January 23, 2003 12:00 AM

Hiding Specific Files from Unauthorized Users

Hiding specific files from certain users' view isn't easy
Windows IT Pro
InstantDoc ID #37758

Sometimes, challenging what we think we know is important. Last week, I received an email message from a reader asking a seemingly simple question: "How do I hide the content of drives from my users who don't have permission to see the files on those drives?" I tossed off a simple reply: "There's a Group Policy Object (GPO) called Prevent Access to Drives from My Computer. Use that."

The next day, the reader responded, telling me that using Prevent Access to Drives from My Computer didn't solve his problem--his users could use Windows Explorer to expand the folder listings on a particular drive by clicking the plus signs. Even worse, the Dir command still worked at the command prompt, fully enumerating the contents of the specified directory. Users couldn't access the files, but they could see that the files existed. To solve this administrator's problem, the files' existence needed to be hidden from unauthorized users.

I searched through the available GPOs and found "Hide these specified drives in My Computer." When you enable this policy, users can't use Windows Explorer to see the target drives. However, the drives and their content are still visible when a user runs the Dir command at a command prompt.

I wanted to discover some way to make this information invisible from the command line but didn't find any way to do so by using the services and tools that the OS makes available. I'm willing to bet that third-party tools exist that will let an administrator accomplish this goal. However, the best I could do was to suggest that the administrator set NTFS permissions to deny browsing on the target folders, a solution that isn't terribly helpful because it means making explicit permission changes on every network root folder that needs additional control. For the short term, I suggested that the administrator use the "Disable the Command prompt" policy to prevent users in groups with limited network access from launching a command session.

My solution is rather inelegant and definitely falls into the "If the only tool you have is a hammer, every problem looks like a nail" category. If any Windows Client UPDATE reader has found a better solution than using three separate GPOs, one that still lets users access the command prompt when necessary, please drop me an email message, even if your solution requires a third-party software tool.
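
The NTFS workaround described above means touching every root folder by hand. The following sketch is an added example, not part of the original article: it applies an explicit deny on folder listing to each top-level folder of a share. The share path, group name and exempt folder are hypothetical placeholders.

```powershell
# Added example: apply the article's NTFS workaround to every top-level folder of a share.
# Assumed, hypothetical values: adjust to your environment.
$ShareRoot  = 'D:\Shares\Departments'      # hypothetical share root
$Restricted = 'CONTOSO\LimitedUsers'       # hypothetical group that must not browse
$Exempt     = @('Public')                  # hypothetical folders the group may still list

function Add-DenyListing {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$Identity)

    # ListDirectory shares its bit with ReadData, so the ACE is inherited by
    # subfolders only (ContainerInherit), never by files.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::ListDirectory,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)

    $acl = Get-Acl -LiteralPath $Path
    # Skip folders that already carry an explicit matching deny ACE.
    $present = $acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq $Identity -and
        ($_.FileSystemRights -band $rule.FileSystemRights)
    }
    if ($present) { return }

    if ($PSCmdlet.ShouldProcess($Path, "Deny ListDirectory to $Identity")) {
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}

# -WhatIf only reports what would change; remove it to apply the ACEs.
Get-ChildItem -LiteralPath $ShareRoot -Directory |
    Where-Object { $Exempt -notcontains $_.Name } |
    ForEach-Object { Add-DenyListing -Path $_.FullName -Identity $Restricted -WhatIf }
```

A deny ACE takes precedence over any allow, so a user who belongs to the restricted group loses folder listing even where another group membership grants it.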

Comments
  • Anonymous User
    7 years ago
    Apr 27, 2005

    There are now 2 options to make Windows act like NetWare in this respect. A 3rd party solution for Windows 2000 or higher, and a free Microsoft solution for Windows 2003 SP1.

    Microsoft has now made this available in Windows 2003 SP1, with a free add-on called Windows Server 2003 Access-based Enumeration. Documentation can be found at http://www.microsoft.com/windowsserver2003/techinfo/overview/abe.mspx .

    ScriptLogic has a package called Cloak http://www.scriptlogic.com/eng/products/cloak/ that works on Windows 2000/2003.

  • Bill Bradley
    8 years ago
    May 05, 2004

    This is the most frustrating part about moving from NetWare to Windows--having ALL folders show, just not letting users into them. I wish MS would fix this. For instance, I have 84 folders in a share that a normal user would have access to only 4 or 5 of. With NetWare, I'd put the user in a Group, add that group to just those 4 or 5 folders, and, when the user opens the share, they ONLY see the 4 or 5 folders. Nice and simple. With Windows, they see all 82, but, can get into only 4 or 5, but, unless they know WHICH ones (and, I'd settle for a color or icon change), they have to click on them all, until they find which ones open.

  • David Taylor
    9 years ago
    Dec 22, 2003

    :) Here's what I like to do to hide folders & Files from prying eyes.

    1. Create a DFS root.
    2. Create a Share (example: UserData) and block Security list propagation (set only Administrator and System as Full Control (Everyone (users) are not listed)) -- the share permission should allow Everyone (Read, Modify)
    3. Create a sub-folder named appropriately such as "Hidden", and assign security for who is allowed to Read/Create, etc..
    4. Add the shared folder, UserData, to the DFS root.

    5. Now, users can browse the root, and they will see the folder UserData but they will be unable to open it to see the Hidden value (even if they have a mapped drive).

    6. Users who know the full path, can access it via \\dfsrootname.local\UserData\Hidden if they have sufficient rights. You can also create a nice "If Member" logon script to map that as a separate drive letter for those users who do have rights.

  • Christoper
    9 years ago
    Jan 28, 2003

    My only other suggestion would be to create an alias for the DIR command ... then make DIR = a message that states "Sorry, this command is disabled". Not sure it will work, but just an idea.
