Home folder permissions

    Question

  • Hello

    My issue is about home folders and IE9! At school, our student home folders are organised as follows:

    server\2011intake$           with the student folders within it

    It is shared as Domain Admins: Full, Staff: Full and 2011intake: Full, which is the students group.

    This works fine for applications except IE9.

    If a student does a right-click and Save As, it allows the student to choose 'Up one level' and go back through the UNC path so they can see 2011intake$ (and all of their peers' folders) and go even further and find the Server itself (though network discovery is disabled).

    I would really like to be able to stop students being able to go 'Up one level' from within IE9 and can only.  Is there any permission I can deny at the 2011intake$ level to deny them access to the parent folder?

    Also am a bit worried that the hidden share (2011intake$) shows up in the Save As box.

    Any help greatly received.

     

    Thanks 

     

    Kevin


    Kevin Sait
    Monday, January 23, 2012 6:51 PM

Answers

  • Hi Kevin,

    Firstly, the share permissions are fine. Your area of focus is the file permissions themselves.

    The student group shouldn't have permissions to any parent directories above that which you have shared out with the name of 2011intake$.

    For the actual "2011intake" directory (not the share), they should only have one right applied to that folder only - not the usual "This folder, subfolder and files" setting, and that one right is the List right.

    Because of how sharing works, you cannot stop them from being able to see all the other student numbered sub-directories, however they most assuredly should not be able to get into those directories. Any attempt should yield an Access Denied error.

    What your current setup is relying upon is security through obscurity, rather than having truly locked down the permissions.

    Here's a quick screenshot of the List permission I described earlier:

    And here's one of what your overall access rights should resemble in the Advanced permissions view. Of course, you may need to add more based on your statement about staff and so on having access, but I'm only focusing on what you said about the students:

     

    One question I have is how are the student home directories themselves created? I'm making the assumption you have some kind of provisioning tool that creates these and you're not actually relying on something running under the logon context of the student itself.

    Cheers,
    Lain


    • Edited by Lain Robertson Thursday, January 26, 2012 5:55 AM Grammar and one final question.
    • Marked as answer by kevinsait Thursday, January 26, 2012 7:31 AM
    Thursday, January 26, 2012 5:53 AM
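
One way to apply and check the NTFS settings described in the answer above, as an added example that is not part of the original thread. The local path and the domain name are hypothetical, and mapping the "List right" to the `ListDirectory` file system right is an assumption, since the screenshots did not survive.

```powershell
# Hypothetical values: the local path behind the 2011intake$ share and the domain name.
$Root     = 'D:\Homes\2011intake'
$Students = 'SCHOOL\2011intake'     # the students group named in the question

# 1. Replace the group's explicit ACEs on the shared folder with a single
#    "List folder" ACE that applies to this folder only (nothing is inherited
#    by the per-student subfolders).
$acl = Get-Acl -Path $Root
$id  = New-Object System.Security.Principal.NTAccount($Students)
$acl.PurgeAccessRules($id)          # drops the group's explicit (non-inherited) ACEs
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Students, 'ListDirectory', 'None', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Root -AclObject $acl

# 2. Show what the group now holds on the shared folder. Any row with
#    IsInherited = True comes from a parent directory, where the answer says
#    the group should have no permissions at all.
(Get-Acl -Path $Root).Access |
    Where-Object { $_.IdentityReference.Value -eq $Students } |
    Format-Table FileSystemRights, InheritanceFlags, IsInherited -AutoSize

# 3. Audit the per-student folders: any Allow ACE for the whole students group
#    on a subfolder means peers can get into it instead of hitting Access Denied.
Get-ChildItem -Path $Root |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $folder = $_
        (Get-Acl -Path $folder.FullName).Access |
            Where-Object {
                $_.IdentityReference.Value -eq $Students -and
                $_.AccessControlType -eq 'Allow'
            } |
            Select-Object @{ Name = 'Folder'; Expression = { $folder.FullName } },
                          FileSystemRights, IsInherited
    }
```

Step 3 printing nothing is the desired result: each student folder is then reachable only through ACEs for its own user, administrators and staff.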

All replies

  • Your configuration is not very traditional. I create the home folder when the user is created. Users have their own folders with Creator Owner rights.

    Regards

    Milos

    Monday, January 23, 2012 7:47 PM