFS permissions on the file system to keep users out of the
disk area where they should not have access.
278295 - How to Lock Down a Windows 2000 Terminal Services Session
http://support.microsoft.com/?kbid=278295
231289 - Using Group Policy Objects to Hide Specified Drives in My
Computer for Windows 2000
http://support.microsoft.com/?kbid=231289
Securing Windows 2000 Terminal Services
http://www.microsoft.com/technet/treeview/default.asp?
url=/technet/prodtechnol/win2kts/maintain/optimize/secw2kts.asp
Guide to Securing Microsoft Windows 2000 Terminal Services
http://nsa1.www.conxion.com/win2k/guides/w2k-19.pdf
--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---

Vera Noest [MVP]

2005-03-23 21:42:44 UTC

Permalink

Yes, that's why you need the NTFS permissions. Hide drives works
only in standard "File Open" and "Save as" dialog boxes, and not
very well there either.

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---

Post by toolguy99
Vera,
Thanks for the reply.
I did lock the drives down under a group policy, but they can
still right click the start button and select explore and see
the C drive. The D drive remains hidden.
This is running on Windows 2003 standard server.

Post by Vera Noest [MVP]
Which OS are you running on the server?
1) hide those drives from the users through a Group Policy.
Note that this is a cosmetic fix only, it's much more
convenient for the users when they don't see the drives, but it
2) use NTFS permissions on the file system to keep users out of
the disk area where they should not have access.
278295 - How to Lock Down a Windows 2000 Terminal Services
Session http://support.microsoft.com/?kbid=278295
231289 - Using Group Policy Objects to Hide Specified Drives in
My Computer for Windows 2000
http://support.microsoft.com/?kbid=231289
Securing Windows 2000 Terminal Services
http://www.microsoft.com/technet/treeview/default.asp?
url=/technet/prodtechnol/win2kts/maintain/optimize/secw2kts.asp
Guide to Securing Microsoft Windows 2000 Terminal Services
http://nsa1.www.conxion.com/win2k/guides/w2k-19.pdf
--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---
wrote on 22 mar 2005 in

Post by Toolguy99
I have a company that is just starting to use terminal
server. The company is small and the Terminal Server has been
licensed on their main file server.
They want the users to have access to the file shares, but
not the root of
the hard drives on the server, in this case, the C and D
drive. Is there a way to block access to those drives during
a TS session while still allowing access to mapped network
drives (that may point back to folders on the local (to TS) C
and D drives?