Security Recommendations for Roaming User Profiles Shared Folders
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You need to ensure that access permissions are set appropriately on shared folders that contain user profile folders and to secure the servers in which the users’ data is stored. To provide enhanced security, host the roaming profile shared folders on servers running Windows 2000 or later, use NTFS on the volumes containing the users’ data, and grant share access permissions as follows.
For information about deploying Roaming User Profiles on newer versions of Windows, see Deploy Folder Redirection, Offline Files, and Roaming User Profiles.
Granting profile share permissions
A common cause of roaming user profile problems is incorrectly set permissions. To ensure that permissions are set correctly, use the following guidelines:
When you create the shared folders for roaming user profiles, limit access to the folder to only users who need access.
Because a roaming profile contains personal information, such as the user’s documents and EFS certificates, it is important to ensure that roaming user profiles are secure. Here are some ways you can enhance the security of roaming user profiles:
Restrict the shared folder to only users who need access. Create a security group for users who have profiles on a particular shared folder, and then limit access to only those users.
When you create the shared folder, hide the folder by putting a dollar sign ($) after the share name. This hides the folder from casual browsers and hides the folder in My Network Places.
Unless you need special permissions on the profile folder, do not create profile folders in advance for the user. Instead, allow the system to create them.
Assign users the minimum permissions that are required, as described in Tables 7.7, 7.8, and 7.9. These tables list the required NTFS and share-level Server Message Block (SMB) permissions for roaming user profile shares and folders.
Table 7.7 NTFS Permissions for Roaming Profile Parent Folder

| User Account | Minimum Permissions Required |
|---|---|
| Creator Owner | Full Control, Subfolders and Files Only |
| Administrator | None |
| Security group of users needing to put data on share | List Folder/Read Data, Create Folders/Append Data - This Folder Only |
| Everyone | No permissions |
| Local System | Full Control, This Folder, Subfolders and Files |
Table 7.8 Share-level (SMB) Permissions for Roaming Profile Share

| User Account | Default Permissions | Minimum Permissions Required |
|---|---|---|
| Everyone | Read only | No permissions |
| Security group of users needing to put data on share | N/A | Full Control |
Table 7.9 NTFS Permissions for Each User's Roaming Profile Folder

| User Account | Default Permissions | Minimum Permissions Required |
|---|---|---|
| %Username% | Full Control, Owner of Folder | Full Control, Owner of Folder |
| Local System | Full Control | Full Control |
| Administrators | No Permissions* | No Permissions |
| Everyone | No Permissions | No Permissions |
* No permissions is the default unless the Add the Administrator security group to the roaming user profile share policy setting is set, in which case the Administrators group has full control. (The Add the Administrator security group to the roaming user profile share policy setting requires Windows 2000 Service Pack 2 or later).
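The following PowerShell script is an added example and is not part of the original article. It builds a hidden profile share with the Table 7.7 and 7.8 minimum permissions and then audits the parent folder against Table 7.7 and each user's folder against Table 7.9, which is the check an administrator would run before trusting an existing share. The path D:\Profiles, the share name Profiles$ and the group CONTOSO\RoamingProfileUsers are assumed placeholders; the script relies on icacls.exe (shipped from Windows Server 2003 SP2) and net.exe, and on Get-Acl, so PowerShell must be installed on the file server. Well-known SIDs are used instead of account names so the script works on localized systems.

```powershell
<#
 Added example, not from the original article: builds a hidden roaming profile
 share with the Table 7.7 and 7.8 minimum permissions, then audits the parent
 folder (Table 7.7) and each user's folder (Table 7.9). D:\Profiles, Profiles$
 and CONTOSO\RoamingProfileUsers are assumed placeholders.
#>
param(
    [string]$ProfileRoot = 'D:\Profiles',                # assumed path
    [string]$ShareName   = 'Profiles$',                  # trailing $ hides the share
    [string]$UserGroup   = 'CONTOSO\RoamingProfileUsers' # assumed security group
)

# Well-known SIDs, so the script does not depend on localized account names.
$CreatorOwnerSid = 'S-1-3-0'
$SystemSid       = 'S-1-5-18'
$EveryoneSid     = 'S-1-1-0'
$AdminsSid       = 'S-1-5-32-544'

function New-ProfileShare {
    New-Item -ItemType Directory -Path $ProfileRoot -Force | Out-Null

    # Table 7.7. Inherited ACEs are removed first; Administrators and Everyone
    # get no entry at all, so they are simply never granted.
    icacls $ProfileRoot /inheritance:r | Out-Null
    # Creator Owner: Full Control, subfolders and files only ((IO) = inherit-only)
    icacls $ProfileRoot /grant "*${CreatorOwnerSid}:(OI)(CI)(IO)F" | Out-Null
    # Local System: Full Control, this folder, subfolders and files
    icacls $ProfileRoot /grant "*${SystemSid}:(OI)(CI)F" | Out-Null
    # Profile users: List Folder/Read Data + Create Folders/Append Data, this folder
    # only (no inheritance flags): enough to create their own folder and nothing more
    icacls $ProfileRoot /grant "${UserGroup}:(RD,AD)" | Out-Null

    # Table 7.8. With /GRANT the default "Everyone: Read" share entry is not
    # created; only the profile users group receives Full Control.
    net share "$ShareName=$ProfileRoot" "/GRANT:$UserGroup,FULL" | Out-Null
}

function Test-ProfileRootAcl {
    # Returns the deviations from Table 7.7; an empty result means compliant.
    $acl   = Get-Acl -Path $ProfileRoot
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $problems = @()
    if (-not $acl.AreAccessRulesProtected) {
        $problems += 'Inheritance is enabled; ACEs from the parent may grant unintended access'
    }
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($sid -eq $EveryoneSid -or $sid -eq $AdminsSid) {
            $problems += "Unexpected ACE for $sid ($($rule.FileSystemRights))"
        }
    }
    $systemFull = $rules | Where-Object {
        $_.IdentityReference.Value -eq $SystemSid -and
        $_.FileSystemRights -eq [System.Security.AccessControl.FileSystemRights]::FullControl
    }
    if (-not $systemFull) { $problems += 'Local System does not have Full Control' }
    return $problems
}

function Test-UserProfileFolderAcl {
    # Table 7.9: the folder's owner (the user) and Local System hold Full Control and
    # nobody else has an entry. The inherit-only Creator Owner ACE propagated from the
    # parent is expected. Administrators appear only when the "Add the Administrator
    # security group to the roaming user profile share" policy is set.
    param([string]$UserFolder)
    $acl   = Get-Acl -Path $UserFolder
    $owner = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $problems = @()
    if ($owner -eq $AdminsSid -or $owner -eq $SystemSid) {
        $problems += "$UserFolder is owned by $owner, not by the user (folder pre-created?)"
    }
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($sid -ne $owner -and $sid -ne $SystemSid -and $sid -ne $CreatorOwnerSid) {
            $problems += "Unexpected ACE for $sid on $UserFolder"
        }
    }
    return $problems
}

New-ProfileShare
Test-ProfileRootAcl
Get-ChildItem -Path $ProfileRoot | Where-Object { $_.PSIsContainer } |
    ForEach-Object { Test-UserProfileFolderAcl -UserFolder $_.FullName }
```

The two Test- functions return nothing when the folders match the tables and one line per deviation otherwise, so they can be scheduled against an existing share without changing anything; only New-ProfileShare modifies the server. The owner check in Test-UserProfileFolderAcl is what catches folders that were created in advance by an administrator, the case the guidelines above advise against.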
Hosting profile shares on servers running Windows 2000 or Windows Server 2003
A user’s roaming profile contains personal information that is copied to and from the client computer and the server that hosts the roaming profile; therefore, it is important to ensure that the data is protected as it travels over the network.
The major potential threats to the privacy and integrity of a user’s data come from malicious users intercepting and tampering with data as it passes over the network, or the server hosting the user’s data.
Several features of Windows 2000 and Windows Server 2003 can help to secure a user’s data:
Kerberos. Standard on all versions of Windows 2000–based servers, Kerberos provides the highest level of security for access to network resources. While NTLM authenticates only the client, Kerberos authenticates both the server and the client; with NTLM, the client cannot detect whether the server is genuine. This matters particularly when the client exchanges personal files with the server, as it does with roaming profiles. Kerberos provides better security than NTLM and is not available on Windows NT 4.0 or earlier operating systems.
IP Security Protocol (IPSec). IPSec provides network-level authentication, data integrity, and encryption to ensure that roamed data is safe from the following:
Data modification while en route
Interception, viewing, or copying
Access by unauthenticated parties
For more information about IPSec, see the Networking Collection of the Windows Server 2003 Technical Reference (or see the Networking Collection on the Web at https://www.microsoft.com/reskit).
Server Message Block Signing. The SMB authentication protocol supports message authentication, which prevents active message tampering and "man-in-the-middle" attacks. SMB signing provides this authentication by placing a digital signature in each SMB, which is then verified by both the client and the server. To use SMB signing, you must either enable it or require it on both the SMB client and the SMB server.
Note
- SMB signing imposes a performance penalty: although it does not consume any more network bandwidth, it does use more CPU cycles on the client and the server.
Using the NTFS File System for Volumes Containing User Data
For the most secure configuration, always configure servers that host roaming profiles to use NTFS. Unlike the file allocation table (FAT) file system, NTFS supports discretionary access control lists (DACLs), which determine who can perform operations on a file, and system access control lists (SACLs), which determine which events trigger logging of actions performed on a file.
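The host-side checks from the two sections above (hosting profile shares on Windows 2000 or Windows Server 2003, and using NTFS), as an added PowerShell example that is not part of the original article: it reads the SMB signing settings of the server and workstation services, verifies that the volume holding the profile share is NTFS, and adds a SACL entry so that failed access attempts on the profile root are written to the Security log. The EnableSecuritySignature and RequireSecuritySignature registry values are the ones behind the "Digitally sign communications (if client agrees)" and "(always)" security policy settings; the drive letter D: and the path D:\Profiles are assumed placeholders. Audit entries only produce events once the "Audit object access" audit policy is enabled, and Set-Acl on a SACL needs the script to run with administrator rights.

```powershell
<#
 Added example, not from the original article. Checks the host controls the
 article recommends (SMB signing, NTFS) and adds a SACL entry on the profile
 root. $DataDrive and $ProfileRoot are assumed placeholder values.
#>
param(
    [string]$DataDrive   = 'D:',           # assumed volume holding the profile share
    [string]$ProfileRoot = 'D:\Profiles'   # assumed profile share path
)

function Get-SmbSigningState {
    # EnableSecuritySignature  = "Digitally sign communications (if client/server agrees)"
    # RequireSecuritySignature = "Digitally sign communications (always)"
    # A value that is absent from the registry is treated as 0 (disabled).
    $srv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $cli = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    New-Object PSObject -Property @{
        ServerEnabled  = [bool][int]$srv.EnableSecuritySignature
        ServerRequired = [bool][int]$srv.RequireSecuritySignature
        ClientEnabled  = [bool][int]$cli.EnableSecuritySignature
        ClientRequired = [bool][int]$cli.RequireSecuritySignature
    }
}

function Test-ProfileHost {
    # Returns one finding per control that is not in the recommended state.
    $findings = @()
    $smb = Get-SmbSigningState
    if (-not $smb.ServerRequired) {
        $findings += 'SMB signing is not required on the server service; unsigned sessions leave profile data open to tampering in transit'
    }
    if (-not $smb.ClientRequired) {
        $findings += 'SMB signing is not required on the workstation service of this host'
    }
    $disk = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$DataDrive'"
    if ($disk -eq $null) {
        $findings += "Volume $DataDrive not found"
    } elseif ($disk.FileSystem -ne 'NTFS') {
        $findings += "Volume $DataDrive is $($disk.FileSystem), not NTFS; DACLs and SACLs cannot be applied"
    }
    return $findings
}

function Add-ProfileRootAuditRule {
    # SACL entry: log failed access attempts by anyone on the root, its subfolders
    # and files. Needs SeSecurityPrivilege (run as an administrator) and the
    # "Audit object access" policy for the events to reach the Security log.
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
        -ArgumentList $everyone, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Failure'
    $acl = Get-Acl -Path $ProfileRoot -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $ProfileRoot -AclObject $acl
}

Test-ProfileHost
Add-ProfileRootAuditRule
```

Test-ProfileHost reports the registry state of the host it runs on; the client-side setting on the users' workstations still has to be checked there, because, as the section above states, signing is only used when it is enabled or required on both ends. Auditing failures rather than successes keeps the Security log readable while still surfacing attempts to read another user's profile folder.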