You need to ensure that access permissions are set appropriately on shared folders that contain user profile folders and to secure the servers in which the users’ data is stored. To provide enhanced security, host the roaming profile shared folders on servers running Windows 2000 or later, use NTFS on the volumes containing the users’ data, and grant share access permissions as follows.
Granting profile share permissions
A common source of problems with user profiles is incorrectly set permissions. To ensure that permissions are set correctly, use the following guidelines:
- When you create the shared folders for roaming user profiles, limit access to the folder to only users who need access.
- Because a roaming profile contains personal information, such as the user’s documents and EFS certificates, it is important to ensure that roaming user profiles are secure. Here are some ways you can enhance the security of roaming user profiles:
  - Restrict the shared folder to only users who need access. Create a security group for users who have profiles on a particular shared folder, and then limit access to only those users.
  - When you create the shared folder, hide the folder by putting a dollar sign ($) after the share name. This hides the folder from casual browsers and hides the folder in My Network Places.
  - Unless you need special permissions on the profile folder, do not create profile folders in advance for the user. Instead, allow the system to create them.
- Assign users the minimum permissions that are required, as described in Tables 7.7, 7.8, and 7.9. These tables list the required NTFS and share-level server message block (SMB) permissions for roaming user profile shares and folders.
Table 7.7 NTFS Permissions for Roaming Profile Parent Folder

| User Account | Minimum Permissions Required |
|---|---|
| Creator Owner | Full Control, Subfolders and Files Only |
| Administrator | None |
| Security group of users needing to put data on share | List Folder/Read Data, Create Folders/Append Data - This Folder Only |
| Everyone | No permissions |
| Local System | Full Control, This Folder, Subfolders and Files |
Table 7.8 Share-level (SMB) Permissions for Roaming Profile Share

| User Account | Default Permissions | Minimum Permissions Required |
|---|---|---|
| Everyone | Read only | No permissions |
| Security group of users needing to put data on share | N/A | Full Control |
Table 7.9 NTFS Permissions for Each User’s Roaming Profile Folder

| User Account | Default Permissions | Minimum Permissions Required |
|---|---|---|
| %Username% | Full Control, Owner of Folder | Full Control, Owner of Folder |
| Local System | Full Control | Full Control |
| Administrators | No Permissions* | No Permissions |
| Everyone | No Permissions | No Permissions |
* No permissions is the default unless the Add the Administrator security group to the roaming user profile share policy setting is set, in which case the Administrators group has full control. (The Add the Administrator security group to the roaming user profile share policy setting requires Windows 2000 Service Pack 2 or later).
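The following PowerShell script is an added example, not part of the original guide, that applies the Table 7.7 NTFS permissions to a profile parent folder and the Table 7.8 share permissions to a hidden share on it, then reports the resulting DACL so the result can be checked against the table. It assumes a current Windows Server with the SmbShare module and is run as an administrator; the path `D:\Profiles`, the share name `Profiles$` and the group `CONTOSO\RoamingProfileUsers` are placeholders.

```powershell
# Added example (not from the original guide): apply Table 7.7 NTFS permissions
# and Table 7.8 share permissions to a roaming profile parent folder.
# Assumptions: Windows Server with the SmbShare module, run elevated.
# The path, share name and group below are placeholders.

$ProfileRoot  = 'D:\Profiles'                 # assumed local path of the parent folder
$ShareName    = 'Profiles$'                   # trailing $ hides the share from casual browsing
$ProfileGroup = 'CONTOSO\RoamingProfileUsers' # assumed security group of users with profiles

function New-FsRule {
    # Builds an Allow ACE; inheritance/propagation flags encode the
    # "This Folder Only" / "Subfolders and Files Only" columns of Table 7.7.
    param([string]$Identity, [string]$Rights, [string]$Inheritance, [string]$Propagation)
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inheritance, $Propagation, 'Allow'
}

function Set-ProfileRootNtfsAcl {
    param([string]$Path, [string]$Group)

    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }

    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting from the volume root and drop every explicit ACE so that
    # only the Table 7.7 entries remain (Everyone and Administrator get none).
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) {
        if (-not $rule.IsInherited) { [void]$acl.RemoveAccessRule($rule) }
    }

    # CREATOR OWNER: Full Control, Subfolders and Files Only (inherit-only ACE)
    $acl.AddAccessRule((New-FsRule 'CREATOR OWNER' 'FullControl' 'ContainerInherit, ObjectInherit' 'InheritOnly'))
    # Profile users group: List Folder/Read Data + Create Folders/Append Data, This Folder Only
    $acl.AddAccessRule((New-FsRule $Group 'ListDirectory, CreateDirectories' 'None' 'None'))
    # Local System: Full Control, This Folder, Subfolders and Files
    $acl.AddAccessRule((New-FsRule 'NT AUTHORITY\SYSTEM' 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))

    Set-Acl -LiteralPath $Path -AclObject $acl
}

function New-ProfileShare {
    param([string]$Name, [string]$Path, [string]$Group)
    # Table 7.8: the profile users group gets Full Control on the share.
    if (-not (Get-SmbShare -Name $Name -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $Name -Path $Path -FullAccess $Group | Out-Null
    }
    # Table 7.8: Everyone gets no share permissions; remove the default Read
    # entry if the share already existed with it.
    Revoke-SmbShareAccess -Name $Name -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue | Out-Null
}

function Test-ProfileRootAcl {
    # Summarises the DACL so it can be compared with Table 7.7 by eye.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    [pscustomobject]@{
        InheritanceBlocked = $acl.AreAccessRulesProtected
        EveryoneHasAccess  = [bool]($acl.Access | Where-Object { $_.IdentityReference -eq 'Everyone' })
        Entries            = $acl.Access | Select-Object IdentityReference, FileSystemRights,
                                               InheritanceFlags, PropagationFlags
    }
}

Set-ProfileRootNtfsAcl -Path $ProfileRoot -Group $ProfileGroup
New-ProfileShare -Name $ShareName -Path $ProfileRoot -Group $ProfileGroup
Test-ProfileRootAcl -Path $ProfileRoot | Format-List
```

Per-user folders (Table 7.9) are deliberately not pre-created here: as the guideline above says, letting the system create them gives the user ownership and Full Control through the CREATOR OWNER entry, and the script assigns nothing to Administrators, matching the "No Permissions" default.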
Hosting profile shares on servers running Windows 2000 or Windows Server 2003
A user’s roaming profile contains personal information that is copied to and from the client computer and the server that hosts the roaming profile; therefore, it is important to ensure that the data is protected as it travels over the network.
The major potential threats to the privacy and integrity of a user’s data come from malicious users intercepting and tampering with data as it passes over the network, or the server hosting the user’s data.
Several features of Windows 2000 and Windows Server 2003 can help to secure a user’s data:
- Kerberos. Standard on all versions of Windows 2000–based servers, Kerberos ensures the highest level of security to network resources. While NTLM authenticates the client only, Kerberos authenticates both the server and the client. When NTLM is used, the client cannot detect whether the server is valid. This is particularly important when the client exchanges personal files with the server, as is the case with roaming profiles. Kerberos provides better security than NTLM and is not available on Windows NT 4.0 or earlier operating systems.
- IP Security Protocol (IPSec). IPSec provides network-level authentication, data integrity, and encryption to ensure that roamed data is safe from the following:
  - Data modification while en route
  - Interception, viewing, or copying
  - Access by unauthenticated parties
- Server Message Block Signing. The SMB authentication protocol supports message authentication, which prevents active message and "man-in-the-middle" attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by both the client and the server. To use SMB signing, you must either enable it or require it on both the SMB client and the SMB server.
Note: SMB signing imposes a performance penalty. It does not consume any more network bandwidth, but it does use more CPU cycles on both the client and the server.
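Because signing only protects the profile data when it is actually negotiated, a quick check of the current state is useful before trusting the share. The following PowerShell function is an added example, not part of the original guide: it reads the registry values behind the "Digitally sign communications" policy settings for the SMB server side (LanmanServer) and client side (LanmanWorkstation) on the local machine and reports whether signing is merely enabled or required. It assumes it runs on the profile server or a client with rights to read HKLM; a missing value is reported as not configured rather than guessing the OS default.

```powershell
# Added example (not from the original guide): report whether SMB signing is
# enabled or required on the local server and client side.
# Assumption: run on the profile server (or a client) with read access to HKLM.

function Get-SmbSigningState {
    $sides = @{
        Server = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Client = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    }
    foreach ($side in $sides.Keys) {
        $p = Get-ItemProperty -Path $sides[$side] -ErrorAction SilentlyContinue

        # EnableSecuritySignature = sign if the peer agrees; RequireSecuritySignature =
        # refuse unsigned sessions. A missing value means it is not explicitly set.
        $enabled  = $null
        $required = $null
        if ($null -ne $p.EnableSecuritySignature)  { $enabled  = [bool]$p.EnableSecuritySignature }
        if ($null -ne $p.RequireSecuritySignature) { $required = [bool]$p.RequireSecuritySignature }

        # Roaming profiles carry personal data, so only "required" is a pass.
        if ($required -eq $true)     { $finding = 'OK: signing required' }
        elseif ($enabled -eq $true)  { $finding = 'WARN: signing negotiated, not required' }
        else                         { $finding = 'FAIL: signing not configured' }

        [pscustomobject]@{
            Side     = $side
            Enabled  = $enabled
            Required = $required
            Finding  = $finding
        }
    }
}

Get-SmbSigningState | Format-Table -AutoSize
```

Run it on both the profile server and a representative client: signing must be required on at least one side of each session for the profile copy to be protected, and the Note above explains the CPU cost of turning it on.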
Using the NTFS File System for Volumes Containing User Data
For the most secure configuration, always configure servers that host roaming profiles to use NTFS. Unlike a file allocation table (FAT) volume, NTFS supports discretionary access control lists (DACLs) and system access control lists (SACLs), which determine who can perform operations on a file and which events trigger logging of actions performed on a file.
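The DACL side is what Tables 7.7 to 7.9 describe; the SACL side is what makes a denied access visible in the Security log. The following PowerShell is an added example, not part of the original guide, that adds a failure-audit entry to the profile parent folder so that any attempt by an account outside the permitted entries to read, write or delete is recorded once object access auditing is enabled in the audit policy. It assumes an NTFS volume and an elevated session holding the "Manage auditing and security log" privilege; the path is a placeholder.

```powershell
# Added example (not from the original guide): add a SACL failure-audit entry
# to the roaming profile parent folder and read it back.
# Assumptions: NTFS volume; elevated session with the "Manage auditing and
# security log" privilege; "Audit object access" enabled in audit policy.

$ProfileRoot = 'D:\Profiles'   # placeholder path of the profile parent folder

function Add-ProfileRootAuditRule {
    param([string]$Path)
    # -Audit is required to read and write the SACL part of the descriptor.
    $acl = Get-Acl -LiteralPath $Path -Audit

    # Failure audit for Everyone on this folder, subfolders and files: a denied
    # attempt by a user who is not in the Table 7.7 DACL produces an audit event.
    $ctorArgs = @(
        'Everyone',
        'ReadData, WriteData, AppendData, Delete, ChangePermissions, TakeOwnership',
        'ContainerInherit, ObjectInherit',
        'None',
        'Failure'
    )
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList $ctorArgs
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-ProfileRootAuditRules {
    # Lists the SACL entries so the audit configuration can be verified.
    param([string]$Path)
    (Get-Acl -LiteralPath $Path -Audit).Audit |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags
}

Add-ProfileRootAuditRule -Path $ProfileRoot
Get-ProfileRootAuditRules -Path $ProfileRoot | Format-Table -AutoSize
```

Auditing failures rather than successes keeps the log volume low on a busy profile server while still surfacing the case that matters: someone other than the owner or Local System trying to touch another user's profile data.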