Security Recommendations for Roaming User Profiles Shared Folders
- By Huzaifah Ahmad
- Published 06/1/2010
Huzaifah Ahmad
I am currently working as a Senior Field Consultant. I started my professional career in 1999 in India. In the year 1999 I decided to transition from the Retail Industry to hard core Information Technology, which was always my strength and desire. I realised my strengths and keen interest when I worked on Dbase III Plus a few years back but due to various constraints I could not pursue my career at that point in time. I have worked in various capacities in the fields of Software Technology, as Systems administrator, Systems Support Engineer, Implementations Engineer and Senior Implementation Engineer. Currently, I am based as Senior Field Consultant for a Microsoft Gold Partner in Oxford, U.K.
I am certified in various disciplines:
CCIE # 23368
CCNP
CCNA
CCA
MCSE NT, 2k & 2k3
MCSA 2k & 2k3
MCSE 2k & 2k3 (Messaging & Security)
MCSA 2k & 2k3 (Messaging & Security)
I devote my free time to the technology communities. I believe knowledge grows by sharing and I love to share my knowledge. I believe it is important to be passionate and really enjoy whatever you do. I am also the founder and maintainer of Ahmedgroup (http://www.ahmedgroup.co.uk).
Microsoft recommends that users' roaming profile folders be created automatically by the OS rather than manually, although both methods are supported. You are less likely to make a mistake if you let the OS create the folders, and if the OS fails to write to the configured location you can troubleshoot it straight away rather than repeatedly logging on and off with test user accounts.
Some key things to keep in mind are:
-------------------------------------------------
1. Allow permissions only to groups which require access.
2. Deny access where possible to secure the shares.
3. Create hidden shares to keep unwanted visitors away.
NTFS Permissions for Roaming Profile Parent Folder

| User Account | Minimum Permissions Required |
| --- | --- |
| Creator Owner | Full Control, Subfolders and Files Only |
| Administrator | None |
| Security group of users needing to put data on share | List Folder/Read Data, Create Folders/Append Data - This Folder Only |
| Everyone | No permissions |
| Local System | Full Control, This Folder, Subfolders and Files |
Share level (SMB) Permissions for Roaming Profile Share

| User Account | Default Permissions | Minimum Permissions Required |
| --- | --- | --- |
| Everyone | Read only | No permissions |
| Security group of users needing to put data on share | N/A | Full Control |
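The following PowerShell script is an added example (it is not part of the original article and is not Microsoft's code) that applies the two tables above to a new profile root: it disables inheritance, sets only the listed NTFS ACEs, and publishes the folder as a hidden share where the users' security group has Full Control and Everyone has nothing. The path `D:\Profiles`, the share name `Profiles$` and the group `CONTOSO\Roaming Users` are placeholders; the SMB cmdlets assume the SmbShare module (Windows Server 2012 / Windows 8 or later) and an elevated session on the file server.

```powershell
# Added example: configure a roaming profile parent folder and its hidden share
# according to the NTFS and share permission tables above.
# Placeholders: adjust the three values below for your environment.
$ProfileRoot = 'D:\Profiles'              # placeholder path on the file server
$ShareName   = 'Profiles$'                # trailing $ hides the share from browsing
$UserGroup   = 'CONTOSO\Roaming Users'    # placeholder security group of roaming users

if (-not (Test-Path -LiteralPath $ProfileRoot)) {
    New-Item -ItemType Directory -Path $ProfileRoot | Out-Null
}

$acl = Get-Acl -LiteralPath $ProfileRoot

# Stop inheriting from the parent volume/folder and discard inherited ACEs,
# then remove any remaining explicit ACEs so only the rules below apply.
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($ace)
}

$inheritBoth     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$inheritNone     = [System.Security.AccessControl.InheritanceFlags]::None
$propNone        = [System.Security.AccessControl.PropagationFlags]::None
$propInheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# CREATOR OWNER: Full Control, subfolders and files only (InheritOnly keeps it
# off the parent folder itself; each user becomes owner of the folder the OS creates)
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CREATOR OWNER', 'FullControl', $inheritBoth, $propInheritOnly, 'Allow')))

# Users group: List Folder/Read Data + Create Folders/Append Data, this folder only
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $UserGroup, 'ListDirectory, CreateDirectories', $inheritNone, $propNone, 'Allow')))

# Local System: Full Control, this folder, subfolders and files
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\SYSTEM', 'FullControl', $inheritBoth, $propNone, 'Allow')))

# Administrators and Everyone get no ACE at all; with inheritance disabled the
# absence of an Allow entry already means no access for them.
Set-Acl -LiteralPath $ProfileRoot -AclObject $acl

# Share permissions: users group Full Control, Everyone removed.
# The NTFS ACL above remains the effective restriction on what users can do.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $ProfileRoot -FullAccess $UserGroup | Out-Null
}
Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue | Out-Null

# Print the resulting NTFS and share ACLs for review
(Get-Acl -LiteralPath $ProfileRoot).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
Get-SmbShareAccess -Name $ShareName
```

Run it once on the file server before pointing the profile path in Active Directory at `\\server\Profiles$\%username%`; the first logon of each user then creates that user's folder with the user as owner, which is the behaviour the next table relies on.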
NTFS Permissions for Each User’s Roaming Profile Folder

| User Account | Default Permissions | Minimum Permissions Required |
| --- | --- | --- |
| %Username% | Full Control, Owner of Folder | Full Control, Owner of Folder |
| Local System | Full Control | Full Control |
| Administrators | No Permissions* | No Permissions |
| Everyone | No Permissions | No Permissions |
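As an added example (not from the original article), the function below audits every per-user folder under the profile root against the table above and reports folders where the owner is not the user, where Administrators or Everyone hold any ACE, or where an identity other than the user and Local System has Full Control. The path `D:\Profiles` and the domain `CONTOSO` are placeholders; it assumes folder names match the user's logon name, which is the case when the OS creates them (the optional `.V2`-style suffix used by newer profile versions is stripped).

```powershell
# Added example: audit per-user roaming profile folders against the
# recommended NTFS permissions (user = owner with Full Control, SYSTEM Full
# Control, no ACEs for Administrators or Everyone).
function Test-RoamingProfileFolder {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Domain = 'CONTOSO'   # placeholder NetBIOS domain name
    )
    # Folder name is assumed to be the user's logon name, optionally with a
    # version suffix such as ".V2" that newer Windows versions append.
    $userName     = (Split-Path -Leaf $Path) -replace '\.V\d+$', ''
    $expectedUser = "$Domain\$userName"

    $acl      = Get-Acl -LiteralPath $Path
    $findings = @()

    if ($acl.Owner -ne $expectedUser) {
        $findings += "owner is '$($acl.Owner)', expected '$expectedUser'"
    }

    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($id -match '\\Administrators$' -or $id -eq 'Everyone') {
            $findings += "unexpected ACE for '$id' ($($ace.AccessControlType) $($ace.FileSystemRights))"
            continue
        }
        # Full Control is 0x1F01FF; inherit-only ACEs may instead carry the
        # GENERIC_ALL bit (0x10000000), so treat either as Full Control.
        $rights = [int]$ace.FileSystemRights
        $isFull = (($rights -band 0x1F01FF) -eq 0x1F01FF) -or (($rights -band 0x10000000) -ne 0)
        if ($isFull -and $id -notin @($expectedUser, 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')) {
            $findings += "Full Control granted to '$id'"
        }
    }

    [pscustomobject]@{
        Path      = $Path
        User      = $expectedUser
        Compliant = ($findings.Count -eq 0)
        Findings  = ($findings -join '; ')
    }
}

$ProfileRoot = 'D:\Profiles'   # placeholder profile root

# List only the non-compliant folders for follow-up
Get-ChildItem -LiteralPath $ProfileRoot -Directory |
    ForEach-Object { Test-RoamingProfileFolder -Path $_.FullName } |
    Where-Object { -not $_.Compliant } |
    Format-Table -AutoSize
```

A folder that fails the owner check is the usual sign that it was created by hand as an administrator instead of by the OS at first logon, which is exactly the situation the article recommends avoiding; a folder where Administrators hold an ACE is one where somebody granted management access directly rather than through the GPO setting mentioned below.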
For further detail see the following article:
Security Recommendations for Roaming User Profiles Shared Folders
http://technet.microsoft.com/en-us/library/cc757013(WS.10).aspx
If additional access is required for management, apply the relevant GPO settings as well.
Roaming Profile Folders Do Not Allow Administrative Access
http://support.microsoft.com/kb/222043
