Prohibit users from viewing other users and groups in "security tab" of folders on client machines

  • Question

  • We have some workstations connected to a 2012 R2 Essentials server that is configured as a domain/DNS/DHCP/application server. We noticed that users can open the folder properties window and view all the users and groups through the Security tab.

    Does that represent a vulnerability? How can we prevent that? We want to keep some accounts and groups unknown.


    • Edited by DevyEng Wednesday, October 26, 2016 6:50 AM
    Tuesday, October 25, 2016 2:37 PM

Answers

  • Well, I solved this issue by using Group Policy:

    • On the server, with admin credentials, I created a new GPO
    • Edit the policy
    • Then go to: User Configuration ---> Administrative Templates ---> Windows Components ---> File Explorer
    • Select and open the policy setting: Remove Security tab
    • Enable this setting
    • Press OK on the setting window

    We are not done yet..... we need to link this policy to one of the units of your Active Directory (AD)

    • So, go back to the "Group Policy Management" console
    • Select the unit you want to apply this policy to, i.e. your domain server
    • Display the context menu by clicking the right button of your pointing/mouse device
    • Select "Link an Existing GPO ..."
    • On the "Select GPO" window, select the policy you just created; it's listed in the "Group Policy objects" list box
    • Then click on the OK button

    Are we done? Not yet, be patient, because I can almost hear somebody asking why not use the "Default Domain Policy"? The answer to this is the need for the final steps:

    • On the group policy you created, under "Security Filtering", if Authenticated Users is in the list, remove it
    • Add the group of users you want to apply this policy to

    That's it.... and the explanation for this I believe is clear to the reader, but to complete the answer I will state it:

    If you use the Default Domain Policy, the setting "Remove Security tab" will affect all your Authenticated Users. It's logical to leave this default policy for all the users.

    On the other hand, if we leave the created policy affecting all users, that will include your admins and operators.

    So, to summarize the key solution:

    1. Use a custom policy
    2. Filter by the group of users you want to prohibit from viewing your folders' Security tab

    Update: I think we can also use "WMI Filtering" instead of "Security Filtering". I have not tried it, but I would rather leave this option for complicated filtering that we cannot achieve easily with "Security Filtering".

    I hope this will help someone out there...

    Thanks to those who responded to this question

     



    • Marked as answer by DevyEng Monday, October 31, 2016 5:02 AM
    • Edited by DevyEng Monday, October 31, 2016 5:16 AM
    Monday, October 31, 2016 5:02 AM
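The same GPO procedure as above, scripted with the GroupPolicy PowerShell module. This is an added example, not code from the original poster; the GPO name, OU distinguished name and group name are placeholders, and the NoSecurityTab registry value is the setting that the "Remove Security tab" template writes. It keeps Read (but not Apply) for Authenticated Users because, since MS16-072 (June 2016), user-configuration policy is retrieved in the computer's security context and would otherwise silently fail to apply.

```powershell
# Added example: automates the GPO steps from the answer above with the
# GroupPolicy module. Run on a DC (or a machine with RSAT) as a domain admin.
# The three names below are placeholders; replace them for your domain.
Import-Module GroupPolicy

$GpoName   = 'Hide Security Tab'                   # hypothetical GPO name
$TargetOU  = 'OU=Workstations,DC=example,DC=com'   # hypothetical OU DN
$TargetGrp = 'EXAMPLE\Restricted Users'            # hypothetical target group

# 1. Create the GPO (reuse it if it already exists so the script is re-runnable).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# 2. "User Configuration > Administrative Templates > Windows Components >
#    File Explorer > Remove Security tab" is backed by the NoSecurityTab value
#    under the per-user Explorer policy key; Enabled == 1.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoSecurityTab' -Type DWord -Value 1 | Out-Null

# 3. Link the GPO to the chosen OU (skip if the link is already there).
$links = (Get-GPInheritance -Target $TargetOU).GpoLinks
if (-not ($links | Where-Object DisplayName -eq $GpoName)) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# 4. Security filtering: Authenticated Users must not get "Apply" (that would
#    include admins and operators), but keeps "Read" so the client can still
#    retrieve the GPO after MS16-072. Only the target group gets "Apply".
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $TargetGrp `
    -TargetType Group -PermissionLevel GpApply | Out-Null

# 5. Verify: which trustees the GPO applies to, and that the setting is present.
Get-GPPermission -Name $GpoName -All |
    Where-Object Permission -eq 'GpoApply' |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission
Get-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoSecurityTab'
```

On a workstation, `gpupdate /force` followed by `gpresult /r` as a member of the target group should list the GPO under applied user policies, while an administrator's logon should not.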

All replies

  • Hi DevyEng,

    >We noticed that users can get in the folder properties window and view all the users and groups through the security tab.

    What is the "User" you are referring to? Do the users log on to the server and access the properties, or do users on other computers connect remotely to the server to access the folder properties?

    Is the server a DC? If yes, we need to configure "User rights assignment" to enable other accounts to log on to a DC.

    If you mean remotely to the server, then what is the folder? Is it a shared folder?

    Or, maybe the behavior is related to an administrative share?

    Could you explain the behavior in detail for us?

    Best Regards,

    Anne





    Wednesday, October 26, 2016 8:21 AM
  • Hi Anne,

    Thank you for your response, and please let me explain what you have asked about:

    What is the "User" you are referring to? I mean non-Administrators

    Do the users log on to the server and access the properties? They are not supposed to log on to the server

    Or do users on other computers connect remotely to the server to access the folder properties? Yes, I mean users logging on from their workstations, as stated above

    Is the server a DC? Yes, it's a DC server.

    If yes, we need to configure "User rights assignment" to enable other accounts to log on to a DC

    That is done already, i.e. they can log on from their workstation to the DC server

    If you mean remotely to the server, then what is the folder? Is it a shared folder? Any folder, but I tested a shared folder

    Or, maybe the behavior is related to an administrative share?

    Could you explain the behavior in detail for us?

    When you open File Explorer and right-click on a folder, then select the Security tab, users (non-administrators) will be able to view all the users on the DC if they choose to change permissions by clicking the Edit button

    Hope I explained the issue we have

    Thanks again and Best Regards,

    Thursday, October 27, 2016 5:19 AM