Share via

Security Recommendations for Folder Redirection

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Use the following guidelines when you create the shares for redirected folders to ensure you set access permissions appropriately, and to help provide the most secure configuration.

For information about deploying Folder Redirection on newer versions of Windows, see Deploy Folder Redirection, Offline Files, and Roaming User Profiles.

Restricting access to the share

Redirected folders contain personal information such as documents and EFS certificates so it is important to protect this data.

  • Create a security group for users who have redirected folders on a particular share and limit access only to those users

  • Create a hidden share by putting a dollar sign ($) after the share name. The share is not visible in the network neighborhood.

  • Grant users the minimum permissions that are required to access the data.

Assigning permissions for root folder, shares, and user’s redirected folder

Tables 7.12, 7.13, and 7.14 show the permissions for the folder redirection root, share, and the users’ redirected folders.

Table 7.12   NTFS Permissions for Folder Redirection Root Folder

User Account Minimum Permissions Required

Creator Owner

Full Control, Subfolders and Files Only



Security group of users that need to put data on share

List Folder/Read Data, Create Folders/Append Data - This Folder Only


No Permissions

Local System

Full Control, This Folder, Subfolders and Files

Table 7.13   Share level (SMB) Permissions for Folder Redirection Share

User Account Default Permissions Minimum permissions required


Full Control

No permissions

Security group of users that need to put data on share.


Full Control

Table 7.14 NTFS Permissions for Users’ Redirected Folders

User Account Default Permissions Minimum permissions required


Full Control, Owner of Folder

Full Control, Owner of Folder

Local System

Full Control

Full Control


No permissions

No permissions


No permissions

No permissions

Host redirected file shares on servers running Windows 2000 or Windows Server 2003

To provide the best protection as data is transmitted over the network, ensure that you set up the redirected folders shares on servers running Windows 2000 and later. The Kerberos, IPSec, and SMB signing security features of Windows 2000 and Windows Server 2003 help protect the users’ data.

Using the NTFS file system for user data volumes

Always configure the servers hosting redirected files to use NTFS to provide the most secure configuration.

Do not rely on EFS to encrypt users’ files when transmitted over the network

When you use EFS to encrypt files on a remote server, the data is encrypted only while it is stored on the disk, not when it is transmitted over the network. The exceptions to this are when your system includes IPSec or Web Distributed Authoring and Versioning (WebDAV). IPSec encrypts data while it is transported over a TCP/IP network. If the file is encrypted before being copied or moved to a WebDAV folder on a server, it remains encrypted during the transmission and while it is stored on the server.

Encrypting the Offline Files cache

While access control lists (ACLs) protect the Offline Files cache on NTFS partitions by default, encrypting the cache enhances security on a local computer. By default, the cache on the local computer is not encrypted, so any encrypted files that are cached from the network are not encrypted on the local computer. This might pose a security risk in some environments.

When you enable encryption, all files in the Offline Files cache are encrypted, including existing files and any files that you add later. The cached copy on the local computer is affected, but the associated network copy is not.

You can encrypt the cache in one of two ways:

  • By using Group Policy to enable the Encrypt the offline files cache policy setting. This setting is in the Computer Configuration\Administrative Templates\Network\Offline Files node in the Group Policy Object Editor snap-in.

  • Manually, by clicking Folder Options on the Tools menu in Windows Explorer. Click the Offline Files tab, and then select the Encrypt offline files to secure data check box.


  • Encryption of the Offline File cache is only available in Windows XP and Windows Server 2003; it is not possible to encrypt the cache on Windows 2000–based computers.

For information about encrypting the Offline Files cache for Windows XP, see the How to Encrypt Offline Files link on the Web resources page at For information about encrypting files for Windows 2000, see the Encrypting File System for Windows 2000 link on the Web resources page.